Re: [Dovecot-news] v2.2.30.1 released

2017-05-31 Thread Reindl Harald



On 31.05.2017 at 16:35, Timo Sirainen wrote:
On 31 May 2017, at 16.53, Reindl Harald <h.rei...@thelounge.net> wrote:


LTO build is as broken as 2.2.30

libtool: link: ( cd ".libs" && rm -f "lib10_quota_plugin.la" && ln -s 
"../lib10_quota_plugin.la" "lib10_quota_plugin.la" )
/tmp/ccGO7JSw.ltrans4.ltrans.o::function 
imapc_quota_refresh.lto_priv.22: error: undefined reference to 
'imapc_storage_client_register_untagged'
/tmp/ccGO7JSw.ltrans4.ltrans.o::function 
imapc_quota_refresh.lto_priv.22: error: undefined reference to 
'imapc_storage_client_register_untagged'


Did you give --with-storages parameter? If not, I don't really see why 
it would fail. What configure options & environments did you use?


unchanged as for all other versions including 2.2.29.1 and the only 
change is the new tarball


%prep
%setup -q -n %{name}-%{version}

%build
export CFLAGS="%{optflags} -fPIC -flto -ffat-lto-objects -fuse-ld=gold 
-fuse-linker-plugin -Wno-stack-protector -Wa,--noexecstack"

export CXXFLAGS="$CFLAGS"
export FFLAGS="$CFLAGS"
export CPPFLAGS="$CFLAGS"
export CC="gcc $CFLAGS"
export SH_LDFLAGS="-Wl,--as-needed -Wl,-z,now -Wl,-z,relro 
-Wl,-z,noexecstack %{optflags} -flto -ffat-lto-objects -fuse-ld=gold 
-fuse-linker-plugin -Wno-stack-protector -Wa,--noexecstack"

export LDFLAGS="$SH_LDFLAGS -pie -fPIE"
%configure \
 INSTALL_DATA="install -c -p -m644" \
 --docdir=%{_docdir}/%{name}-%{version} \
 --disable-static \
 --disable-largefile \
 --disable-rpath \
 --with-gnu-ld \
 --with-pic \
 --with-sql=yes \
 --with-mysql \
 --with-libcap \
 --with-shared-libs \
 --with-ssl=openssl \
 --with-gssapi \
 --with-ssldir=%{ssldir} \
 --with-storages=pop3c \
 --with-notify=none \
 --without-bsdauth \
 --without-gc \
 --without-docs \
 --without-shadow \
 --without-nss \
 --without-pam \
 --without-ldap \
 --without-pgsql \
 --without-sqlite \
 --without-zlib \
 --without-bzlib \
 --without-lz4 \
 --without-vpopmail \
 --without-cdb \
 --without-lucene \
 --without-stemmer \
 --without-solr \
 --without-sia \
 --without-libwrap
%{__make} %{?_smp_mflags}


Re: [Dovecot-news] v2.2.30.1 released

2017-05-31 Thread Reindl Harald



On 31.05.2017 at 17:19, Timo Sirainen wrote:

On 31 May 2017, at 18.03, Reindl Harald <h.rei...@thelounge.net> wrote:



libtool: link: ( cd ".libs" && rm -f "lib10_quota_plugin.la" && ln -s 
"../lib10_quota_plugin.la" "lib10_quota_plugin.la" )
/tmp/ccGO7JSw.ltrans4.ltrans.o::function 
imapc_quota_refresh.lto_priv.22: error: undefined reference to 
'imapc_storage_client_register_untagged'
/tmp/ccGO7JSw.ltrans4.ltrans.o::function 
imapc_quota_refresh.lto_priv.22: error: undefined reference to 
'imapc_storage_client_register_untagged'

Did you give --with-storages parameter? If not, I don't really see why it would 
fail. What configure options & environments did you use?


unchanged as for all other versions including 2.2.29.1 and the only change is 
the new tarball

..

--with-storages=pop3c \


See the other mails about this. --with-storages is no longer supported since it 
was too much trouble to keep it working. It's already removed from the git 
master branch, but I guess we should remove it from the next v2.2 release also. 
I didn't know multiple people were actually using it..


to be honest i would love a --proxy-only option, see below what a 
dovecot build spits out which is not needed as a proxy/tls-offloading 
only install


rm -rf %{buildroot}%{_sysconfdir}/%{name}/README \
 %{buildroot}%{_docdir}/%{name}-%{version} \
 %{buildroot}%{_includedir}/%{name} \
 %{buildroot}%{_mandir} \
 %{buildroot}%{_datarootdir}/aclocal \
 %{buildroot}%{_bindir}/dsync \
 %{buildroot}%{_libdir}/%{name}/*_plugin.so \
 %{buildroot}%{_libdir}/%{name}/doveadm/*_plugin.so \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-dsync.so \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-dsync.so.0 \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-dsync.so.0.0.0 \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-fts.so \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-fts.so.0 \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-fts.so.0.0.0 \
 %{buildroot}%{_libdir}/%{name}/doveadm \
 %{buildroot}%{_libdir}/%{name}/settings \
 %{buildroot}%{_libdir}/%{name}/sieve \
 %{buildroot}%{_libexecdir}/%{name}/aggregator \
 %{buildroot}%{_libexecdir}/%{name}/decode2text.sh \
 %{buildroot}%{_libexecdir}/%{name}/deliver \
 %{buildroot}%{_libexecdir}/%{name}/director \
 %{buildroot}%{_libexecdir}/%{name}/doveadm-server \
 %{buildroot}%{_libexecdir}/%{name}/dovecot-lda \
 %{buildroot}%{_libexecdir}/%{name}/gdbhelper \
 %{buildroot}%{_libexecdir}/%{name}/imap-urlauth \
 %{buildroot}%{_libexecdir}/%{name}/imap-urlauth-login \
 %{buildroot}%{_libexecdir}/%{name}/imap-urlauth-worker \
 %{buildroot}%{_libexecdir}/%{name}/indexer \
 %{buildroot}%{_libexecdir}/%{name}/indexer-worker \
 %{buildroot}%{_libexecdir}/%{name}/lmtp \
 %{buildroot}%{_libexecdir}/%{name}/maildirlock \
 %{buildroot}%{_libexecdir}/%{name}/quota-status \
 %{buildroot}%{_libexecdir}/%{name}/rawlog \
 %{buildroot}%{_libexecdir}/%{name}/replicator \
 %{buildroot}%{_libexecdir}/%{name}/xml2text \
 %{buildroot}%{_datarootdir}/%{name}/stopwords


Re: Dovecot Oy merger with Open-Xchange AG

2015-04-03 Thread Reindl Harald


On 03.04.2015 at 05:28, Nick Edwards wrote:

you wouldnt know, your not a developer, shit processor maybe, but not
a developer


you are just an idiot and nothing else

http://www.gossamer-threads.com/lists/spamassassin/users/189665
https://www.mail-archive.com/users@spamassassin.apache.org/msg91823.html


On 4/3/15, Reindl Harald h.rei...@thelounge.net wrote:



On 02.04.2015 at 18:19, Jogi Hofmüller wrote:

On 2015-04-02 at 17:49, Reindl Harald wrote:

On 02.04.2015 at 14:30, Edwardo Garcia wrote:

On 4/1/15, Reindl Harald h.rei...@thelounge.net wrote:

On 01.04.2015 at 14:33, Bernd Petrovitsch wrote:

On Wed, 2015-04-01 at 13:07 +0200, Reindl Harald wrote:

On 01.04.2015 at 13:04, Bernd Petrovitsch wrote:
that is simple not true - if it would be true linux distributions
would


Define true Linux distribution.


who the fuck was talking about true Linux distribution?


you were cockhead


no and if someone can't read a simple paragraph because a missing comma
it's not a compliment for him


Your sentence was not really entirely precise.


it was in the context


What's the harm in saying sorry instead of barking at people?


sorry for what?

for not have any understanding that people blame developers trying to
make money and feed their family while release the software as free
available opensource?

and frankly *until* that has changed or at least the is a *single sign*
that could change ever people should just shut up instead insinuate bad
intentions to the developers all the thread long






Re: Dovecot Oy merger with Open-Xchange AG

2015-04-03 Thread Reindl Harald


On 03.04.2015 at 21:14, Benny Pedersen wrote:

Andreas Kasenides wrote on 2015-04-03 15:53:


Please share. I know its easy to do, but share anyway!


require "imap4flags";
# rule:[h.rei...@thelounge.net]
if header :contains "From" "h.rei...@thelounge.net"
{
 addflag "\\Seen";
}

this dont break threads

add this as the very first rule, before any fileinto, note no stop in
the above rule

possible he have more sender addresses


Benny, our master-troll - i already posted a working rule (yours is 
bullshit when somebody asks for blow mails to /dev/null) and i don't 
give a damn about people acting like stupid childs booh the bad man 
said something not nice mama help me


if address :is ["From", "Sender"] ["h.rei...@thelounge.net", 
"nick.z.edwa...@gmail.com"]
{
 discard;
}





Re: Dovecot Oy merger with Open-Xchange AG

2015-04-03 Thread Reindl Harald



On 03.04.2015 at 15:53, Andreas Kasenides wrote:

On 03/04/15 16:09, Jerry wrote:

On Fri, 03 Apr 2015 08:42:42 -0400, Charles Marcus stated:


People, PLEASE do not engage Reindl on the list, it always results in
this kind of garbage that the adults on the list could do without.

If you feel compelled to 'call him out', then by all means do so, but do
it PRIVATELY.

It is not just Reindl. People like Nick who feel compelled to continue
this
persiflage are as bad as the originator.

I have just created a sieve rule to send Reindl, Nick and a few other
individuals who feel the need to try and show their immaturity to
/dev/null. I read this forum to learn about Dovecot, not to listen
to the
rantings of a few Testosterone poisoned, immature posters.


Please share. I know its easy to do, but share anyway!


if address :is ["From", "Sender"] ["address1", "address2"]
{
 discard;
}






Re: Dovecot Oy merger with Open-Xchange AG

2015-04-02 Thread Reindl Harald



On 02.04.2015 at 14:30, Edwardo Garcia wrote:

On 4/1/15, Reindl Harald h.rei...@thelounge.net wrote:



On 01.04.2015 at 14:33, Bernd Petrovitsch wrote:

On Wed, 2015-04-01 at 13:07 +0200, Reindl Harald wrote:

On 01.04.2015 at 13:04, Bernd Petrovitsch wrote:

IMHO the larger the corporation is, the less are the chances for
*long-term* benefits of the OSS/free software (mainly because: usually
commercial success is driven and defined from marketing to sales[1]
sown
to the techies which are forced into features and delivery dates to
achieve some company defined goal - and that is usually not bug
free, safe, or the like. Free software/OSS just happens that *at
least* half of it should come from the working level and that is - at
least - much more - ahemm - inconvenient for sales people)


FWIW the context were large old-school corps (like Novell or Oracle)
taking over free software companies.


that is simple not true - if it would be true linux distributions would


Define true Linux distribution.


who the fuck was talking about true Linux distribution?


you were cockhead


no and if someone can't read a simple paragraph because a missing comma 
it's not a compliment for him


 that is simple not true - if it would be true,
 linux distributions would


not taking your drugs again reindl eh or may be you
are taking too much of the illegal ones and none of the ones the
doctors prescribed you


go and f** yourself since i didn't ask you to speak





Re: Dovecot Oy merger with Open-Xchange AG

2015-04-02 Thread Reindl Harald



On 02.04.2015 at 18:19, Jogi Hofmüller wrote:

On 2015-04-02 at 17:49, Reindl Harald wrote:

On 02.04.2015 at 14:30, Edwardo Garcia wrote:

On 4/1/15, Reindl Harald h.rei...@thelounge.net wrote:

On 01.04.2015 at 14:33, Bernd Petrovitsch wrote:

On Wed, 2015-04-01 at 13:07 +0200, Reindl Harald wrote:

On 01.04.2015 at 13:04, Bernd Petrovitsch wrote:
that is simple not true - if it would be true linux distributions
would


Define true Linux distribution.


who the fuck was talking about true Linux distribution?


you were cockhead


no and if someone can't read a simple paragraph because a missing comma
it's not a compliment for him


Your sentence was not really entirely precise.


it was in the context


What's the harm in saying sorry instead of barking at people?


sorry for what?

for not have any understanding that people blame developers trying to 
make money and feed their family while release the software as free 
available opensource?


and frankly *until* that has changed or at least the is a *single sign* 
that could change ever people should just shut up instead insinuate bad 
intentions to the developers all the thread long






Re: Dovecot Oy merger with Open-Xchange AG

2015-04-01 Thread Reindl Harald



On 01.04.2015 at 14:33, Bernd Petrovitsch wrote:

On Wed, 2015-04-01 at 13:07 +0200, Reindl Harald wrote:

On 01.04.2015 at 13:04, Bernd Petrovitsch wrote:

IMHO the larger the corporation is, the less are the chances for
*long-term* benefits of the OSS/free software (mainly because: usually
commercial success is driven and defined from marketing to sales[1] sown
to the techies which are forced into features and delivery dates to
achieve some company defined goal - and that is usually not bug
free, safe, or the like. Free software/OSS just happens that *at
least* half of it should come from the working level and that is - at
least - much more - ahemm - inconvenient for sales people)


FWIW the context were large old-school corps (like Novell or Oracle)
taking over free software companies.


that is simple not true - if it would be true linux distributions would


Define true Linux distribution.


who the fuck was talking about true Linux distribution?


not include half baked and alpha quality software again and again in
stable releases because the market out there


That's everywhere in the commercial world the problem with delivery vs
quality/known problems and someone's decision to ship or not to ship -
based in whatever feels appropriate.


and in the opensource world too - so what


BTW typical Linux distributions package some else's software and
(almost) everyone knows that (and do not blame the distro for shipping
buggy software - is there actually any bug-free software?;-).

And it depends on
- the package (core package like kernel, gcc, perl, apache-http, ...)
   vs some exotic application (the n+1.th text editor, MUA, ...).
- the bug in question - is that stuff unusable or happens the bug only
   if you do crazy creative stuff on files with 6+GB size or 1000k lines?
And usually distros run bug tracking and (try to) get bugs fixed - in
house or upstream.


no it don't - it depends in a braindead race include new software 
generations in alpha quality state instead wait until it become mature


and *because* this happens with pure OSS too your statement above is wrong


the *possible* long-term benefits are more time to invest because a
fixed income


If the free software is the core business, it is not a problem (and
these are not the companies in the discussion)


and even if it is *not* the core business it is not a problem as long as 
you get what you have now maintained for free - if there is a new killer 
feature and you are a commercial mail hoster and don't want to spent a 
small amount of money your talking about opensource is hypocrisy because 
the only thing you care about is get anything for free






Re: Dovecot Oy merger with Open-Xchange AG

2015-04-01 Thread Reindl Harald


On 01.04.2015 at 13:04, Bernd Petrovitsch wrote:

IMHO the larger the corporation is, the less are the chances for
*long-term* benefits of the OSS/free software (mainly because: usually
commercial success is driven and defined from marketing to sales[1] sown
to the techies which are forced into features and delivery dates to
achieve some company defined goal - and that is usually not bug
free, safe, or the like. Free software/OSS just happens that *at
least* half of it should come from the working level and that is - at
least - much more - ahemm - inconvenient for sales people)


that is simple not true - if it would be true linux distributions would 
not include half baked and alpha quality software again and again in 
stable releases because the market out there


the *possible* long-term benefits are more time to invest because a 
fixed income






sieve rule for header don't exist

2015-03-30 Thread Reindl Harald
is there a way to express when the header X-Spam-Status *does not* 
exist move the message to a different folder?


:contains, :matches and :is are not helpful here

background:
the spamass-milter option -B is lacking the spamassassin headers in case 
of milter-rejects and via sendmail generated BCC while flagged messages 
contain the headers - so it would be nice to move the rejected ones to a 
subfolder REJECTED instead into the inbox






Re: sieve rule for header don't exist

2015-03-30 Thread Reindl Harald



On 30.03.2015 at 11:41, Christian Kivalo wrote:

On 2015-03-30 11:25, Reindl Harald wrote:

is there a way to express when the header X-Spam-Status *does not*
exist move the message to a different folder?

:contains, :matches and :is are not helpful here



Have you tried using the exist test from the sieve rfc


indeed - that works - thanks!

require "fileinto";
if not exists "X-Spam-Status"
{
 fileinto "REJECTED";
}
else
{
 keep;
}


5.5. Test exists


Usage:   exists <header-names: string-list>

The exists test is true if the headers listed in the header-names
argument exist within the message.  All of the headers must exist or
the test is false.

The following example throws out mail that doesn't have a From header
and a Date header.

Example:  if not exists ["From","Date"] {
             discard;
          }

https://tools.ietf.org/html/rfc5228#page-28

i have not tried it myself but the core of rfc 5228 is reported to be
fully supported by pigeonhole
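The three Sieve tests that appear on this page (`exists` from this thread, and the `header :contains` and `address :is` rules from the /dev/null discussion earlier) evaluated with RFC 5228 semantics over two constructed messages. This is an added example, not Pigeonhole's code; the sample headers, the `route` rule order and the action strings are my own assumptions.

```python
"""Minimal evaluator for the Sieve tests discussed on this page:
`exists`, `header :contains` and `address :is` (RFC 5228 semantics).
Added example; not Pigeonhole or Dovecot code."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real list traffic).
# A message that went through spamassassin and carries the status header:
FLAGGED = """From: someone@example.org
To: list@example.net
Date: Mon, 30 Mar 2015 11:25:00 +0200
X-Spam-Status: Yes, score=7.1

body
"""
# A milter-rejected copy delivered via BCC: no X-Spam-Status header at all.
REJECTED = """From: someone@example.org
Sender: bounce@example.org
To: list@example.net
Date: Mon, 30 Mar 2015 11:26:00 +0200

body with no X-Spam-Status header
"""


def exists(msg, names):
    """RFC 5228 5.5: true only if *every* listed header is present."""
    return all(msg.get(n) is not None for n in names)


def header_contains(msg, names, keys):
    """RFC 5228 5.7 `header :contains`: some listed header's value contains
    some key. Default comparator i;ascii-casemap, so case-insensitive."""
    for n in names:
        for value in msg.get_all(n, []):
            for k in keys:
                if k.lower() in value.lower():
                    return True
    return False


def address_is(msg, names, keys):
    """RFC 5228 5.1 `address :is`: parse the listed headers as address lists
    and compare the bare addr-spec (the default :all part) exactly,
    case-insensitively."""
    values = []
    for n in names:
        values.extend(msg.get_all(n, []))
    addrs = [addr.lower() for _, addr in getaddresses(values)]
    return any(k.lower() in addrs for k in keys)


def route(raw, blocked=()):
    """Apply the page's rules in the order a user would list them and return
    the resulting action:
      1. discard mail whose From/Sender is in `blocked` (the /dev/null rule)
      2. file mail that lacks X-Spam-Status into REJECTED
      3. otherwise the implicit keep."""
    msg = message_from_string(raw)
    if blocked and address_is(msg, ["From", "Sender"], list(blocked)):
        return "discard"
    if not exists(msg, ["X-Spam-Status"]):
        return "fileinto:REJECTED"
    return "keep"
```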






Re: Error after setting up fts /solr for Open-Xchange

2015-03-28 Thread Reindl Harald



On 28.03.2015 at 18:02, zu...@systemschmiede.com wrote:

Well...That seemed to have worked in fact.
Updated to 2:2.2.16-1~auto+36.
All folders-search works, and no errors are being shown. Besides, the
all folder search in Open-Xchange looks great and is lightning fast!


well, the first step in case of troubles should always be update to the 
last recent version (every software not only postfix) - time and effort 
to make new releases is spent for good reasons :-)






Re: postfix sasl - haproxy - dovecot auth

2015-03-27 Thread Reindl Harald


On 27.03.2015 at 15:04, Benny Pedersen wrote:

Gedalya wrote on 2015-03-27 14:48:


is it possible to configure configure haproxy to work with postfix
sasl and dovecot auth like this:
clients - 25:postfix - 20025:haproxy - 20025:auth-backend-1,
20025:auth-backend-2

Why don't you set up a dovecot locally (with only auth service) on
each postfix box?


cyrus-sasl is still needed


bullshit and to be honest nobody right in his mind aware of the 
capabilities configures cyrus-sasl on a server where postfix and dovecot 
are running already instead just use one common auth layer for incoming 
and outgoing mail supporting the same mechs and configuration


http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL


# configure backend for postfix sasl-auth
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}


smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth





Re: postfix sasl - haproxy - dovecot auth

2015-03-27 Thread Reindl Harald


On 27.03.2015 at 14:49, Benny Pedersen wrote:

What I need is to make smtp authentication balanced and keep
everything in backend (private network)


dovecot is not a smtp server, thats why i say cyrus-sasl


jesus christ keep your smart-ass responses for yourself
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL






Re: Dovecot Oy merger with Open-Xchange AG

2015-03-25 Thread Reindl Harald


On 25.03.2015 at 18:28, Benny Pedersen wrote:

Reindl Harald wrote on 2015-03-25 18:08:


with your argumentation making a shit would also not be completly free
because you need to pinch ass bakes.


and you write this on public walls?


DON'T QUOTE OUT OF CONTEXT BOY, YOU HAVE MISSED YOUR only paid here by 
compiling time







Re: Dovecot Oy merger with Open-Xchange AG

2015-03-25 Thread Reindl Harald


On 25.03.2015 at 16:58, Brad Smith wrote:

On 03/25/15 08:46, Peter Chiochetti wrote:

On 25.03.2015 at 13:23, Nick Edwards wrote:


So there *is* a chance it will be commercialised


Hasn't it been commercial for a long time?


When was the last time you paid for Dovecot? The base product is
open source and free for anyone to use


and why people don't shut up until a single sign that this would ever 
change happened? is redhat a commercial company - yes it is - is the 
software available as open source and for free - yes it is


a lot of responses in that thread are just whining for fun





Re: Dovecot Oy merger with Open-Xchange AG

2015-03-25 Thread Reindl Harald


On 25.03.2015 at 18:03, Benny Pedersen wrote:

Brad Smith wrote on 2015-03-25 16:58:

On 03/25/15 08:46, Peter Chiochetti wrote:

On 25.03.2015 at 13:23, Nick Edwards wrote:

So there *is* a chance it will be commercialised

Hasn't it been commercial for a long time?

When was the last time you paid for Dovecot? The base product is
open source and free for anyone to use.


only paid here by compiling time, still have dovecot v1 working, so
open source it not complete free, as long it compiles fine i am happy


that you compile at your own and that you still use dovecot 1.x is *your 
own* decision and so opensource *is complete free*


with your argumentation making a shit would also not be completly free 
because you need to pinch ass bakes.






Re: Dovecot Oy merger with Open-Xchange AG

2015-03-25 Thread Reindl Harald



On 25.03.2015 at 20:34, Benny Pedersen wrote:

Brad Smith wrote on 2015-03-25 20:20:


only paid here by compiling time, still have dovecot v1 working, so
open source it not complete free, as long it compiles fine i am happy


Not making any sense.


punktum ?


only paid here by compiling time is nonsense


if i really need to install precompiled problems i could aswell install
windows 10, and be happy, its just not opensource when the sources is
not shown


foolish trolling - the source needs to be available or does your self 
compiled binary show you his source at startup?


you can download the source from Redhat, Fedora, OpenSUSE, Debian and so 
it is shown - you just need to look at it - well, but you don't 
understand it anyways, no difference to your way of download, unpack and 
compile a source you don't understand



where is the source codes for android ?


available or where do alternate ROM providers take it


its based on linux with is opensource, but where is
the source for android?


https://source.android.com/source/downloading.html


got my point ?


as in 98% of your posts you have no point


i just say that opensource brands is not really opensource if one
install it precompiled, punktum as you write it


bullshit - there is no difference between install the binary a 
distribution build from the source tarball than download the tarball and 
call make scripts until you want change some default flags






Re: imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??

2015-03-21 Thread Reindl Harald


On 21.03.2015 at 12:02, James wrote:

On 21/03/2015 10:55, Reindl Harald wrote:


well, remove that brickage of special compile


I'm sorry but I did not understand your comment


why do you compile openssl that way?







Re: imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??

2015-03-21 Thread Reindl Harald



On 21.03.2015 at 11:51, James wrote:

On 21/03/2015 10:00, James wrote:


the SSL23_GET_CLIENT_HELLO:unsupported protocol seems to do what I
thought the ssl_protocols setting did.
Do I still need, if I ever needed, the ssl_protocols =  setting?


All these ssl_* settings just go to OpenSSL without Dovecot (or I)
knowing all that much about them. I think you still need it, but maybe
it's because your ssl_cipher_list is so limited that it fails the
session anyway (just my guess).


I'd better add this PS, my openssl is compiled with no-ssl3 which is
where the the SSL23 unsupported is coming from.  I've remove the
no-ssl3 from openssl indeed it accepts the connection, however, with
ssl_protocols = !SSLv2 !SSLv3 in dovecot.conf imap-login still sig 11s


well, remove that brickage of special compile







Re: imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??

2015-03-21 Thread Reindl Harald



On 21.03.2015 at 12:12, James wrote:

On 21/03/2015 11:07, Reindl Harald wrote:


well, remove that brickage of special compile


I'm sorry but I did not understand your comment


why do you compile openssl that way?


What way?  With or without ssl3?  I've now done it both ways.

Reading:
https://wiki.openssl.org/index.php/Compilation_and_Installation
no-ssl3 seems to be a popular and legitimate option


that maybe all fine and true, but since others can't reproduce your 
problem it's likely your openssl build and not dovecot itself






Re: Support for multiple passwords?

2015-03-18 Thread Reindl Harald


On 18.03.2015 at 20:56, Conrad Kostecki wrote:

On 2015-03-18 20:46, Reindl Harald wrote:

On 18.03.2015 at 20:40, Conrad Kostecki wrote:

Hi!
Currently, the passwords are stored in plaintext for my dovecot, as I am
still using cram-md5 AND digest-md5.
I have still to offer that, as I have some deprecated clients,
therefore, I am unable to hash at least those passwords for that
accounts.

I've found on the Wiki:

In future it's possible that Dovecot could support multiple passwords
in different schemes for a single user.


Is there any news about this? Are there still any plans to support this
maybe in future?
For my understanding, that would solve my problem, that I could define a
password in both schemes (cram and digest) and don't have to use
plaintext password?


if you would read http://en.wikipedia.org/wiki/CRAM-MD5 and understand
how CRAM-MD5 works you would know that you just can't store cram
because the whole purpose is that it changes all the time


Maybe I am totally wrong,
but according to the Wiki, if I would be use using CRAM-MD5 without
DIGEST-MD5, the password could be stored not in plain text but instead
in a cram-md5 scheme?
At least, that had worked for me in a test setup. But I will have a look.


only in a broken and insecure implementation - or how do you store 
arbitrary string of random digits, a timestamp?


http://en.wikipedia.org/wiki/CRAM-MD5

Challenge: The server sends a base64-encoded string to the client. 
Before encoding, it could be any random string, but the standard that 
currently defines CRAM-MD5 says that it is in the format of a Message-ID 
email header value (including angle brackets) and includes an arbitrary 
string of random digits, a timestamp, and the server's fully qualified 
domain name.



http://wiki.dovecot.org/Authentication/PasswordSchemes
For example if you're going to use CRAM-MD5 authentication, the
password needs to be stored in either PLAIN or CRAM-MD5 scheme
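CRAM-MD5 (RFC 2195) worked through by hand, to make concrete what the two sides of this exchange are arguing about: the response changes with every challenge and can never be stored, but the server can store the two MD5 states left after absorbing the padded key (the HMAC inner and outer contexts), which is what Dovecot's CRAM-MD5 password scheme holds. This is an added example, not Dovecot code; the user name, password and FQDN are constructed, and the RFC 2195 vector is the one from the RFC's own example.

```python
"""CRAM-MD5 challenge/response by hand (RFC 2195), server and client side.
Shows why only the keyed HMAC contexts, never the response, can be stored,
and that those contexts are password-equivalent for this mechanism: whoever
holds them can answer any challenge. Added example; not Dovecot code."""
import hashlib
import hmac
import secrets
import time

BLOCK = 64  # MD5 block size in bytes (HMAC pads the key to this)


def cram_contexts(password: bytes):
    """Derive the HMAC-MD5 inner and outer contexts from the password.
    These two states are what a 'CRAM-MD5' scheme entry represents: the key
    has been absorbed, the challenge has not been seen yet."""
    key = password if len(password) <= BLOCK else hashlib.md5(password).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def cram_response(contexts, challenge: bytes) -> str:
    """Finish the HMAC for one challenge. Works from the stored contexts
    alone, which is exactly why a stolen CRAM-MD5 entry must be treated
    like the plaintext password for this mechanism."""
    inner, outer = contexts
    inner = inner.copy()
    inner.update(challenge)
    outer = outer.copy()
    outer.update(inner.digest())
    return outer.hexdigest()


def make_challenge(fqdn: str) -> bytes:
    """Server side: a fresh Message-ID-shaped nonce as RFC 2195 describes
    (random digits, timestamp, server FQDN)."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{fqdn}>".encode()


def verify(stored_contexts, challenge: bytes, client_reply: str, user: str) -> bool:
    """Server side: check the client's 'user hexdigest' reply against the
    expected response for *this* challenge, in constant time."""
    try:
        name, digest = client_reply.split(" ", 1)
    except ValueError:
        return False
    expected = cram_response(stored_contexts, challenge)
    return name == user and hmac.compare_digest(expected, digest)


def rfc2195_vector() -> str:
    """Client response for the worked example in RFC 2195 (password
    'tanstaaftanstaaf'); expected digest b913a602c7eda7a495b4e6e7334d3890."""
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    return cram_response(cram_contexts(b"tanstaaftanstaaf"), chal)


def matches_stdlib_hmac(password: bytes, challenge: bytes) -> bool:
    """Cross-check the hand-rolled computation against hmac.new()."""
    ours = cram_response(cram_contexts(password), challenge)
    return ours == hmac.new(password, challenge, hashlib.md5).hexdigest()
```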






Re: Support for multiple passwords?

2015-03-18 Thread Reindl Harald


On 18.03.2015 at 20:40, Conrad Kostecki wrote:

Hi!
Currently, the passwords are stored in plaintext for my dovecot, as I am
still using cram-md5 AND digest-md5.
I have still to offer that, as I have some deprecated clients,
therefore, I am unable to hash at least those passwords for that accounts.

I've found on the Wiki:

In future it's possible that Dovecot could support multiple passwords
in different schemes for a single user.


Is there any news about this? Are there still any plans to support this
maybe in future?
For my understanding, that would solve my problem, that I could define a
password in both schemes (cram and digest) and don't have to use
plaintext password?


if you would read http://en.wikipedia.org/wiki/CRAM-MD5 and understand 
how CRAM-MD5 works you would know that you just can't store cram because 
the whole purpose is that it changes all the time






Re: v2.2.16 released

2015-03-13 Thread Reindl Harald


On 13.03.2015 at 11:23, Timo Sirainen wrote:

On 12 Mar 2015, at 21:09, Reindl Harald h.rei...@thelounge.net wrote:


/usr/lib64/dovecot/stats/libstats_mail.so

why in the world a new sub-directory containing just one so-file enforcing 
package builders to change SPEC files?


So that external plugins can add more files in there and extend the available 
statistics


but they can also go to /usr/lib64/dovecot/
http://fedoraproject.org/wiki/Packaging:Guidelines#Beware_of_Rpath

hence

cat /etc/ld.so.conf.d/dovecot-x86_64.conf
/usr/lib64/dovecot

i just rm -rf the folder and other stuff for private builds in 
environments where dovecot is running only as proxy


rm -rf %{buildroot}%{_sysconfdir}/%{name}/README \
 %{buildroot}%{_docdir}/%{name}-%{version} \
 %{buildroot}%{_includedir}/%{name}/ \
 %{buildroot}%{_mandir}/man1/ \
 %{buildroot}%{_mandir}/man7/ \
 %{buildroot}%{_datarootdir}/aclocal/ \
 %{buildroot}%{_bindir}/dsync \
 %{buildroot}%{_libdir}/%{name}/*_plugin.so \
 %{buildroot}%{_libdir}/%{name}/doveadm/*_plugin.so \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-lda.so \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-lda.so.0 \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-lda.so.0.0.0 \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-compression.so \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-compression.so.0 \
 %{buildroot}%{_libdir}/%{name}/lib%{name}-compression.so.0.0.0 \
 %{buildroot}%{_libdir}/%{name}/stats \
 %{buildroot}%{_libexecdir}/%{name}/%{name}-lda \
 %{buildroot}%{_libexecdir}/%{name}/gdbhelper \
 %{buildroot}%{_libexecdir}/%{name}/quota-status \
 %{buildroot}%{_libexecdir}/%{name}/deliver \
 %{buildroot}%{_libexecdir}/%{name}/lmtp





Re: How to detect out-of-sync condition

2015-03-13 Thread Reindl Harald


On 13.03.2015 at 14:29, Cliff Hayes wrote:

I looked in the place where dovecot logs everything ... the maillog.
I didn't see anything but the log is huge and I could have easily missed
it.
Is there a certain error or phrase I should look for?
If so please advise.


man grep

grep -i 'sync' maillog
grep -i 'fail' maillog
grep -i 'error' maillog
grep -i 'warn' maillog


On 3/13/2015 3:05 AM, Steffen Kaiser wrote:
On Thu, 12 Mar 2015, Cliff Hayes wrote:


I recently had a user whose mailbox had gone out of sync.


There are no log entries about broken sync or something like
that?






Re: doveconf -a Segmentation Fault

2015-03-12 Thread Reindl Harald


On 12.03.2015 at 15:07, Dan LaSota wrote:

Getting Segmentation Fault When I run doveconf -a


i don't

in other words: bad for you but what's the purpose of the information 
without any debugging like strace?






Re: location of dovecot.rawlog-directory

2015-03-12 Thread Reindl Harald



On 12.03.2015 at 15:18, Hardy Flor wrote:

I want running servers, not with each new version have to compile.


well, rpm-SPECs allow including of patches

if you rely on distribution packages you won't see an update even if 
upstream would introduce a config option for years



On 12.03.2015 at 12:07, Steffen Kaiser wrote:

Patch rawlog.c and recompile. :)






Re: v2.2.16 released

2015-03-12 Thread Reindl Harald

/usr/lib64/dovecot/stats/libstats_mail.so

why in the world a new sub-directory containing just one so-file 
enforcing package builders to change SPEC files?


On 12.03.2015 at 18:30, Timo Sirainen wrote:

http://dovecot.org/releases/2.2/dovecot-2.2.16.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.16.tar.gz.sig

A few fixes and some imapc improvements since the release candidate.

* dbox: Resyncing (e.g. doveadm force-resync) no longer deletes
  dovecot.index.cache file. The cache file was rarely the problem
  so this just caused unnecessary slowness.
* Mailbox name limits changed during mailbox creation: Each part of
  a hierarchical name (e.g. x or y in x/y) can now be up to 255
  chars long (instead of 200). This also reduces the max number of
  hierarchical levels to 16 (instead of 20) to keep the maximum name
  length 4096 (a common PATH_MAX limit). The 255 char limit is
  hopefully large enough for migrations from all existing systems.
  It's also the limit on many filesystems.

+ director: Added director_consistent_hashing setting to enable
  consistent hashing (instead of the mostly-random MD5 hashing).
  This causes fewer user moves between backends when backend counts
  are changed, which may improve performance (mainly due to caching).
+ director: Added support for tags, which allows one director ring
  to serve multiple backend clusters with different sets of users.
+ LMTP server: Added lmtp_user_concurrency_limit setting to limit how
  many LMTP deliveries can be done concurrently for a single user.
+ LMTP server: Added support for STARTTLS command.
+ If logging data is generated faster than it can be written, log a
  warning about it and show information about it in log process's
  process title in ps output. Also don't allow a single service to
  flood too long at the cost of delaying other services' logging.
+ stats: Added support for getting global statistics.
+ stats: Use the same session IDs as the rest of Dovecot.
+ stats: Plugins can now create their own statistics fields
+ doveadm server: Non-mail related commands can now also be used
  via doveadm server (TCP socket).
+ doveadm proxying: passdb lookup can now override doveadm_port and
  change the username.
+ doveadm: Search query supports now oldestonly parameter to stop
  immediately on the first non-match. This can be used to optimize:
  doveadm expunge mailbox Trash savedbefore 30d oldestonly
+ doveadm: Added save command to directly save mails to specified
  mailbox (bypassing Sieve).
+ doveadm fetch: Added body.snippet field, which returns the first
  100 chars of a message without whitespace or HTML tags. The result
  is stored into dovecot.index.cache, so it can be fetched efficiently.
+ dsync: Added -t timestamp parameter to sync only mails newer than
  the given received-timestamp.
+ dsync: Added -F [-]flag parameter to sync only mails with[out] the
  given flag/keyword.
+ dsync: Added -a mailbox parameter to specify the virtual mailbox
  containing user's all mails. If this mailbox is already found to
  contain the wanted mail (by its GUID), the message is copied from
  there instead of being re-saved. (This isn't efficient enough yet
  for incremental replication.)
+ dsync: -m parameter can now specify \Special-use names for mailboxes.
+ imapc: Added imapc_features=gmail-migration to help migrations from
  GMail. See http://wiki2.dovecot.org/Migration/Gmail
+ imapc: Added imapc_features=search to support IMAP SEARCH command.
  (Currently requires ESEARCH support from remote server.)
+ expire plugin: Added expire_cache=yes setting to cache most of the
  database lookups in dovecot index files.
+ quota: If overquota-flag in userdb doesn't match the current quota
  usage, execute a configured script.
+ redis dict: Added support for expiring keys (:expire_secs=n) and
  specifying the database number (:db=n)
- auth: Don't crash if master user login is attempted without
  any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
  sometimes if buffering was split in the middle of a UTF-8 character.
  This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
  UTF-8 text could have been truncated wrongly or the truncation may
  not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
  physical mailboxes could have caused crashes.





Re: libdriver_msql.so

2015-03-11 Thread Reindl Harald



On 11.03.2015 at 15:37 kaniggl wrote:

To make it clear, architecture is PowerPC 64bit
Then i installed dovecot via apt-get. But the file
/usr/lib/dovecot/modules/auth/libdriver_mysql.so
is missing.


install the sub-package dovecot-mysql and the next time *ask before* 
you ruin your system



So i compiled dovecot myself on this system and got a file
/usr/lib/dovecot/modules/auth/libdriver_mysql.so


stupid idea, i guess without installing the package properly


Mar 11 15:19:25 dadd3041 dovecot: auth: Error:
dlopen(/usr/lib/dovecot/modules/auth/libdriver_mysql.so) failed:
/usr/lib/dovecot/modules/auth/libdriver_mysql.so: wrong ELF class:
ELFCLASS32
Mar 11 15:19:25 dadd3041 dovecot: auth: Fatal: Unknown database driver
'mysql'


likely the result of mixing packages and self-compiling; instead use google
https://packages.debian.org/de/sid/dovecot-mysql





Re: libdriver_msql.so

2015-03-11 Thread Reindl Harald



On 11.03.2015 at 15:43 kaniggl wrote:

of course i installed dovecot-mysql before, but no file libdriver_msql.so
was in there


i doubt that you are the only person using debian with dovecot and mysql

however, that's not a dovecot question
ask on your OS list how to fix your ruined setup


2015-03-11 15:41 GMT+01:00 Reindl Harald h.rei...@thelounge.net:


On 11.03.2015 at 15:37 kaniggl wrote:


To make it clear, architecture is PowerPC 64bit
Then i installed dovecot via apt-get. But the file
/usr/lib/dovecot/modules/auth/libdriver_mysql.so
is missing.



install the sub-package dovecot-mysql and the next time *ask before* you
ruin your system

  So i compiled dovecot myself on this system and got a file

/usr/lib/dovecot/modules/auth/libdriver_mysql.so



stupid idea, i guess without installing the package properly

  Mar 11 15:19:25 dadd3041 dovecot: auth: Error:

dlopen(/usr/lib/dovecot/modules/auth/libdriver_mysql.so) failed:
/usr/lib/dovecot/modules/auth/libdriver_mysql.so: wrong ELF class:
ELFCLASS32
Mar 11 15:19:25 dadd3041 dovecot: auth: Fatal: Unknown database driver
'mysql'



likely the result of mixing packages and self-compiling; instead use google
https://packages.debian.org/de/sid/dovecot-mysql






Re: LMTP error: Too many concurrent deliveries for user (in reply to end of DATA command)

2015-03-06 Thread Reindl Harald


On 06.03.2015 at 14:59 Ralf Hildebrandt wrote:

* Reindl Harald dovecot@dovecot.org:


lmtp_destination_concurrency_limit on postfix side


It's not a postfix issue. postfix is merely reporting what Dovecot said


i know that on my own since i can read maillogs :-)
anyways, we have even used an lmtp concurrency level of 1 for years





Re: LMTP error: Too many concurrent deliveries for user (in reply to end of DATA command)

2015-03-06 Thread Reindl Harald


On 06.03.2015 at 14:44 Ralf Hildebrandt wrote:

I updated dovecot today and all over a sudden I'm getting:

Mar 6 14:40:46 mail postfix/lmtp[3150]: 3kz95y3nX3zCtTS: 
to=recipient@backup.invalid, relay=127.0.0.1[private/dovecot-lmtp],
delay=88, delays=87/0.94/0.01/0.01, dsn=4.3.0, status=deferred (host 
127.0.0.1[private/dovecot-lmtp] said: 451 4.3.0
recipient@backup.invalid Too many concurrent deliveries for user (in reply to 
end of DATA command))

Why is that? Which setting must I tweak?


lmtp_destination_concurrency_limit on postfix side

lmtp_destination_concurrency_limit = $default_destination_concurrency_limit

postconf -d default_destination_concurrency_limit
default_destination_concurrency_limit = 20

don't overload your storage by a high busy queue combined with too much 
parallel delivery to the mailstorage - things don't really get faster 
that way








Re: IP drop list

2015-03-05 Thread Reindl Harald



On 05.03.2015 at 20:23 @lbutlr wrote:

On 04 Mar 2015, at 21:46 , Jim Pazarena dove...@paz.bz wrote:

On 2015-03-02 2:02 AM, Jochen Bern wrote:

On 03/01/2015 08:53 AM, Jim Pazarena wrote:

I wonder if there is an easy way to provide dovecot a flat text file of
ipv4 #'s which should be ignored or dropped?

I have accumulated 45,000+ IPs which routinely try dictionary and
12345678 password attempts. The file is too big to create firewall
drops [...]


The inherent assumption here is that dovecot, using a flat file, will
be able to process the block list more effectively than the firewall,
which is a tool written for the *purpose* but supposedly unable to even
*try* due to the list's size. That sounds ... counterintuitive.


I am the original poster and just came back to this thread. When the
first couple replies were fail2ban I lost interest.


Why? Fail2ban is simple to install, simple to setup, and then (and here’s the 
best part) then you never have to look at it again


fail2ban is simple to install and to setup?

*lol* yes if you have 99% out-of-the-box distribution configurations, 
i gave it a try not so long ago and honestly the whole config snippets 
and log-parsing is a mess where i call it insane to give that stuff root 
permissions even on my private testserver






Re: RBL with stock Dovecot 2.2.15 (was Re: IP drop list)

2015-03-05 Thread Reindl Harald


On 05.03.2015 at 22:45 Steffen wrote:

Steffen Kaiser wrote:


passdb { driver = ipdeny args = host/matchpattern/action 
*** }


With next passdb{} as 1st in chain:

passdb {
   driver = checkpassword
   args = /tmp/chktst ip=%r service=%s
   result_success = continue
   result_failure = return-fail
}

and this script
BEGIN /tmp/chktst
#!/bin/bash

echo "$@" >> /tmp/chktst.log
# return OK
exit 0
# return FAIL
exit 1
END

I get the log entry:
ip=127.0.0.1 service=imap
/usr/local/dovecot-2.2.15/libexec/dovecot/checkpassword-reply

and with exit 0, the next passdb{} let me login, and with exit 1, all
logins fail.

So, with the current stock Dovecot you can make RBL calls and
decisions with a script. ;-)


* with a terrible overhead starting a full process
* no handling for DNS temp errors and so on
* i don't see any RBL handling above, you just call a random script





Re: IP drop list

2015-03-04 Thread Reindl Harald


On 04.03.2015 at 17:06 Jochen Bern wrote:

On 03/04/2015 05:03 AM, Earl Killian wrote:

I would like to reiterate Reindl Harald's point above, since subsequent
discussion has gotten away from it. If Dovecot had DNS RBL support
similar to Postfix, I think quite a few people would use it, and thereby
defeat the scanners far more effectively than any other method. It is
good that other people are suggesting things that will work today, but
in terms of what new feature would be the best solution, I can't think
of one better than a DNS RBL.


I've *seen* mailservers after an external DNSBL configured into them
became defunct or unreachable, and better, much less the best
solution, is not how *I* would rank the result in comparison to local
rate limiting. (Note that, unlike in the case of spam and SMTP, allowing
a couple POP/IMAP connection attempts until the limit strikes is
unlikely to become visible to the legit userbase.)

Which is not to say that such a feature should not be implemented -
after all, Jim said that he compiled the 45k list *himself*, so it would
be a *locally administered* DNSBL for him.


surely - and *that* was my whole point, nobody talked about using 
spamhaus or DUL RBL's on IMAP/POP3


my feature request last year was *because i have* already a rbldnsd 
which is used in postfix and on the webserver with mod_security, and i find 
it strange that i can't stop a dictionary attack faced on SMTP from 
continuing on POP3/IMAP after being locked out from postfix without writing 
firewall rules


the whole point of a *locally administered* RBL is that you don't need 
to care about how many mailservers you have and where they are, nor do you 
need to open security holes between them for sharing data



On 03/03/2015 10:43 PM, Reindl Harald wrote:

the problem is the "in a secure way"

that's not really possible when you mangle firewall rules which implies
root permissions - as an RBL request is just a DNS request which doesn't need
*any* permissions on the machine which does the request

the other problem is mangling firewall rules in the context of existing
infrastructures is error prone - you may interfere with existing rulesets
- it's a bad idea to start with


That's a lot of smoke you're blowing at a firewall that hasn't been
specified beyond it's *not* iptables.

FWIW, *if* it were iptables, something along the lines of -d myserver
--dport 993 --state NEW -j (NF)QUEUE would happily pass *only* the
incoming IMAPS connections to a decision-maker running in userspace.






Re: IP drop list

2015-03-04 Thread Reindl Harald


On 04.03.2015 at 20:12 Michael Orlitzky wrote:

On 03/03/2015 11:03 PM, Earl Killian wrote:

On 2015/3/2 10:03, Reindl Harald wrote:


that is all nice

but the main benefit of RBL's is always ignored:

* centralized
* no log parsing at all
* honeypot data are delivered to any host
* it's cheap
* it's easy to maintain
* it don't need any root privileges anywhere

we have a small honeypot network with a couple of ipranges detecting
mass port-scans and so on and this data are available *everywhere*

so if some IP hits there it takes 60 seconds and any service
supportings DNS blacklists can block them *even before* the bot hits
the real mailserver at all


I would like to reiterate Reindl Harald's point above, since subsequent
discussion has gotten away from it. If Dovecot had DNS RBL support
similar to Postfix, I think quite a few people would use it, and thereby
defeat the scanners far more effectively than any other method. It is
good that other people are suggesting things that will work today, but
in terms of what new feature would be the best solution, I can't think
of one better than a DNS RBL.


Please add this support to iptables instead of Dovecot. It's a waste of
effort to code it into every application that listens on the network.

Combined with --ctstate NEW and a chain for IMAP packets, it would be
no less efficient


you don't want a dns client in a kernel module with full permissions and 
you will never convince any sane kernel developer doing that nor does it 
much help for the users on a different operating system


dovecot is not linux only



 In the case of HTTP, IMAP, etc. things are not so easy.
 Just think about NAT and CGN

that doesn't matter

if i blacklist a client because he starts a dictionary attack in SMTP i 
want it also blocked on IMAP without using a dozen different tools, because 
the account password now caught via IMAP will be used to send spam 
later when the SMTP RBL entry expires


and frankly that 100% trustable RBL lives *before* 
permit_sasl_authenticated because it would be pointless anywhere else


ordinary blacklists are score based on the MX, that is a completely 
different machine with no business for POP3/IMAP or even outgoing mail






Re: IP drop list

2015-03-04 Thread Reindl Harald



On 04.03.2015 at 21:51 Oliver Welter wrote:

Please add this support to iptables instead of Dovecot. It's a
waste of
effort to code it into every application that listens on the network.


head explodes

Would you care to integrate it into IOS on my Cisco as well?

There are things connected to the Internet that aren't PCs running
Linux, you know.  It may be hard to accept, but that's the way it is.


I assume your dovecot runs on some kind of *nix


   Of course.  I run it under Solaris.


so there should be some
sort of netfilter available which you can put in front of your listening
ports.


   There is.  But I already have a firewall, running on bulletproof
hardware that doesn't depend on spinning disks.  I don't want to add
ANOTHER firewall when I already have a perfectly good one.  Besides, my
mail server is built for...serving mail.  Not being a firewall.


Well, from an academic point of view, a network service that denies
connection on the ip layer is also an ip firewall.


nonsense

a service using RBL's don't reject on IP layer





Re: IP drop list

2015-03-04 Thread Reindl Harald


On 04.03.2015 at 23:00 Felix Zandanel wrote:

I am not against block lists. I just say their use should be justified as they may 
decrease overall service quality as well. There is another solution for auth based 
services: As soon as you detect a possible attack (# auth reqs > x etc.), keep 
the connection open, slow it down and just never let it succeed regardless of the 
credentials provided. This is done on a per-connection basis. No block list 
needed. Can be accomplished with fail2ban and iptables and therefore uses minimal 
server resources.


well, i have iptables rate controls which block most dictionary attacks 
and small DOS-attacks perfectly well


but that won't change the fact that if from an IP address starts a large 
dictionary attack and that IP is a CGN it *would* affect users from the 
same IP anyways


and since this is fact it is reasonable to

* enter that IP in the webinterface feeding rbldnsd
* enter in the second field 1800 seconds or whatever value
* apply it that way for any service supporting RBL's
* release that lock automatically after X seconds

security and defense is always layered but such things don't work well 
if half of the mail-subsystems need special handling








Re: IP drop list

2015-03-03 Thread Reindl Harald


On 03.03.2015 at 22:31 Oliver Welter wrote:

I did a quick hack for exactly this purpose - send offending IPs from my
mail server to the firewall in a secure way. It's a python script that
uses the fail2ban syntax on the one end and feeds a (patched) pfSense on
the other end. You can find the scripts on github:
https://github.com/oliwel/fail2sense - be warned, it's a first draft -
but it does the job here...For the unblock feature you need this patch
against pfsense https://github.com/pfsense/pfsense/pull/1444/


the problem is the "in a secure way"

that's not really possible when you mangle firewall rules which implies 
root permissions - as an RBL request is just a DNS request which doesn't need 
*any* permissions on the machine which does the request


the other problem is mangling firewall rules in the context of existing 
infrastructures is error prone - you may interfere with existing rulesets - 
it's a bad idea to start with






Re: IP drop list

2015-03-02 Thread Reindl Harald


On 03.03.2015 at 00:45 Benny Pedersen wrote:

On March 2, 2015 10:50:59 PM Dave McGuire mcgu...@neurotica.com wrote:


On 03/02/2015 05:34 AM, Joseph Tam wrote:
 http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets


it's not a big hint it's not called denynets is it ?


  I myself just want a mechanism to deny certain IP addresses when I
spot them, regardless of the implementation.  But anything that offloads
my mail servers from anything that doesn't involve serving mail makes me
happy.


focus on not blocking 50 ips, but that users not have 50 ips


if the server is just for you, your brother and his wife


i will stop saying this again


better so





Re: IP drop list

2015-03-02 Thread Reindl Harald



On 02.03.2015 at 11:02 Jochen Bern wrote:

On 03/01/2015 08:53 AM, Jim Pazarena wrote:

I wonder if there is an easy way to provide dovecot a flat text file of
ipv4 #'s which should be ignored or dropped?

I have accumulated 45,000+ IPs which routinely try dictionary and
12345678 password attempts. The file is too big to create firewall
drops [...]


The inherent assumption here is that dovecot, using a flat file, will
be able to process the block list more effectively than the firewall,
which is a tool written for the *purpose* but supposedly unable to even
*try* due to the list's size. That sounds ... counterintuitive


* it's unmaintainable on firewall level
* it's a waste of resources because it is *packet based*
* hence a RBL would make so much more sense

for rbldnsd it doesn't matter if 100, 1000, 1, 1000 addresses or 
even cidr-ranges are listed because the check is always *one* cheap dns 
request for the IP connecting at the moment






Re: IP drop list

2015-03-02 Thread Reindl Harald



On 02.03.2015 at 08:38 Oliver Welter wrote:

I am really tired of reading this kind of complaints on OSS lists.


and because it's free everybody has to shut up?
that's your definition of free?
your definition is broken?

as said on another list:

if the developer of the OSS says "listen, i am not that interested but 
if you pay me € xyz i would include it" the chances are good that one or 
more people sponsor it - ignoring or complaining about feature requests doesn't 
help that much






Re: IP drop list

2015-03-02 Thread Reindl Harald


On 02.03.2015 at 10:06 Steffen Kaiser wrote:

If such plugin(?) is available, I would expect immediate complains, it
does not support:

+ local file lists with various sets of syntaxes
+ RBLs with a fine grained response matching
+ use the same RBL response for multiple match-action pairs


or it could work just with no config, unconditional and in front of any 
authentication, frankly even without any response - connection - RBL 
check - close connection, done


hence RBL's make sense in the core because *in front* of any other 
protocol specific code




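Three passages in this thread describe the same mechanism from different angles: Steffen's checkpassword experiment (with Reindl's objections that it handles no DNS temporary errors and contains no actual RBL logic), Steffen's list of what such a check would be expected to support (local file lists plus fine-grained RBL response matching), and Reindl's rbldnsd point that the lookup is always one DNS query no matter how many addresses or CIDR ranges are listed. The following Python example, added here and neither Dovecot's code nor the script from the thread, implements a client-IP policy hook along those lines. The exit-code convention follows what Steffen observed (exit 0 lets the next passdb continue, exit 1 fails the login); the zone name bl.example.invalid, the listing codes in LISTING_ACTIONS, the sample list and fake_resolver are all constructed for this example, and the mapping of socket.gaierror codes in live_resolver is a best-effort assumption.

```python
"""Client-IP policy check in the style of a checkpassword hook.

Added example, not Dovecot's code and not the script from the thread.
The DNSBL zone, the local list, the listing-code meanings and the
offline resolver are all constructed for illustration.
"""
import ipaddress
import socket
import sys
from typing import Callable, List, Optional

# Constructed sample of a local flat list: IPv4 addresses and CIDR
# ranges, one per line, '#' starts a comment.
SAMPLE_LIST = """
# constructed sample: hosts seen doing dictionary attacks
192.0.2.10
198.51.100.0/24
"""

DNSBL_ZONE = "bl.example.invalid"  # placeholder zone (e.g. one served by rbldnsd)

# Fine-grained response matching: the A record the zone answers with
# selects the action. Constructed codes; a real zone documents its own.
LISTING_ACTIONS = {
    "127.0.0.2": "reject",     # dictionary attack reported by the honeypot
    "127.0.0.3": "reject",     # mass port-scan source
    "127.0.0.10": "continue",  # informational listing only, never block on it
}


class TempFail(Exception):
    """Temporary DNS error (SERVFAIL, timeout): the list is unreachable."""


Resolver = Callable[[str], Optional[str]]  # name -> A record, None if NXDOMAIN


def load_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the flat list once; single addresses become /32 networks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_local_list(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def dnsbl_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reversed-octet query name, e.g. 10.2.0.192.bl.example.invalid.
    One lookup per connecting IP, whatever the size of the listed data."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example builds IPv4 query names only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decide(ip: str, nets, resolve: Resolver) -> str:
    """Return 'reject' or 'continue'. A temporary DNS error never rejects:
    an unreachable list must not lock out legitimate users."""
    if in_local_list(ip, nets):
        return "reject"
    try:
        answer = resolve(dnsbl_name(ip))
    except TempFail:
        return "continue"
    if answer is None:                 # NXDOMAIN: not listed
        return "continue"
    return LISTING_ACTIONS.get(answer, "continue")  # unknown code: do not block


def live_resolver(name: str) -> Optional[str]:
    """Real lookup with the standard library (needs network access).
    Assumption: EAI_NONAME means 'not listed', any other gaierror is temporary."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:
            return None
        raise TempFail(str(err))


def fake_resolver(name: str) -> Optional[str]:
    """Constructed stand-in so the example runs offline."""
    if name == dnsbl_name("203.0.113.5"):
        return "127.0.0.2"
    if name == dnsbl_name("203.0.113.6"):
        return "127.0.0.10"
    if name == dnsbl_name("203.0.113.7"):
        raise TempFail("SERVFAIL")
    return None


def main(argv) -> int:
    """checkpassword-style entry point with args like 'ip=%r service=%s':
    exit 0 lets the next passdb continue, exit 1 fails the login."""
    params = dict(arg.split("=", 1) for arg in argv[1:] if "=" in arg)
    nets = load_list(SAMPLE_LIST)
    verdict = decide(params.get("ip", "0.0.0.0"), nets, live_resolver)
    return 0 if verdict == "continue" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The local list is consulted first so that a listed address never triggers a DNS query, and the three DNS outcomes are kept apart on purpose: NXDOMAIN is "not listed", a known A record maps to an action, and SERVFAIL or a timeout falls through to "continue", which is the case Reindl pointed out the thread's script did not handle.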


Re: IP drop list

2015-03-02 Thread Reindl Harald


On 02.03.2015 at 10:33 Steffen Kaiser wrote:

hence RBL's make sense in the core because *in front* of any other
protocol specific code


That's TCP wrapper or a firewall, IMHO. (for a file list, not RBL).
However, there used to be a RBL patch for TCP wrapper and some
distribution provide other implementations of a TCP wrapper with RBL


TCP wrapper is dying (more and more software in distributions is built 
without tcpwrapper support, more and more upstream packages remove 
support, starting with openssh) and given that the author of tcpwrapper 
is the same person who wrote postfix, if it would not make sense in the 
mail-daemon itself you can be sure it would not be in postfix


one point is logging - frankly i want rejected mail connections in the 
maillog and not spread over the whole system logs


HEADSUP: OpenSSH 6.7 drops tcpwrapper support:
https://www.cygwin.com/ml/cygwin/2014-08/msg00345.html

https://rwmj.wordpress.com/tag/tcp-wrappers/





Re: IP drop list

2015-03-02 Thread Reindl Harald


On 02.03.2015 at 18:56 Robert Schetterer wrote:

perhaps and i mean really perhaps go this way

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

45K+ IPs will work in a recent table
i have them too but for smtp only like

echo 1000 > /sys/module/xt_recent/parameters/ip_list_tot

combine with geoip might be a good idea too

is ultra faster than fail2ban cause no log file parsing is needed

or another idea
you might test, configure a syslog filter pumping in a recent table the
direct way


that is all nice

but the main benefit of RBL's is always ignored:

* centralized
* no log parsing at all
* honeypot data are delivered to any host
* it's cheap
* it's easy to maintain
* it don't need any root privileges anywhere

we have a small honeypot network with a couple of ipranges detecting 
mass port-scans and so on and this data are available *everywhere*


so if some IP hits there it takes 60 seconds and any service supporting 
DNS blacklists can block them *even before* the bot hits the real 
mailserver at all








Re: Connect failed to database

2015-03-02 Thread Reindl Harald



On 02.03.2015 at 19:30 Dan LaSota wrote:

Just some quick ideas
* check if the mysql socket file has rw permissions for the dovecot user


# ls -l /var/lib/mysql/mysql.sock
srwxrwxrwx. 1 mysql mysql 0 Mar  1 19:33 /var/lib/mysql/mysql.sock


that's not the problem


I have tried with
connect = host=localhost dbname=servermail user='usermail' 
password='gjwslegosoghjshloehg$_jsdgh'
and
connect = host=127.0.0.1 dbname=servermail user='usermail' 
password='gjwslegosoghjshloehg$_jsdgh'

still doesn't work:
Mar  2 04:58:48 mail dovecot: auth-worker(5745): Error: mysql(127.0.0.1): 
Connect failed to database (servermail): Access denied for user 
'usermail'@'localhost' (using password: YES) - waiting for 1 seconds before 
retry


that is a pretty clear message

the username / password / host is wrong, fix your mysql permissions and 
keep in mind that localhost != 127.0.0.1 in that context


the user with that password from that host is not allowed - period





Re: Connect failed to database

2015-03-02 Thread Reindl Harald



On 02.03.2015 at 19:53 Dan LaSota wrote:


still doesn't work:
Mar  2 04:58:48 mail dovecot: auth-worker(5745): Error: mysql(127.0.0.1): 
Connect failed to database (servermail): Access denied for user 
'usermail'@'localhost' (using password: YES) - waiting for 1 seconds before 
retry


that is a pretty clear message

the username / password / host is wrong, fix your mysql permissions and keep in 
mind that localhost != 127.0.0.1 in that context


which is the preferred address: localhost or 127.0.0.1 ?


depends

if you prefer unix sockets: localhost
if you prefer TCP: 127.0.0.1


the user with that password from that host is not allowed - period


Then why can I use the same credentials to log into mysql from the command 
line? Like so:

# mysql -u mailuser -h localhost -p


that is unix-socket, -h 127.0.0.1 would be TCP

just use host=/var/lib/mysql/mysql.sock or wherever your socket lives 
or give the 127.0.0.1 user the same permissions - these are mysql basics







Re: IP drop list

2015-03-01 Thread Reindl Harald


On 01.03.2015 at 23:16 Dave McGuire wrote:

On 03/01/2015 04:25 AM, Reindl Harald wrote:

I wonder if there is an easy way to provide dovecot a flat text
file of ipv4 #'s which should be ignored or dropped?

I have accumulated 45,000+ IPs which routinely try dictionary
and 12345678 password attempts. The file is too big to create
firewall drops, and I don't want to compile with wrappers *if*
dovecot has an easy ability to do this. If dovecot could parse a
flat text file of IPs and drop connections it would sure put a
dent in these attempts.


hence i asked months ago for RBL support because such lists are easy
to feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no
reply other than "use fail2ban" and what not, irrelevant if there is already
a local dnsbl

i guess for a C-programmer it takes not much more than 10 minutes to
include a config option to list rbl servers and close connections
based on the DNS responses


   I've been asking for this off-and-on for years, and people
immediately parrot back "just use fail2ban".  I think fail2ban is a
nice idea and all, but that suggestion assumes that I use iptables (I
don't), I run firewalls on my servers (I don't; I run them on routers)
and that I run Linux on my mail server (I don't).

   The other side of this equation, Postfix, has had this capability
for years.  Why it hasn't been added to dovecot is a mystery.  It's
the only thing (really, the ONLY thing!) that I dislike about dovecot


even if you use Linux, Firewalls and what not

* postfix supports RBL's in several ways on the MTA
* mod_security and so webservers support RBL's
* RBL's are *centralized*
* DNS queries, especially in a LAN, are cheap

everybody answering with "fail2ban" if someone asks for RBL support has no 
clue what he is talking about because he did not get the question







Re: IP drop list

2015-03-01 Thread Reindl Harald



On 02.03.2015 at 00:08 Benny Pedersen wrote:

On March 1, 2015 10:26:40 AM Reindl Harald h.rei...@thelounge.net wrote:


i guess for a C-programmer it takes not much more than 10 minutes to
include a config option to list rbl servers and close connections based
on the DNS responses


close pop3, set imap to listen only on the lo interface, setup webmail with
smtp auth, now then in apache install mod geoip, and only allow
countries with users in


what a foolish trolling as usual from you





Re: IP drop list

2015-03-01 Thread Reindl Harald



On 01.03.2015 at 08:53 Jim Pazarena wrote:

I wonder if there is an easy way to provide dovecot a flat text file of
ipv4 #'s which should be ignored or dropped?

I have accumulated 45,000+ IPs which routinely try dictionary and
12345678 password attempts. The file is too big to create firewall
drops, and I don't want to compile with wrappers *if* dovecot has an
easy ability to do this. If dovecot could parse a flat text file of IPs
and drop connections it would sure put a dent in these attempts.


hence i asked months ago for RBL support because such lists are easy to 
feed into http://www.corpit.ru/mjt/rbldnsd.html - sadly i got no reply 
other than "use fail2ban" and what not, irrelevant if there is already a local dnsbl


i guess for a C-programmer it takes not much more than 10 minutes to 
include a config option to list rbl servers and close connections based 
on the DNS responses






Re: Conditional SASL authentication

2015-02-24 Thread Reindl Harald



On 24.02.2015 at 19:37 Adrian Minta wrote:

On 24.02.2015 20:29, Reindl Harald wrote:


don't allow senders which you would not receive mail for - period


Seems interesting, at least until the bots adapt to this.
Any idea how could this be implemented?


with the configuration i have posted in that thread?

for me that was a prerequisite before even consider put my first 
mailserver setup on a public IP and that's enforced even on any 
webserver here by shared database tables






Re: Conditional SASL authentication

2015-02-24 Thread Reindl Harald


On 24.02.2015 at 18:28 Luciano Mannucci wrote:

I have a few users that are often hit by a trojan virus that steals
e-mail user and password. Having a very little (if not null) power on
their machines, I need to be able to block the outgoing mail wich is
handled by postfix via dovecot SASL.
Blocking it at dovecot level would be optimal, for the virus doesn't
necessarily use the e-mail of the user as its from, just the user and
password for the authentication phase.

Is it feasible?


not sure what you try to achieve

* if you change the pwd SASL auth is taken away
* if you don't want to enforce SASL per IP, mynetworks is your friend

but nobody really wants to place foreign machines in mynetworks and 
allow to send mail unauthenticated from a machine he doesn't own - and if 
it is only because in most configurations more restrictions than with 
SASL are bypassed


it's anyways not a dovecot question





Re: Conditional SASL authentication

2015-02-24 Thread Reindl Harald


On 24.02.2015 at 18:28 Luciano Mannucci wrote:

for the virus doesn't necessarily use the e-mail of the
user as its from, just the user and password for the
authentication phase


so you allow random envelope senders on your servers?
why?

smtpd_recipient_restrictions = permit_mynetworks
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unlisted_sender
 reject_authenticated_sender_login_mismatch
 permit_sasl_authenticated
 reject





Re: Conditional SASL authentication

2015-02-24 Thread Reindl Harald


Am 24.02.2015 um 19:04 schrieb Luciano Mannucci:

On Tue, 24 Feb 2015 18:56:03 +0100
Reindl Harald h.rei...@thelounge.net wrote:


* if you change the pwd SASL auth is taken away

True.
But this way the user will be unable to read his/her mail, including
my message saying Hey, you've got a new virus!


if the account is compromised the password *must be changed* and the 
user contacted on a different channel - otherwise you risk the hijacking of his 
other accounts connected to the mail address and a ton of additional damage






Re: Conditional SASL authentication

2015-02-24 Thread Reindl Harald


Am 24.02.2015 um 19:20 schrieb Luciano Mannucci:

On Tue, 24 Feb 2015 19:00:32 +0100
Reindl Harald h.rei...@thelounge.net wrote:


so you allow random envelope senders on your servers?
why?

I know it is not necessarily a good idea... :)
It is basically to allow fake home addresses from the office for some
managers.


don't allow senders which you would not receive mail for - period

especially don't allow fakes - if your machine spews a large amount of 
mail here that doesn't bypass sender verification because there is no SPF, 
you would get blocked unconditionally, IP based



Thanks for the smtpd_recipient_restrictions list, it sounds interesting!


it's for submission only!





Re: Conditional SASL authentication

2015-02-24 Thread Reindl Harald



Am 24.02.2015 um 19:48 schrieb Adrian Minta:

On 24.02.2015 20:40, Reindl Harald wrote:



Am 24.02.2015 um 19:37 schrieb Adrian Minta:

On 24.02.2015 20:29, Reindl Harald wrote:


don't allow senders which you would not receive mail for - period


Seems interesting, at least until the bots adapt to this.
Any idea how could this be implemented?


with the configuration i have posted in that thread?

for me that was a prerequisite before even consider put my first
mailserver setup on a public IP and that's enforced even on any
webserver here by shared database tables


Oops ... sorry, reject_authenticated_sender_login_mismatch from
smtpd_sender_restrictions ofc.
I was thinking about not accepting mails from users/ip which don't do at
least one pop3 or imap read before sending


pop-before-smtp was a completely broken idea 15 years ago and is even 
more so now, with a ton of clients behind carrier-grade NAT (mobile 
devices and all that stuff)


* implement SMTP auth properly
* enforce SMTP auth unconditionally
* don't allow foreign sender domains

if you can't do these 3 things, don't run a public mailserver



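The submission restriction list posted earlier in this thread, together with the three rules just given, modeled as a small Python evaluator (an added example, not Postfix code and not from the thread): it walks the restrictions in the posted order with Postfix's first-OK-or-REJECT-wins semantics, so the effect of placing reject_authenticated_sender_login_mismatch before permit_sasl_authenticated is visible. The networks, local address table and sender-login map are constructed sample data, and the login-map lookup is exact-address only (real Postfix also tries partial keys).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed sample data standing in for mynetworks, the local address
# table and smtpd_sender_login_maps; none of these values come from the thread.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}
LOCAL_ADDRESSES = {"alice@example.com", "boss@example.com"}
# sender address -> set of SASL logins that own it (smtpd_sender_login_maps)
SENDER_LOGIN_MAP = {
    "alice@example.com": {"alice"},
    "boss@example.com": {"boss", "assistant"},
}


@dataclass
class Session:
    client_ip: str
    sender: str                      # MAIL FROM, without angle brackets
    recipient: str                   # RCPT TO
    sasl_username: Optional[str] = None


Verdict = Optional[str]              # "OK", "REJECT" or None (Postfix DUNNO)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _is_fqdn(addr: str) -> bool:
    dom = _domain(addr)
    return "." in dom and dom == dom.strip(".")


def permit_mynetworks(s: Session) -> Verdict:
    ip = ip_address(s.client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def reject_non_fqdn_recipient(s: Session) -> Verdict:
    return None if _is_fqdn(s.recipient) else "REJECT"


def reject_non_fqdn_sender(s: Session) -> Verdict:
    return None if _is_fqdn(s.sender) else "REJECT"


def reject_unlisted_sender(s: Session) -> Verdict:
    # Only senders in a domain this server is responsible for are checked;
    # a foreign sender domain passes this restriction untouched.
    if _domain(s.sender) in LOCAL_DOMAINS and s.sender.lower() not in LOCAL_ADDRESSES:
        return "REJECT"
    return None


def reject_authenticated_sender_login_mismatch(s: Session) -> Verdict:
    # Applies to SASL-authenticated clients only: the login must own the
    # MAIL FROM address.  A sender the map does not know (foreign domain)
    # has no owner, so an authenticated client is rejected for it.
    if s.sasl_username is None:
        return None
    owners = SENDER_LOGIN_MAP.get(s.sender.lower(), set())
    return None if s.sasl_username in owners else "REJECT"


def permit_sasl_authenticated(s: Session) -> Verdict:
    return "OK" if s.sasl_username else None


def reject(s: Session) -> Verdict:
    return "REJECT"


# The list exactly as posted for the submission service, in that order.
SUBMISSION_RESTRICTIONS: List[Callable[[Session], Verdict]] = [
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject,
]


def evaluate(s: Session, restrictions=SUBMISSION_RESTRICTIONS) -> Tuple[str, str]:
    """Return (verdict, name of the restriction that decided it)."""
    for check in restrictions:
        verdict = check(s)
        if verdict is not None:
            return verdict, check.__name__
    return "OK", "end-of-list"       # Postfix permits when the list is exhausted


if __name__ == "__main__":
    cases = [
        Session("192.0.2.10", "anything@example.net", "bob@example.net"),
        Session("203.0.113.5", "alice@example.com", "bob@example.net", "alice"),
        Session("203.0.113.5", "boss@example.com", "bob@example.net", "alice"),
        Session("203.0.113.5", "alice@mail.example", "bob@example.net", "alice"),
        Session("203.0.113.5", "alice@example.com", "bob@example.net"),
    ]
    for c in cases:
        print(c.sasl_username, c.sender, "->", evaluate(c))
```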


Re: Bug#776094: dovecot-imapd: corrupts mailbox after trying to retrieve it (fwd)

2015-02-20 Thread Reindl Harald


Am 20.02.2015 um 15:03 schrieb Charles Marcus:

On 2/19/2015 4:34 PM, Santiago Vila sanv...@unex.es wrote:

In such case we would love to know what is the commit that fixed this,
so that we can apply it to the 2.2.13 version in Debian. We have
frozen the distribution as we are about to release jessie as Debian 8,
so no new upstream releases are allowed anymore.


I have NEVER understood the rationale for doing this for MINOR release.

Major releases/updates, sure, I understand completely, but minor
releases? It is far too much pain for far too little gain imnsho...


that's a political decision to not break workarounds because someone 
removes a bug you worked around, or even not to break stupid software relying 
on the behavior of bugs :-)


and to make web-developers' lives harder because params in PHP which help 
to prepare the upgrade to >= 5.4 and are present for many years in 5.3.x are 
not available on Debian systems






Re: how to run dovecot imap on separate server from postfix?

2015-02-18 Thread Reindl Harald


Am 18.02.2015 um 18:15 schrieb Robert Fantini:

I'm trying to figure out the exact line to put to /etc/postfix/main.cf

for local lmtp deliver we use:
mailbox_transport = *lmtp:unix:private/dovecot-lmtp*

for remote  it is supposed to be:* lmtp:host:port*

yet at the remote  lmtp does not use ports.  UNIX domain sockets are used
instead


so just configure dovecot lmtpd to listen on a TCP port, port 24 is 
reserved for that - and don't open the port for any other machine than the 
postfix server


[harry@srv-rhsoft:~]$ cat /etc/services | grep -i lmtp
lmtp            24/tcp                          # LMTP Mail Delivery
lmtp            24/udp                          # LMTP Mail Delivery






Re: how to run dovecot imap on separate server from postfix?

2015-02-18 Thread Reindl Harald



Am 18.02.2015 um 18:20 schrieb Reindl Harald:


Am 18.02.2015 um 18:15 schrieb Robert Fantini:

I'm trying to figure out the exact line to put to /etc/postfix/main.cf

for local lmtp deliver we use:
mailbox_transport = *lmtp:unix:private/dovecot-lmtp*

for remote  it is supposed to be:* lmtp:host:port*

yet at the remote  lmtp does not use ports.  UNIX domain sockets are used
instead


so just configure dovecot lmtpd to listen on a TCP port, port 24 is
reserved for that - and don't open the port for any other machine than the
postfix server

[harry@srv-rhsoft:~]$ cat /etc/services | grep -i lmtp
lmtp            24/tcp                          # LMTP Mail Delivery
lmtp            24/udp                          # LMTP Mail Delivery


and since i already answered the same question on the postfix list

http://wiki2.dovecot.org/LMTP
http://www.postfix.org/lmtp.8.html





Re: how to run dovecot imap on separate server from postfix?

2015-02-18 Thread Reindl Harald



Am 18.02.2015 um 20:07 schrieb Robert Fantini:

OK I got delivery from postfix to lmtp working,

  by changing from unix_listener to inet_listener.


Reindl wrote "don't open the port for any other machine than the postfix
server"
I see that is important.. I assume that is just a firewall setting? Or
does the 'address' line in inet_listener lmtp have something to do with
it?


firewall, as long as you don't have more than one network card and the 
interface dovecot is listening on is only reachable from the postfix server


even then: *always* restrict the packet filter, sooner or later somebody 
will change something without realizing the impact and hence when it comes 
to security put at least 2 safety nets in front of server ports



On Wed, Feb 18, 2015 at 12:37 PM, Reindl Harald h.rei...@thelounge.net
wrote:




Am 18.02.2015 um 18:20 schrieb Reindl Harald:



Am 18.02.2015 um 18:15 schrieb Robert Fantini:


I'm trying to figure out the exact line to put to /etc/postfix/main.cf

for local lmtp deliver we use:
mailbox_transport = *lmtp:unix:private/dovecot-lmtp*

for remote  it is supposed to be:* lmtp:host:port*

yet at the remote  lmtp does not use ports.  UNIX domain sockets are used
instead



so just configure dovecot lmtpd to listen on a TCP port, port 24 is
reserved for that - and don't open the port for any other machine than the
postfix server

[harry@srv-rhsoft:~]$ cat /etc/services | grep -i lmtp
lmtp            24/tcp                          # LMTP Mail Delivery
lmtp            24/udp                          # LMTP Mail Delivery



and since i already answered the same question on the postfix list

http://wiki2.dovecot.org/LMTP
http://www.postfix.org/lmtp.8.html






Re: how to run dovecot imap on separate server from postfix?

2015-02-17 Thread Reindl Harald


Am 17.02.2015 um 22:29 schrieb Robert Fantini:

  we are using version 2.2.13 on debian.

  currently imap  runs on the same system as  postfix , spamassassin and
other mail related software.

  I'd like to move dovecot imapd  and mail storage  to its own system.

  I've searched google and the wiki and could not see how to do so.

  could someone please point me in the direction to get that done?  I like
reading documentation..

here is more info on our set up:

postfix:
# grep dovecot /etc/postfix/*
/etc/postfix/main.cf:mailbox_transport = lmtp:unix:private/dovecot-lmtp
/etc/postfix/main.cf:smtpd_sasl_type = dovecot


just configure postfix to use lmtp:host:port of the dovecot machine





Re: how to run dovecot imap on separate server from postfix?

2015-02-17 Thread Reindl Harald


Am 17.02.2015 um 22:51 schrieb Robert Fantini:

I want to make sure that the postfix delivery does not give up trying to
get the email delivered when the  lmtp host is not reachable.  I do not
just want to assume that the default settings are correct for us.

Are there  postfix or other settings which can be checked and adjusted?


postfix was *not* written by a moron and hence in any case any mail in 
the queue will be re-tried until maximal_queue_lifetime is reached


there is no difference whether lmtp is a unix socket or on the network, 
because nobody can say for sure that the lmtpd on localhost is reachable 
365/7/24, and hence any sane MTA handles errors properly



On Tue, Feb 17, 2015 at 4:37 PM, Reindl Harald h.rei...@thelounge.net
wrote:


Am 17.02.2015 um 22:29 schrieb Robert Fantini:

we are using version 2.2.13 on debian.


   currently imap  runs on the same system as  postfix , spamassassin and
other mail related software.

   I'd like to move dovecot imapd  and mail storage  to its own system.

   I've searched google and the wiki and could not see how to do so.

   could someone please point me in the direction to get that done?  I like
reading documentation..

here is more info on our set up:

postfix:
# grep dovecot /etc/postfix/*
/etc/postfix/main.cf:mailbox_transport = lmtp:unix:private/dovecot-lmtp
/etc/postfix/main.cf:smtpd_sasl_type = dovecot



just configure postfix to use lmtp:host:port of the dovecot machine






Re: /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism

2015-02-16 Thread Reindl Harald
you can typically cat all the stuff into the same PEM file and use that 
file for all related configuration options - since each part has a 
-BEGIN and -END section the chances are high that the software 
doesn't need to support it explicitly but the TLS layer picks the right 
thing (that's a very non-technical wording by intention)


Am 16.02.2015 um 16:42 schrieb dove...@lists.killian.com:

Thanks for the note. I had never seen anything in the postfix and apache 
documentation that the CRLs could be intermingled with the CRTs in the CRT 
file. The documentation for those programs suggests putting the CRLs in a 
separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting 
CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put 
them all in one file for those programs, that's good to know.

On 2015/2/16 07:23, Reindl Harald wrote:


Am 16.02.2015 um 15:53 schrieb dove...@lists.killian.com:

Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's 
needs are a bit different from other software, and so it is unclear whether the 
files won't be unique to it. For example, I haven't seen the following before I 
read it on the Dovecot wiki:

The CA file should contain the certificate(s) followed by the matching CRL(s). 
Note that the CRLs are required to exist. For a multi-level CA place the 
certificates in this order:

  Issuing CA cert
  Issuing CA CRL
  Intermediate CA cert
  Intermediate CA CRL
  Root CA cert
  Root CA CRL


that is how you can and should build your PEM files for *every* SSL aware 
software, Apache and Postfix are happy with exactly that format

i go even so far as to include the CDHE and DHE params there, which means that 
with a recent httpd you can make DHE compatible with most clients even if your 
RSA certificate is 4096 Bit (read the hint about 2.4.7 or later at 
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile if you 
want to know why)

there is also no need to place those certs below /etc/dovecot at all nor have 
them readable for anybody but root, we have our wildcard certificate in a 
unique location synced to all servers offering SSL and again Dovecot, Postfix 
and Apache are happy to read the root-only PEM files at startup and that's 
it






Re: /etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism

2015-02-16 Thread Reindl Harald


Am 16.02.2015 um 15:53 schrieb dove...@lists.killian.com:

Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's 
needs are a bit different from other software, and so it is unclear whether the 
files won't be unique to it. For example, I haven't seen the following before I 
read it on the Dovecot wiki:

The CA file should contain the certificate(s) followed by the matching CRL(s). 
Note that the CRLs are required to exist. For a multi-level CA place the 
certificates in this order:

 Issuing CA cert
 Issuing CA CRL
 Intermediate CA cert
 Intermediate CA CRL
 Root CA cert
 Root CA CRL


that is how you can and should build your PEM files for *every* SSL 
aware software, Apache and Postfix are happy with exactly that format


i go even so far as to include the CDHE and DHE params there, which means 
that with a recent httpd you can make DHE compatible with most clients 
even if your RSA certificate is 4096 Bit (read the hint about 2.4.7 or 
later at 
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile if 
you want to know why)


there is also no need to place those certs below /etc/dovecot at all nor 
have them readable for anybody but root, we have our wildcard 
certificate in a unique location synced to all servers offering SSL and 
again Dovecot, Postfix and Apache are happy to read the root-only 
PEM files at startup and that's it




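A layout check for the combined PEM bundle discussed in the two posts above (an added example, not from the thread and not Dovecot code): it splits a PEM file into its labelled blocks and verifies that every CA certificate is immediately followed by a CRL, from issuing CA up to root, while tolerating extra blocks such as the DH parameters the poster keeps in the same file. The sample bundle is constructed with placeholder bodies; checking that each CRL was really issued by the preceding certificate would need openssl or a certificate library and is out of scope here.

```python
import re
from typing import List

# One PEM block: the label on the BEGIN line must be repeated on the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

CHAIN_LABELS = ("CERTIFICATE", "X509 CRL")


def pem_labels(text: str) -> List[str]:
    """Labels of all PEM blocks in file order, e.g. ['CERTIFICATE', 'X509 CRL', ...]."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_ca_bundle_order(text: str) -> List[str]:
    """Return a list of layout problems; empty means every CA level follows
    the cert-then-CRL pattern from the wiki quote.  Other block types (DH
    parameters, private keys) are ignored; issuer/subject relations are
    not verified."""
    chain = [label for label in pem_labels(text) if label in CHAIN_LABELS]
    if not chain:
        return ["no CERTIFICATE or X509 CRL blocks found"]
    problems: List[str] = []
    i, level = 0, 0
    while i < len(chain):
        if chain[i] != "CERTIFICATE":
            problems.append(f"block {i}: CRL without a preceding certificate")
            i += 1
            continue
        if i + 1 < len(chain) and chain[i + 1] == "X509 CRL":
            i += 2                      # certificate and its CRL: fine
        else:
            problems.append(f"CA certificate #{level} is not followed by its CRL")
            i += 1
        level += 1
    return problems


def _block(label: str, body: str) -> str:
    # Constructed placeholder block; the body is not real base64/DER data.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed three-level bundle in the order quoted from the Dovecot wiki,
# plus DH parameters as the poster keeps them in the same file.
GOOD_BUNDLE = (
    _block("CERTIFICATE", "ISSUING-CA-PLACEHOLDER")
    + _block("X509 CRL", "ISSUING-CRL-PLACEHOLDER")
    + _block("CERTIFICATE", "INTERMEDIATE-CA-PLACEHOLDER")
    + _block("X509 CRL", "INTERMEDIATE-CRL-PLACEHOLDER")
    + _block("CERTIFICATE", "ROOT-CA-PLACEHOLDER")
    + _block("X509 CRL", "ROOT-CRL-PLACEHOLDER")
    + _block("DH PARAMETERS", "DH-PLACEHOLDER")
)

# The same bundle with the intermediate CRL left out (the wiki says CRLs
# are required to exist).
MISSING_CRL_BUNDLE = GOOD_BUNDLE.replace(
    _block("X509 CRL", "INTERMEDIATE-CRL-PLACEHOLDER"), ""
)

if __name__ == "__main__":
    print(pem_labels(GOOD_BUNDLE))
    print(check_ca_bundle_order(GOOD_BUNDLE))
    print(check_ca_bundle_order(MISSING_CRL_BUNDLE))
```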


Re: Server switching

2015-02-10 Thread Reindl Harald


Am 10.02.2015 um 16:35 schrieb The Doctor:

Quick question.

We are using both IMAP and POP#.

Question :
how can you avoid retrieving an e-mail that has been already retrieved?


by just rsyncing the complete data from the old to the new server

* first rsync hot while services are running
* stop services
* second rsync only transfers the differences
* DNS and/or IP change
* start services on the new server

the clients don't know anything about that






Re: Postfix , Dovecot the Spam fight

2015-02-09 Thread Reindl Harald


Am 09.02.2015 um 22:29 schrieb Leander Schäfer:

I'm currently busy with a substitution of my current mail server. I'm
currently using

  * Clam-SMTP and
  * SpamAssassin

to fight Spam. I wonder if it is worth implementing AmaViS with
SpamAssassin backend instead and also using AmaViS to speak to clamd
directly. But I more and more wonder whether AmaViS is even worth it?! It
currently looks to me as if AmaViS is eating LOTS of resources and it
is very uncomfortable for automated installations if you have to do
dynamic batch changes on the AmaViS configs - sed(1) is your friend but
this hectic escaping and workarounds is really not sustainable to
maintain.

So my question is: Does AmaViS have any advantages compared to the
current setup? I don't seem to find lots of qualified discussions for
this on the net. The AmaViS related articles I found are freaking old.
Would be nice to get your best practice as a change


i don't see advantages but issues, if you ask something on the SA list 
and finally find out that amavis handles configurations differently


resource usage is mostly the same, amavis is only the glue
the hard work is done anyways by spamassassin and clamav

for both milters exist so you can reject spam instead of only flagging and 
delivering or, even worse, silently discarding it - not a real problem with 
postscreen and RBL scoring in front, happily running here since 2014/08 
with zero load even at peaks of 400 junk attempts per minute


smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock, unix:/run/clamav-milter/clamav-milter.socket






Re: TLS config check

2015-02-06 Thread Reindl Harald


Am 06.02.2015 um 23:13 schrieb SW:

  According to https://cipherli.st/

ssl = yes
ssl_cert = /etc/dovecot.cert
ssl_key = /etc/dovecot.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes # Dovecot 2.2.6
Is what you want.


Ok, so I have changed my ssl_cipher_list to: ssl_cipher_list =
AES128+EECDH:AES128+EDH

Before I made this change clients were connecting with the following
cipher in the log file:

ECDHE-ECDSA-AES256-SHA (256/256 bits)

After the change the log now says:

ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)

Is this an improvement (or more secure) despite going from 256bits to
128bits?


yes it is, because AES-GCM is currently the best cipher suite while there 
is no point in AES256; if AES128 falls then it likely affects 
AES256 too, and according to Bruce Schneier years ago AES128 has even 
fewer problems than AES256 (too lazy to google it again)






Re: auth: Warning: DNS lookup took 1.550 s

2015-02-04 Thread Reindl Harald
how do you come to the conclusion that it matters how busy this server 
is? jesus christ, you are asking *remote servers* for their answers and 
the request as well as the answer passes different routers, ISPs and 
likely a *chain of forwarders* unless you do the recursion on your own, and 
even if you do you have no control over how overloaded one of the networks 
between you and the auth dns server or this server itself is


*any* of the involved forwarders, networks and auth nameservers is 
responsible for the time to resolve your query


frankly, "I see around 5-6 times per day the following warning" as the reason 
for writing a mail, and continuing to insist the problem is on your side, shows 
missing network understanding


Am 04.02.2015 um 17:48 schrieb ML mail:

Thanks for your comments. I understand as DNS uses UDP that there could be some 
DNS queries which might get lost if the CPU or network is too busy but the 
thing is that this server is not so busy really. It has 2 cores with 4 GB of 
RAM and the CPU averages to 2% usage. The network averages to 1 Mbit/s traffic 
and there are around 600-700 processes running for 1100 mailboxes. Note here 
that this server is simply a proxy server, mailboxes are located on a separated 
server on the same LAN, the same applies to the database which has its own 
server too. These are all virtual machines by the way.

I am not running a local DNS cache on the server. As suggested using a local 
DNS cache would simply fix this issue but I am more interested to know what is 
generating these slow DNS queries...

On Wednesday, February 4, 2015 2:59 PM, LuKreme krem...@kreme.com wrote:
On 04 Feb 2015, at 03:38 , ML mail mlnos...@yahoo.com wrote:

I am running a dovecot and proxy server on two different virtual machines and 
on the dovecot proxy server I see around 5-6 times per day the following 
warning:

Feb 03 16:15:12 auth: Warning: 
proxy(em...@domain.com,xxx.xxx.xxx.xxx,ABC123456789): DNS lookup for 
mailboxserver.domain.com took 1.550 s


If you are seeing a warning that DNS lookup took 1.5 seconds 5-6 times a day, 
why are you concerned?


I do not really understand how from time to time DNS queries are slow,


Because from time to time, queries are slow. A hiccough in the line, the server 
is slightly busy doing something else. There’s a lot of bandwidth during those 
1.5 seconds being used. It could be anything. If you were seeing hundreds of 
these warning, or if the times were over 5 seconds, then I’d worry.



I tried replicate this issue using dig to resolve the same DNS entry and it was 
always very fast. Is there any way I can debug better this issue? or is this 
nothing to worry about really?


I would not worry about it based on these numbers






Re: quote strings passed to sql

2015-02-02 Thread Reindl Harald


Am 02.02.2015 um 18:07 schrieb Juan Bernhard:

Hello list. I'm thinking to migrate the whole user db from system users
to mysql. I already did it in a test environment, but something is
annoying my OCD... I don't quote the variables username and password
sent to the mysql server. I know, the mysql user that dovecot uses only
has select rights, but it still bothers me, because it's possible to do
a useless sql code injection.

Is there a way to quote that? Something like exim's quote_mysql?


there is not much to quote when dovecot accepts only a limited set of 
chars at all and otherwise doesn't send any query


auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation = %@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz




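The two settings above, as an added Python model (not Dovecot's own code): the pairwise translation is applied, then every character is checked against auth_username_chars, so a login name carrying a quote, backslash or semicolon never reaches the password_query. The query template and the test inputs are constructed; with these particular settings the order of translation and check does not change the result, since both % and @ and both letter cases are in the allowed set.

```python
from typing import Dict, Optional, Set

# The two values exactly as posted.
AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%"
)
# Pairs: each character is followed by its replacement (% -> @, A -> a, ...).
AUTH_USERNAME_TRANSLATION = "%@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz"

# Constructed password_query in the usual Dovecot SQL passdb style (not from the thread).
PASSWORD_QUERY = "SELECT password FROM users WHERE userid = '%u'"


def translation_table(spec: str = AUTH_USERNAME_TRANSLATION) -> Dict[str, str]:
    """Turn the pairwise auth_username_translation string into a mapping."""
    if len(spec) % 2:
        raise ValueError("auth_username_translation needs an even number of characters")
    return {spec[i]: spec[i + 1] for i in range(0, len(spec), 2)}


def normalize_username(
    name: str,
    allowed: str = AUTH_USERNAME_CHARS,
    translation: str = AUTH_USERNAME_TRANSLATION,
) -> Optional[str]:
    """Username as it would reach the passdb, or None when the login must
    fail because a character is outside auth_username_chars."""
    table = translation_table(translation)
    translated = "".join(table.get(c, c) for c in name)
    if any(c not in allowed for c in translated):
        return None
    return translated


def build_query(name: str) -> Optional[str]:
    """Substitute %u only for a username that passed the character filter;
    None means no SQL is sent at all (the login simply fails)."""
    user = normalize_username(name)
    if user is None:
        return None
    return PASSWORD_QUERY.replace("%u", user)


def sql_metachars_allowed(allowed: str = AUTH_USERNAME_CHARS) -> Set[str]:
    """Which string-breaking SQL characters the filter would let through."""
    return set("'\"\\;") & set(allowed)


if __name__ == "__main__":
    for attempt in ["alice%example.com", "ALICE@Example.COM", "alice'--@example.com"]:
        print(repr(attempt), "->", build_query(attempt))
    print("SQL metacharacters reaching the query:", sql_metachars_allowed())
```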


Re: auth: Error: auth worker: Aborted request: Lookup timed out

2015-02-01 Thread Reindl Harald


Am 01.02.2015 um 22:44 schrieb ML mail:

Thanks for your tip regarding the busy network.

I am using a one year old Cisco Catalyst 2960S (WS-C2960S-48TD-L) with cat6e 
cables and my network should not be overloaded as far as I know. My mailbox and 
mail proxy servers are on two different virtual machines on two different 
servers. It could be possible that it is something with the virtualization but 
my other VMs do not have any connection time outs or anything. I will keep on 
searching on the network side.


the busy network tip is nonsense since "Connection reset by peer" means 
nothing else than what it says: the remote client lost the connection for 
whatever reason, and those are most likely *mobile clients* and *bots*


Feb  1 20:24:17 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 20:24:46 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 20:25:18 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 20:26:01 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 20:26:45 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 20:27:34 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 20:37:04 mail dovecot: auth: Warning: auth client 0 disconnected with 2 pending requests: Connection reset by peer
Feb  1 20:37:57 mail dovecot: auth: Warning: auth client 0 disconnected with 2 pending requests: Connection reset by peer
Feb  1 21:26:39 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:27:49 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:28:33 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:28:51 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:29:35 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:30:19 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:31:03 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:31:39 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:31:47 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:32:31 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
Feb  1 21:33:53 mail dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer



I don't know if this is related but I also get quite a few of these error 
messages:

Jan 31 14:10:46 auth: Warning: auth client 0 disconnected with 1 pending 
requests: Connection reset by peer


my interpretation:

a) you have a very very bz network ... the other end cannot respond to incoming 
requests

even if your network is NOT bz, eg, no collision blinking on your 
hubs/switches,
you are still having network problems

b) if all of your dovecot tests is on one host  ... disconnect it from the 
network
and see if dovecot's auth finishes its tasks

c) to clean up your network ...
 - use switches ... not hubs  even inexpensive netgear switches is good 
enuff
 - use good 3-6' cat6e cables ... we'll assume the bldg's wiring is done to 
bldg specs
 - my guess, you're probably having cabling problems )
 - separate slow devices from faster devices
 eg. separate printers onto its own network with a switch
 in between printers and everybody else
 - separate 10/100 devices from gigE devices ... do not mix them up on the 
same switch/hub
c ya
alvin



Jan 31 14:13:20 auth: Warning: auth client 0 disconnected with 1 pending 
requests: Connection reset by peer
Jan 31 14:13:20 auth: Warning: auth client 0 disconnected with 2 pending 
requests: Connection reset by peer
Jan 31 14:13:22 auth: Warning: auth client 0 disconnected with 2 pending 
requests: EOF
Jan 31 14:13:26 auth: Warning: auth client 0 disconnected with 1 pending 
requests: Connection reset by peer






Re: Thunderbird: improper command pipelining after EHLO

2015-01-26 Thread Reindl Harald


Am 26.01.2015 um 15:22 schrieb Leander Schäfer:

I couldn't find working solutions for this anomaly on the net. What
does this mean and does someone know how to fix this?

postfix/smtpd[18757]: improper command pipelining after EHLO from
unknown[192.168.10.233]: QUIT\r\n


that's hardly a dovecot topic, and without postconf -n, in doubt with the 
content of master.cf, and more information nobody can help you at all






Re: LDA input validation

2015-01-26 Thread Reindl Harald


Am 26.01.2015 um 10:52 schrieb Stéphane Cottin:

Le 26 janv. 2015 à 10:09, Reindl Harald h.rei...@thelounge.net a écrit :

You're still going to lose contents.  If dspam fails, the mail
is dumped, the LDA returns exit code 75, and the MTA will probably
issue a bounce Email to the sender.


which would be OK, if never lose email contents means no message is
discarded silently.


no, it is not OK to backscatter because the spamfilter fails

realize that 99% of junk is using forged senders

recently i got each day some hundred such bounces from mailservers configured 
by fools to reply to spam with forged senders, and if i could i would have gone out 
to beat every responsible admin straight in the face


I may discard emails based on RBLs, but I don't want to discard emails based on 
statistical filters, I prefer to deliver them in the Junk folder and let the user 
have a chance to reclassify using dovecot_antispam.
And yes, bouncing spam to the (forged or not) sender is useless


you *must not* discard mails - not in any context - period

that's why milters exist: to tag between let's say 5.0 and 8.0 spam points 
and REJECT pre-queue based on SpamAssassin and/or ClamAV


maybe dspam can't do that, but it's *abandonware* anyway
http://comments.gmane.org/gmane.mail.spam.dspam.user/19136





Re: LDA input validation

2015-01-26 Thread Reindl Harald



Am 26.01.2015 um 08:52 schrieb Steffen Kaiser:

On Sun, 25 Jan 2015, Joseph Tam wrote:

Stéphane Cottin writes:



dspam already send errors to syslog, the point here is to never loose
email contents.  This was a wrong design, i'm now use a wrapper instead
( see my previous post for details ).



You're still going to lose contents.  If dspam fails, the mail
is dumped, the LDA returns exit code 75, and the MTA will probably
issue a bounce Email to the sender.


which would be OK, if never lose email contents means no message is
discarded silently.


no, it is not OK to backscatter because the spamfilter fails

realize that 99% of junk is using forged senders

recently i got each day some hundred such bounces from mailservers 
configured by fools to reply to spam with forged senders, and if i could i 
would have gone out to beat every responsible admin straight in the face






Re: imap-login: Fatal: pipe() failed: Too many open files

2015-01-25 Thread Reindl Harald


Am 26.01.2015 um 02:13 schrieb Leander Schäfer:

I just checked my ulimit again and it really seems like it has more
than enough - so I still don't understand what I've configured wrong
here ;/

root@WM-01 [~]$ su -m dovecot -c ulimit -a
socket buffer size   (bytes, -b) unlimited
core file size  (blocks, -c) unlimited
data seg size   (kbytes, -d) 33554432
file size   (blocks, -f) unlimited
max locked memory   (kbytes, -l) 131072
max memory size (kbytes, -m) 7067352
open files  (-n) 205587
pipe size(512 bytes, -p) 1
stack size  (kbytes, -s) 8192
cpu time   (seconds, -t) unlimited
max user processes  (-u) 11278
virtual memory  (kbytes, -v) unlimited
swap size   (kbytes, -w) unlimited


besides that, imap-login typically does *not* run under the same user 
(here dovenull versus dovecot) - who tells you that 205587 is more than 
enough just because it is a high value?








Re: Client shows null Sender date

2015-01-23 Thread Reindl Harald


Am 23.01.2015 um 16:06 schrieb John Hendrich:

I'm using Postfix and Dovecot 2.0.19 and Virtual domains  users
(mysql).  Incoming mail is handled by Postfix and then handed off to
Dovecot LMTP for delivery.  However, the Sender and Date are essentially
null when viewing the email with either the POP3 or IMAP client.  The
logs (below) show this.  I changed the sender and recipient addresses
for privacy.

Jan 23 08:42:07 klsrv postfix/cleanup[10842]: 1F907F00276: message-id=
Jan 23 08:42:07 klsrv postfix/qmgr[4889]: 1F907F00276:
from=sen...@example.com, size=217, nrcpt=1 (queue active)

You can see that Postfix accepts the incoming mail (from
sen...@example.com) and then the message is handed to Dovecot LMTP.  But
the from=: should be from=sen...@example.com:.

Postfix / qmgr has the sender listed (from=sen...@example.com) but no
sender (from=) is seen in LMTP log output.  My LMTP is setup to use UNIX
sockets, not the INET socket


you need to understand e-mail basics

what you see in the postfix logs is the *envelope sender*
what you miss in the message is the non-existent To-HEADER





Re: Outlook and TLSv.1

2015-01-18 Thread Reindl Harald



Am 18.01.2015 um 12:07 schrieb Jerry:

I have:
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
and Outlook 2013 works fine


but you break *for sure* older clients and should *not* recommend that 
broken setup untested, believing you are helping with it


!SSLv3 has no business in the cipher list
you disable ciphers still valid for TLS that way

that was all discussed dozens of times here
ssl_protocols = !SSLv2 !SSLv3

*remove !SSLv3 from the cipher list* and if you now say your dovecot 
version doesn't support ssl_protocols then upgrade or just accept that 
you can't have outdated software and state of the art protocol support







Re: Outlook and TLSv.1

2015-01-18 Thread Reindl Harald



Am 16.01.2015 um 12:24 schrieb Oliver Welter:

after adding TLSv1.2 to my TLS options


how did you do that?

there is no need to add it as long as you did not break
your configuration intentionally the time before


a lot of Outlook users complained about connection errors,
openssl s_client and Thunderbird work fine.


no


I found some posts about this but none of them had a real solution on
this - I meanwhile disabled TLSv1.2 which made the Outlook users happy.

I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014

ssl_cert = /var/qmail/control/servercert.pem
ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH


!MEDIUM likely is the reason


ssl_dh_parameters_length = 2048
ssl_key = /var/qmail/control/servercert.pem
ssl_protocols = !SSLv2 !TLSv1.2

The certificate is from Comodo using sha256


the config below works with every known Outlook version down to Outlook 
2003 on Windows XP in combination with an RSA4096/SHA256 key as well as 
with all other reasonable mail clients


ssl_protocols  = !SSLv2 !SSLv3
ssl_prefer_server_ciphers  = yes
ssl_cipher_list = 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA






Re: [SERVERBUG] failed to send mail with SA and antispam plugin

2015-01-16 Thread Reindl Harald


Am 16.01.2015 um 09:46 schrieb ML mail:

Thanks to your help Steffen I was able to find out the issue which was simply 
the size of the Spam mail as you can see here:

spamc[16545]: skipped message, greater than max message size (512000 bytes)

The spam mail was around 900 kbytes as such I have changed the spamc limit to 
1MB. Bastard spammer who abuses this limit by attaching a big image...


that's common for years now, even when we used a Barracuda Networks device 
where you need to add expert=1 in the extended settings to raise that limit


given that only a small amount makes it to SA here i increased that to 5 
MB, in case of large images there is no performance impact, only large 
messages with mostly plaintext are resource hungry to scan


in fact i have seen such bastards attach 2 MB images to the typical spam 
mailbody to bypass scanners







Re: pigeonhole ereject vs reject

2015-01-13 Thread Reindl Harald


Am 14.01.2015 um 01:28 schrieb Robert Blayzor:

Currently pigeonhole supports reject which would generate a NDR for each 
message. (If I understand the current documentation)

Using Dovecot LMTP it would be more optimal to kick a 5xx back to the primary 
MTA to reject the delivery rather than generating more back scatter NDRs


and what would that change?
nothing if you think about how mail works!

* the MTA receives the message
* the MTA confirms with 2xx status code
* later the delivery server rejects
* the MTA *must* create a bounce

just don't reject mails after you confirmed you have received them in 
the SMTP session and if you don't want a mail after that DISCARD it, 
considering legal implications - there is nothing in between






Re: pigeonhole ereject vs reject

2015-01-13 Thread Reindl Harald


Am 14.01.2015 um 02:40 schrieb Robert Blayzor:

On Jan 13, 2015, at 8:30 PM, Reindl Harald h.rei...@thelounge.net wrote:


so what you want in your OP is just DISCARD in a sieve script and there is no point in 
Using Dovecot LMTP it would be more optimal to kick a 5xx back when the 
desired result is DISCARD

why do you want the burden of keeping the SMTP session with the client open until 
the mail is finally stored? that doesn't scale!


Sieve is all about policy


no - it is about *filtering* mails


A 5xx reject would let the sending server know the message could not be 
delivered due to a failure


which belongs in the MTA and not the LDA


(ie: user policy rejection, without receiving MTA generating NDR backscatter).
I would rather not just accept it and the message disappear into ether without
the sender receiving any notification of why.


hence you reject messages on MTA level before LMTP is called because 
that happens in case of sender based filters on the envelope level and 
in case of subject filters at least before the mailbody






Re: pigeonhole ereject vs reject

2015-01-13 Thread Reindl Harald


Am 14.01.2015 um 02:23 schrieb Robert Blayzor:

On Jan 13, 2015, at 7:34 PM, Reindl Harald h.rei...@thelounge.net wrote:


and what would that change?
nothing if you think about how mail works!

* the MTA receives the message
* the MTA confirms with 2xx status code
* later the delivery server rejects
* the MTA *must* create a bounce

just don't reject mails after you confirmed you have received them in the SMTP 
session and if you don't want a mail after that DISCARD it by consider legal 
implications - there is nothing between



The above is not entirely true.  You are assuming that your MTA is sending a 
2xx accepting the message immediately before delivery via LMTP completes.  With 
PRDR (in Exim for example, or without) a 5xx during the LMTP transport should 
issue a 5xx error back to the sending MTA, not a 2xx.  Therefore, there would 
be no NDR generated by the receiving system.  The sender's MTA would have to 
generate the NDR, but that's not my problem at that point.  Of course WITHOUT 
PRDR this is a little bit more of an issue since it would be a rejection for 
all recipients of the message.


i assume a sane MTA like postfix with a queue and so is able to receive 
and confirm messages independent of the final destination - even if you 
typically use LMTP there could be an external transport for a RCPT and 
the same message can have internal and external destinations


so what you want in your OP is just DISCARD in a sieve script and there 
is no point in Using Dovecot LMTP it would be more optimal to kick a 
5xx back when the desired result is DISCARD


why do you want the burden of keeping the SMTP session with the client open 
until the mail is finally stored? that doesn't scale!






Re: Dovecot replication over TCP/SSL, certificate error

2015-01-12 Thread Reindl Harald



Am 12.01.2015 um 13:29 schrieb Jonas Plitt:

doveadm(exam...@example.com exam...@example.com): Error: Couldn't
initialize SSL context: Can't load CA certs from directory /etc/ssl/certs:
error:02001024:system library:fopen:File name too long
doveadm: Error: Failed to iterate through some users

this is my config (part):

ssl_cert = /etc/ssl/certs/alpha-servers.pem
ssl_key = /etc/ssl/private/alpha-servers.key
ssl_ca = /etc/ssl/certs/startcom-ca-bundle.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/certs/startcom-ca.pem
ssl_protocols = !SSLv2 !SSLv3

The file startcom-ca-bundle contains the complete chain. The file
startcom-ca contains only the ca certificate. Can anybody help, please?


did you read the "File name too long"?





Re: 'ssl_cipher_list' setting

2015-01-05 Thread Reindl Harald


Am 05.01.2015 um 21:53 schrieb Yoshito Takeuchi:

I used

FreeBSD 10.1
Dovecot 2.2.15

I want pop3s, so I made

/usr/local/etc/dovecot/local.conf

ssl = yes
ssl_cert = /usr/local/etc/dovecot/server.pem
ssl_key = /usr/local/etc/dovecot/server.key
ssl_ca = /usr/local/etc/dovecot/ca.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4

It's work fine.
But, change

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4

( SSLV3 -> SSLv3 )

I had trouble

/var/log/maillog

Jan  6 05:41:53 example dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking, session=5e9zuO0LVwB+PO8D

Is this bug ? or I did miss setting?


!SSLV3 was wrong and not recognized
!SSLv3 is recognized but bullshit since you want to disable SSLv3 but 
not all ciphers which are still valid for newer TLS versions


you do that already correctly with ssl_protocols





Re: Awfully slow dovecot

2014-12-26 Thread Reindl Harald


Am 26.12.2014 um 17:16 schrieb Nick Edwards:

On 12/26/14, Reindl Harald h.rei...@thelounge.net wrote:

sure, you can manage anything if you write enough tools to automate
things, nothing new for me as software developer, but don't you think
there is a reason why advanced package management exists and 95% of all
production environments are using them?


it takes no more than a few minutes to write a perl script to handle all.
and you can not claim 95% of anything in the real world, even if so, there
is no difference to automated tools than yum or apt, they can do the
same thing and as every machine is identical, if it works on the dev box,
there is no way it does not work on production.


deployment yes

versioned, clean downgrades and preserving permissions, getting rid of 
obsolete files to keep the system clean over many years takes more effort



it's simple, if it does not work on rpm, erase rpm and use source.

it is silly and a waste of time to try to log a bug problem with a version not
supported in years


hence i recommended using rpmbuild and building an *override* from recent 
source, in case of dovecot just building from source may be easy, if it 
comes to dependencies rpm becomes the easier and safer way because it 
would refuse to override incompatible libraries until you take care of 
the dependency tree which does not come from rpm itself but is managed 
by using it






Re: Awfully slow dovecot

2014-12-25 Thread Reindl Harald


Am 25.12.2014 um 21:09 schrieb Benny Pedersen:

Robert Schetterer skrev den 2014-12-25 19:49:

Am 18.12.2014 um 17:56 schrieb Robin Helgelin:

We’re using dovecot 1.0.7

that version is total out of date , update to recent version


centos is a precompiled problem :=)


no it is not

do you really think the RPMS are falling from heaven or is it more likely 
that one is able to use rpmbuild as i do on Fedora for packages like 
dovecot-2.2.15-3.fc20.20141025.rh.x86_64 or 
postfix-2.11.3-1.fc20.20141020.rh.x86_64?


your Gentoo is nice in a small environment

on larger setups someone is using binary packages and can set up his own 
repo with overrides while maintaining *testable* setups






Re: Awfully slow dovecot

2014-12-25 Thread Reindl Harald


Am 26.12.2014 um 02:20 schrieb Edwardo Garcia:

On 12/26/14, Jeff Mitchell jeffrey.mitch...@gmail.com wrote:

On Dec 25, 2014 3:15 PM, Reindl Harald h.rei...@thelounge.net wrote:


your Gentoo is nice in a small environment

on larger setups someone is using binary packages and can setup his own

repo with overrides while maintain *testable* setups

Just to point out, it is possible to set up a binary Gentoo setup with a
single server compiling packages then made available to downstream
computers -- I ran such a setup for a few years. Can also have multiple of
these in an overlay fashion for testing. Pros and cons vs. normal binary
distros, but it can be done.


As we do today for some 417 servers (real servers, not virtual crap),
it's very easy to do, even my previous employer who used slackware with
a few hundred servers used an almost identical fashion.

Amazing how rpm and deb users think they are the only ones in this
world who can manage large enterprise server farms, just shows how
narrow-sighted and ill-informed they are.


narrow-sighted are people thinking others are ill-informed or, as Benny, 
thinking outdated RPM packages are a persistent problem not easily solvable


sure, you can manage anything if you write enough tools to automate 
things, nothing new for me as software developer, but don't you think 
there is a reason why advanced package management exists and 95% of all 
production environments are using them?


and if it is only to have a *formal verification* based on the rpm 
database that there are no dep errors and compare 100, 200, 1000 machine 
setups automated with a single click







Re: replication - more than 2 servers?

2014-12-16 Thread Reindl Harald


Am 16.12.2014 um 21:13 schrieb Ron Cleven:

We tested dovecot for a fair amount of time and decided finally to put
it into production under CentOS 7 (we are running 2.2.10).  I just
joined the list, so I apologize for what is probably a question that has
been answered many times, but I was wondering if there are any plans to
implement replication among 3 or more servers (all masters, as with
2)?  As best as I can tell, replication seems to be limited to 2
servers, and it is not obvious to me even how more than 2 would be
supported syntactically in the configs.  That is, what might be an
example of the mail_replica clauses if such a thing was supported?


if you *really* have that large number of users and load you should 
split them to different servers (replicated server pairs) because you 
end in replication overhead eating away all the benefits otherwise


master-master replication independent of the software is somehow limited 
by physics (delays, replication traffic, replication I/O) and can't 
scale endlessly






Re: dovecot.index.log files: what are they?

2014-12-10 Thread Reindl Harald


Am 10.12.2014 um 21:19 schrieb Thomas Klausner:

I have lots of these files:

/home/wiz/Mail/my-folder-name/cur/.imap/1238738125.13533_23713.danbala:2,S/dovecot.index.log

What are they for?
Why are they here?
Can I remove them?


RTFM: http://wiki2.dovecot.org/IndexFiles

https://www.google.at/search?q=dovecot.index.log





Re: dovecot.index.log files: what are they?

2014-12-10 Thread Reindl Harald


Am 10.12.2014 um 21:48 schrieb Thomas Klausner:

On Wed, Dec 10, 2014 at 09:26:31PM +0100, Reindl Harald wrote:


Am 10.12.2014 um 21:19 schrieb Thomas Klausner:

I have lots of these files:

/home/wiz/Mail/my-folder-name/cur/.imap/1238738125.13533_23713.danbala:2,S/dovecot.index.log

What are they for?
Why are they here?
Can I remove them?


RTFM: http://wiki2.dovecot.org/IndexFiles


Thanks, but I had read this.

I still don't know what they are good for, why they stay there for
days and if I can remove them. After all, they are not the caches, but
some transaction logs (I don't know what this is)


http://en.wikipedia.org/wiki/Transaction_log

why don't you just keep your fingers off data maintained by a server 
application? it's not your business to touch them






Re: MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN

2014-12-06 Thread Reindl Harald


Am 06.12.2014 um 06:56 schrieb Jan Wideł:

If you add disable_plaintext_auth=yes ssl=required settings, then
dovecot will drop authentication without STARTTLS. But damage will be
done, client will send unencrypted (or in this scenario MD5 or SHA512
hash) login/password


no, damage will *not* be done

STARTTLS happens in the context of the connect, and *long before* any 
authentication is tried the handshake between client/server fails






Re: MD5-CRYPT/CRAM-MD5 vs SHA512-CRYPT/PLAIN

2014-12-06 Thread Reindl Harald


Am 06.12.2014 um 14:40 schrieb Daniel Parthey:

Am 6. Dezember 2014 13:10:58 MEZ, schrieb Reindl Harald 
h.rei...@thelounge.net:


Am 06.12.2014 um 06:56 schrieb Jan Wideł:

If you add disable_plaintext_auth=yes ssl=required settings, then
dovecot will drop authentication without STARTTLS. But damage will be
done, client will send unencrypted (or in this scenario MD5 or SHA512
hash) login/password


no, damage will *not* be done

STARTTLS happens in the context of the connect, and *long before* any
authentication is tried the handshake between client/server fails


If the client is misconfigured to not strictly require STARTTLS, but to allow 
plaintext authentication too, and some man in the middle strips the STARTTLS 
capability from the server capability message, then the client will probably 
send its password login attempt in plaintext, without even trying to establish 
a STARTTLS session, because the server seemed to be incapable of STARTTLS.

So you might need to teach your users to enforce STARTTLS in their email client 
in order to mitigate MITM attacks


that's so far true but:

* if you require STARTTLS, trying to set up the account without TLS
  fails, while "not strictly require STARTTLS" is an issue of the
  past where Thunderbird offered "TLS if available"

* so that MITM needs to happen in the timeframe where the user
  configures the account the first time and does not choose STARTTLS

* after the account was configured that MITM is no longer possible

MITM which strips STARTTLS is more an issue in case of opportunistic TLS 
between MTA's


frankly i still don't understand the stupidity of deprecating 465 in favor 
of STARTTLS instead of using 465/993/995 in the context of mail clients, which 
would not make a MITM stripping away STARTTLS possible at all


from a straight technical point of view the only *real* use-case for 
STARTTLS is MTA-to-MTA on port 25, which doesn't send credentials at all






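The STARTTLS-stripping scenario Daniel describes and the client-side enforcement the two replies argue about, as an added example that is not part of the original thread and not Dovecot code. The server is a constructed in-memory script with capability strings in the format Dovecot prints; the `strip` set stands in for a man in the middle, and the LOGIN credentials are placeholders.

```python
"""Simulated IMAP client that enforces STARTTLS before authenticating.

Added example; not Dovecot code nor code from the posts above. The server is
an in-memory script whose capability lines follow the format Dovecot prints
(compare the telnet sessions elsewhere on this page); the 'strip' set models
a man in the middle removing tokens from the pre-TLS capabilities. No
network I/O takes place; the credentials below are constructed placeholders.
"""
import re

# Constructed capability sets. With disable_plaintext_auth=yes Dovecot
# advertises LOGINDISABLED and no AUTH= mechanism until TLS is up.
PLAIN_CAPS_STRICT = "IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED"
PLAIN_CAPS_LAX = "IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN"
TLS_CAPS = "IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN"


def parse_capabilities(text):
    """Return capability tokens from a greeting, tagged OK or '* CAPABILITY'."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", text)
         or re.search(r"^\* CAPABILITY (.*)$", text, re.M))
    return set(m.group(1).split()) if m else set()


class FakeServer:
    """In-memory IMAP server answering from fixed capability strings."""

    def __init__(self, plain_caps, strip=()):
        self.plain_caps = plain_caps
        self.strip = set(strip)      # tokens removed in transit before TLS
        self.tls_active = False

    def _caps(self):
        if self.tls_active:          # inside TLS nothing can be stripped
            return TLS_CAPS
        return " ".join(t for t in self.plain_caps.split() if t not in self.strip)

    def greeting(self):
        return f"* OK [CAPABILITY {self._caps()}] Dovecot ready."

    def handle(self, command):
        tag, verb = command.split()[:2]
        if verb == "STARTTLS" and not self.tls_active:
            self.tls_active = True
            return f"{tag} OK Begin TLS negotiation now."
        if verb == "CAPABILITY":
            return f"* CAPABILITY {self._caps()}\r\n{tag} OK Capability completed."
        return f"{tag} OK {verb} completed."


def client_session(server, require_tls=True):
    """Drive one login attempt; return (commands sent, outcome)."""
    sent = []
    caps = parse_capabilities(server.greeting())
    if "STARTTLS" in caps:
        sent.append("a1 STARTTLS")
        server.handle(sent[-1])
        # RFC 3501 6.2.1: capabilities seen before STARTTLS must be
        # discarded, so ask again inside the protected session.
        sent.append("a2 CAPABILITY")
        caps = parse_capabilities(server.handle(sent[-1]))
    elif require_tls:
        sent.append("a1 LOGOUT")
        return sent, "refused: STARTTLS not offered, possible downgrade"
    if "LOGINDISABLED" in caps:
        sent.append("a3 LOGOUT")
        return sent, "refused: server disables plaintext LOGIN"
    sent.append("a3 LOGIN user secret")   # constructed placeholder credentials
    server.handle(sent[-1])
    how = "over TLS" if server.tls_active else "in PLAINTEXT"
    return sent, f"credentials sent {how}"


if __name__ == "__main__":
    for label, srv, req in (
        ("honest server, strict client", FakeServer(PLAIN_CAPS_STRICT), True),
        ("STARTTLS stripped, strict client", FakeServer(PLAIN_CAPS_STRICT, {"STARTTLS"}), True),
        ("STARTTLS stripped, lax client", FakeServer(PLAIN_CAPS_LAX, {"STARTTLS"}), False),
    ):
        print(label, "->", client_session(srv, req)[1])
```

The lax client with the lax server is the case Daniel warns about; the strict server (LOGINDISABLED before TLS) is what Reindl relies on, and the last scenario in the test shows that a MITM stripping LOGINDISABLED as well still leaks a lax client's password.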


Re: disabling certain ciphers

2014-12-02 Thread Reindl Harald


Am 02.12.2014 um 06:44 schrieb Will Yardley:

On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:

On 12/1/2014 4:43 PM, Will Yardley wrote:

Can you use both ssl_protocols *and* ssl_cipher_list in the same config
(in a way that's sane)?



Is there a way to exclude these ciphers, while still keeping my config
easy to parse and avoiding duplicative or deprecated configs?


Yes to both.  If you need to support older clients:

ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2


But why does ssl_protocols behave differently depending on if
$ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?

It seems that if ssl_cipher_list is defined,
ssl_protocols = !SSLv2 !SSLv3

results in TLS1.2 being the only one active, but if it is defined, 1.0,
1.1, and 1.2 are all active?


ssl_protocols = !SSLv2 !SSLv3

and you are fine, anything else is nonsense because when TLSv1.3 will be 
released you go to each and every server to add it to the config? likely 
not!






Re: disabling certain ciphers

2014-12-02 Thread Reindl Harald



Am 02.12.2014 um 17:33 schrieb Darren Pilgrim:

On 12/2/2014 1:32 AM, Reindl Harald wrote:

ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2


But why does ssl_protocols behave differently depending on if
$ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?

It seems that if ssl_cipher_list is defined,
ssl_protocols = !SSLv2 !SSLv3

results in TLS1.2 being the only one active, but if it is defined, 1.0,
1.1, and 1.2 are all active?


ssl_protocols = !SSLv2 !SSLv3

and you are fine, anything else is nonsense because when TLSv1.3 will be
released you go to each and every server to add it to the config? likely
not!


Configuration management. :)


mis-management is the right word for disabling future protocols


Also, no, you need to do more than just disable SSLv3.  You need to
disable several cipher groups allowed in TLSv1.0 and TLSv1.1, bump up
the DH parameter size, and, if your client base allows it, only allow
ciphers with forward secrecy


i *only* referred to ssl_protocols and not to ciphers

those below are sane settings supporting older Outlooks only talking 
RC4/DES but preferring a specific order for other clients


ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
ssl_cipher_list = 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA





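The advice from this thread, the 'ssl_cipher_list' setting thread and the two Outlook threads above (protocol versions belong in ssl_protocols, not the cipher list; !SSLV3 is not recognized; a positive list of TLS versions needs editing when a new one ships; dropping TLSv1.2 for one client is the wrong fix), as an added checker. It is not Dovecot code nor code from the posts; the SAMPLE_TYPO fragment is constructed after the config quoted in the 'ssl_cipher_list' thread.

```python
"""Lint the TLS settings of a Dovecot configuration fragment.

Added example, not code from Dovecot or from the posts above. It encodes the
advice given in these threads: protocol versions belong in ssl_protocols, not
in ssl_cipher_list (there they remove cipher suites still valid for newer
TLS versions); a misspelled keyword such as !SSLV3 is simply not recognized;
listing TLS versions positively means every server needs an edit when a new
version appears; and disabling a TLS version to please one client is not the
fix for a broken cipher list.
"""
import re

# Protocol names as Dovecot and OpenSSL spell them (case-sensitive).
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_BY_UPPER = {p.upper(): p for p in PROTOCOLS}
_ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_config(text):
    """Parse 'key = value' lines into a dict.

    Comments and blank lines are skipped. A line that is not an assignment
    is appended to the previous value, which is how a long cipher list that
    was wrapped onto its own line in a mail quote should be read.
    """
    settings, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN_RE.match(line)
        if m:
            last_key = m.group(1)
            settings[last_key] = m.group(2).strip()
        elif last_key is not None:
            settings[last_key] = (settings[last_key] + line).strip()
    return settings


def _protocol(token):
    """Return (canonical_name, spelled_exactly) or (None, False)."""
    canonical = _BY_UPPER.get(token.upper())
    return canonical, canonical == token


def lint_tls(text):
    """Return a list of (severity, setting, message) findings."""
    cfg = parse_config(text)
    out = []
    # 1. ssl_cipher_list: protocol keywords do not belong here.
    for tok in cfg.get("ssl_cipher_list", "").split(":"):
        canonical, exact = _protocol(tok.lstrip("!-+"))
        if canonical is None:
            continue
        if not exact:
            out.append(("error", "ssl_cipher_list", f"{tok!r} is not a recognized "
                        f"OpenSSL keyword (the protocol is spelled {canonical})"))
        else:
            out.append(("warning", "ssl_cipher_list", f"{tok!r} removes cipher suites "
                        "still valid for newer TLS; disable the protocol in "
                        "ssl_protocols instead"))
    # 2. ssl_protocols: SSLv2/SSLv3 off, TLS on, no positive allow-list.
    excluded, allowed = set(), set()
    for tok in cfg.get("ssl_protocols", "").split():
        canonical, exact = _protocol(tok.lstrip("!"))
        if canonical is None or not exact:
            out.append(("error", "ssl_protocols", f"{tok!r} is not a recognized "
                        "protocol name"))
        elif tok.startswith("!"):
            excluded.add(canonical)
        else:
            allowed.add(canonical)
    for old in ("SSLv2", "SSLv3"):
        if old not in excluded:
            out.append(("warning", "ssl_protocols", f"{old} is not disabled; add !{old}"))
    for tls in sorted(excluded - {"SSLv2", "SSLv3"}):
        out.append(("warning", "ssl_protocols", f"{tls} is disabled; fix the cipher "
                    "list instead of dropping a TLS version"))
    if allowed:
        out.append(("note", "ssl_protocols", "positive list " + " ".join(sorted(allowed))
                    + " needs editing on every server when a new TLS version ships; "
                    "prefer just !SSLv2 !SSLv3"))
    # 3. Without server preference the client picks from the list.
    if cfg.get("ssl_prefer_server_ciphers", "no").lower() != "yes":
        out.append(("note", "ssl_prefer_server_ciphers", "set to yes so the server's "
                    "cipher order is used"))
    return out


# Constructed sample: the misspelled !SSLV3 cipher list from the thread above.
SAMPLE_TYPO = """\
ssl = yes
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4
"""

if __name__ == "__main__":
    for finding in lint_tls(SAMPLE_TYPO):
        print("%-7s %-25s %s" % finding)
```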


Re: SORT capability

2014-12-01 Thread Reindl Harald



Am 01.12.2014 um 12:19 schrieb absolutely_f...@libero.it:

why I don't see SORT capability on my dovecot server?

# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
1 capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS 
AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5
1 OK Capability completed.
a logout
* BYE Logging out
a OK Logout completed.
Connection closed by foreign host


DUNNO

maybe the output of dovecot -n knows





Re: SORT capability

2014-12-01 Thread Reindl Harald



Am 01.12.2014 um 12:32 schrieb absolutely_f...@libero.it:

# dovecot -n |grep -i sort

(nothing)


i meant post the complete output
you can't grep for something not existing
but you or some config-include may set something wrong


Maybe the full list is only available after authentication?


likely


# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.
a login XXX 
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN
NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT
SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in








Re: best file system ?

2014-12-01 Thread Reindl Harald



Am 01.12.2014 um 21:13 schrieb Marcin Mirosław:

W dniu 2014-12-01 o 18:19, Alessio Cecchi pisze:


Il 01/12/2014 17:24, absolutely_f...@libero.it ha scritto:

Hi,
I'm going to set up a new storage for our email users (about 10k).
It's a network attached storage (Coraid).
In your opinion, what is the best file system for mail server
(pop3/imap/webmail) purpose?
Thank you

Hi,

XFS, if you can use RHEL/CentOS 6, ext4 with others distro.


Hi!
Does XFS works better on RHEL than on others distro?;)


XFS is the default file system of *RHEL7/CentOS7*
no idea from where it comes that it is recommended for CentOS6





Re: 2.2.15: SMTP submission server?

2014-11-27 Thread Reindl Harald



Am 27.11.2014 um 08:17 schrieb Steffen Kaiser:

On Wed, 26 Nov 2014, Mark Homoky wrote:

On 17/11/2014 07:23, Ron Leach wrote:

On 16/11/2014 07:24, Robert Schetterer wrote (re-ordered):

Am 16.11.2014 um 02:24 schrieb Reindl Harald:


Off topic for Dovecot list, but I might think instead about separate
inbound and outbound MTAs to achieve containment of inbound MTA
compromise.


@Ron: This seems to be the most sensible option for your concerns
anyway, but with a well-known MSA. The inbound MTA need not advertise
its existence to the web and, if port 587 is the only one, you could
ban port probes, because few attackers will start with port 587.


As Reindl said switch off SASL on port 25 (hence in the SMTP
conversation following the ehlo line, the client isn't even offered
AUTH and hence the chance to login to try to relay).

[cut]

You really can't get stronger mail injection than using the standard
submission port only accepting AUTH via TLS encrypted connections on
port 587


If both port 25 and port 587 are open on the same server, is there any
statistic about how much attackers probe port 25 before 587 and if
disabling AUTH on port 25 helps at all in that case?


surely, nobody cares about 587 because it's typically only possible with 
authentication to submit mail and so in no way usable to deliver spam 
or as open relay


that below is from a honeypot network but keep in mind that in case 
of "try a different port from the same IP" last_port after testing 25/587 
changes to that one


mysql> select count(*) from dnsbl where dnsbl_last_port=25;
+----------+
| count(*) |
+----------+
|      790 |
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from dnsbl where dnsbl_last_port=587;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
1 row in set (0.01 sec)





Re: Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3

2014-11-23 Thread Reindl Harald

no idea what you are talking about

K9 is a android client and works fine with TLS

no idea what https has to do with email nor why someone needs to 
"disable K9 long enough" whatever long enough is - don't get me wrong 
but most technical context on several lists of you if it comes to 
details is cluttered and your permanent "i am working on IETF" even 
makes things worse


Am 23.11.2014 um 22:23 schrieb Robert Moskowitz:

I finally noticed this popup of K9 blocking https on port (143, 993,
995).  So the user has to come back over here and disable K9 long enough
to get things working.

ARGH!

On 11/23/2014 04:08 PM, Robert Moskowitz wrote:

OK, I did not know that this user has a new computer with Outlook
2010.  This SHOULD make it easier but...

I have the computer right next to me, they brought it over.  It is on
the same LAN as this notebook.  I can access my server with:

openssl s_client -connect z9m9z.htt-consult.com:995

And then log the user in with the appropriate POP3 credentials.

In Outlook 2010, in Advanced settings I have specified This server
requires an encrypted connection (SSL) and it switches to port 995
(from 110).  I try connecting and I get an error that


Your server does not support the connection encryption type you have
specified.

The first time we tried this it installed my self-signed cert in the
local cert store.

Any idea on what is going on or how to get this working?






Re: Outlook 2010 not connecting to secure POP3

2014-11-23 Thread Reindl Harald


Am 23.11.2014 um 22:08 schrieb Robert Moskowitz:

OK, I did not know that this user has a new computer with Outlook 2010.
This SHOULD make it easier but...

I have the computer right next to me, they brought it over.  It is on
the same LAN as this notebook.  I can access my server with:

openssl s_client -connect z9m9z.htt-consult.com:995

And then log the user in with the appropriate POP3 credentials.

In Outlook 2010, in Advanced settings I have specified This server
requires an encrypted connection (SSL) and it switches to port 995
(from 110).  I try connecting and I get an error that

Your server does not support the connection encryption type you have
specified.

The first time we tried this it installed my self-signed cert in the
local cert store.

Any idea on what is going on or how to get this working?


learn to post details and configs, to be honest i feel disturbed by all 
your technical nonsense not able to express what you are talking about 
over that many years on so many lists for so many software


dovecot -n output needed at least
sslscan host:995 would also make sense








Re: Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3

2014-11-23 Thread Reindl Harald


Am 23.11.2014 um 23:30 schrieb Robert Moskowitz:

On 11/23/2014 04:45 PM, Robert Schetterer wrote:

Am 23.11.2014 um 22:33 schrieb Reindl Harald:

no idea what you are talking about

K9 is a android client and works fine with TLS

no idea what https has to do with email nor why someone needs to
"disable K9 long enough" whatever long enough is - don't get me wrong
but most technical context on several lists of you if it comes to
details is cluttered and your permanent "i am working on IETF" even
makes things worse

Yeah, such descriptions are leading to confusion, speculation
k9 got mail downloaded before outlook could, no idea why somebody
should use k9 with pop3


And I did not know there was a K9 android app.  K9 like in guard dogs.


that's why you should be precise in what you are posting - in the context of 
mail K9 is for pretty much anybody 
https://play.google.com/store/apps/details?id=com.fsck.k9



The default settings only allow https stuff on port 443.  Must be some
attempt to get around controls to use TLS on any other port.


uhm, telnet server port is still the way to go *before* starting other 
debugging, if that doesn't work there is no need to try a high level client until 
that problem is solved






