Re: email location - files or sql
On 2/25/22 12:51, Chris Bennett wrote:
> On Wed, Feb 23, 2022 at 08:48:11PM -0500, Robert Moskowitz wrote:
>> I liked Maildir at the time and still do. Only a 1,000+ emails a day. My wife keeps a lot (10K messages) on the server, I keep all of my various boxes on the server small. So do my other users.
>>
>>> Personally, I would not use a relational database as a mail store unless specifically required by the mail system of your choice. Email is not organised in a way that benefits from a RDB.
>>
>> I was there for the beginning of RDB. Almost had NOMAD shoved down my throat (UNIVAC) and did work with RIM (BCS) then R:Base. Was gamma release site of DB2, where we worked out how to do a UNION which was not supported in the original design.
>>
>> I have seen email systems that stuff the messages into RDB and really wonder if the hammer really fits.
>
> What is the opinion on repairs to problems that occur? Easier to fix in a DB? That does give a simple set of fixed points and dates to make repairs simple. I backup into a tar.gz and that preserves a timepoint, but how in the heck could I fix a problem that occurs? That seems like a nightmare problem. Does anyone have any method to do that? I'd love to know that if it exists.
>
> I love Maildir, but the backups are very large. I don't have a huge set of emails, but downloading a copy to home instead of my other server is a big task. Since I use a single ISP and once had a company shut down all servers, which makes me nervous.

I have used a simple rsync with --delete to maintain a backup of the maildir directories. rsync is run via cron. You stop postfix, wait a bit, rsync, then restart postfix.

But recently, partly to do migration, one person pointed out that he uses Dovecot on the backup server to just use imap to replicate the mail store.

I have to learn how to do this...

Re: email location - files or sql
Wondered about that. Other reasons not to go with iRedMail.

On 2/23/22 21:01, Lucas Rolff wrote:
> iRedMail does not store emails in a database. It stores account information in a database. Emails are stored on the filesystem.
>
> Get Outlook for iOS <https://aka.ms/o0ukef>
>
> *From:* dovecot on behalf of Robert Moskowitz
> *Sent:* Thursday, February 24, 2022 9:48:11 AM
> *To:* dovecot@dovecot.org
> *Subject:* Re: email location - files or sql
>
> On 2/23/22 19:12, Ralph Seichter wrote:
> > * Robert Moskowitz:
> >
> >> What I am seeing is that many of the packages seem to roll the messages into some SQL database.
> > Do they?
>
> Packages like iRedMail list email stored in the database of your choice. Of course this is just their web blurb, and I have yet to find one of these that suit my needs. More and more, I am looking at rolling my own again. Challenge has always been integrating the anti-virus. Clamav has been quite the challenge.
>
> >> My Dovecot setup uses the /home/vmail/doman/../{cur,new,etc} tree structure.
> > That's the classic Maildir format. Widely supported, works fine if file system nodes are not a scarce commodity. Dovecot supports other formats (see https://doc.dovecot.org/admin_manual/mailbox_formats/) as well, but I still use Maildir because it is required by Notmuch, which is my software of choice for handling all my mailing list subscriptions.
>
> I liked Maildir at the time and still do. Only a 1,000+ emails a day. My wife keeps a lot (10K messages) on the server, I keep all of my various boxes on the server small. So do my other users.
>
> > Personally, I would not use a relational database as a mail store unless specifically required by the mail system of your choice. Email is not organised in a way that benefits from a RDB.
>
> I was there for the beginning of RDB. Almost had NOMAD shoved down my throat (UNIVAC) and did work with RIM (BCS) then R:Base. Was gamma release site of DB2, where we worked out how to do a UNION which was not supported in the original design.
>
> I have seen email systems that stuff the messages into RDB and really wonder if the hammer really fits.
>
> >> Is there some nice packed mailserver I can drop on a Centos-arm server that has Dovecot under the covers and I can easily rsync my current mail store to it?
> > As far as migrating content is concerned, you're better off using some form of IMAP synchronisation. This method is not dependent on the underlying mail store format, and it preserves the IMAP flags for your existing messages.
>
> I did see that mentioned once, and have down to research it. Thanks for the pointer.

Re: email location - files or sql
On 2/23/22 19:12, Ralph Seichter wrote:
> * Robert Moskowitz:
>
>> What I am seeing is that many of the packages seem to roll the messages into some SQL database.
> Do they?

Packages like iRedMail list email stored in the database of your choice. Of course this is just their web blurb, and I have yet to find one of these that suit my needs. More and more, I am looking at rolling my own again. Challenge has always been integrating the anti-virus. Clamav has been quite the challenge.

>> My Dovecot setup uses the /home/vmail/doman/../{cur,new,etc} tree structure.
> That's the classic Maildir format. Widely supported, works fine if file system nodes are not a scarce commodity. Dovecot supports other formats (see https://doc.dovecot.org/admin_manual/mailbox_formats/) as well, but I still use Maildir because it is required by Notmuch, which is my software of choice for handling all my mailing list subscriptions.

I liked Maildir at the time and still do. Only a 1,000+ emails a day. My wife keeps a lot (10K messages) on the server, I keep all of my various boxes on the server small. So do my other users.

> Personally, I would not use a relational database as a mail store unless specifically required by the mail system of your choice. Email is not organised in a way that benefits from a RDB.

I was there for the beginning of RDB. Almost had NOMAD shoved down my throat (UNIVAC) and did work with RIM (BCS) then R:Base. Was gamma release site of DB2, where we worked out how to do a UNION which was not supported in the original design.

I have seen email systems that stuff the messages into RDB and really wonder if the hammer really fits.

>> Is there some nice packed mailserver I can drop on a Centos-arm server that has Dovecot under the covers and I can easily rsync my current mail store to it?
> As far as migrating content is concerned, you're better off using some form of IMAP synchronisation. This method is not dependent on the underlying mail store format, and it preserves the IMAP flags for your existing messages.

I did see that mentioned once, and have down to research it. Thanks for the pointer.

email location - files or sql
I have been running a Dovecot based mail server for over 10 years and it is time (really past) to upgrade.

I really don't want to roll my own anymore. Too much time and too many skills needed. Time to retire. But still want it 'in-house'.

What I am seeing is that many of the packages seem to roll the messages into some SQL database. My Dovecot setup uses the /home/vmail/doman/../{cur,new,etc} tree structure.

Is there any pros vs cons on this that I can read?

Is there some nice packed mailserver I can drop on a Centos-arm server that has Dovecot under the covers and I can easily rsync my current mail store to it?

Mail-in-a-box looks interesting. But I have not figured out its internals and if I have to worry about anything compiled for arm that is not part of the distro.

Thanks in advance for help.

Re: Using SHA256/512 for SQL based password
On 2/20/19 5:09 AM, Yassine Chaouche via dovecot wrote:
> On 2/12/19 5:05 PM, Robert Moskowitz via dovecot wrote:
>> I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:
>> [...]
>> default_pass_scheme = SHAxxx-CRYPT
>> [...]
>
> How do your users change their password ?

Many never do! Those that do, use the Roundcube plugin, or ask me to change their password via the Postfixadmin manager. Sigh.

> Here's how I configured my roundcube's password plugin to keep things together ($roundcubefolder/plugins/password/config.php)
>
> $config['password_algorithm'] = 'dovecot';
> $config['password_algorithm_prefix'] = '{SHA512-CRYPT}';
> $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
> $config['password_query'] = "UPDATE mail.users SET password=%P WHERE email=%u LIMIT 1";
>
> I left other fields alone.
>
> Yassine.

Thanks, much better info than I was seeing in my googling. Except I would not use %p:

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
// %p is replaced with the plaintext new password
// %c is replaced with the crypt version of the new password, MD5 if available
//    otherwise DES.
// %D is replaced with the dovecotpw-crypted version of the new password
// %o is replaced with the password before the change
// %n is replaced with the hashed version of the new password
// %q is replaced with the hashed password before the change
// %h is replaced with the imap host (from the session info)
// %u is replaced with the username (from the session info)
// %l is replaced with the local part of the username
//    (in case the username is an email address)
// %d is replaced with the domain part of the username
//    (in case the username is an email address)

%D seems to be what I want...

And in mysql, I believe the table is mailbox.

$rcmail_config['password_query'] = "UPDATE mailbox SET password = %D, modified = NOW() WHERE username = %u";

I got from:

https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin-and-roundcube/

thanks!

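An added example, not part of any poster's message or of Dovecot/Roundcube: a small audit of stored password values that reports which accounts still hold an old-format hash after `default_pass_scheme` is changed, using the `{SCHEME}` prefix and the crypt-style `$id$` markers that appear in this thread. The function names, the accepted-scheme set and the sample rows are assumptions of this example; apart from the `{ARGON2I}` string quoted from the thread, the hash bodies are constructed placeholders.

```python
import re

# crypt(3)-style "$id$" markers for the schemes named in this thread.
CRYPT_IDS = {
    "1": "MD5-CRYPT",
    "5": "SHA256-CRYPT",
    "6": "SHA512-CRYPT",
    "argon2i": "ARGON2I",
    "argon2id": "ARGON2ID",
}
# SHA-crypt uses 5000 rounds when the hash carries no "rounds=" field.
SHA_CRYPT_DEFAULT_ROUNDS = 5000
# Dovecot-style "{SCHEME}" prefix, optionally with an encoding suffix.
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}(.*)$", re.S)
# Assumption of this example: schemes the site is willing to keep.
ACCEPTED = frozenset({"SHA512-CRYPT", "ARGON2I", "ARGON2ID"})


def parse_stored(value, default_scheme):
    """Return the declared scheme, the scheme the hash body shows, and cost parameters."""
    m = PREFIX_RE.match(value)
    if m:
        declared, body, explicit = m.group(1).upper(), m.group(2), True
    else:
        # No prefix: the value is interpreted under default_pass_scheme.
        declared, body, explicit = default_scheme.upper(), value, False

    detected, params = None, {}
    if body.startswith("$"):
        fields = body.split("$")  # fields[0] is the empty string before the first "$"
        detected = CRYPT_IDS.get(fields[1])
        if detected in ("SHA256-CRYPT", "SHA512-CRYPT"):
            rounds = SHA_CRYPT_DEFAULT_ROUNDS
            if len(fields) > 2 and fields[2].startswith("rounds="):
                digits = fields[2][len("rounds="):]
                if digits.isdigit():
                    rounds = int(digits)
            params = {"rounds": rounds}
        elif detected in ("ARGON2I", "ARGON2ID"):
            # Layout: $argon2i$v=19$m=32768,t=4,p=1$salt$hash
            for field in fields[2:4]:
                for item in field.split(","):
                    key, sep, val = item.partition("=")
                    if sep and val.isdigit():
                        params[key] = int(val)
    return {"declared": declared, "explicit": explicit,
            "detected": detected, "params": params}


def audit(rows, default_scheme, accepted=ACCEPTED):
    """Return (user, effective_scheme, reasons) for every row that needs a rehash."""
    findings = []
    for user, stored in rows:
        info = parse_stored(stored, default_scheme)
        effective = info["detected"] or info["declared"]
        reasons = []
        # The generic CRYPT label is compatible with any crypt-style body.
        if (info["detected"] and info["detected"] != info["declared"]
                and info["declared"] != "CRYPT"):
            label = "prefix" if info["explicit"] else "default_pass_scheme"
            reasons.append("%s says %s but the value is %s"
                           % (label, info["declared"], info["detected"]))
        if effective not in accepted:
            reasons.append("%s is not an accepted scheme" % effective)
        if reasons:
            findings.append((user, effective, reasons))
    return findings


# Constructed sample rows (username, password column). Hash bodies are
# placeholders, except the ARGON2I value, which is quoted from the thread.
SAMPLE_ROWS = [
    ("alice@example.org", "$1$constrct$PLACEHOLDERPLACEHOLDER12"),
    ("bob@example.org", "{SHA512-CRYPT}$6$rounds=100000$constructedsalt$PLACEHOLDER"),
    ("carol@example.org", "{SHA512-CRYPT}$6$constructedsalt$PLACEHOLDER"),
    ("dave@example.org",
     "{ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A"
     "$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk"),
    ("erin@example.org", "{SHA512-CRYPT}$1$constrct$PLACEHOLDERPLACEHOLDER12"),
]

if __name__ == "__main__":
    for user, scheme, reasons in audit(SAMPLE_ROWS, "SHA512-CRYPT"):
        print("%-20s %-12s %s" % (user, scheme, "; ".join(reasons)))
```

Accounts it reports need their password reset or rehashed at next login, since the plaintext is not recoverable from the stored value.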
Re: Using SHA256/512 for SQL based password
On 2/20/19 9:06 AM, @lbutlr via dovecot wrote:
> On 20 Feb 2019, at 06:10, Robert Moskowitz via dovecot wrote:
>> libsodium does not help with CentOS7 and Dovecot 2.3:
>
> This is what your HTML message looks like here:
>
> <https://www.dropbox.com/s/puwyqle5nwm1c9t/Screen%20Shot%202019-02-20%20at%2007.04.05.png?dl=

Thunderbird 60.4 on Fedora 28

Re: Using SHA256/512 for SQL based password
On 2/20/19 8:38 AM, Aki Tuomi wrote:
> On 20 February 2019 15:10 Robert Moskowitz via dovecot wrote:
>> On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:
>>> On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:
>>>> On 17 February 2019 at 10:38 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:
>>>>> On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:
>>>>>> Jean-Daniel Dupas via dovecot wrote:
>>>>>>> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
>>>>>>>>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
>>>>>>>>
>>>>>>>> CentOS7 is on dovecot 2.2.36:
>>>>>>>>
>>>>>>>> # doveadm pw -s ARGON2-CRYPT -p secret
>>>>>>>> Fatal: Unknown scheme: ARGON2-CRYPT
>>>>>>>> # doveadm pw -s ARGON2 -p secret
>>>>>>>> Fatal: Unknown scheme: ARGON2
>>>>>>>>
>>>>>>>> I tend to stay with the distro's rpms and not take on building and maintaining myself.
>>>>>>>
>>>>>>> And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
>>>>>>>
>>>>>>> With dovecot from the dovecot.org <http://dovecot.org> repo:
>>>>>>>
>>>>>>> # doveadm pw -s ARGON2I -p secret
>>>>>>> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
>>>>>>
>>>>>> Also from dovecot.org <http://dovecot.org> repo:
>>>>>>
>>>>>> doveadm pw -s ARGON2I -p secret
>>>>>> Fatal: Unknown scheme: ARGON2I
>>>>>>
>>>>>> Marc
>>>>>
>>>>> It works for me over here:
>>>>>
>>>>> [wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
>>>>> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Odhiambo WASHINGTON,
>>>>> Nairobi,KE
>>>>> +254 7 3200 0004/+254 7 2274 3223
>>>>> "Oh, the cruft.", grep ^[^#] :-)
>>>>
>>>> I'll check next week if and why argon is missing from ce packages.
>>>> ---
>>>> Aki Tuomi
>>>
>>> Marc, ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.
>>
>> libsodium does not help with CentOS7 and Dovecot 2.3:
>>
>> Installing : libsodium-1.0.17-1.el7.armv7hl 1/1
>> Verifying : libsodium-1.0.17-1.el7.armv7hl 1/1
>> Installed: libsodium.armv7hl 0:1.0.17-1.el7
>> Complete!
>> [root@klovia ~]# doveadm pw -s ARGON2I -p secret
>> Fatal: Unknown scheme: ARGON2I
>> [root@klovia ~]# doveadm pw -l
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
>>
>> Previously installed argon2:
>>
>> grep -n argon /var/log/yum.log*
>> /var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
>> /var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl
>
> Hi!
>
> Just installing libsodium is not enough. It's not compiled into dovecot centos7 packages because the libsodium in centos7 (not epel) is not recent enough.

It was worth the try

Re: Using SHA256/512 for SQL based password
On 2/19/19 1:50 AM, Aki Tuomi via dovecot wrote:
> On 17.2.2019 10.46, Aki Tuomi via dovecot wrote:
>> On 17 February 2019 at 10:38 Odhiambo Washington via dovecot <dovecot@dovecot.org> wrote:
>>> On Sun, 17 Feb 2019 at 11:34, Marc Weustink via dovecot <dovecot@dovecot.org> wrote:
>>>> Jean-Daniel Dupas via dovecot wrote:
>>>>> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
>>>>>>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
>>>>>>
>>>>>> CentOS7 is on dovecot 2.2.36:
>>>>>>
>>>>>> # doveadm pw -s ARGON2-CRYPT -p secret
>>>>>> Fatal: Unknown scheme: ARGON2-CRYPT
>>>>>> # doveadm pw -s ARGON2 -p secret
>>>>>> Fatal: Unknown scheme: ARGON2
>>>>>>
>>>>>> I tend to stay with the distro's rpms and not take on building and maintaining myself.
>>>>>
>>>>> And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
>>>>>
>>>>> With dovecot from the dovecot.org <http://dovecot.org> repo:
>>>>>
>>>>> # doveadm pw -s ARGON2I -p secret
>>>>> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk
>>>>
>>>> Also from dovecot.org <http://dovecot.org> repo:
>>>>
>>>> doveadm pw -s ARGON2I -p secret
>>>> Fatal: Unknown scheme: ARGON2I
>>>>
>>>> Marc
>>>
>>> It works for me over here:
>>>
>>> [wash@waridi ~]#/opt/dovecot2.3/bin/doveadm pw -s ARGON2I -p secret
>>> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$9pggnQBea9F3h3O31HoJEA$0zZZgwEuMRVZ3Mc/v6ckpalzVRVCr+GLBWnb8OrgsxU
>>>
>>> --
>>> Best regards,
>>> Odhiambo WASHINGTON,
>>> Nairobi,KE
>>> +254 7 3200 0004/+254 7 2274 3223
>>> "Oh, the cruft.", grep ^[^#] :-)
>>
>> I'll check next week if and why argon is missing from ce packages.
>> ---
>> Aki Tuomi
>
> Marc, ARGON2 is supported only on Debian Stretch and Ubuntu 18 for dovecot, due to libsodium.

libsodium does not help with CentOS7 and Dovecot 2.3:

Installing : libsodium-1.0.17-1.el7.armv7hl 1/1
Verifying : libsodium-1.0.17-1.el7.armv7hl 1/1
Installed: libsodium.armv7hl 0:1.0.17-1.el7
Complete!
[root@klovia ~]# doveadm pw -s ARGON2I -p secret
Fatal: Unknown scheme: ARGON2I
[root@klovia ~]# doveadm pw -l
MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT

Previously installed argon2:

grep -n argon /var/log/yum.log*
/var/log/yum.log:128:Feb 13 09:01:01 Installed: libargon2-20161029-2.el7.armv7hl
/var/log/yum.log:129:Feb 13 09:01:01 Installed: argon2-20161029-2.el7.armv7hl

Re: Quota count and clone questions
I figured out that I can't just drop maintaining quota2 if I want postfixadmin to report the quota status.

I also figured out a way to run a test on my config guesses. I will try to fit it in today, or tomorrow.

But any advice to the questions below are welcomed!

On 2/13/19 8:53 PM, Robert Moskowitz via dovecot wrote:
> all this almost reads like I can drop maintaining the quota2 table?
>
> From https://wiki.dovecot.org/Quota/Count
>
> mailbox_list_index = yes
>
> # Avoid spending excessive time waiting for the quota calculation to finish when
> # mails' vsizes aren't already cached. If this many mails are opened, finish the
> # quota calculation on background in indexer-worker process. Mail deliveries will
> # be assumed to succeed, and explicit quota lookups will return internal error.
> mail_vsize_bg_after_count = 100
>
> seems to belong in 10-mail.conf. That is where those var are shown. But:
>
> plugin {
>   # 10MB quota limit
>   quota = count:User quota
>   quota_rule = *:storage=10M
>
>   # This is required - it uses "virtual sizes" rather than "physical sizes" for quota counting:
>   quota_vsizes = yes
> }
>
> I am having problems with. Right now for quota I have:
>
> plugin {
>   quota = dict:user::proxy::sqlquota
>   trash = /etc/dovecot/dovecot-trash.conf.ext
> }
>
> How do I reconcile these two?
>
> Then for clone: https://wiki.dovecot.org/Plugins/QuotaClone
>
> how does:
>
> mail_plugins = $mail_plugins quota quota_clone
>
> plugin {
>   quota_clone_dict = redis:host=127.0.0.1:port=6379
> }
>
> get replaced with something for mysql?
>
> dovecot-sql.conf.ext:
>
> driver = mysql
> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
> default_pass_scheme = $cryptsha-CRYPT
> # following should all be on one line.
> password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
> # following should all be on one line
> user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
>
> and dovecot-dict-sql.conf.ext:
>
> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
> map {
>   pattern = priv/quota/storage
>   table = quota2
>   username_field = username
>   value_field = bytes
> }
> map {
>   pattern = priv/quota/messages
>   table = quota2
>   username_field = username
>   value_field = messages
> }
>
> thanks

Quota count and clone questions
all this almost reads like I can drop maintaining the quota2 table?

From https://wiki.dovecot.org/Quota/Count

mailbox_list_index = yes

# Avoid spending excessive time waiting for the quota calculation to finish when
# mails' vsizes aren't already cached. If this many mails are opened, finish the
# quota calculation on background in indexer-worker process. Mail deliveries will
# be assumed to succeed, and explicit quota lookups will return internal error.
mail_vsize_bg_after_count = 100

seems to belong in 10-mail.conf. That is where those var are shown. But:

plugin {
  # 10MB quota limit
  quota = count:User quota
  quota_rule = *:storage=10M

  # This is required - it uses "virtual sizes" rather than "physical sizes" for quota counting:
  quota_vsizes = yes
}

I am having problems with. Right now for quota I have:

plugin {
  quota = dict:user::proxy::sqlquota
  trash = /etc/dovecot/dovecot-trash.conf.ext
}

How do I reconcile these two?

Then for clone: https://wiki.dovecot.org/Plugins/QuotaClone

how does:

mail_plugins = $mail_plugins quota quota_clone

plugin {
  quota_clone_dict = redis:host=127.0.0.1:port=6379
}

get replaced with something for mysql?

dovecot-sql.conf.ext:

driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
default_pass_scheme = $cryptsha-CRYPT
# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

and dovecot-dict-sql.conf.ext:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}

thanks

Re: Maintaining table quota2
On 2/13/19 6:51 PM, Benny Pedersen via dovecot wrote:
> Robert Moskowitz via dovecot wrote on 2019-02-14 00:22:
>> Am I 'getting it'?
>
> 15- is loaded before 20-
>
> check dovecot -n always gives wanted results

Yes, that I see. But local.conf is loaded after 15- and 20-. If any of these have a mail-plugins line (All such lines are commented out in the default conf.d directory, though), would any 'global' setting of mail_plugins in local.conf be applied? I am guessing not, as it would come too late in the conf processing.

Of course CURRENTLY, all mail_plugins lines in the conf.d directory ARE just comments.

Re: Maintaining table quota2
More on 'global' local section:

If there was

!include_try global_local.conf

before the

!include_try local.conf

It would have things like:

# dovecot.conf
protocols = imap pop3 lmtp sieve
dict {
  sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}

On 2/13/19 1:51 AM, Aki Tuomi wrote:
> On 13.2.2019 2.02, Robert Moskowitz via dovecot wrote:
>> On 2/12/19 1:57 PM, Aki Tuomi wrote:
>>> On 12 February 2019 at 20:52 Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
>>>> On 2/12/19 1:03 PM, Aki Tuomi via dovecot wrote:
>>>>> Dovecot keeps the quota current, although dict quota has been known to be bit bad at this. We nowadays recommend using count quota instead and use quota_clone to copy the quota state to database. It is more accurate.
>>>>
>>>> And how is this recommendation implemented? All I have are my old notes and what google is finding for me... Please give me some pointers.
>>>>
>>>> thanks
>>>
>>> https://wiki.dovecot.org/Quota/Count
>>> https://wiki.dovecot.org/Plugins/QuotaClone
>>>
>>> and the recommendation is under https://wiki.dovecot.org/Quota
>>
>> I have been spending effort today reading up on this and searching on a couple questions.
>>
>> For my additions to 20-imap.conf I have:
>>
>> imap_client_workarounds = delay-newmail
>> protocol imap {
>>   mail_plugins = quota imap_quota trash
>> }
>>
>> I see that the mail_plugin quota is moved to 10-mail.conf. No biggie there. But what about trash?
>>
>> And I tried to find documentation on imap_client_workarounds and all I have found is in:
>>
>> https://wiki.dovecot.org/QuickConfiguration#Client_Workarounds
>>
>> "Check imap_client_workarounds and pop3_client_workarounds and see if you want to enable more of them than the defaults.
>>
>> ? With no link about where to learn more.
>>
>> Where does quota count go? Just dovecot.conf or one of the numbered conf additions?
>>
>> https://wiki.dovecot.org/Quota/Count
>>
>> Also is there a way to compute the count for all users? I am migrating the maildir and rebuilding the sql database. I see:
>>
>> doveadm mailbox status -u user@domain vsize '*'
>>
>> But do I do that for each user in each domain or is that '*' there to run it on all users?
>>
>> I think this will get me started.
>
> You probably should configure quota plugin globally, if you want LMTP/LDA deliveries to update quota.
>
> The quota count can be recalculated with doveadm quota recalc
>
> Aki

Re: Maintaining table quota2
On 2/13/19 1:51 AM, Aki Tuomi wrote:
> On 13.2.2019 2.02, Robert Moskowitz via dovecot wrote:
>> On 2/12/19 1:57 PM, Aki Tuomi wrote:
>>> On 12 February 2019 at 20:52 Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
>>>> On 2/12/19 1:03 PM, Aki Tuomi via dovecot wrote:
>>>>> Dovecot keeps the quota current, although dict quota has been known to be bit bad at this. We nowadays recommend using count quota instead and use quota_clone to copy the quota state to database. It is more accurate.
>>>>
>>>> And how is this recommendation implemented? All I have are my old notes and what google is finding for me... Please give me some pointers.
>>>>
>>>> thanks
>>>
>>> https://wiki.dovecot.org/Quota/Count
>>> https://wiki.dovecot.org/Plugins/QuotaClone
>>>
>>> and the recommendation is under https://wiki.dovecot.org/Quota
>>
>> I have been spending effort today reading up on this and searching on a couple questions.
>>
>> For my additions to 20-imap.conf I have:
>>
>> imap_client_workarounds = delay-newmail
>> protocol imap {
>>   mail_plugins = quota imap_quota trash
>> }
>>
>> I see that the mail_plugin quota is moved to 10-mail.conf. No biggie there. But what about trash?
>>
>> And I tried to find documentation on imap_client_workarounds and all I have found is in:
>>
>> https://wiki.dovecot.org/QuickConfiguration#Client_Workarounds
>>
>> "Check imap_client_workarounds and pop3_client_workarounds and see if you want to enable more of them than the defaults.
>>
>> ? With no link about where to learn more.
>>
>> Where does quota count go? Just dovecot.conf or one of the numbered conf additions?
>>
>> https://wiki.dovecot.org/Quota/Count
>>
>> Also is there a way to compute the count for all users? I am migrating the maildir and rebuilding the sql database. I see:
>>
>> doveadm mailbox status -u user@domain vsize '*'
>>
>> But do I do that for each user in each domain or is that '*' there to run it on all users?
>>
>> I think this will get me started.
>
> You probably should configure quota plugin globally, if you want LMTP/LDA deliveries to update quota.

hmm. This is a bit of an eye-opening statement.

My current practice is not to modify all of the various conf.d files, but rather to have a local.conf that has sections for each one that I want to customize. Basically keeping what is provided then having custom overrides in one place like:

# 20-pop3.conf
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocol pop3 {
  mail_plugins = quota
}

I think what I should be learning here is to start my local.conf with:

mail_plugins = quota

then 15-lda section says:

# 15-lda.conf
postmaster_address = postmas...@htt-consult.com
protocol lda {
  mail_plugins = $mail_plugins sieve
}
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes

Am I 'getting it'?

Also 20-lmtp only has:

# 20-lmtp.conf
lmtp_save_to_detail_mailbox = yes
protocol lmtp {
  mail_plugins = sieve
}

Again, it seems from your comment that should be:

mail_plugins = $mail_plugins sieve

Finally, I am putting all my additions in local.conf. This is included via the LAST line in dovecot.conf. It seems that there should be a !include_try global.conf at the beginning of dovecot.conf, or some such name. Perhaps local_global.conf

> The quota count can be recalculated with doveadm quota recalc

I will dig into this doveadm function.

thanks

> Aki

Re: Using SHA256/512 for SQL based password
On 2/13/19 10:53 AM, Jean-Daniel Dupas via dovecot wrote:
> On 13 Feb 2019 at 14:54, Robert Moskowitz via dovecot <dovecot@dovecot.org> wrote:
>> On 2/13/19 8:30 AM, Aki Tuomi wrote:
>>> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>>>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>>>> On 13 February 2019 00:34:15, Robert Moskowitz <r...@htt-consult.com> wrote:
>>>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>>>> I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:
>>>>>>>
>>>>>>> you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.
>>>>>>
>>>>>> Recommended by whom? Can you provide a link?
>>>>>
>>>>> Sure, please see here:
>>>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>>>
>>>>>> And if I was adventurous about hashes, I would be looking more at Keccak. Check out my Internet Draft:
>>>>>>
>>>>>> draft-moskowitz-small-crypto-00.txt
>>>>>
>>>>> Thanks for the tip, will have a look into it.
>>>>
>>>> Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).
>>>>
>>>> Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:
>>>>
>>>> # doveadm pw -l
>>>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
>>>>
>>>> Of course SHA3 is not listed either...
>>>
>>> ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.
>>
>> CentOS7 is on dovecot 2.2.36:
>>
>> # doveadm pw -s ARGON2-CRYPT -p secret
>> Fatal: Unknown scheme: ARGON2-CRYPT
>> # doveadm pw -s ARGON2 -p secret
>> Fatal: Unknown scheme: ARGON2
>>
>> I tend to stay with the distro's rpms and not take on building and maintaining myself.
>
> And for the record, the hash names are ARGON2I and ARGON2ID (see doveadm pw -l )
>
> With dovecot from the dovecot.org <http://dovecot.org> repo:
>
> # doveadm pw -s ARGON2I -p secret
> {ARGON2I}$argon2i$v=19$m=32768,t=4,p=1$bt96TSr3nVrho2SRhnNP0A$h7LYiqkw/4s6d1d+0Xpe+VUE3aISPnkYq/R7QqPRntk

For those with dovecot v 2.3

I will note this for the future.

Re: Using SHA256/512 for SQL based password
On 2/13/19 8:30 AM, Aki Tuomi wrote:
> On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote:
>> On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote:
>>> On 13 February 2019 00:34:15, Robert Moskowitz wrote:
>>>> On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote:
>>>>> On 12.02.2019 at 17:05, Robert Moskowitz via dovecot wrote:
>>>>>> I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:
>>>>>
>>>>> you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments.
>>>>
>>>> Recommended by whom? Can you provide a link?
>>>
>>> Sure, please see here:
>>> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
>>>
>>>> And if I was adventurous about hashes, I would be looking more at Keccak. Check out my Internet Draft:
>>>>
>>>> draft-moskowitz-small-crypto-00.txt
>>>
>>> Thanks for the tip, will have a look into it.
>>
>> Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength).
>>
>> Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system:
>>
>> # doveadm pw -l
>> MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT
>>
>> Of course SHA3 is not listed either...
>
> ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support.

I just found an Argon2 binary for CentOS7:

Installing:
 argon2 armv7hl 20161029-2.el7 epel 22 k
Installing for dependencies:
 libargon2 armv7hl 20161029-2.el7 epel 26 k

How do I get Dovecot 2.2 to use it?

Re: Using SHA256/512 for SQL based password
On 2/13/19 8:30 AM, Aki Tuomi wrote: On 13.2.2019 15.18, Robert Moskowitz via dovecot wrote: On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote: Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz : On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote: Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom? Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet And if I was adventurous about hashes, I would be looking more at Keccak. Check out my Internet Draft: draft-moskowitz-small-crypto-00.txt Thanks for the tip, will have a look for into it. Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength). Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system: # doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT Of course SHA3 is not listed either... ARGON2 support is added in dovecot v2.3. It also needs to be enabled when compiling dovecot, so varying from packagers it might or not be available. The CRYPT ones are available if crypt(3) supports them. In dovecot v2.3 we have added bcrypt support regardless of crypt(3) support. 
CentOS7 is on dovecot 2.2.36:

# doveadm pw -s ARGON2-CRYPT -p secret
Fatal: Unknown scheme: ARGON2-CRYPT
# doveadm pw -s ARGON2 -p secret
Fatal: Unknown scheme: ARGON2

I tend to stay with the distro's rpms and not take on building and maintaining myself.
Re: Using SHA256/512 for SQL based password
On 2/13/19 1:23 AM, Matthias Fechner via dovecot wrote: Am 13. Februar 2019 00:34:15 schrieb Robert Moskowitz : On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote: Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom? Can you provide a link? Sure, please see here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet And if I was adventurous about hashes, I would be looking more at Keccak. Check out my Internet Draft: draft-moskowitz-small-crypto-00.txt Thanks for the tip, will have a look for into it. Keccak is a general hashing function. It was the first? of the hashing 'sponge' functions, that many have followed. It is the basis of SHA3 (at Keccak's greatest strength). Argon2 seems to be special-built for password hashing. Thing is it is not supported on my CentOS7 system: # doveadm pw -l MD5 MD5-CRYPT SHA SHA1 SHA256 SHA512 SMD5 SSHA SSHA256 SSHA512 PLAIN CLEAR CLEARTEXT PLAIN-TRUNC CRAM-MD5 SCRAM-SHA-1 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 PLAIN-MD5 LDAP-MD5 LANMAN NTLM OTP SKEY RPA PBKDF2 CRYPT SHA256-CRYPT SHA512-CRYPT Of course SHA3 is not listed either...
Re: Using SHA256/512 for SQL based password
On 2/12/19 7:16 PM, Michael Slusarz via dovecot wrote: On February 12, 2019 at 4:33 PM Robert Moskowitz via dovecot wrote: On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote: Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom? Can you provide a link? https://password-hashing.net/ Thank you very interesting. I will read draft-irtf-cfrg-argon2-04.txt And see the comments on the cfrg list. Russ Housley had concerns about the 03 draft; I will have to see if they are addressed in the 04 draft. I really don't like SHA512, a bit of a hack that was rushed out before SHA3.
Re: Maintaining table quota2
On 2/12/19 1:57 PM, Aki Tuomi wrote: On 12 February 2019 at 20:52 Robert Moskowitz via dovecot < dovecot@dovecot.org <mailto:dovecot@dovecot.org>> wrote: On 2/12/19 1:03 PM, Aki Tuomi via dovecot wrote: Dovecot keeps the quota current, although dict quota has been known to be bit bad at this. We nowadays recommend using count quota instead and use quota_clone to copy the quota state to database. It is more accurate. And how is this recommendation implemented? All I have are my old notes and what google is finding for me... Please give me some pointers. thanks https://wiki.dovecot.org/Quota/Count https://wiki.dovecot.org/Plugins/QuotaClone and the recommendation is under https://wiki.dovecot.org/Quota I have been spending effort today reading up on this and searching on a couple questions. For my additions to 20-imap.conf I have: imap_client_workarounds = delay-newmail protocol imap { mail_plugins = quota imap_quota trash } I see that the mail_plugin quota is moved to 10-mail.conf. No biggie there. But what about trash? And I tried to find documentation on imap_client_workarounds and all I have found is in: https://wiki.dovecot.org/QuickConfiguration#Client_Workarounds "Check imap_client_workarounds and pop3_client_workarounds and see if you want to enable more of them than the defaults. ? With no link about where to learn more. Where does quota count go? Just dovecot.conf or one of the numbered conf addtions? https://wiki.dovecot.org/Quota/Count Also is there a way to compute the count for all users? I am migrating the maildir and rebuilding the sql database. I see: doveadm mailbox status -u user@domain vsize '*' But do I do that for each user in each domain or is that '*' there to run it on all users? I think this will get me started.
Re: Using SHA256/512 for SQL based password
On 2/12/19 6:03 PM, Matthias Fechner via dovecot wrote: Am 12.02.2019 um 17:05 schrieb Robert Moskowitz via dovecot: I have trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is: you maybe would like to have a look to the hashing algo ARGON2I which is currently recommended for new developments and deployments. Recommended by whom? Can you provide a link? And if I was adventurous about hashes, I would be looking more at Keccak. Check out my Internet Draft: draft-moskowitz-small-crypto-00.txt
Re: Maintaining table quota2
On 2/12/19 1:03 PM, Aki Tuomi via dovecot wrote: On 12 February 2019 at 19:55 Robert Moskowitz via dovecot wrote: On 2/12/19 12:38 PM, Aki Tuomi via dovecot wrote: On 12 February 2019 at 18:23 Robert Moskowitz via dovecot wrote: Does dovecot compute that values for quota2 with each email it updates for the user? Or only an incremental change? I ask because I am looking at migrating all the user mail from the old server to the new and building a new sql database. All I see is: dovecot-dict-sql.conf.ext: connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password map { pattern = priv/quota/storage table = quota2 username_field = username value_field = bytes } map { pattern = priv/quota/messages table = quota2 username_field = username value_field = messages } what is actually done with this table? thanks dict-sql converts the mappings into SQL statements. But does dovecot check out the current bytes used and # of messages and resets quota2, or only uses this latest operation (add message, delete message...) to adjust quota2? If the later how to reset quota2 to the current reality? thanks Dovecot keeps the quota current, although dict quota has been known to be bit bad at this. We nowadays recommend using count quota instead and use quota_clone to copy the quota state to database. It is more accurate. And how is this recommendation implemented? All I have are my old notes and what google is finding for me... Please give me some pointers. thanks
Re: Maintaining table quota2
On 2/12/19 12:38 PM, Aki Tuomi via dovecot wrote: On 12 February 2019 at 18:23 Robert Moskowitz via dovecot wrote: Does dovecot compute that values for quota2 with each email it updates for the user? Or only an incremental change? I ask because I am looking at migrating all the user mail from the old server to the new and building a new sql database. All I see is: dovecot-dict-sql.conf.ext: connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password map { pattern = priv/quota/storage table = quota2 username_field = username value_field = bytes } map { pattern = priv/quota/messages table = quota2 username_field = username value_field = messages } what is actually done with this table? thanks dict-sql converts the mappings into SQL statements. But does dovecot check out the current bytes used and # of messages and resets quota2, or only uses this latest operation (add message, delete message...) to adjust quota2? If the later how to reset quota2 to the current reality? thanks
Maintaining table quota2
Does dovecot compute the values for quota2 with each email it updates for the user? Or only an incremental change?

I ask because I am looking at migrating all the user mail from the old server to the new and building a new sql database. All I see is:

dovecot-dict-sql.conf.ext:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}

what is actually done with this table?

thanks
Using SHA256/512 for SQL based password
I have been trying to find how to set the dovecot-sql.conf for using SHA256/512. I am going to start clean with the stronger format, not migrate from the old MD5. It seems all I need is:

driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=$Postfix_Database_Password
default_pass_scheme = SHAxxx-CRYPT
# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

where xxx is either 256 or 512.

All the rest I have been finding in my searches concern converting the format and are not needed for a clean start?

thanks
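A clean start with SHA256/512-CRYPT is only clean if no older hash is copied into the rebuilt mailbox table, so the password column is worth auditing after the migration. The following is an added example, not part of the original post: the function names and sample rows are constructed for illustration, and classification relies on the crypt(3) salt prefixes ($1$, $5$, $6$) and Dovecot's optional {SCHEME} label.

```python
import re

# crypt(3) picks the algorithm from the salt prefix of the stored hash, so the
# prefix (not default_pass_scheme) shows what a row really contains.
CRYPT_PREFIXES = (
    ("$1$", "MD5-CRYPT"),
    ("$5$", "SHA256-CRYPT"),
    ("$6$", "SHA512-CRYPT"),
)

# Dovecot lets a row override default_pass_scheme with a "{SCHEME}" label,
# optionally followed by an encoding suffix, e.g. "{SSHA256.hex}".
BRACED = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.(?:b64|base64|hex))?\}(.*)$", re.S)

# Schemes the post intends to allow after the clean start.
ALLOWED = {"SHA256-CRYPT", "SHA512-CRYPT"}


def scheme_of(stored):
    """Return (scheme, note) for one value of the password column."""
    declared, body = None, stored
    m = BRACED.match(stored)
    if m:
        declared, body = m.group(1).upper(), m.group(2)
    for prefix, name in CRYPT_PREFIXES:
        if body.startswith(prefix):
            note = ""
            # A label that disagrees with the hash body hides a weak hash
            # behind a strong-looking scheme name.
            if declared not in (None, name, "CRYPT"):
                note = "labelled " + declared
            return name, note
    if declared:
        return declared, ""
    return "UNKNOWN", "no {SCHEME} label or crypt prefix"


def weak_accounts(rows, allowed=ALLOWED):
    """rows: iterable of (username, stored_password) from the mailbox table."""
    findings = []
    for username, stored in rows:
        scheme, note = scheme_of(stored)
        if scheme not in allowed or note:
            findings.append((username, scheme, note))
    return findings


# Constructed rows (not real hashes): salts and digests are filler characters.
SAMPLE_ROWS = [
    ("alice@example.org", "$6$cnstrctdsalt$" + "A" * 86),
    ("bob@example.org", "{SHA256-CRYPT}$5$cnstrctdsalt$" + "B" * 43),
    ("carol@example.org", "$1$oldsalt$" + "C" * 22),
    ("dave@example.org", "{SHA512-CRYPT}$1$oldsalt$" + "D" * 22),
    ("erin@example.org", "{PLAIN-MD5}" + "e" * 32),
    ("frank@example.org", "f" * 32),
]

if __name__ == "__main__":
    for username, scheme, note in weak_accounts(SAMPLE_ROWS):
        print(f"{username}: {scheme} {note}".rstrip())
```

In practice the rows would come from `SELECT username, password FROM mailbox`, the table and columns used in the password_query above.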
Re: How to backup maildir
On 2/10/19 8:21 AM, Christoph Haas wrote: Hello Robert, [... snip ...] of course I'm totally with you: asking other people for help, is often a good - if even not the only way to getting things done. It was not my intention to insult you! I hope this did not come in to your mind ... You did not insult me at all. I have taken stronger barbs over the years! Personally I would have a look at the mentioned Dovecot-backup-script as a start. It does really a very good job! Cudos to Klaus Tachtler! That is on top of my list. Thanks for the pointer. Another option could be, to sync your mail via mbsync/isync or offlineimap to your Notebook ... but as an alternative backup, it depends on how many users are on your Dovecot-server. I have 4 domains., 20+ users. Small stuff. I suspect that would only work for me, and I have my processes in place. In a second cycle, you can then extend or modify this script - as I have been doing. But you should bear in mind, that you should have at least 2-3 replicas of your data on different storage, for having a good backup. The local image is for 'fast' backup. This will then be rsynced to a server in my neighbor's house (we have ethernet between us. He lunches off my ISP connection, he hosts my 'offsite' backups). Cheers Christoph.
Re: How to backup maildir
On 2/10/19 2:24 AM, Christoph Haas via dovecot wrote: Hello Robert, - Nachricht von Robert Moskowitz via dovecot - Datum: Sat, 9 Feb 2019 22:50:24 -0500 Von: Robert Moskowitz via dovecot Antwort an: Robert Moskowitz , Dovecot Mailing List Betreff: How to backup maildir An: Dovecot Mailing List I have been thinking, and reading, on how to back up my mailserver. I have not found any approach that seems ready to use. I have run years without any backup, but would really like to have something in place. you're a really lucky guy! - I've been struck in the past for such carelessness on the one or other machine with dataloss ;-) Absolute laziness. No real excuse. Also all users were POPing until 2 years ago. Finally got everyone on IMAP just in the last year. So a server loss would have been an inconvenience. For myself, almost nothing in the IMAP store, everything in local folders that I have a separate backup procedure. I figure I can attach a USB drive and backup to that, then from there rsync to something elsewhere. Further if that USB drive is a full mailserver image, I actually have a 'hot backup' where I only have to put the backup drive into a system and boot up at the last backup. But this means properly copying all of /home/vmail and probably /home/sieve plus the /var/lib/mysql Are you aware of the dovecot command "dsync"? (man dsync or https://wiki.dovecot.org/Tools/Doveadm/Sync) This could be an approach of using dsync: dsync backup -o plugin/quota= -f -u $user backup maildir:/mnt/USB/dovecot-backup/Maildir/$user/mail My search foo is weak. This is a long documented fact. I did spend a number of hours searching and reading before opening my mouth here, fully expecting to put more than my toes in. I will read up on dsync. Are there good tools that nicely does this? Or do I choose a time late at night (only I am sometimes in non-US timezones) to shut down all services and just use rsync? And stopping services itself is thought provoking. 
What if Dovecot, amavis, mysql, or whatelse is in the middle of writing out a mail file what happens to that file and restart. Just scary stuff and, in part, why I have never tackled this in the past. thanks for all feedback - Ende der Nachricht von Robert Moskowitz via dovecot - It really depends on how important your data is to you ... But you should really think about a general backup-strategy! "Mr. Google" can help you to get some ideas how YOUR backup-strategy could look like... Also there is much input for backing up dovecot with it's different mail storage flavours. - But you have to invest some effort on your own, to search, read, evaluate and finally choose what's fitting into YOUR setup! I have been and have been searching. Some hits, but so far nothing was hitting the spot. But, I will blame my dyslexia that my search foo is weak. But as an starting point: I'm using a for _MY setup_ modified and adopted version of Klaus Tachtler's dovecot-backup script: https://github.com/tachtler/dovecot-backup/blob/master/dovecot_backup.sh ... mixed it with Borg Backup: https://www.borgbackup.org/ ... some further encryption, cloud storage and ... and ... and other stuff. I will check both of these. But as above mentioned: YOU have to think about the grade of your paranoia level, how importand the data is to you in case of an data loss, time and money you are willing to invest and build upon this YOUR PERSONAL backup strategy. - Sadly there is no one-size-fits-all! If there was, we would not be here, I suspect. Last famous words: I've looked at your vita and was wondering about your post - you were writing RFCs, but have no clue about backing up your mail-data??? Strange ... MY mail is well backed up. Locally so that I can read on a plane and the like. I have been running one flavor or another of my own mail server since '95. I switched to dovecot 6 years ago. My home file server is backed up 4 ways around. 
And I have lost file servers and file server drives over the years. Upgrading my file server is the next project. But I write RFCs. I have been using geany for XML for a few years. I 'code' in English. I have not written computer code since probably the late 80s. I never coded in C, but I did use B for a while! These days I can write simple scripts when forced to. :) My 'spare' time these days is working with armv7 boards. I have been using Cubietech since '13, recently got an Odroid HC1 and that is what this server will be. For the most part you will find me on the Centos/Fedora lists and their arm lists. Occasionally I will put on my Kevlar suit and ask something basic on a product list. But as a result of doing this, recently there is a new SElinux policy for permitting D
How to backup maildir
I have been thinking, and reading, on how to back up my mailserver. I have not found any approach that seems ready to use. I have run years without any backup, but would really like to have something in place.

I figure I can attach a USB drive and backup to that, then from there rsync to something elsewhere. Further if that USB drive is a full mailserver image, I actually have a 'hot backup' where I only have to put the backup drive into a system and boot up at the last backup.

But this means properly copying all of /home/vmail and probably /home/sieve plus the /var/lib/mysql

Are there good tools that nicely do this? Or do I choose a time late at night (only I am sometimes in non-US timezones) to shut down all services and just use rsync?

And stopping services itself is thought provoking. What if Dovecot, amavis, mysql, or whatever else is in the middle of writing out a mail file, what happens to that file and restart. Just scary stuff and, in part, why I have never tackled this in the past.

thanks for all feedback
Really solved - Re: Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
This is an old issue, but I am building a new system and hit this problem all over again. This time, I asked for help from the SELinux list, as googling did not find anything new. What resulted was a policy to allow dovecot to connect to mysql.sock:

yum install policycoreutils
cat > dovecot_mysql.te << \EOF
policy_module(dovecot_mysql,1.0.0)

gen_require(`
    type dovecot_t;
')

mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF
# The devel Makefile used below ships in the selinux-policy-devel package.
make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp

If you are using a TCP connection over 127.0.0.1, then it is simpler:

echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil
semodule -i dovecot-mysql.cil

sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;

Enjoy!

On 4/7/17 11:12 AM, Robert Moskowitz wrote:
> I reread my sql.conf.ext files and realized they were actually connecting to localhost. So I did some googling, and found how to connect to the socket:
>
> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password
>
> And all fixed. No more failures. Plus probably securer.
>
> On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
> > The strange thing is that dovecot auth has no problem connecting to mysql, but the quota query is what is failing.
> >
> > On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
> > > As I have noted in previous messages, I have been getting the following on my new mailserver:
> > >
> > > Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
> > >
> > > They go away when I setenforce 0. It is not a timing issue as I earlier thought.
> > >
> > > So I googled dovecot mysql selinux and the only worthwhile hit was:
> > >
> > > http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
> > >
> > > that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff.
> > >
> > > Is there a simpler way like a setsebool option?
> > >
> > > With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem. Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).
> > >
> > > thanks!
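The message above gives two separate policies: the dovecot_mysql.te module for the unix socket and the one-line CIL rule for TCP. The following added example (not from the original post; the audit lines are constructed and the function names are hypothetical) sorts dovecot_t AVC denials by which of those two policies covers them, so only the one that is needed gets installed.

```python
import re
from collections import Counter

# Matches the permission list and the trailing context fields of an AVC record.
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Which policy from the post covers each kind of denial.
FIXES = {
    "socket": "dovecot_mysql.te module (mysql_stream_connect)",
    "tcp": "dovecot-mysql.cil rule (tcp_socket name_connect)",
    "other": "not covered by either policy in the post",
}


def se_type(context):
    """Extract the type field from a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def classify(line):
    """Return 'socket', 'tcp', 'other', or None if not a dovecot_t denial."""
    m = AVC.search(line)
    if not m or se_type(m["scontext"]) != "dovecot_t":
        return None
    perms = set(m["perms"].split())
    ttype, tclass = se_type(m["tcontext"]), m["tclass"]
    # Connecting through mysql.sock needs write on the socket file and
    # connectto on the server's stream socket.
    if tclass == "unix_stream_socket" and "connectto" in perms and ttype == "mysqld_t":
        return "socket"
    if tclass == "sock_file" and "write" in perms and ttype.startswith("mysqld_"):
        return "socket"
    # host=127.0.0.1 instead goes through the MySQL port type.
    if tclass == "tcp_socket" and "name_connect" in perms and ttype == "mysqld_port_t":
        return "tcp"
    return "other"


def tally(lines):
    """Count dovecot_t denials per fix category."""
    return dict(Counter(c for c in map(classify, lines) if c))


# Constructed audit.log lines for illustration; pids, inodes and timestamps are made up.
SAMPLE_AVC = [
    'type=AVC msg=audit(1491574647.101:311): avc:  denied  { write } for  pid=2211 '
    'comm="dict" name="mysql.sock" dev="sda3" ino=131 '
    'scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1491574647.102:312): avc:  denied  { connectto } for  pid=2211 '
    'comm="dict" path="/var/lib/mysql/mysql.sock" '
    'scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1491574700.001:320): avc:  denied  { name_connect } for  pid=2250 '
    'comm="auth" dest=3306 scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1491574701.001:321): avc:  denied  { read } for  pid=900 '
    'comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1491574702.001:322): avc:  denied  { getattr } for  pid=2211 '
    'comm="dict" path="/etc/example" scontext=system_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for kind, count in tally(SAMPLE_AVC).items():
        print(f"{count} denial(s): {FIXES[kind]}")
```

On a real host the input would be the `type=AVC` lines from /var/log/audit/audit.log collected while the dict errors occur.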
Problems with Dovecot to mysql socket with SELinux
Anyone here running Dovecot connecting to mysql through the mysql.sock with SELinux enabled? I am getting access errors that go away when I put SELinux in permissive mode. I cannot find any direct help on this. Most howtos say to disable SELinux; they just don't want to bother, and in part I can see that. I have tried making a policy with allow2access and I get really bad SELinux errors with that. So I am looking to see if anyone else is running this combination? thanks
Re: several misc questions, public folders and sharing, quota, ssl
On 04/14/2017 05:11 PM, Aki Tuomi wrote: Can you try turning mail_debug=yes and posting logs? Also if possible, can you try telnetting to the server and issuing If you only allow secure connections, you may need instead of telnet: openssl s_client -connect your_host_tld:993 or openssl s_client -connect your_host_tld:143 -starttls imap a LOGIN username password a SELECT public/TestFolder1 with debug turned on? ACL plugin is needed *iff* you want to *restrict* access. Aki On April 14, 2017 at 11:53 PM David Mehler wrote: Hi Aki, Thanks for your reply. Sorry, hit the reply to and not the reply to all option. So, even when a folder is a public folder I'm still needing to use the acl plugin? The public/TestFolder is showing up, the public/TestFolder1 is not. Thanks. Dave. On 4/14/17, Aki Tuomi wrote: Please keep responses on the list. Thank you. =) Without ACL plugin there is no way to restrict access, it's free for all. my site is a very tiny few user site, but ... auth_mechanisms = login plain mail_attribute_dict = file:%h/Mail/dovecot-attributes mail_location = sdbox:~/Mail mail_plugins = stats quota fts fts_lucene namespace inbox { inbox = yes list = yes location = mailbox Drafts { special_use = \Drafts } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { special_use = \Trash } prefix = separator = . subscriptions = yes type = private } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { fts = lucene fts_lucene = whitespace_chars=@. 
imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_name = Spam imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_from = Spam imapsieve_mailbox2_name = * quota = count:User quota quota_vsizes = yes recipient_delimiter = + sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_extensions = +notify +imapflags sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute sieve_pipe_bin_dir = /usr/lib/dovecot/sieve sieve_plugins = sieve_imapsieve sieve_extprograms stats_refresh = 30 } protocols = imap lmtp service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 } user = $default_internal_user } service doveadm { inet_listener http { address = 127.0.0.1 port = 38080 } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 ssl = yes } } service lmtp { inet_listener lmtp { address = 127.0.0.1 port = 8025 } } service stats { fifo_listener stats-mail { mode = 0666 } } ssl = required ssl_cert = # ssl_cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA ssl_dh_parameters_length = 4096 ssl_key = # ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 submission_host = 127.0.0.1:25 userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol imap { mail_plugins = stats quota fts fts_lucene imap_stats imap_sieve } protocol lmtp { mail_plugins = stats quota fts fts_lucene sieve } protocol lda { mail_plugins = stats quota fts fts_lucene sieve } Aki On April 14, 2017 at 7:21 PM David Mehler wrote: Hello Aki, Thank you for your reply. 
I've implemented your changes and thanks for the @STRENGTH reminder, I had forgotten about that one. I'll check out the acl plugin. Is it required when sharing a public folder or are public folders usable by all? I know it is for shared folders. The TestFolder1 is still not showing up in public not sure why everything looks good. My configuration was migrated from 2.0 to 2.1 then 2.2, various ports along the way. I was wondering if I could take a look at your dovecot configuration files and a doveconf -n output? Thanks. Dave. On 4/14/17, Aki Tuomi wrote: On April 14, 2017 at 3:04 AM David Mehler wrote: Hello, I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to optimize how the system is running and have a few misc questions. First ssl, is my cipher list good? I'm trying for pfs and wanting to ensure these cipherlist is appropriate: ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH I would add @STRENGTH to the end, so it'll get sorted by strengthness. Next, a new feature that I'm trying for is virtual folders that store All messages. My understanding of this is that it stores a version of every received message in one place? I've got the virtual plugin
Re: Cutting down on sql connections
On 04/13/2017 07:33 PM, David Mehler wrote: Hello, I'm running dovecot 2.29 on a freebsd 10.3 system. I'm trying to cut down queries to my database and tried to do a userdb static and prefetch. I modified the password query to pull in userdb_quota and got an error that that was not valid. Is this behavior normal? Apr 13 17:22:15 hostname dovecot: master: Dovecot v2.2.29 (13ebc01) starting up for imap, sieve Apr 13 17:22:24 hostname dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=66452, secured, session= Apr 13 17:22:24 hostname dovecot: imap(usern...@example.com): Logged out in=102 out=3020 Apr 13 17:22:24 hostname dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=68924, secured, session=<4xDQ6xJNht1/AAAB> Apr 13 17:22:24 hostname dovecot: imap(username Change to use the mysql socket: driver = mysql connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password
Re: Trouble setting up dovecot/postfix/mysql with virtual mailboxes..
On 04/13/2017 07:02 PM, Michael Segel wrote: Thanks! But I’m still trying to understand where to look and debug the inbound mail issue… Any pointers on where to start? On Centos, it is /var/log/maillog also /var/log/messages then is SELinux sticking its nose into things. try setenforce 0 and see if things start working, then start trouble shooting the SELinux policy errors. Note that when I create /home/vmail, I have to set SELinux permissions. chcon -Rv --type=mail_home_rw_t /home/vmail/ And see my Apache section for creating and setting permissions for the certificates and keys. Thx again ! On Apr 13, 2017, at 6:00 PM, Robert Moskowitz wrote: On 04/13/2017 03:40 PM, Michael Segel wrote: Hi, I’m building a new linux box to replace my current DNS/Mail server for my SOHO. I was going to set up postfix/dovecot/mysql so I can support virtual users. I also use Webmin to make admin easier. I ran in to a couple of snags. When I first got it set up, mail went to the virtmail user and I could use my Mac mail client to read the mail. Everything was working when testing it. I was working on my TLS certificates and I broke something. I don’t know what I did, but now it’s going to the local mailbox instead. (MailDir folder) Since most of my time is doing other things, I am hoping someone could point me in the right direction. Here is my work in progress. I still have to test out some things, like it looks like pickup is passing through amavis twice. (sendmail from root testing). http://medon.htt-consult.com/Centos7-mailserver.html But I seem to have the mail coming in and going to where I want it. Any review and help is greatly appreciated.
Re: Trouble setting up dovecot/postfix/mysql with virtual mailboxes..
On 04/13/2017 03:40 PM, Michael Segel wrote: Hi, I’m building a new linux box to replace my current DNS/Mail server for my SOHO. I was going to set up postfix/dovecot/mysql so I can support virtual users. I also use Webmin to make admin easier. I ran in to a couple of snags. When I first got it set up, mail went to the virtmail user and I could use my Mac mail client to read the mail. Everything was working when testing it. I was working on my TLS certificates and I broke something. I don’t know what I did, but now it’s going to the local mailbox instead. (MailDir folder) Since most of my time is doing other things, I am hoping someone could point me in the right direction. Here is my work in progress. I still have to test out some things, like it looks like pickup is passing through amavis twice. (sendmail from root testing). http://medon.htt-consult.com/Centos7-mailserver.html But I seem to have the mail coming in and going to where I want it. Any review and help is greatly appreciated.
Re: sieve does not seem to be working
Yassine,

I believe I sent a 'solved' message. It was a permission problem in that .svbin was owned by root. I have my commands in the wrong order in my script.

Robert

On 04/09/2017 06:34 AM, chaouche yacine wrote:
> Hello Robert,
>
> You said that the script worked when you ran it with sieve-test, probably as root user, but not when you sent an e-mail with sendmail, which I guess would run it as the dovecot user (probably vmail as you said you changed the ownership of the e-mail to vmail:mail ?)
>
> You forgot to show us the file permissions on the script and the folder containing it. A namei -l on the whole path can show if dovecot can reach it. Example :
>
> root@messagerie-secours[10.10.10.20] ~ # namei -l /var/vmail/mailfilters/spam.svbin
> f: /var/vmail/mailfilters/spam.svbin
> drwxr-xr-x root  root  /
> drwxr-xr-x root  root  var
> drwxr-xr-x vmail vmail vmail
> drwxr-xr-x root  root  mailfilters
> -rw-r--r-- vmail vmail spam.svbin
> root@messagerie-secours[10.10.10.20] ~ #
>
> -- Yassine.
Re: How to use quota with dovecot
Oh, if you want to see my mods to base Dovecot that includes quota support, check out:

http://medon.htt-consult.com/Centos7-mailserver.html#Configuring%20Dovecot

It is based on what I am currently running that I learned from:

http://www.campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer

On 04/09/2017 12:16 AM, Robert Moskowitz wrote: On 04/08/2017 04:46 AM, Mik J wrote: Hello, I would like to use quotas with dovecot and things are not clear to me. I read this page https://wiki2.dovecot.org/Quota 1) I did this # ls /usr/local/lib/dovecot/lib10_quota_plugin.so /usr/local/lib/dovecot/lib10_quota_plugin.so # grep mail_plugins /etc/dovecot/conf.d/10-mail.conf mail_plugins = notify replication quota In 10-mail, mail_plugins is a global variable. All you are doing here is setting it. Or that is my reading. Of course this variable is then used in the protocols. Then the page tells about 20-imap.conf but an explanation is written # Space separated list of plugins to load (default is global mail_plugins). So what is that default global mail_plugins ? Is it the one coming from 10-mail.conf ? Yes. null unless you set it, as you did in 10-mail. BTW, I set it in local.conf instead of modifying 10-mail.conf. 2) I tried both use this mail_plugins = $mail_plugins quota in 20-imap.conf or comment it. And restarted dovecot each time in 20-imap.conf, it is a protocol: So you have enabled quota for protocol imap only. You have already defined the global variable mail_plugins so adding it here does nothing more. Do you have pop3 users? If so you need to modify 20-pop3.conf as well. And I think you need to add it to 15-lda.conf. And what about imap_quota, do you need that plugin? Then commented out in 90-quota.conf quota_rule = *:storage=1G quota_rule2 = Trash:storage=+100M quota_grace = 10%% } I use a mysql query. But I have this message # doveadm quota recalc -u u...@mydomain.org doveadm(u...@mydomain.org): Error: Quota not enabled Does anyone knows why ?
Re: How to use quota with dovecot
On 04/08/2017 04:46 AM, Mik J wrote: Hello, I would like to use quotas with dovecot and things are not clear to me. I read this page https://wiki2.dovecot.org/Quota 1) I did this # ls /usr/local/lib/dovecot/lib10_quota_plugin.so /usr/local/lib/dovecot/lib10_quota_plugin.so # grep mail_plugins /etc/dovecot/conf.d/10-mail.conf mail_plugins = notify replication quota In 10-mail, mail_plugins is a global variable. All you are doing here is setting it. Or that is my reading. Of course this variable is then used in the protocols. Then the page tells about 20-imap.conf but an explanation is written # Space separated list of plugins to load (default is global mail_plugins). So what is that default global mail_plugins ? Is it the one coming from 10-mail.conf ? Yes. null unless you set it, as you did in 10-mail. BTW, I set it in local.conf instead of modifying 10-mail.conf. 2) I tried both use this mail_plugins = $mail_plugins quota in 20-imap.conf or comment it. And restarted dovecot each time in 20-imap.conf, it is a protocol: So you have enabled quota for protocol imap only. You have already defined the global variable mail_plugins so adding it here does nothing more. Do you have pop3 users? If so you need to modify 20-pop3.conf as well. And I think you need to add it to 15-lda.conf. And what about imap_quota, do you need that plugin? Then commented out in 90-quota.conf quota_rule = *:storage=1G quota_rule2 = Trash:storage=+100M quota_grace = 10%% } I use a mysql query. But I have this message # doveadm quota recalc -u u...@mydomain.org doveadm(u...@mydomain.org): Error: Quota not enabled Does anyone knows why ?
Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
I reread my sql.conf.ext files and realized they were actually connecting to localhost. So I did some googling, and found how to connect to the socket:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password

And all fixed. No more failures. Plus probably securer.

On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
> The strange thing is that dovecot auth has no problem connecting to mysql, but the quota query is what is failing.
>
> On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
>> As I have noted in previous messages, I have been getting the following on my new mailserver:
>>
>> Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
>>
>> They go away when I setenforce 0. It is not a timing issue as I earlier thought.
>>
>> So I googled dovecot mysql selinux and the only worthwhile hit was:
>>
>> http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
>>
>> that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff. Is there a simpler way like a setsebool option?
>>
>> With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem. Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).
>>
>> thanks!
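The number in parentheses in the log lines quoted in this thread is the errno of the failed socket connect, and 13 is EACCES on Linux, which fits errors that disappear under setenforce 0. As an added example (not code from any poster or from the Dovecot project), the Python script below parses such maillog lines, groups them by process, socket and errno, and attaches a triage hint; the sample log is constructed from the lines in the thread plus one invented errno 2 line, and the function names and hint texts are this example's own.

```python
import errno
import re
from collections import Counter

# Constructed sample: three maillog entries as quoted in the thread, plus one
# invented line with errno 2 for contrast.
SAMPLE_LOG = """\
Apr 6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds before retry
Apr 6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
Apr 7 10:20:00 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) - waiting for 1 seconds before retry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sdovecot:\s(?P<proc>[\w-]+):\sError:\s"
    r"mysql\((?P<target>[^)]*)\):\sConnect failed to database \((?P<db>[^)]*)\):\s"
    r"Can't connect to local MySQL server through socket '(?P<sock>[^']+)' \((?P<errno>\d+)\)"
    r"(?:\s-\swaiting for (?P<wait>\d+) seconds before retry)?"
)

# Triage hints written for this example, keyed by errno name.
HINTS = {
    "EACCES": "permission denied on the socket path: check ownership and modes of "
              "the socket and its parent directories; if the errors stop under "
              "'setenforce 0', look for SELinux AVC denials in the audit log",
    "ENOENT": "socket file does not exist: the database server is down or "
              "listens on a different socket path",
    "ECONNREFUSED": "socket exists but nothing is accepting connections on it",
}


def parse(log_text):
    """Return one dict per Dovecot MySQL socket-connect failure in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        code = int(m["errno"])
        events.append({
            "ts": m["ts"],
            "proc": m["proc"],          # which Dovecot process failed (dict, auth, ...)
            "db": m["db"],
            "sock": m["sock"],
            "errno": code,
            "errno_name": errno.errorcode.get(code, "errno%d" % code),
            "wait": int(m["wait"]) if m["wait"] else None,
        })
    return events


def summarize(events):
    """Group failures by (process, socket, errno name) and attach a hint."""
    counts = Counter((e["proc"], e["sock"], e["errno_name"]) for e in events)
    summary = {}
    for key, count in counts.items():
        waits = [e["wait"] for e in events
                 if (e["proc"], e["sock"], e["errno_name"]) == key and e["wait"]]
        summary[key] = {
            "count": count,
            "max_wait": max(waits) if waits else None,
            "hint": HINTS.get(key[2], "no hint for this errno"),
        }
    return summary


if __name__ == "__main__":
    for (proc, sock, name), info in summarize(parse(SAMPLE_LOG)).items():
        print("%s -> %s: %s x%d (longest backoff %ss)"
              % (proc, sock, name, info["count"], info["max_wait"]))
        print("    " + info["hint"])
```

Grouping by process matters here because, as the thread notes, auth connected fine while only the dict (quota) process was denied.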
Re: SELinux policy to allow Dovecot to connect to Mysql
The strange thing is that dovecot auth has no problem connecting to mysql, but the quota query is what is failing.

On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
> As I have noted in previous messages, I have been getting the following on my new mailserver:
>
> Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
>
> They go away when I setenforce 0. It is not a timing issue as I earlier thought.
>
> So I googled dovecot mysql selinux and the only worthwhile hit was:
>
> http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
>
> that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff. Is there a simpler way like a setsebool option?
>
> With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem. Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).
>
> thanks!
SELinux policy to allow Dovecot to connect to Mysql
As I have noted in previous messages, I have been getting the following on my new mailserver:

Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry

They go away when I setenforce 0. It is not a timing issue as I earlier thought.

So I googled dovecot mysql selinux and the only worthwhile hit was:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html

that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff. Is there a simpler way like a setsebool option?

With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem. Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).

thanks!
Re: Running sievec as user vmail
thanks On 04/07/2017 08:24 AM, Florian Beer | 42dev wrote: You could give # su -c MYSIEVESCRIPT vmail a try. Also: # man su Cheers, Florian _ 42dev e. U. - web solutions & hosting services http://42dev.eu On 2017-04-07 14:19, Robert Moskowitz wrote: My sieve problem ended up a permissions problem. I ran sievec as root and .svbin needs vmail:mail ownership. I could always just add the chown command to my process, but I wonder if there is some 'clean' way to run sievec as user vmail while logged in as root? thanks
Running sievec as user vmail
My sieve problem ended up a permissions problem. I ran sievec as root and .svbin needs vmail:mail ownership. I could always just add the chown command to my process, but I wonder if there is some 'clean' way to run sievec as user vmail while logged in as root? thanks
sieve does not seem to be working
my local.conf has:

#90-sieve.conf
plugin {
  sieve_before = /home/sieve/globalfilter.sieve
}

and

cat /home/sieve/globalfilter.sieve
require ["fileinto","mailbox"];
if anyof (
  header :contains "X-Spam-Flag" "YES",
  header :contains "subject" "***SPAM***"
) {
  fileinto :create "Spam";
}

There IS a globalfilter.svbin

when I tried:

sendmail -i test...@test.htt-consult.com < sample-spam-GTUBE-junk.txt

amavis is flagging it as ***Spam*** but it stays in inbox.

So I tried:

sieve-test -e -l /home/vmail/test.htt-consult.com/testit3/ /home/sieve/globalfilter.sieve /home/vmail/test.htt-consult.com/testit3/cur/1491512409.M371278P6513.z9m9z.test.htt-consult.com\,S\=1823\,W\=1868\:2\,
info: msgid=: stored mail into mailbox 'Spam'.
sieve-test(root): Info: final result: success

And it DID get copied to Spam, not moved. I am now seeing it in inbox and Spam. Of course ownership on the message in Spam was wrong (root:root instead of vmail:mail, but I fixed that).

So two questions, probably linked:

Why did sieve not work?

Is the subject test case sensitive? If it is case sensitive, why did the sieve-test work?

thanks
Solved? - Re: Spam instead of Junk folder
I fixed a value in Postfixadmin and it looks kind of like the folders are being created properly. When I log directly into dovecot I get:

c list "" *
* LIST (\HasNoChildren \Sent) "." Sent
* LIST (\HasNoChildren \Trash) "." Trash
* LIST (\HasNoChildren \Drafts) "." Drafts
* LIST (\HasNoChildren) "." Spam
* LIST (\HasNoChildren) "." INBOX
c OK List completed.

But why does not Spam have some \something like the ones above it?

thanks

On 04/06/2017 03:18 PM, Robert Moskowitz wrote:
> Traditionally I have used 'Spam' as the folder name for all those emails that get tagged as, well Spam. But it seems that the standard is now 'Junk' as from 15-mailboxes.conf
>
> # Space separated list of IMAP SPECIAL-USE attributes as specified by
> # RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
> #special_use =
>
> If I have in local.conf
>
> # 15-mailboxes.conf
> namespace inbox {
>   mailbox Spam {
>     special_use = \Junk
>   }
> }
>
> This would auto make Spam, but:
>
> Would Junk (and all the others specified in 15-mailboxes.conf) still get created?
>
> What actually controls which folders get created?
Maybe it is an sql config error?
I am looking at these messages in maillog:

Apr 6 15:46:58 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
Apr 6 15:46:58 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 6 15:46:58 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database

and wondering if my config is wrong. Here is what I have:

in local.conf:

#dovecot.conf
protocols = imap pop3 lmtp sieve
dict {
  sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
#10-auth.conf
!include conf.d/auth-sql.conf.ext
#auth-sql.conf.ext
userdb {
  driver = prefetch
}
#90-quota.conf
plugin {
  quota = dict:user::proxy::sqlquota
  trash = /etc/dovecot/dovecot-trash.conf.ext
}

dovecot-sql.conf.ext:

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=mailpassword
default_pass_scheme = MD5-CRYPT
# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=3:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
[root@z9m9z dovecot]#

dovecot-dict-sql.conf.ext:

connect = host=localhost dbname=postfix user=postfix password=mailserv
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}

Users ARE getting authenticated:

# openssl s_client -connect z9m9z.test.htt-consult.com:993
CONNECTED(0003)
Cert stuff cut
---
SSL handshake has read 1676 bytes and written 405 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Cert stuff cut
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
a login fa...@test.htt-consult.com faxitpaaswd
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA] Logged in
b list "" *
* LIST (\HasNoChildren \Sent) "." Sent
* LIST (\HasNoChildren \Trash) "." Trash
* LIST (\HasNoChildren \Drafts) "." Drafts
* LIST (\HasNoChildren) "." Spam
* LIST (\HasNoChildren) "." INBOX
b OK List completed.

==

So perhaps it is with the quota sql on sending/recv mail?

thanks
Spam instead of Junk folder
Traditionally I have used 'Spam' as the folder name for all those emails that get tagged as, well Spam. But it seems that the standard is now 'Junk' as from 15-mailboxes.conf

# Space separated list of IMAP SPECIAL-USE attributes as specified by
# RFC 6154: \All \Archive \Drafts \Flagged \Junk \Sent \Trash
#special_use =

If I have in local.conf

# 15-mailboxes.conf
namespace inbox {
  mailbox Spam {
    special_use = \Junk
  }
}

This would auto make Spam, but:

Would Junk (and all the others specified in 15-mailboxes.conf) still get created?

What actually controls which folders get created?
Re: Dovecot impatient with mysql?
Oh, that time is an exponential backoff on mysql not responding.

So where is the time dovecot waits before backing off configured?

On 04/06/2017 01:04 PM, Robert Moskowitz wrote:
> On 04/06/2017 12:50 PM, George Kontostanos wrote:
>> On Thu, Apr 6, 2017 at 7:10 PM, Robert Moskowitz wrote:
>>> It seems dovecot is impatient with connecting with mysql, as I see in maillog entries like:
>>>
>>> Apr 6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds before retry
>>> Apr 6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
>>>
>>> I suspect it does connect eventually. This is a test system with only 1GB of memory and free reports:
>>>
>>>         total     used    free   shared  buff/cache  available
>>> Mem:  1025484   696344   24556    21528      304584     251552
>>> Swap:  524284    92168  432116
>>>
>>> The production box has 2GB, so if the problem is mysql is swapping out, that will be 'fixed', if it is processor, well this is an ARMv7 duo core, as is the production box. I am considering buying the new quad core.
>>>
>>> Is there anything I can do to get dovecot more patient with mysql, or just ignore these messages?
>>>
>>> thank you
>>
>> I really don't understand how you reached the conclusion that dovecot is impatient.
>
> Well, it waits a varying amount of time before reporting the connection failed. Not a fixed amount of time.
>
> Why mysql takes so long to connect via a sock is separate, but I suspect it is the low memory and duo core limitations.
>
> Maybe the question is more what is mysql not doing to take so long to respond to the connection.
Re: Dovecot impatient with mysql?
On 04/06/2017 12:50 PM, George Kontostanos wrote:
> On Thu, Apr 6, 2017 at 7:10 PM, Robert Moskowitz wrote:
>> It seems dovecot is impatient with connecting with mysql, as I see in maillog entries like:
>>
>> Apr 6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds before retry
>> Apr 6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
>>
>> I suspect it does connect eventually. This is a test system with only 1GB of memory and free reports:
>>
>>         total     used    free   shared  buff/cache  available
>> Mem:  1025484   696344   24556    21528      304584     251552
>> Swap:  524284    92168  432116
>>
>> The production box has 2GB, so if the problem is mysql is swapping out, that will be 'fixed', if it is processor, well this is an ARMv7 duo core, as is the production box. I am considering buying the new quad core.
>>
>> Is there anything I can do to get dovecot more patient with mysql, or just ignore these messages?
>>
>> thank you
>
> I really don't understand how you reached the conclusion that dovecot is impatient.

Well, it waits a varying amount of time before reporting the connection failed. Not a fixed amount of time.

Why mysql takes so long to connect via a sock is separate, but I suspect it is the low memory and duo core limitations.

Maybe the question is more what is mysql not doing to take so long to respond to the connection.
Dovecot impatient with mysql?
It seems dovecot is impatient with connecting with mysql, as I see in maillog entries like:

Apr 6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds before retry
Apr 6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry

I suspect it does connect eventually. This is a test system with only 1GB of memory and free reports:

        total     used    free   shared  buff/cache  available
Mem:  1025484   696344   24556    21528      304584     251552
Swap:  524284    92168  432116

The production box has 2GB, so if the problem is mysql is swapping out, that will be 'fixed', if it is processor, well this is an ARMv7 duo core, as is the production box. I am considering buying the new quad core.

Is there anything I can do to get dovecot more patient with mysql, or just ignore these messages?

thank you
Re: The challenge of customizing Dovecot
On 03/22/2017 11:15 PM, Rob McAninch wrote: -- Rob McAninch robmcaninch.com (Sent from my iPhone) On Mar 22, 2017, at 23:53, Robert Moskowitz wrote: On 03/22/2017 09:16 PM, Rob McAninch wrote: On Mar 22, 2017, at 18:25, Robert Moskowitz wrote: On 03/22/2017 11:36 AM, chaouche yacine wrote: Robert, What would be the benefit of using sed against making customized files and just copying them ? I'd probably just want to copy a working version of/etc/dovecot/ conf files instead of modifying my existing files with sed scripts (or create new ones with cat). new options are left unaltered. I learned this with postfix, to use postconf instead of trying to replace main.cf. I thought about mv old confs then cat new confs, but again, there are other things set up, and I worked at changing what needed customization, rather than wholesale replacement. Did you consider putting your customization in a local.conf which should be tried at the end? Could put whatever explanation in there you want. On a system like Debian this would more easily allow the default files to be upgraded without intervention. I have not seen any reference to a local.conf. Can you point this out to me? I will have to see that it is maintained in Centos. But some of the mods are additions (like plugins) to existing lines. I would have to find out how those are processed. It is mentioned here http://wiki.dovecot.org/ConfigFile Debian Jessie has the last line of dovecot.conf as: !include_try local.conf Finally revamped my approach to a local.conf file. I maintained an organization based on which conf file is 'modified' to assist review against later versions of Dovecot. I had observed in developing this, using a guide written for Centos6 (and no telling really how old), that some things had changed. Of course, I still have to test this out. I have quotas actually handled in postfix and dovecot. I can think of reasons why you do both. And if you see anything here obviously wrong, I appreciate any review. 
Will save me headaches later. Thanks for the help so far.

Here is what I got:

cat <<EOF>/etc/dovecot/local.conf || exit 1
# Developed on Dovecot 2.2.10

#dovecot.conf
protocols = imap pop3 lmtp sieve
dict {
  sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}

#10-auth.conf
!include conf.d/auth-sql.conf.ext

#auth-sql.conf.ext
userdb {
  driver = prefetch
}

#10-mail.conf
mail_location = maildir:/home/vmail/%d/%n
first_valid_uid = 101
first_valid_gid = 12

#10-master.conf
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
service dict {
  unix_listener dict {
    mode = 0666
    user = vmail
    group = mail
  }
}

#10-ssl.conf
ssl_cert =
Re: The challenge of customizing Dovecot
On 03/23/2017 12:15 AM, Rob McAninch wrote: -- Rob McAninch robmcaninch.com (Sent from my iPhone) On Mar 22, 2017, at 23:53, Robert Moskowitz wrote: On 03/22/2017 09:16 PM, Rob McAninch wrote: On Mar 22, 2017, at 18:25, Robert Moskowitz wrote: On 03/22/2017 11:36 AM, chaouche yacine wrote: Robert, What would be the benefit of using sed against making customized files and just copying them ? I'd probably just want to copy a working version of/etc/dovecot/ conf files instead of modifying my existing files with sed scripts (or create new ones with cat). new options are left unaltered. I learned this with postfix, to use postconf instead of trying to replace main.cf. I thought about mv old confs then cat new confs, but again, there are other things set up, and I worked at changing what needed customization, rather than wholesale replacement. Did you consider putting your customization in a local.conf which should be tried at the end? Could put whatever explanation in there you want. On a system like Debian this would more easily allow the default files to be upgraded without intervention. I have not seen any reference to a local.conf. Can you point this out to me? I will have to see that it is maintained in Centos. But some of the mods are additions (like plugins) to existing lines. I would have to find out how those are processed. It is mentioned here http://wiki.dovecot.org/ConfigFile Debian Jessie has the last line of dovecot.conf as: !include_try local.conf Did a tail and see the same line in Centos. I will have to think about the best way to use this and if it CAN be used for all the customization. I have some ideas. Starting with a comment of which conf.d file a particular section is customizing. thanks
Re: The challenge of customizing Dovecot
On 03/22/2017 09:16 PM, Rob McAninch wrote: On Mar 22, 2017, at 18:25, Robert Moskowitz wrote: On 03/22/2017 11:36 AM, chaouche yacine wrote: Robert, What would be the benefit of using sed against making customized files and just copying them ? I'd probably just want to copy a working version of /etc/dovecot/ conf files instead of modifying my existing files with sed scripts (or create new ones with cat). new options are left unaltered. I learned this with postfix, to use postconf instead of trying to replace main.cf. I thought about mv old confs then cat new confs, but again, there are other things set up, and I worked at changing what needed customization, rather than wholesale replacement. Did you consider putting your customization in a local.conf which should be tried at the end? Could put whatever explanation in there you want. On a system like Debian this would more easily allow the default files to be upgraded without intervention. I have not seen any reference to a local.conf. Can you point this out to me? I will have to see that it is maintained in Centos. But some of the mods are additions (like plugins) to existing lines. I would have to find out how those are processed. thanks
Re: Solved? - Re: Understanding quotas
Thanks. I will look this over.

On 03/22/2017 12:42 PM, chaouche yacine wrote:
> Robert,
>
> If you wish, you can go one step further and configure postfix to reject mail -5.X.X DSN- when user is over quota instead of having the mail waiting in the postfix mail queue for considering it a temporary delivery problem -4.X.X DSN-. When the problem is considered temporary postfix will retry to send the e-mail several times (sometimes for a whole week) and the sender wouldn't even know that their message didn't get to the recipient. With a permanent error, the sender is immediately informed that their mail couldn't make it to the recipient's inbox.
>
> In order to do this, you need to tell postfix and dovecot to talk together using the LMTP protocol. To achieve this, two things :
>
> 1/ In dovecot : configure the lmtp service and tell it that postfix will talk to it through the /var/spool/postfix/private/dovecot-lmtp unix socket. In conf.d/10-master.conf :
>
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
>
> Here, dovecot will create the socket in postfix's chroot directory just to make sure it can access it (in case it runs chrooted, which is the default in debian). Should you have created the socket outside of postfix's chroot, then postfix wouldn't have access to it. In order for dovecot to create that socket it needs to connect as the postfix system user and group. In Debian, postfix chroot is /var/spool/postfix/.
>
> 2/ In postfix : use the lmtp service as your transport and set the "next hop" (postfix's jargon) to the unix dovecot-lmtp socket (that dovecot will create for you). This is done by editing postfix's main.cf :
>
> virtual_transport = lmtp:unix:private/dovecot-lmtp
>
> you should also find an lmtp line in master.cf, it should read like this :
>
> lmtp unix - - - - - lmtp
>
> you can leave that unchanged.
>
> If you do 1/ and 2/, dovecot will inform postfix (via the LMTP protocol) that the user is over quota and mail should be rejected (not held in queue), postfix will then bounce to the sender, informing them that their message couldn't be delivered :
>
> This is the mail system at host my.mailserver.tld
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> [...]
>
> : host my.mailserver.tld[private/dovecot-lmtp] said: 552 5.2.2
> Quota exceeded (mailbox for user is full) (in reply to end of DATA command)
>
> -- Yassine
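The listener blocks posted in this thread use two different socket modes: mode = 0666 in the local.conf and sed customizations, and mode = 0600 on the LMTP listener above. As an added example (not code from any poster or from the Dovecot project), the Python script below parses unix_listener blocks out of Dovecot-style configuration text and reports every listener whose mode grants access to accounts other than the owner and group; the sample configuration is constructed from the settings quoted in the thread, and the function names are this example's own.

```python
import re

# Constructed sample: the listener settings quoted in the thread, one per line.
SAMPLE_CONF = """\
#10-master.conf
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
service dict {
  unix_listener dict {
    mode = 0666
    user = vmail
    group = mail
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
"""

OPEN_RE = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")   # "service auth {", "plugin {"
SET_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")           # "mode = 0666"


def unix_listeners(conf_text):
    """Return every unix_listener block with its enclosing service and settings."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        # Simplification: everything after '#' is treated as a comment.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append({"kind": m.group(1), "name": m.group(2) or "",
                          "settings": {}})
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in configuration")
            block = stack.pop()
            if block["kind"] == "unix_listener":
                service = next((b["name"] for b in reversed(stack)
                                if b["kind"] == "service"), "")
                found.append({"service": service, "path": block["name"],
                              "settings": block["settings"]})
            continue
        m = SET_RE.match(line)
        if m and stack:
            stack[-1]["settings"][m.group(1)] = m.group(2).strip()
    if stack:
        raise ValueError("unclosed block: %s" % stack[-1]["kind"])
    return found


def audit(conf_text):
    """Flag listeners whose mode gives any permission to 'other' accounts."""
    findings = []
    for lis in unix_listeners(conf_text):
        raw = lis["settings"].get("mode")
        if raw is None:
            continue  # mode not set in this text, so nothing to judge here
        mode = int(raw, 8)
        if mode & 0o007:
            other = "".join(c if mode & bit else "-"
                            for c, bit in zip("rwx", (4, 2, 1)))
            findings.append({"service": lis["service"], "path": lis["path"],
                             "mode": raw, "other": other,
                             "user": lis["settings"].get("user", ""),
                             "group": lis["settings"].get("group", "")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print("service %s: unix_listener %s mode %s (other: %s, owner %s:%s)"
              % (f["service"], f["path"], f["mode"], f["other"],
                 f["user"], f["group"]))
```

A flagged socket is connectable by every local account unless the directories above it are more restrictive, so each finding is a prompt to check whether the listed user and group alone would be enough.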
Re: The challenge of customizing Dovecot
On 03/22/2017 11:36 AM, chaouche yacine wrote: Robert, What would be the benefit of using sed against making customized files and just copying them ? I'd probably just want to copy a working version of /etc/dovecot/ conf files instead of modifying my existing files with sed scripts (or create new ones with cat). new options are left unaltered. I learned this with postfix, to use postconf instead of trying to replace main.cf. I thought about mv old confs then cat new confs, but again, there are other things set up, and I worked at changing what needed customization, rather than wholesale replacement.
Re: Problem with sieve_before
On 03/22/2017 04:25 AM, chaouche yacine wrote:
> On Tuesday, March 21, 2017 7:07 PM, Robert Moskowitz wrote:
>> The howto I am making has:
>>
>> mkdir /home/sieve
>> [...]
>> chown -R vmail:mail /home/sieve
>
> I notice you are creating a sieve directory in /home/ as if it was a system user, then you change ownership to vmail. I would create the sieve directory directly in /home/vmail or whatever $HOME vmail user has (mine is /var/vmail). But that's just my particular taste :)

I picked this up years ago from another howto. Lots of pieces of his work, I am reworking. I can see your point. It puts all the mail related stuff into /home/vmail for backups, rather than the /home backup.

I would have to change managesieve the same so that user sieves go there too. No big deal.

Must think on this.

thanks
Re: Problem with sieve_before
On 03/21/2017 11:32 AM, chaouche yacine wrote:
> On Tuesday, March 21, 2017 3:03 PM, Robert Moskowitz wrote:
>> On 03/21/2017 09:06 AM, chaouche yacine wrote:
>>> Hi Ger, sieve_before should be a path to sieve script file, not to a directory. in your configuration, you set sieve_before to /var/lib/dovecot/sieve/before which is a directory.
>>
>> I don't get that reading:
>>
>> https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
>>
>> Either file or directory. If a file, it searches for the svbin of that name, otherwise compiles your script. If directory, executes all in the directory.
>
> Well spotted Robert, I didn't know that. It also says here https://wiki2.dovecot.org/Pigeonhole/Sieve/Usage#scriptcompile that one must be aware of permission issues with auto-compiled scripts : if the system user used by sieve to compile the script doesn't have write access to the directory where the script lives then it can't write the compiled version in that location. This is why one should consider pre-compiling scripts himself to make sure the compiled version is written to disk
>
> As mentioned in the link you gave : "IMPORTANT: Be sure to manually pre-compile the scripts specified by sieve_before and sieve_after using the sievec tool, as explained here."

The howto I am making has:

mkdir /home/sieve
cat <<EOF>/home/sieve/globalfilter.sieve || exit 1
require "fileinto";
if anyof (
  header :contains "X-Spam-Flag" "YES",
  header :contains "subject" "***SPAM***"
) {
  fileinto "Spam";
}
EOF
sievec /home/sieve/globalfilter.sieve
chown -R vmail:mail /home/sieve

With:

sed -i -e "s/#sieve_before =/sieve_before = \/home\/sieve\/globalfilter.sieve/w /dev/stdout" /etc/dovecot/conf.d/90-sieve.conf
Re: Problem with sieve_before[solved]
ownership may also have been the issue, but we will not know what the permissions were before you changed them.

I would have tried

chown -R vmail:mail /var/lib/dovecot

Where vmail:mail is the user:group dovecot is running with. This is how I do it.

On 03/21/2017 10:14 AM, Ger Hooton Scoil Chroí Íosa Blarney wrote:
> I did chmod -R 777 /var/lib/dovecot and it worked. I just need to figure out what the correct settings are.
> Thanks everyone
> //Ger
>
> original message-
> From:Ger Hooton Scoil Chroí Íosa Blarney [ghoo...@scins.ie ]
> To:Robert Moskowitz [r...@htt-consult.com ], chaouche yacine [yacinechaou...@yahoo.com ], dovecot@dovecot.org
> Date:Tue, 21 Mar 2017 14:05:17 +
> -
> Thanks Robert, how do I do that?
>
> original message-
> From:Robert Moskowitz [r...@htt-consult.com ]
> To:Ger Hooton Scoil Chroí Íosa Blarney [ghoo...@scins.ie ], chaouche yacine [yacinechaou...@yahoo.com ], dovecot@dovecot.org
> Date:Tue, 21 Mar 2017 09:47:18 -0400
> -
> On 03/21/2017 09:30 AM, Ger Hooton Scoil Chroí Íosa Blarney wrote:
> Hi Yassine, That did not work, is there a way to see is the script is been run?
>
> Perhaps it is an SELinux permissions problem? Try setenforce 0 to see?
>
> original message-
> From:chaouche yacine [yacinechaou...@yahoo.com ]
> To:Ger Hooton Scoil Chroí Íosa Blarney [ghoo...@scins.ie ], dovecot@dovecot.org
> Date:Tue, 21 Mar 2017 13:06:14 + (UTC)
> -
> Hi Ger, sieve_before should be a path to sieve script file, not to a directory. in your configuration, you set sieve_before to /var/lib/dovecot/sieve/before which is a directory. what you need to do is figure out which sieve script you'd like to execute and its path rather. If you think that default2.sieve is the right script then set sieve_before to /var/lib/dovecot/sieve/before/default2.sieve
> -- Yassine.
>
> On Tuesday, March 21, 2017 12:56 PM, Ger Hooton Scoil Chroí Íosa Blarney wrote:
> Hi All,
> [...]
> plugin {
> [...]
> sieve_before = /var/lib/dovecot/sieve/before
> .
> In /var/lib/dovecot/sieve/before I have :
> drwxrwxrwx 3 mail mail 4096 Mar 20 23:47 ..
> -rw-rw-rw- 1 root root 195 Mar 21 09:57 default2.svbin
> -rwxrwxrwx 1 mail mail 157 Mar 21 11:12 default2.sieve
> default2.sieve is as follows:
> require ["fileinto"];
> if allof (header :matches "subject" "*JUNK*") {
>   fileinto "INBOX.Junk";
> }
> __
> Please consider the environment before printing this email.
> Ger Hooton Systems Administrator Scoil Chroí Íosa Blarney. Blarney. Co. Cork
Re: Problem with sieve_before
On 03/21/2017 09:06 AM, chaouche yacine wrote:
> Hi Ger, sieve_before should be a path to sieve script file, not to a directory. in your configuration, you set sieve_before to /var/lib/dovecot/sieve/before which is a directory.

I don't get that reading:

https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration

Either file or directory. If a file, it searches for the svbin of that name, otherwise compiles your script. If directory, executes all in the directory.

> what you need to do is figure out which sieve script you'd like to execute and its path rather. If you think that default2.sieve is the right script then set sieve_before to /var/lib/dovecot/sieve/before/default2.sieve
> -- Yassine.
>
> On Tuesday, March 21, 2017 12:56 PM, Ger Hooton Scoil Chroí Íosa Blarney wrote:
>> Hi All,
>> [...]
>> plugin {
>> [...]
>> sieve_before = /var/lib/dovecot/sieve/before
>> .
>> In /var/lib/dovecot/sieve/before I have :
>> drwxrwxrwx 3 mail mail 4096 Mar 20 23:47 ..
>> -rw-rw-rw- 1 root root 195 Mar 21 09:57 default2.svbin
>> -rwxrwxrwx 1 mail mail 157 Mar 21 11:12 default2.sieve
>> default2.sieve is as follows:
>> require ["fileinto"];
>> if allof (header :matches "subject" "*JUNK*") {
>>   fileinto "INBOX.Junk";
>> }
Re: Problem with sieve_before
On 03/21/2017 09:30 AM, Ger Hooton Scoil Chroí Íosa Blarney wrote:
> Hi Yassine, That did not work, is there a way to see is the script is been run?

Perhaps it is an SELinux permissions problem? Try setenforce 0 to see?

> original message-
> From:chaouche yacine [yacinechaou...@yahoo.com ]
> To:Ger Hooton Scoil Chroí Íosa Blarney [ghoo...@scins.ie ], dovecot@dovecot.org
> Date:Tue, 21 Mar 2017 13:06:14 + (UTC)
> -
> Hi Ger, sieve_before should be a path to sieve script file, not to a directory. in your configuration, you set sieve_before to /var/lib/dovecot/sieve/before which is a directory. what you need to do is figure out which sieve script you'd like to execute and its path rather. If you think that default2.sieve is the right script then set sieve_before to /var/lib/dovecot/sieve/before/default2.sieve
> -- Yassine.
>
> On Tuesday, March 21, 2017 12:56 PM, Ger Hooton Scoil Chroí Íosa Blarney wrote:
> Hi All,
> [...]
> plugin {
> [...]
> sieve_before = /var/lib/dovecot/sieve/before
> .
> In /var/lib/dovecot/sieve/before I have :
> drwxrwxrwx 3 mail mail 4096 Mar 20 23:47 ..
> -rw-rw-rw- 1 root root 195 Mar 21 09:57 default2.svbin
> -rwxrwxrwx 1 mail mail 157 Mar 21 11:12 default2.sieve
> default2.sieve is as follows:
> require ["fileinto"];
> if allof (header :matches "subject" "*JUNK*") {
>   fileinto "INBOX.Junk";
> }
> __
> Please consider the environment before printing this email.
> Ger Hooton Systems Administrator Scoil Chroí Íosa Blarney. Blarney. Co. Cork
The challenge of customizing Dovecot
I have been running Dovecot for some time, but I have just used someone else's efforts on customizing it. Many of these throw out the dovecot/conf.d files for a single dovecot.conf with no explanation on what does what. Some tell you a few conf.d files to edit.

So over the past few days, I have rolled up my sleeves and did my best to work out how to modify the proper conf.d files. To 'stay true' to the Dovecot maintainer's config organization. The target is Centos7 with Dovecot 2.2.10-7.

It was HARD! Besides dovecot.conf, I had to modify 13 conf.d files. Add 3 .ext files in /etc/dovecot, and set up sieve.

I will soon have my total instructions available on my server, but to share with you what I have done for Dovecot customization and maybe to get some recommendations on improvements.

For the most part, I have used SED to modify the conf files. I use a few env variables:

your_domain_tld=
your_host_only=
your_host_tld=$your_host_only.$your_domain_tld
Postfix_Database_Password=

What follows are the pieces of my customization, all comments welcomed (this is NOT adequately tested! That is later in the week!):

sed -i -e "/^#protocols/s/$/ sieve/w /dev/stdout" /etc/dovecot/dovecot.conf
sed -i -e "s/^#protocols/protocols/w /dev/stdout" /etc/dovecot/dovecot.conf
sed -i -e "s/#quota = /sqlquota = /w /dev/stdout" /etc/dovecot/dovecot.conf
sed -i -e "/^auth_mechanisms/s/$/ login/w /dev/stdout" /etc/dovecot/conf.d/10-auth.conf
sed -i -e 's/^#!include auth-sql.conf.ext/!include auth-sql.conf.ext/w /dev/stdout' /etc/dovecot/conf.d/10-auth.conf
sed -i -e "0,/#userdb {/ s/#userdb {/userdb {/w /dev/stdout" /etc/dovecot/conf.d/auth-sql.conf.ext
sed -i -e "s/# driver = prefetch/ driver = prefetch\n }/w /dev/stdout" /etc/dovecot/conf.d/auth-sql.conf.ext
sed -i -e "/^#mail_location/s/$/maildir:\/home\/vmail\/%d\/%n/w /dev/stdout" /etc/dovecot/conf.d/10-mail.conf
sed -i -e "s/^#mail_location/mail_location/w /dev/stdout" /etc/dovecot/conf.d/10-mail.conf
sed -i -e "s/first_valid_uid = 1000/first_valid_uid = 101/w /dev/stdout" /etc/dovecot/conf.d/10-mail.conf
sed -i -e "s/#first_valid_gid = 1/first_valid_gid = 12/w /dev/stdout" /etc/dovecot/conf.d/10-mail.conf
sed -i "/unix_listener auth-userdb/ a mode = 0666\n user = vmail\n group = mail" /etc/dovecot/conf.d/10-master.conf
sed -i "/#unix_listener \/var\/spool/ a mode = 0666\n user = postfix\n group = postfix\n }" /etc/dovecot/conf.d/10-master.conf
sed -i -e "s/#unix_listener \/var\/spool/unix_listener \/var\/spool/w /dev/stdout" /etc/dovecot/conf.d/10-master.conf
sed -i "/unix_listener dict/ a mode = 0666\n user = vmail\n group = mail" /etc/dovecot/conf.d/10-master.conf
sed -i -e "s/^mode/ mode/w /dev/stdout" /etc/dovecot/conf.d/10-master.conf
sed -i -e "s/dovecot\/certs\/dovecot.pem/tls\/certs\/$your_host_tld.crt/w /dev/stdout" /etc/dovecot/conf.d/10-ssl.conf
sed -i -e "s/dovecot\/private\/dovecot.pem/tls\/private\/$your_host_tld.key/w /dev/stdout" /etc/dovecot/conf.d/10-ssl.conf
sed -i -e "/^#postmaster_address/s/$/ postmaster@$your_domain_tld/w /dev/stdout" /etc/dovecot/conf.d/15-lda.conf
sed -i -e "s/^#postmaster_address/postmaster_address/w /dev/stdout" /etc/dovecot/conf.d/15-lda.conf
sed -i "/#mail_plugins/ a mail_plugins = quota sieve" /etc/dovecot/conf.d/15-lda.conf
sed -i -e "s/^mail_plugins/ mail_plugins/w /dev/stdout" /etc/dovecot/conf.d/15-lda.conf
sed -i -e "s/^#lda_mailbox_autocreate = no/lda_mailbox_autocreate = yes/w /dev/stdout" /etc/dovecot/conf.d/15-lda.conf
sed -i -e "s/^#lda_mailbox_autosubscribe = no/lda_mailbox_autosubscribe = yes/w /dev/stdout" /etc/dovecot/conf.d/15-lda.conf
sed -i "/#mail_plugins / a mail_plugins = quota imap_quota trash" /etc/dovecot/conf.d/20-imap.conf
sed -i -e "s/^mail_plugins/ mail_plugins/w /dev/stdout" /etc/dovecot/conf.d/20-imap.conf
sed -i "/#imap_client_workarounds/ a imap_client_workarounds = delay-newmail" /etc/dovecot/conf.d/20-imap.conf
sed -i "/#mail_plugins/ a mail_plugins = sieve" /etc/dovecot/conf.d/20-lmtp.conf
sed -i -e "s/^mail_plugins/ mail_plugins/w /dev/stdout" /etc/dovecot/conf.d/20-lmtp.conf
sed -i -e "s/^#lmtp_save_to_detail_mailbox = no/lmtp_save_to_detail_mailbox = yes/w /dev/stdout" /etc/dovecot/conf.d/20-lmtp.conf
sed -i -e "s/#service managesieve-login/service managesieve-login/w /dev/stdout" /etc/dovecot/conf.d/20-managesieve.conf
sed -i -e "s/#inet_listener sieve {/inet_listener sieve {/w /dev/stdout" /etc/dovecot/conf.d/20-managesieve.conf
sed -i -e "s/# port = 4190/ port = 4190\n }/w /dev/stdout" /etc/dovecot/conf.d/20-managesieve.conf
sed -i "/#vsz_limit/ a }" /etc/dovecot/conf.d/20-managesieve.conf
sed -i "/#mail_plugins/ a mail_plugins = quota" /etc/dovecot/conf.d/20-pop3.conf
sed -i -e "s/^mail_plugins/ mail_plugins/w /dev/stdout" /etc/dovecot/conf.d/20-pop3.conf
sed -i "/#pop3_client_workarounds/ a pop3_client_workarounds = outlook-no-nuls oe-ns-eoh" /etc/dovecot/conf.d/20-pop3.conf
Solved? - Re: Understanding quotas
I spent an evening, again, reading up on quota. This time I think my search foo was strong enough. I found guidance and came up with the following:

sed -i -e "s/#quota = /sqlquota = /w /dev/stdout" /etc/dovecot/dovecot.conf

Sets up a dovecot dictionary of sqlquota to the default file of /etc/dovecot/dovecot-dict-sql.conf.ext

cat <<EOF>>/etc/dovecot/conf.d/90-quota.conf || exit 1
plugin {
  quota = dict:user::proxy::sqlquota
}
EOF

Appends to the end of 90-quota.conf (tried to do it with a single SED, but it was getting messy)

finally:

cat <<EOF>/etc/dovecot/dovecot-dict-sql.conf.ext || exit 1
connect = host=localhost dbname=postfix user=postfix password=$Postfix_Database_Password
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}
EOF

Please let me know if I missed something here.

Thanks

On 03/17/2017 09:08 AM, Robert Moskowitz wrote:
> Just to level-set, I am using Centos7-arm which supplies Dovecot 2.2.10. I don't have access to an arm build or mock environment and use what is available (I DID try to install them but had dependency issues).
>
> Much of what I have is from campworld, but some I have picked up from other Centos mailserver builders.
>
> Also I am using Postfixadmin which provides quotas per user in mysql database. To access those quotas for dovecot, I have the following script:
>
> cat <<EOF>/etc/dovecot/dovecot-dict-quota.conf || exit 1
> connect = host=localhost dbname=postfix user=postfix password=$Postfix_Database_Password
> map {
>   pattern = priv/quota/storage
>   table = quota2
>   username_field = username
>   value_field = bytes
> }
> map {
>   pattern = priv/quota/messages
>   table = quota2
>   username_field = username
>   value_field = messages
> }
> EOF
>
> Where $Postfix_Database_Password is an env variable in my install howto.
>
> I am setting up quota plugins as follows:
>
> sed -i "/#mail_plugins/ a mail_plugins = quota sieve" /etc/dovecot/conf.d/15-lda.conf
> sed -i "/#mail_plugins / a mail_plugins = quota imap_quota trash" /etc/dovecot/conf.d/20-imap.conf
> sed -i "/#mail_plugins/ a mail_plugins = quota" /etc/dovecot/conf.d/20-pop3.conf
>
> But I am having 'challenges' with how to actually enable quotas and understanding 90-quota.conf. I am starting from campworld's 'reduced' dovecot.conf seeing:
>
> dict {
>   quotadict = mysql:/etc/dovecot/dovecot-dict-quota.conf
> }
>
> and
>
> plugin {
>   quota = dict:user::proxy::quotadict
>   acl = vfile:/etc/dovecot/acls
>   trash = /etc/dovecot/trash.conf
>   sieve_global_path = /home/sieve/globalfilter.sieve
>   sieve = ~/dovecot.sieve
>   sieve_dir = ~/sieve
>   sieve_global_dir = /home/sieve/
>   #sieve_extensions = +notify +imapflags
>   sieve_max_script_size = 1M
> }
>
> I have put the sieve plugin lines into the 90-sieve.conf and the acl into 10-acl.conf. Trash is a separate matter for a later question...
>
> So I am looking for guidance as to how to integrate the Postfixadmin quota information properly into 90-quota.conf
>
> thank you
Understanding quotas
Just to level-set, I am using Centos7-arm which supplies Dovecot 2.2.10. I don't have access to a arm build or mock environment and use what is available (I DID try to install them but had dependency issues). Much of what I have is from campworld, but some I have picked up from other Centos mailserver builders. Also I am using Postfixadmin which provides quotas per user in mysql database. To access those quotas for dovecot, I have the following script: cat
Re: sievec
On 03/17/2017 12:07 AM, Doug Barton wrote:
> Not precisely. You want to remove the 'else' in there, as the clause you have will do the opposite of what you intend. Also note that I removed your superfluous square brackets.
>
> require "fileinto";
> if header :contains "X-Spam-Flag" "YES" {
>   fileinto "Spam";
> }
> if header :contains "subject" "***SPAM***" {
>   fileinto "Spam";
> }
>
> This is a pretty good tutorial on the syntax and options for Sieve. Given your intended purpose you should pay special attention to the 'create' modifier for 'fileinto'. Also, I would accomplish both things in the same rule using 'anyof' which should be slightly more efficient (which could make a big difference to server load depending on how many users you are supporting).
>
> https://support.tigertech.net/sieve

Reading this and 'man sievec'...

Here is how I have modified your script above:

require "fileinto";
if anyof (
  header :contains "X-Spam-Flag" "YES",
  header :contains "subject" "***SPAM***"
) {
  fileinto "Spam";
}

And for sievec, I still use:

sieve_before = /home/sieve/globalfilter.sieve

dovecot will find the /home/sieve/globalfilter.svbin and proceed with that. I don't have to specify the svbin in the sieve_before option.

thanks

Bob
Re: sievec
On 03/17/2017 12:07 AM, Doug Barton wrote: On 03/16/2017 11:50 PM, Robert Moskowitz wrote: Doug, On 03/16/2017 11:23 PM, Doug Barton wrote: Your pattern seems a little too complicated. See below. I acquired this script from: http://www.campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer No telling where he got it from. So I greatly appreciate any and all advice. Blindly following things you find on the Internet is not a path to success. :) That is why I am here asking questions. Like I have done on the postfix, apache, openssl, amavis, and roundcubemail lists (and of course centos, centos-arm, and fedora). With BIND, I just sit down with Mark at IETF meetings :) Going to be doing that with Rich and openssl, as I want to start working with EDDSA certs, as does he. I am writing my own howto, and I would like to think I am doing a better job of it. You may consider whether your own depth of understanding is sufficient to improve the situation, or whether you are simply adding more noise. I wish you luck in any case. Lots of the examples out there say, "use this conf file rather than the one in the package". I learned with postfix NOT to do that, but to use their postconf tool. So I have been brushing up on my SED skills to write SED commands to make the desired changes to the provided files. Once I test out the dovecot conf mods that they are working as I want I will post them here. Not completely. I 'program' in English writing standards like IEEE 802.1AR, 802.15.9, and RFCs. I have not really programmed since the mid-80s with 'B'. I leave the converting of our carefully worded standards to executables to others :) We all have our own areas of expertise. Nothing wrong with that. I once knew some AWK (back around '93 on SunOS), but that skill is long gone, and SED is not so hard to learn. Lots of guidance if you google a bit. Then test, test, test! That said, is this what you are advising: Not precisely. 
You want to remove the 'else' in there, as the clause you have will do the opposite of what you intend. I thought so, but was not sure what you were advising me. Yet another reason to post a reply, "do I got it now", "no you don't" ;) Also note that I removed your superfluous square brackets. require "fileinto"; if header :contains "X-Spam-Flag" "YES" { fileinto "Spam"; } if header :contains "subject" "***SPAM***" { fileinto "Spam"; } Thanks The best way to work with this is to start with simple rules on an individual client. Once you get a rule set that works, then you can move on to compiling it for the system. Always start as simple as possible though, and only add to it if your simple thing does not work. This is a pretty good tutorial on the syntax and options for Sieve. Given your intended purpose you should pay special attention to the 'create' modifier for 'fileinto'. Also, I would accomplish both things in the same rule using 'anyof' which should be slightly more efficient (which could make a big difference to server load depending on how many users you are supporting). Particularly since this is a duo core armv7 (CubieTruck) that I am working with. I would really want to get one of the newer quad cores, so that amavis/clamav/spamassin could eat up 2 of them, and still have 2 left for postfix, dovecot, and other processes. I don't like the armv8 so far as they are 12V and ready power supplies just aren't out there like 5V for the armv7; plus they are still pricey. But armv8 is 64bit... See: http://medon.htt-consult.com/images/cubietower-3.JPG medon is the top server. It is a simple web server running Centos7-arm: http://medon.htt-consult.com/Centos7-armv7.html onlo is the bottom one, and it is my DNS outward master server. ROI replacing a bunch of intel SFFs like the one on the left was 18 months on power savings. https://support.tigertech.net/sieve hope this helps, Yes it does. I have been reading a lot, recently! Bob
Re: sievec
Doug,

On 03/16/2017 11:23 PM, Doug Barton wrote:
> Your pattern seems a little too complicated. See below.

I acquired this script from:

http://www.campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServer

No telling where he got it from. So I greatly appreciate any and all advice.

I am writing my own howto, and I would like to think I am doing a better job of it. I hope to have it finished in a couple weeks. I would say I am the proverbial 80% complete.

> On 03/16/2017 02:20 PM, Robert Moskowitz wrote:
>> if exists "X-Spam-Flag" {
> This isn't needed. If the flag doesn't exist, the 'if header ...' line won't match. You're doing two tests for every message where one is all that's needed.
>> if header :contains "X-Spam-Flag" "NO" {
> You can just do "YES" here, and go straight to the command (fileinto). Yes/No is a boolean flag, it will either be one or the other.
>> fileinto "Spam";
>> stop;
> It's not clear that you need the 'stop' here.
>
> hope this helps,

Not completely. I 'program' in English writing standards like IEEE 802.1AR, 802.15.9, and RFCs. I have not really programmed since the mid-80s with 'B'. I leave the converting of our carefully worded standards to executables to others :)

That said, is this what you are advising:

require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
} else {
  fileinto "Spam";
}
if header :contains "subject" ["***SPAM***"] {
  fileinto "Spam";
}

Thanks!
Re: sievec
On 03/16/2017 03:58 PM, Stephan Bosch wrote:
> On 3/16/2017 at 10:20 PM, Robert Moskowitz wrote:
>> I am building a new mailserver on Centos7. My sieve is created with:
>>
>> mkdir /home/sieve
>> cat <<EOF>/home/sieve/globalfilter.sieve || exit 1
>> require "fileinto";
>> if exists "X-Spam-Flag" {
>>   if header :contains "X-Spam-Flag" "NO" {
>>   } else {
>>     fileinto "Spam";
>>     stop;
>>   }
>> }
>> if header :contains "subject" ["***SPAM***"] {
>>   fileinto "Spam";
>>   stop;
>> }
>> EOF
>> chown -R vmail:mail /home/sieve
>>
>> But in 90-sieve.conf there is the comment:
>>
>> # A path to a global sieve script file, which gets executed ONLY
>> # if user's private Sieve script doesn't exist. Be sure to
>> # pre-compile this script manually using the sievec command line
>> # tool.
>> #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
>>
>> Do I run sievec on this script?
> Yes.
>> And I found the following comment on a blog, about 3 years old:
>>
>> 2: Having a user-defined sieve script will cancel out the global script for redirecting spam. In the dovecot.conf, get rid of the sieve_global_path and sieve_global_dir, and instead use: sieve_before = /path/to/global.sieve -- what this will do is make sure that the global script runs before any user scripts, which allows the spam redirecting to actually work.
>>
>> What is current situation on this?
> That is usually good advice. The sieve_global_path setting is now called sieve_default, since it configures the default script for users that don't have a personal one.

And it is changes like this is why I am really trying for my notes to modify the provided files than replace them.

> So, unless you want users to have the ability and necessity (!) to create their own spam handling rules once they create a personal script, use the sieve_before setting. The sieve_before script also needs to be pre-compiled with sievec.

It seems to my reading that this is the same global.sieve script as what I am using now. That you earlier told me I need to pre-compile. Or am I missing something?
sievec
I am building a new mailserver on Centos7. My sieve is created with: mkdir /home/sieve cat
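The three forms of the spam-filing rule from the sievec messages above, run against constructed messages, as an added example that is not part of any post. The Python functions are hypothetical stand-ins that model only Sieve's `exists` and `header :contains` tests (RFC 5228 defaults), and they show the `else` form filing clean mail into Spam while leaving flagged mail in the INBOX.

```python
"""Compare the Sieve rule variants from the thread on constructed mail.

Only two Sieve tests are modelled, with RFC 5228 default behaviour:
header names are case-insensitive and :contains is a literal,
case-insensitive substring match ('*' is not a wildcard here).
"""
from email import message_from_string

SPAM_TAG = "***SPAM***"


def header_contains(msg, name, key):
    """Sieve `header :contains`: true if any value of the header contains key."""
    values = msg.get_all(name) or []
    return any(key.lower() in value.lower() for value in values)


def exists(msg, name):
    """Sieve `exists`: true if the header is present at all."""
    return msg.get_all(name) is not None


def original_script(msg):
    """exists + :contains "NO" + else, as in the first globalfilter.sieve."""
    if exists(msg, "X-Spam-Flag"):
        if header_contains(msg, "X-Spam-Flag", "NO"):
            pass                      # empty block: nothing happens
        else:
            return "Spam"             # fileinto "Spam"; stop;
    if header_contains(msg, "subject", SPAM_TAG):
        return "Spam"
    return "INBOX"                    # implicit keep


def else_script(msg):
    """:contains "YES" with the else left in (the inverted attempt)."""
    filed = False
    if header_contains(msg, "X-Spam-Flag", "YES"):
        pass                          # flagged spam hits the empty block
    else:
        filed = True                  # everything else is filed as spam
    if header_contains(msg, "subject", SPAM_TAG):
        filed = True
    return "Spam" if filed else "INBOX"


def anyof_script(msg):
    """The final anyof form: either test files the message into Spam."""
    if (header_contains(msg, "X-Spam-Flag", "YES")
            or header_contains(msg, "subject", SPAM_TAG)):
        return "Spam"
    return "INBOX"


# Constructed sample messages (not taken from any real mailbox).
SAMPLES = {
    "flagged": "X-Spam-Flag: YES\nSubject: Cheap pills\n\nbody\n",
    "clean": "X-Spam-Flag: NO\nSubject: Meeting notes\n\nbody\n",
    "unscanned": "Subject: Hello\n\nbody\n",
    "tagged": "Subject: ***SPAM*** You won\n\nbody\n",
    "lowercase": "x-spam-flag: yes\nSubject: Offer\n\nbody\n",
}

SCRIPTS = (original_script, else_script, anyof_script)


def route_all():
    """Return {sample: {script name: destination folder}}."""
    table = {}
    for label, raw in SAMPLES.items():
        msg = message_from_string(raw)
        table[label] = {fn.__name__: fn(msg) for fn in SCRIPTS}
    return table


if __name__ == "__main__":
    for label, row in route_all().items():
        print(f"{label:10}", row)
```
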
Solved - Re: Roundcubemail problem with Dovecot
From: http://www.roundcubeforum.net/index.php?topic=9886.0

I saw the comment about telnetting from the host to its domain, and for some reason I recalled that I had to hardcode the server's IP address into /etc/hosts. And I recently moved the host to a new IP address.

QED

On 03/17/2015 07:23 PM, Robert Moskowitz wrote:
> I am getting "Connection to storage server failed." in roundcubemail. On doing a google search I find:
>
> http://help.directadmin.com/item.php?id=473
>
> Which puts the problem at dovecot. I did get a dovecot update back on 3-5 and that would match to my one roundcube mail user complaining and the delays I am seeing with thunderbird and outlook users.
>
> So with my setup, I am trying to figure what are the index files to delete. Say for myself, I am seeing:
>
> /home/vmail/htt-consult.com/rgm/dovecot.index
> /home/vmail/htt-consult.com/rgm/dovecot.index.cache
> /home/vmail/htt-consult.com/rgm/dovecot.index.log
> /home/vmail/htt-consult.com/rgm/.Drafts/dovecot.index
> /home/vmail/htt-consult.com/rgm/.Drafts/dovecot.index.cache
> /home/vmail/htt-consult.com/rgm/.Drafts/dovecot.index.log
> /home/vmail/htt-consult.com/rgm/.Sent/dovecot.index
> /home/vmail/htt-consult.com/rgm/.Sent/dovecot.index.cache
> /home/vmail/htt-consult.com/rgm/.Sent/dovecot.index.log
> /home/vmail/htt-consult.com/rgm/.Spam/dovecot.index
> /home/vmail/htt-consult.com/rgm/.Spam/dovecot.index.cache
> /home/vmail/htt-consult.com/rgm/.Spam/dovecot.index.log
> /home/vmail/htt-consult.com/rgm/.Trash/dovecot.index
> /home/vmail/htt-consult.com/rgm/.Trash/dovecot.index.cache
> /home/vmail/htt-consult.com/rgm/.Trash/dovecot.index.log
>
> Do I delete all of these? The index.cache files are quite large.
Roundcubemail problem with Dovecot
I am getting "Connection to storage server failed." in roundcubemail. On doing a google search I find:

http://help.directadmin.com/item.php?id=473

Which puts the problem at dovecot. I did get a dovecot update back on 3-5 and that would match to my one roundcube mail user complaining and the delays I am seeing with thunderbird and outlook users.

So with my setup, I am trying to figure what are the index files to delete. Say for myself, I am seeing:

/home/vmail/htt-consult.com/rgm/dovecot.index
/home/vmail/htt-consult.com/rgm/dovecot.index.cache
/home/vmail/htt-consult.com/rgm/dovecot.index.log
/home/vmail/htt-consult.com/rgm/.Drafts/dovecot.index
/home/vmail/htt-consult.com/rgm/.Drafts/dovecot.index.cache
/home/vmail/htt-consult.com/rgm/.Drafts/dovecot.index.log
/home/vmail/htt-consult.com/rgm/.Sent/dovecot.index
/home/vmail/htt-consult.com/rgm/.Sent/dovecot.index.cache
/home/vmail/htt-consult.com/rgm/.Sent/dovecot.index.log
/home/vmail/htt-consult.com/rgm/.Spam/dovecot.index
/home/vmail/htt-consult.com/rgm/.Spam/dovecot.index.cache
/home/vmail/htt-consult.com/rgm/.Spam/dovecot.index.log
/home/vmail/htt-consult.com/rgm/.Trash/dovecot.index
/home/vmail/htt-consult.com/rgm/.Trash/dovecot.index.cache
/home/vmail/htt-consult.com/rgm/.Trash/dovecot.index.log

Do I delete all of these? The index.cache files are quite large.
Re: Getting mail quota exceeded with plenty of space
On 02/09/2015 04:04 PM, Bertrand Caplet wrote:
>> that was it. Emptied trash and mail flowing. How is the message # quota managed? I never encountered it before. But don't have time today to dig into it. conference call coming up.
> You might have messages quota configured somewhere.
> And for :
> doveadm(root): Fatal: Unknown command 'quota', but plugin quota exists. Try to set mail_plugins=quota
> See http://wiki2.dovecot.org/Quota/Configuration you might not have enabled quota plugin somewhere.

/etc/dovecot/dovecot-dict-quota.conf

connect = host=localhost dbname=postfix user=postfix password=***
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}

/etc/dovecot/dovecot-mysql.conf

driver = mysql
connect = host=localhost dbname=postfix user=postfix password=***
default_pass_scheme = MD5-CRYPT
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=1:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'

Well there it is, clear as day. messages=1

Guess I can increase that. I suspect I will have to restart dovecot
Re: Getting mail quota exceeded with plenty of space
On 02/09/2015 03:51 PM, Bertrand Caplet wrote: doveadm(root): Fatal: Unknown command 'quota', but plugin quota exists. Try to set mail_plugins=quota Show me your doveconf -n without your passwords. I looked and no passwords in my doveconf... # 2.0.9: /etc/dovecot/dovecot.conf # OS: Linux 3.4.61.sun7i+ armv7l Red Sleeve Enterprise Linux release 6 (Leap) ext4 auth_mechanisms = plain login dict { quotadict = mysql:/etc/dovecot/dovecot-dict-quota.conf } first_valid_gid = 12 first_valid_uid = 101 lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes lmtp_save_to_detail_mailbox = yes mail_location = maildir:/home/vmail/%d/%n managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date passdb { args = /etc/dovecot/dovecot-mysql.conf driver = sql } plugin { acl = vfile:/etc/dovecot/acls quota = dict:user::proxy::quotadict sieve = ~/dovecot.sieve sieve_dir = ~/sieve sieve_global_dir = /home/sieve/ sieve_global_path = /home/sieve/globalfilter.sieve sieve_max_script_size = 1M trash = /etc/dovecot/trash.conf } protocols = imap pop3 lmtp sieve service anvil-auth-penalty { name = anvil } service auth-worker { name = auth-worker } service { unix_listener { group = postfix mode = 0666 user = postfix path = /var/spool/postfix/private/auth } unix_listener { group = mail mode = 0666 user = vmail path = auth-userdb } name = auth } service config { name = config } service { unix_listener { group = mail mode = 0666 user = vmail path = dict } name = dict } service login/proxy-notify { name = director } service dns-client { name = dns_client } service doveadm-server { name = doveadm } service { inet_listener { port = 143 name = imap } inet_listener { port = 993 ssl = yes name = imaps } name = imap-login } service login/imap { vsz_limit = 256 M name = imap } service lmtp { name = lmtp } service { 
inet_listener { port = 4190 name = sieve } process_min_avail = 0 service_count = 1 vsz_limit = 64 M name = managesieve-login } service login/sieve { name = managesieve } service { inet_listener { port = 110 name = pop3 } inet_listener { port = 995 ssl = yes name = pop3s } name = pop3-login } service login/pop3 { name = pop3 } service login/ssl-params { name = ssl-params } ssl_cert =
Re: Getting mail quota exceeded with plenty of space
On 02/09/2015 03:51 PM, Bertrand Caplet wrote: doveadm(root): Fatal: Unknown command 'quota', but plugin quota exists. Try to set mail_plugins=quota Show me your doveconf -n without your passwords. Tomorrow. Got a conference call that I am not ready for :(
Re: Getting mail quota exceeded with plenty of space
On 02/09/2015 03:37 PM, Bertrand Caplet wrote:
>> Further checking shows another user also getting "Quota exceeded". This user has only 127Mb toward his quota. Only these two users have this problem. So far. Both are infrequent mail checkers.
> It might be the quota for number of messages :

that was it. Emptied trash and mail flowing. How is the message # quota managed? I never encountered it before. But don't have time today to dig into it. conference call coming up.

> Check with "doveadm quota get -u user@domain.example" If there is a limit for number of messages.
>
> Regards,
Re: Getting mail quota exceeded with plenty of space
On 02/09/2015 03:37 PM, Bertrand Caplet wrote:
>> Further checking shows another user also getting "Quota exceeded". This user has only 127Mb toward his quota. Only these two users have this problem. So far. Both are infrequent mail checkers.
> It might be the quota for number of messages :

Could be. dm has over 9k of trashed messages. but..

> Check with "doveadm quota get -u user@domain.example" If there is a limit for number of messages.

doveadm(root): Fatal: Unknown command 'quota', but plugin quota exists. Try to set mail_plugins=quota
Re: Getting mail quota exceeded with plenty of space
Further checking shows another user also getting "Quota exceeded". This user has only 127Mb toward his quota. Only these two users have this problem. So far. Both are infrequent mail checkers.

On 02/09/2015 03:14 PM, Robert Moskowitz wrote:
> I have a user that is getting mail quota exceeded:
>
> Feb 9 15:00:21 z9m9z dovecot: lda(d...@htt-consult.com): Error: sieve: msgid=<38308773.1704736628308773ywdm@htt-consult.com853430>: failed to store into mailbox 'INBOX': Quota exceeded (mailbox for user is full)
>
> Yet the quota is set for 1000Mb and the current reported use is 277Mb. There are only 28 messages in the inbox and 842 in the spam.
>
> Where might the problem be coming from?
>
> The server is Redsleeve 6 (Centos6 on arm). I am running a combination of postfix/dovecot/roundcubemail with a mysql virtual domain database maintained with postfix.admin
Getting mail quota exceeded with plenty of space
I have a user that is getting mail quota exceeded:

Feb 9 15:00:21 z9m9z dovecot: lda(d...@htt-consult.com): Error: sieve: msgid=<38308773.1704736628308773ywdm@htt-consult.com853430>: failed to store into mailbox 'INBOX': Quota exceeded (mailbox for user is full)

Yet the quota is set for 1000Mb and the current reported use is 277Mb. There are only 28 messages in the inbox and 842 in the spam.

Where might the problem be coming from?

The server is Redsleeve 6 (Centos6 on arm). I am running a combination of postfix/dovecot/roundcubemail with a mysql virtual domain database maintained with postfix.admin
Re: Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3
On 11/23/2014 06:37 PM, Bertrand Caplet wrote:
>> Hey Robert,
>> There is a command on linux to test ssl/tls smtp server :
>> openssl s_client -connect mail.example.com:port -starttls smtp
>> You just need openssl for windows here :
>> http://slproweb.com/products/Win32OpenSSL.html
>>
>> Let me know if this is working.
>> Regards
> By the way if this isn't working, try connecting to your server via Mozilla Thunderbird. You'll get fixed if this is related to K9 or to your server.

I use Thunderbird all the time. I would have to install it on the user's computer. But the problem was a nanny software that was monitoring ports opened so any program that tried to connect to port 995 and do a TLS handshake would have gotten slapped down.

The user now knows that the K9 nanny software was blocking the mail. We disabled it monitoring https and secure pop3 started working. So now they have to figure out how to enable it and allow the mail to work. Not my problem.
Re: Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3
On 11/23/2014 06:35 PM, Bertrand Caplet wrote:
>> Well, since this was a secure connection test, needed openssl for the connect, not telnet. And how to do that on Windows? I DID try it on this F20 notebook, and of course it worked just fine. That was why I really suspected Windows TLS functions. Then when I was trying again, I caught a little pop up in the system tray saying how the nanny software was blocking the bad program that was trying to do https to port 995...
> Hey Robert,
> There is a command on linux to test ssl/tls smtp server :
> openssl s_client -connect mail.example.com:port -starttls smtp

That I knew and used.

> You just need openssl for windows here :
> http://slproweb.com/products/Win32OpenSSL.html
>
> Let me know if this is working.

Will try this on the family computer. For any future needs...

thanks
Re: Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3
On 11/23/2014 05:59 PM, Reindl Harald wrote:
> On 23.11.2014 at 23:30, Robert Moskowitz wrote:
>> On 11/23/2014 04:45 PM, Robert Schetterer wrote:
>>> On 23.11.2014 at 22:33, Reindl Harald wrote:
>>>> no idea what you are talking about K9 is a android client and works fine with TLS
>>>>
>>>> no idea what has "https" to do with email nor why someone needs to "disable K9 long enough" whatever "long enough" is - don't get me wrong but most technical context on several lists of you if it comes to details is cluttered and your permanently "i am working on IETF" even makes things worse
>>> Yeah, such descriptions are leading to confusion, speculation
>>>
>>> k9 got mail downloaded before outlook could
>>> no idea why somebody should use k9 with pop3
>> And I did not know there was a K9 android app. K9 like in guard dogs.
> that's why you should be precise in what you are posting - in context of mail K9 is for pretty anybody https://play.google.com/store/apps/details?id=com.fsck.k9

Got it for next time.

>> The default settings only allow https stuff on port 443. Must be some attempt to get around controls to use TLS on any other port.
> uhm "telnet server port" is still the way to go *before* start other debuggings, if that don't work no need to try a high level client until that problem is solved

Well, since this was a secure connection test, needed openssl for the connect, not telnet. And how to do that on Windows? I DID try it on this F20 notebook, and of course it worked just fine. That was why I really suspected Windows TLS functions. Then when I was trying again, I caught a little pop up in the system tray saying how the nanny software was blocking the bad program that was trying to do https to port 995...

I really should be so harsh about the nanny software. It DOES protect a lot of families from content they do not want to see. Just that the defaults no longer match where we want internet privacy to go.
Re: Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3
On 11/23/2014 04:45 PM, Robert Schetterer wrote:
> On 23.11.2014 at 22:33, Reindl Harald wrote:
>> no idea what you are talking about K9 is a android client and works fine with TLS
>>
>> no idea what has "https" to do with email nor why someone needs to "disable K9 long enough" whatever "long enough" is - don't get me wrong but most technical context on several lists of you if it comes to details is cluttered and your permanently "i am working on IETF" even makes things worse
> Yeah, such descriptions are leading to confusion, speculation
>
> k9 got mail downloaded before outlook could
> no idea why somebody should use k9 with pop3

And I did not know there was a K9 android app. K9 like in guard dogs.

The default settings only allow https stuff on port 443. Must be some attempt to get around controls to use TLS on any other port.

I really strongly dislike nanny software. But it is very popular in my community...

>> On 23.11.2014 at 22:23, Robert Moskowitz wrote:
>>> I finally noticed this popup of K9 blocking https on port (143, 993, 995). So the user has to come back over here and disable K9 long enough to get things working.
>>>
>>> ARGH!
>>>
>>> On 11/23/2014 04:08 PM, Robert Moskowitz wrote:
>>>> OK, I did not know that this user has a new computer with Outlook 2010. This SHOULD make it easier but...
>>>>
>>>> I have the computer right next to me, they brought it over. It is on the same LAN as this notebook. I can access my server with:
>>>>
>>>> openssl s_client -connect z9m9z.htt-consult.com:995
>>>>
>>>> And then log the user in with the appropriate POP3 credentials.
>>>>
>>>> In Outlook 2010, in Advanced settings I have specified "This server requires an encrypted connection (SSL)" and it switches to port 995 (from 110). I try connecting and I get an error that "Your server does not support the connection encryption type you have specified."
>>>>
>>>> The first time we tried this it installed my self-signed cert in the local cert store.
>>>>
>>>> Any idea on what is going on or how to get this working?
>
> Best Regards
> MfG Robert Schetterer
Re: Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3
On 11/23/2014 04:33 PM, Reindl Harald wrote:
> no idea what you are talking about
> K9 is an android client and works fine with TLS

K9 for Redcoat is a 'nanny' watcher for Windows. It protects the home computer from all sorts of nastiness on the Internet. Very popular in my community. I do not use it.

> no idea what has "https" to do with email nor why someone needs to "disable K9 long enough" whatever "long enough" is - don't get me wrong but most technical context on several lists of you if it comes to details is cluttered and your permanently "i am working on IETF" even makes things worse
>
> Am 23.11.2014 um 22:23 schrieb Robert Moskowitz:
>> I finally noticed this popup of K9 blocking https on port (143, 993, 995). So the user has to come back over here and disable K9 long enough to get things working.
>>
>> ARGH!
>>
>> On 11/23/2014 04:08 PM, Robert Moskowitz wrote:
>>> OK, I did not know that this user has a new computer with Outlook 2010. This SHOULD make it easier but...
>>>
>>> I have the computer right next to me, they brought it over. It is on the same LAN as this notebook.
>>>
>>> I can access my server with:
>>>
>>>     openssl s_client -connect z9m9z.htt-consult.com:995
>>>
>>> And then log the user in with the appropriate POP3 credentials.
>>>
>>> In Outlook 2010, in Advanced settings I have specified "This server requires an encrypted connection (SSL)" and it switches to port 995 (from 110). I try connecting and I get an error that "Your server does not support the connection encryption type you have specified."
>>>
>>> The first time we tried this it installed my self-signed cert in the local cert store.
>>>
>>> Any idea on what is going on or how to get this working?
Probably K9 not Outlook - Re: Outlook 2010 not connecting to secure POP3
I finally noticed this popup of K9 blocking https on port (143, 993, 995). So the user has to come back over here and disable K9 long enough to get things working.

ARGH!

On 11/23/2014 04:08 PM, Robert Moskowitz wrote:
> OK, I did not know that this user has a new computer with Outlook 2010. This SHOULD make it easier but...
>
> I have the computer right next to me, they brought it over. It is on the same LAN as this notebook.
>
> I can access my server with:
>
>     openssl s_client -connect z9m9z.htt-consult.com:995
>
> And then log the user in with the appropriate POP3 credentials.
>
> In Outlook 2010, in Advanced settings I have specified "This server requires an encrypted connection (SSL)" and it switches to port 995 (from 110). I try connecting and I get an error that "Your server does not support the connection encryption type you have specified."
>
> The first time we tried this it installed my self-signed cert in the local cert store.
>
> Any idea on what is going on or how to get this working?
Outlook 2010 not connecting to secure POP3
OK, I did not know that this user has a new computer with Outlook 2010. This SHOULD make it easier but...

I have the computer right next to me, they brought it over. It is on the same LAN as this notebook.

I can access my server with:

    openssl s_client -connect z9m9z.htt-consult.com:995

And then log the user in with the appropriate POP3 credentials.

In Outlook 2010, in Advanced settings I have specified "This server requires an encrypted connection (SSL)" and it switches to port 995 (from 110). I try connecting and I get an error that "Your server does not support the connection encryption type you have specified."

The first time we tried this it installed my self-signed cert in the local cert store.

Any idea on what is going on or how to get this working?
Re: Outlook Express and STARTTLS
On 11/22/2014 01:17 AM, Robert Schetterer wrote:
> Am 21.11.2014 um 22:29 schrieb Reindl Harald:
>> Am 21.11.2014 um 22:24 schrieb Robert Schetterer:
>>> Am 21.11.2014 um 20:59 schrieb Robert Moskowitz:
>>>> I have one user that uses Outlook Express. Not only do I not use it, I don't have any systems here that can easily use it. A bit of a challenge. I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP connections. So far a google search has not shown me how to configure this for a user. Anyone have a pointer to instructions so I can talk the person through the changes?
>>>
>>> you shouldn't support outdated stuff
>>>
>>> http://en.wikipedia.org/wiki/Outlook_Express
>>>
>>> Included with Windows 98, Windows Me, Windows 2000, Windows XP, Windows Server 2003
>>
>> the situation for Outlook (not OE) and TLS is not much better some versions support STARTTLS on SMTP but not for IMAP/POP3 and "you shouldn't support" is not that easy to do - if i could i would shut down so much outdated clients while i can't in case of business customers having other business companies as their customers
>
> yes i know that problem, but outdated os may be hacked anytime and then it will not be a client/user problem only

I have one user that I have to deal with this, and I will probably have them come over so I can 'fix' their notebook, and see what I might do.

Thing is this is a charity organization where we do things for them because. So whatever old notebook they have, I have to support what it can do.
Re: Outlook Express and STARTTLS
On 11/21/2014 03:38 PM, Gedalya wrote:
> On 11/21/2014 03:32 PM, Robert Moskowitz wrote:
>> On 11/21/2014 03:09 PM, Reindl Harald wrote:
>>> Am 21.11.2014 um 20:59 schrieb Robert Moskowitz:
>>>> I have one user that uses Outlook Express. Not only do I not use it, I don't have any systems here that can easily use it. A bit of a challenge. I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP connections. So far a google search has not shown me how to configure this for a user. Anyone have a pointer to instructions so I can talk the person through the changes?
>>>
>>> it can't as well as Outlook for POP3/IMAP you need 993/995 *without* STARTTLS - period and that's why a sane mailserver needs to support 110,143,993,995,587 *and* 465 to support every client, that won't change in the near future
>>
>> I missed 465; got the rest. Will have to look THAT one up. Thanks for the tip, Harald.
>
> That's just implicit TLS for SMTP submission, instead of 587. OE needs that.

Back to fixing this and first I see that I DID try something because I created a firewall rule for 645 instead of 465.

Then I checked over at:

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

And 465 is not assigned for this purpose. Looks like a land-grab from back in the days.

Anyway, this is most likely a POSTFIX config item, not Dovecot, so I will have to check through the docs there to get this set up right.
Re: Outlook Express and STARTTLS
On 11/21/2014 04:04 PM, Reindl Harald wrote:
> Am 21.11.2014 um 21:51 schrieb Robert Moskowitz:
>> On 11/21/2014 03:38 PM, Gedalya wrote:
>>> On 11/21/2014 03:32 PM, Robert Moskowitz wrote:
>>>> On 11/21/2014 03:09 PM, Reindl Harald wrote:
>>>>> Am 21.11.2014 um 20:59 schrieb Robert Moskowitz:
>>>>>> I have one user that uses Outlook Express. Not only do I not use it, I don't have any systems here that can easily use it. A bit of a challenge. I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP connections. So far a google search has not shown me how to configure this for a user. Anyone have a pointer to instructions so I can talk the person through the changes?
>>>>>
>>>>> it can't as well as Outlook for POP3/IMAP you need 993/995 *without* STARTTLS - period and that's why a sane mailserver needs to support 110,143,993,995,587 *and* 465 to support every client, that won't change in the near future
>>>>
>>>> I missed 465; got the rest. Will have to look THAT one up. Thanks for the tip, Harald.
>>>
>>> That's just implicit TLS for SMTP submission, instead of 587. OE needs that.
>>
>> Which is why IETF has made a major pushback against every transport wanting a second port number for TLS. There just are not enough port numbers for this purpose
>
> well, if we could turn back time 15 years ago many things would be different - IMHO the decision to deprecate 465 in favour to STARTTLS is plain wrong - it is much easier for a MITM to strip out the STARTTLS in the still unencrypted connection (given a client falls back to unencrypted in that case) before the TLS handshake ever happens

It becomes yet another DOS attack, as the server would recognize this and drop the connection. Or at least it should. There are still so many MITM attacks it is sad. We do them by intent in corporation proxies to meet their legal rights as to internal usage.

But, yes, we really need a way-back machine. Lots of great ideas are just not holding up.
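The fallback condition discussed in this exchange, as an added example that is not part of the thread: a client-side policy check that treats a missing STARTTLS/STLS offer as a reason to abort rather than to continue in cleartext, so a stripped upgrade offer costs availability but not credentials. The function names and the sample server replies are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Keyword that offers the TLS upgrade in each protocol's pre-TLS capability list.
UPGRADE_KEYWORD = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}

# Constructed server replies (not captured traffic). The *_STRIPPED variants are
# what a client sees when the upgrade offer has been removed in transit.
EHLO_INTACT = ("250-mail.example.org\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
               "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_STRIPPED = ("250-mail.example.org\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                 "250 8BITMIME\r\n")
IMAP_INTACT = "* OK [CAPABILITY IMAP4rev1 SASL-IR STARTTLS LOGINDISABLED] ready\r\n"
IMAP_STRIPPED = "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGINDISABLED] ready\r\n"
POP3_CAPA = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nSTLS\r\nUSER\r\nSASL PLAIN\r\n.\r\n"


def advertised_capabilities(protocol, response):
    """Return the upper-cased capability keywords found in a pre-TLS reply."""
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    caps = set()
    if protocol == "smtp":
        # EHLO reply: first line names the server, then one keyword per line.
        for ln in lines[1:]:
            m = re.match(r"250[- ](\S+)", ln)
            if m:
                caps.add(m.group(1).upper())
    elif protocol == "imap":
        # Either "* CAPABILITY ..." or a "[CAPABILITY ...]" code in the greeting.
        for ln in lines:
            m = re.search(r"\bCAPABILITY\s+([^\]]*)", ln, re.IGNORECASE)
            if m:
                caps.update(tok.upper() for tok in m.group(1).split())
    elif protocol == "pop3":
        # CAPA reply: status line, one capability per line, "." terminator.
        for ln in lines:
            if ln.startswith(("+OK", "-ERR")) or ln == ".":
                continue
            caps.add(ln.split()[0].upper())
    else:
        raise ValueError("unknown protocol: %r" % protocol)
    return caps


@dataclass(frozen=True)
class Decision:
    action: str  # "starttls", "plaintext" or "abort"
    reason: str


def decide(protocol, response, require_tls=True):
    """Decide what the client does next, before any credentials are sent."""
    caps = advertised_capabilities(protocol, response)
    keyword = UPGRADE_KEYWORD[protocol]
    if keyword in caps:
        return Decision("starttls", "server offers %s" % keyword)
    if require_tls:
        # No offer: misconfigured server or offer removed in transit.
        # Either way the safe outcome is a failed connection.
        return Decision("abort", "%s not offered and TLS is required" % keyword)
    if protocol == "imap" and "LOGINDISABLED" in caps:
        return Decision("abort", "no STARTTLS and cleartext LOGIN is disabled")
    return Decision("plaintext", "opportunistic mode: continuing without TLS")


if __name__ == "__main__":
    for name, proto, reply in [("intact EHLO", "smtp", EHLO_INTACT),
                               ("stripped EHLO", "smtp", EHLO_STRIPPED),
                               ("stripped IMAP", "imap", IMAP_STRIPPED)]:
        print(name, "->", decide(proto, reply))
```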
Re: Outlook Express and STARTTLS
On 11/21/2014 03:38 PM, Gedalya wrote:
> On 11/21/2014 03:32 PM, Robert Moskowitz wrote:
>> On 11/21/2014 03:09 PM, Reindl Harald wrote:
>>> Am 21.11.2014 um 20:59 schrieb Robert Moskowitz:
>>>> I have one user that uses Outlook Express. Not only do I not use it, I don't have any systems here that can easily use it. A bit of a challenge. I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP connections. So far a google search has not shown me how to configure this for a user. Anyone have a pointer to instructions so I can talk the person through the changes?
>>>
>>> it can't as well as Outlook for POP3/IMAP you need 993/995 *without* STARTTLS - period and that's why a sane mailserver needs to support 110,143,993,995,587 *and* 465 to support every client, that won't change in the near future
>>
>> I missed 465; got the rest. Will have to look THAT one up. Thanks for the tip, Harald.
>
> That's just implicit TLS for SMTP submission, instead of 587. OE needs that.

Which is why IETF has made a major pushback against every transport wanting a second port number for TLS. There just are not enough port numbers for this purpose.
Re: Outlook Express and STARTTLS
On 11/21/2014 03:09 PM, Reindl Harald wrote:
> Am 21.11.2014 um 20:59 schrieb Robert Moskowitz:
>> I have one user that uses Outlook Express. Not only do I not use it, I don't have any systems here that can easily use it. A bit of a challenge. I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP connections. So far a google search has not shown me how to configure this for a user. Anyone have a pointer to instructions so I can talk the person through the changes?
>
> it can't as well as Outlook for POP3/IMAP you need 993/995 *without* STARTTLS - period and that's why a sane mailserver needs to support 110,143,993,995,587 *and* 465 to support every client, that won't change in the near future

I missed 465; got the rest. Will have to look THAT one up. Thanks for the tip, Harald.
Re: Outlook Express and STARTTLS
On 11/21/2014 03:06 PM, Gedalya wrote:
> On 11/21/2014 02:59 PM, Robert Moskowitz wrote:
>> I have one user that uses Outlook Express. Not only do I not use it, I don't have any systems here that can easily use it. A bit of a challenge. I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP connections. So far a google search has not shown me how to configure this for a user. Anyone have a pointer to instructions so I can talk the person through the changes?
>
> Just put "outlook express ssl" (or tls) in google image search. It doesn't support STARTTLS, only implicit TLS.

OK. No wonder nothing on STARTTLS. I support TLS as well.
Outlook Express and STARTTLS
I have one user that uses Outlook Express. Not only do I not use it, I don't have any systems here that can easily use it. A bit of a challenge. I am strictly enforcing STARTTLS or TLS for SMTP/POP3/IMAP connections. So far a google search has not shown me how to configure this for a user. Anyone have a pointer to instructions so I can talk the person through the changes?
Re: logwatch reporting
On 11/21/2014 12:27 PM, Birta Levente wrote: On 21/11/2014 16:31, Robert Moskowitz wrote: On 11/21/2014 09:01 AM, Birta Levente wrote: On 21/11/2014 15:48, Robert Moskowitz wrote: On 11/21/2014 04:13 AM, Tamsy wrote: Robert Moskowitz wrote on 20.11.2014 20:41: I just launched a new mailserver that is using dovecot. My previous mailserver used courier-mail. I am expecting better things with this new server, but I was use to some login information in logwatch that I am not seeing now. For example I would get: [IMAPd] Logout stats: User | Logouts | Downloaded | Mbox Size --- | --- | -- | -- us...@htt-consult.com | 55 | 219571 | 0 us...@htt-consult.com | 285 | 221681 | 0 us...@labs.htt-consult.com | 32 | 15183 | 0 --- 372 | 456435 | 0 **Unmatched Entries** Disconnected, ip=[:::107.150.52.84], time=1, starttls=1: 2 Time(s) -- IMAP End - - POP-3 Begin [POP3] Logout stats (in MB): User | Logouts | Downloaded | Mbox Size --- | --- | -- | -- us...@htt-consult.com | 78 | 5.96 | 0 us...@communaljob.com | 215 | 9.24 | 0 us...@htt-consult.com | 1 | 7.47 | 0 us...@htt-consult.com | 1 | 2.34 | 0 us...@htt-consult.com | 301 | 31.08 | 0 us...@labs.htt-consult.com | 201 | 4.98 | 0 --- 797 | 61.06 | 0.00 **Unmatched Entries** Disconnected, ip=[:::107.150.52.84]: 2 Time(s) Disconnected, ip=[:::12.159.43.147]: 50 Time(s) Disconnected, ip=[:::172.245.45.20]: 61 Time(s) LOGIN FAILED, user=Alfredo, ip=[:::172.245.45.20]: 1 Time(s) LOGIN FAILED, user=Antonio, ip=[:::172.245.45.20]: 2 Time(s) LOGIN FAILED, user=postmaster, ip=[:::172.245.45.20]: 7 Time(s) LOGIN FAILED, user=webmaster, ip=[:::172.245.45.20]: 7 Time(s) LOGIN FAILED, user=www, ip=[:::172.245.45.20]: 4 Time(s) Maximum connection limit reached for :::172.245.45.20: 509 Time(s) -- POP-3 End - Whereas dovecot is only reporting: - Dovecot Begin Dovecot disconnects: Inactivity: 1 Time(s) Logged out: 379 Time(s) no auth attempts: 5 Time(s) no reason: 1 Time(s) tried to use disabled plaintext auth: 1 Time(s) **Unmatched Entries** 
dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s) -- Dovecot End - How can I get more detailed user activity reporting to logwatch? And why is connection to mysql under Unmatched Entries? What version of Logwatch is installed on the server and on which distro? We are using Logwatch here too and the summary for Dovecot is very detailed; even more detailed compared to what you got with courier-mail. I am running Redsleeve 6 which is a port of Centos 6 to ARM. Its logwatch is: logwatch-7.3.6-52.el6.noarch Oh, and dovecot is: dovecot-2.0.9-7.el6.armv5tel Thanks for this pointer but... There is Detail and *OnlyService parameters in logwatch's dovecot.conf (in centos by default /usr/share/logwatch/default.conf/services/dovecot.conf) No detail parameter in mine which seems rather old: # $Log: dovecot.conf,v $ # Revision 1.3 2006/08/13 21:05:03 bjorn # Changed OnlyService to include dovecot for compatibility with Dovecot 1.0 # based on patches by Mark Nienberg; modification by Patrick Vande Walle. *OnlyService = (imap-login|pop3-login|dovecot) What would I add to that? OnlyService refer to the log prefix or service name in your maillog. If you need more detailed report just add to the mentioned config file: Detail=10 # 10 is the maximum detail Will make this change shortly. But for me looks like you have no imap or pop logins nor deliveries in logfile at all. Can you confirm having like this in your maillog? Oct 28 08:36:34 srv2 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.1.2, lip=192.168.1.1, mpid=11188, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) Oh, they are there e.g.: Nov 21 12:44:24 z9m9z dovecot: pop3-login: Login: user=, method=PLAIN, rip=208.83.67.157,
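An added example, not part of the thread and not logwatch's own code: a small summarizer for the `imap-login` / `pop3-login` lines quoted above, giving per-user login counts by protocol, failed-auth attempts per remote IP, and the accounts seen only over POP3. The sample lines are constructed in the Dovecot 2.x syslog format, and the function and key names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Nov 21 12:44:24 mx1 dovecot: pop3-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=2101, TLS
Nov 21 12:45:02 mx1 dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.10, mpid=2105, TLS
Nov 21 12:45:40 mx1 dovecot: pop3-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=2110, TLS
Nov 21 12:46:11 mx1 dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<postmaster>, method=PLAIN, rip=203.0.113.50, lip=192.0.2.10, TLS
Nov 21 12:46:30 mx1 dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<webmaster>, method=PLAIN, rip=203.0.113.50, lip=192.0.2.10, TLS
Nov 21 12:47:00 mx1 dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): rip=198.51.100.9, lip=192.0.2.10
Nov 21 12:47:05 mx1 dovecot: dict: mysql: Connected to localhost (postfix)
Nov 21 12:48:00 mx1 dovecot: imap-login: Login: user=<carol@example.org>, method=PLAIN, rip=198.51.100.12, lip=192.0.2.10, mpid=2120, TLS
Nov 21 12:49:00 mx1 dovecot: pop3-login: Login: user=<carol@example.org>, method=PLAIN, rip=198.51.100.12, lip=192.0.2.10, mpid=2125, TLS
"""

# "<service>-login: <event> (<detail>): <fields>"; the detail part is optional.
LINE_RE = re.compile(
    r"dovecot: (?P<service>imap|pop3)-login: (?P<event>[^:]+?)"
    r"(?: \((?P<detail>[^)]*)\))?: (?P<fields>.*)$"
)
USER_RE = re.compile(r"user=<([^>]*)>")
RIP_RE = re.compile(r"\brip=([0-9A-Fa-f.:]+)")
ATTEMPTS_RE = re.compile(r"auth failed, (\d+) attempts")


def summarize(log_text):
    """Aggregate Dovecot login-process lines into a report dictionary."""
    logins = defaultdict(Counter)   # user -> Counter({service: successful logins})
    failed_by_ip = Counter()        # remote IP -> failed authentication attempts
    failed_by_user = Counter()      # attempted user name -> failed attempts
    refused_plaintext = 0           # cleartext auth tried while it is disabled
    unmatched = []                  # lines from other Dovecot processes

    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.search(line)
        if not m:
            unmatched.append(line)
            continue
        fields = m.group("fields")
        detail = m.group("detail") or ""
        user = USER_RE.search(fields)
        rip = RIP_RE.search(fields)

        if m.group("event") == "Login" and user:
            logins[user.group(1)][m.group("service")] += 1
        elif "auth failed" in detail:
            n = ATTEMPTS_RE.search(detail)
            attempts = int(n.group(1)) if n else 1
            if rip:
                failed_by_ip[rip.group(1)] += attempts
            if user:
                failed_by_user[user.group(1)] += attempts
        elif "disabled plaintext auth" in detail:
            refused_plaintext += 1

    # Accounts that logged in over POP3 but never over IMAP in this log window.
    pop3_only = sorted(u for u, c in logins.items() if c["pop3"] and not c["imap"])
    return {
        "logins": {u: dict(c) for u, c in logins.items()},
        "failed_by_ip": dict(failed_by_ip),
        "failed_by_user": dict(failed_by_user),
        "refused_plaintext": refused_plaintext,
        "pop3_only": pop3_only,
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```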
Re: spam folder and POP users
On 11/21/2014 05:40 AM, Peter Chiochetti wrote:
> Am 2014-11-21 um 02:21 schrieb Robert Moskowitz:
>> On 11/20/2014 07:55 PM, Joseph Tam wrote:
>>> Seems sort of klunky though. In my opinion, your energy is better invested in converting your POP3 holdouts to IMAP.
>>
>> Agreed. I am looking at what it takes to do this with Thunderbird, as I am the biggest holdout! The recommended way is HARD. I have 20 years and gigabytes of emails in local pop folders that I do not want to lose or have replicated on the server. Somewhere is the magic goo for this. Once I figure it out for myself, it will be easy for the other users.
>
> It might not be that hard with Thunderbird. You have though to recreate all accounts as IMAP ones, which leaves the POP ones alone. This is most of the work. Then, in the Profiles/./Mail folder in the local filesystem move all POP folders below the "Local Folders" there. Then delete the POP accounts.

I got a response on Mozilla for help on this. Better understand 'local', 'pop user' and 'imap user' folders. After some thought, there is no reason to actually move all those folders from the pop user directory to the local directory structure. I can just disable the account. The challenge will be creating the filters. They did give me instructions on how to move the filters, and I expect if I did that, they will still point to the folders over in the old account directory structure!

> Likely you can even point the "archive" Folder in IMAP account settings to this new path, tick keep structure and from now on, move mails from IMAP to local with a single tap on the "a" key. I did this years ago, so take advice with caution.

I looked at this back when I launched my courier-mail server 4 years ago, but did not figure it out then. Plus squirrelmail was not all that great compared to roundcubemail.

Much better off now with the server, just need to get a 'few' nits working right. amavis-new is not properly handling the virtual domains defined by postfixadmin; I have asked for help on this in both groups, as I have tried all the examples I have found googling and none of them are working. Then I have the DNS DMARC to tackle so that google mail will be happy. Not much left. And getting more detailed logwatch reports.

I think over all, I am doing OK with this move.
Re: logwatch reporting
On 11/21/2014 09:01 AM, Birta Levente wrote: On 21/11/2014 15:48, Robert Moskowitz wrote: On 11/21/2014 04:13 AM, Tamsy wrote: Robert Moskowitz wrote on 20.11.2014 20:41: I just launched a new mailserver that is using dovecot. My previous mailserver used courier-mail. I am expecting better things with this new server, but I was use to some login information in logwatch that I am not seeing now. For example I would get: [IMAPd] Logout stats: User | Logouts | Downloaded | Mbox Size --- | --- | -- | -- us...@htt-consult.com | 55 | 219571 | 0 us...@htt-consult.com | 285 | 221681 | 0 us...@labs.htt-consult.com | 32 | 15183 | 0 --- 372 | 456435 | 0 **Unmatched Entries** Disconnected, ip=[:::107.150.52.84], time=1, starttls=1: 2 Time(s) -- IMAP End - - POP-3 Begin [POP3] Logout stats (in MB): User | Logouts | Downloaded | Mbox Size --- | --- | -- | -- us...@htt-consult.com | 78 | 5.96 | 0 us...@communaljob.com | 215 | 9.24 | 0 us...@htt-consult.com | 1 | 7.47 | 0 us...@htt-consult.com | 1 | 2.34 | 0 us...@htt-consult.com | 301 | 31.08 | 0 us...@labs.htt-consult.com | 201 | 4.98 | 0 --- 797 | 61.06 | 0.00 **Unmatched Entries** Disconnected, ip=[:::107.150.52.84]: 2 Time(s) Disconnected, ip=[:::12.159.43.147]: 50 Time(s) Disconnected, ip=[:::172.245.45.20]: 61 Time(s) LOGIN FAILED, user=Alfredo, ip=[:::172.245.45.20]: 1 Time(s) LOGIN FAILED, user=Antonio, ip=[:::172.245.45.20]: 2 Time(s) LOGIN FAILED, user=postmaster, ip=[:::172.245.45.20]: 7 Time(s) LOGIN FAILED, user=webmaster, ip=[:::172.245.45.20]: 7 Time(s) LOGIN FAILED, user=www, ip=[:::172.245.45.20]: 4 Time(s) Maximum connection limit reached for :::172.245.45.20: 509 Time(s) -- POP-3 End - Whereas dovecot is only reporting: - Dovecot Begin Dovecot disconnects: Inactivity: 1 Time(s) Logged out: 379 Time(s) no auth attempts: 5 Time(s) no reason: 1 Time(s) tried to use disabled plaintext auth: 1 Time(s) **Unmatched Entries** dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s) -- Dovecot End - How can I 
get more detailed user activity reporting to logwatch? And why is connection to mysql under Unmatched Entries? What version of Logwatch is installed on the server and on which distro? We are using Logwatch here too and the summary for Dovecot is very detailed; even more detailed compared to what you got with courier-mail. I am running Redsleeve 6 which is a port of Centos 6 to ARM. Its logwatch is: logwatch-7.3.6-52.el6.noarch Oh, and dovecot is: dovecot-2.0.9-7.el6.armv5tel Thanks for this pointer but... There is Detail and *OnlyService parameters in logwatch's dovecot.conf (in centos by default /usr/share/logwatch/default.conf/services/dovecot.conf) No detail parameter in mine which seems rather old: # $Log: dovecot.conf,v $ # Revision 1.3 2006/08/13 21:05:03 bjorn # Changed OnlyService to include dovecot for compatibility with Dovecot 1.0 # based on patches by Mark Nienberg; modification by Patrick Vande Walle. *OnlyService = (imap-login|pop3-login|dovecot) What would I add to that? Probably you can override these parameters in /etc/logwatch/conf/services ... but I personally never used this. Look at the meaning of these parameters ... maybe this is the problem Where do I look for their meaning? My google searching is coming up empty. thanks
Re: logwatch reporting
On 11/21/2014 04:13 AM, Tamsy wrote:
> Robert Moskowitz wrote on 20.11.2014 20:41:
>> I just launched a new mailserver that is using dovecot. My previous mailserver used courier-mail. I am expecting better things with this new server, but I was used to some login information in logwatch that I am not seeing now. For example I would get:
>>
>> [IMAPd] Logout stats:
>> User | Logouts | Downloaded | Mbox Size
>> --- | --- | -- | --
>> us...@htt-consult.com | 55 | 219571 | 0
>> us...@htt-consult.com | 285 | 221681 | 0
>> us...@labs.htt-consult.com | 32 | 15183 | 0
>> ---
>> 372 | 456435 | 0
>>
>> **Unmatched Entries**
>> Disconnected, ip=[:::107.150.52.84], time=1, starttls=1: 2 Time(s)
>>
>> -- IMAP End -
>>
>> - POP-3 Begin
>>
>> [POP3] Logout stats (in MB):
>> User | Logouts | Downloaded | Mbox Size
>> --- | --- | -- | --
>> us...@htt-consult.com | 78 | 5.96 | 0
>> us...@communaljob.com | 215 | 9.24 | 0
>> us...@htt-consult.com | 1 | 7.47 | 0
>> us...@htt-consult.com | 1 | 2.34 | 0
>> us...@htt-consult.com | 301 | 31.08 | 0
>> us...@labs.htt-consult.com | 201 | 4.98 | 0
>> ---
>> 797 | 61.06 | 0.00
>>
>> **Unmatched Entries**
>> Disconnected, ip=[:::107.150.52.84]: 2 Time(s)
>> Disconnected, ip=[:::12.159.43.147]: 50 Time(s)
>> Disconnected, ip=[:::172.245.45.20]: 61 Time(s)
>> LOGIN FAILED, user=Alfredo, ip=[:::172.245.45.20]: 1 Time(s)
>> LOGIN FAILED, user=Antonio, ip=[:::172.245.45.20]: 2 Time(s)
>> LOGIN FAILED, user=postmaster, ip=[:::172.245.45.20]: 7 Time(s)
>> LOGIN FAILED, user=webmaster, ip=[:::172.245.45.20]: 7 Time(s)
>> LOGIN FAILED, user=www, ip=[:::172.245.45.20]: 4 Time(s)
>> Maximum connection limit reached for :::172.245.45.20: 509 Time(s)
>>
>> -- POP-3 End -
>>
>> Whereas dovecot is only reporting:
>>
>> - Dovecot Begin
>>
>> Dovecot disconnects:
>> Inactivity: 1 Time(s)
>> Logged out: 379 Time(s)
>> no auth attempts: 5 Time(s)
>> no reason: 1 Time(s)
>> tried to use disabled plaintext auth: 1 Time(s)
>>
>> **Unmatched Entries**
>> dovecot: dict: mysql: Connected to localhost (postfix): 351 Time(s)
>>
>> -- Dovecot End -
>>
>> How can I get more detailed user activity reporting to logwatch? And why is connection to mysql under Unmatched Entries?
>
> What version of Logwatch is installed on the server and on which distro? We are using Logwatch here too and the summary for Dovecot is very detailed; even more detailed compared to what you got with courier-mail.

I am running Redsleeve 6 which is a port of Centos 6 to ARM. Its logwatch is:

logwatch-7.3.6-52.el6.noarch

Oh, and dovecot is:

dovecot-2.0.9-7.el6.armv5tel
Re: spam folder and POP users
On 11/20/2014 07:55 PM, Joseph Tam wrote:
> Robert Moskowitz writes:
>> My server is moving all tagged spam into the IMAP spam folder. Very nice for the IMAP users, but not for the POP users. Of course the server don't know, and the mysql database for users does not have any flags for this. Don't want my server to fill up with spam from POP users that don't know to check via IMAP.
>
> You can contort the virtual plugin to fuse your user's INBOX and spam box together into a virtual INBOX:
>
> http://wiki2.dovecot.org/Plugins/Virtual
> (See section "Virtual POP3 INBOX")
>
> This turns the problem from a delivery problem into a reading (or presentation) problem.
>
> Seems sort of klunky though. In my opinion, your energy is better invested in converting your POP3 holdouts to IMAP.

Agreed. I am looking at what it takes to do this with Thunderbird, as I am the biggest holdout! The recommended way is HARD. I have 20 years and gigabytes of emails in local pop folders that I do not want to lose or have replicated on the server. Somewhere is the magic goo for this. Once I figure it out for myself, it will be easy for the other users.
Re: Found It - Re: spam folder and POP users
On 11/20/2014 05:57 PM, Gedalya wrote:
> On 11/20/2014 05:51 PM, Robert Moskowitz wrote:
>> On 11/20/2014 05:29 PM, Robert Moskowitz wrote:
>>> I am new to actually running dovecot. I actually still use POP as I have for YEARS and thunderbird does not make it easy to convert to IMAP...
>>>
>>> My server is moving all tagged spam into the IMAP spam folder. Very nice for the IMAP users, but not for the POP users. Of course the server don't know, and the mysql database for users does not have any flags for this. Don't want my server to fill up with spam from POP users that don't know to check via IMAP.
>>>
>>> I am using roundcubemail for the webmail IMAP client.
>>>
>>> Is there any way for POP users to indicate that they do not want spam so nicely auto moved to the IMAP spam folder?
>>
>> Obviously I picked this up and did not think through the results. Seemed good at the time...
>>
>>     mkdir /home/sieve
>>     # Global sieve script: file anything tagged as spam into the Spam folder
>>     cat <<EOF >/home/sieve/globalfilter.sieve || exit 1
>>     require "fileinto";
>>     if exists "X-Spam-Flag" {
>>       if header :contains "X-Spam-Flag" "NO" {
>>       } else {
>>         fileinto "Spam";
>>         stop;
>>       }
>>     }
>>     if header :contains "subject" ["***SPAM***"] {
>>       fileinto "Spam";
>>       stop;
>>     }
>>     EOF
>>     chown -R vmail:mail /home/sieve
>>
>> So one option is just to disable this. Another is to work out how each user can do this if they want...
>
> You're already using roundcube, so just enable managesieve and the roundcube managesieve plugin, and let every user configure for themselves how to react to the X-Spam-Flag header. You can drop in a few sieve scripts as suggestions and they can enable the one they like, or none, if they prefer to use their local mail client for sorting this out.

I was just figuring that out. Kind of tossed everything into the sink and now I have to sort it out. Let the IMAP users (most likely Roundcube) deal with it themselves and let the POP3 users continue to get their spam to eat.
Re: spam folder and POP users
On 11/20/2014 05:37 PM, Gedalya wrote: On 11/20/2014 05:29 PM, Robert Moskowitz wrote: I am new to actually running dovecot. I actually still use POP as I have for YEARS and thunderbird does not make it easy to convert to IMAP... My server is moving all tagged spam into the IMAP spam folder. Very nice for the IMAP users, but not for the POP users. Of course the server don't know, and the mysql database for users does not have any flags for this. Don't want my server to fill up with spam from POP users that don't know to check via IMAP. I am using roundcubemail for the webmail IMAP client. Is there any way for POP users to indicate that they do not want spam so nicely auto moved to the IMAP spam folder? How do you even define a "pop user" - it's not an easy thing to determine. Some that connects to port 110 using a POP3 client. Remember those? Back to the days of Eudora, perhaps? Pete Resnick still attends IETF. Of course one time they attach with POP3, another with IMAP so I did find out what I did and now I have to decide what to do about it. Problem with taking such a big move in one, and then seeing how it works. Or not. Someone who hasn't logged in via IMAP in x days? Perhaps implement a lastlogin_imap field? You really should just have a flag in your database. Otherwise, just purge from the spam folder messages older than X days (preferably after notifying the users, of course). Something to think about. Might be good for those that are not IMAP users. Another (rather annoying) feature some people have is to have a "spam report" delivered to Inbox daily, listing messages delivered to Spam in the past 24 hours, you can script that around doveadm fetch. but basically the above purge would result in a daily message: "I am going to purge old spam if you don't do it yourself".
Found It - Re: spam folder and POP users
On 11/20/2014 05:29 PM, Robert Moskowitz wrote:
> I am new to actually running dovecot. I actually still use POP as I have for YEARS and thunderbird does not make it easy to convert to IMAP...
>
> My server is moving all tagged spam into the IMAP spam folder. Very nice for the IMAP users, but not for the POP users. Of course the server don't know, and the mysql database for users does not have any flags for this. Don't want my server to fill up with spam from POP users that don't know to check via IMAP.
>
> I am using roundcubemail for the webmail IMAP client.
>
> Is there any way for POP users to indicate that they do not want spam so nicely auto moved to the IMAP spam folder?

Obviously I picked this up and did not think through the results. Seemed good at the time...

    mkdir /home/sieve
    # Global sieve script: file anything tagged as spam into the Spam folder
    cat <<EOF >/home/sieve/globalfilter.sieve || exit 1
    require "fileinto";
    if exists "X-Spam-Flag" {
      if header :contains "X-Spam-Flag" "NO" {
      } else {
        fileinto "Spam";
        stop;
      }
    }
    if header :contains "subject" ["***SPAM***"] {
      fileinto "Spam";
      stop;
    }
    EOF
    chown -R vmail:mail /home/sieve

So one option is just to disable this. Another is to work out how each user can do this if they want...
Re: spam folder and POP users
On 11/20/2014 05:35 PM, Reindl Harald wrote: Am 20.11.2014 um 23:29 schrieb Robert Moskowitz: I am new to actually running dovecot. I actually still use POP as I have for YEARS and thunderbird does not make it easy to convert to IMAP... My server is moving all tagged spam into the IMAP spam folder. Very nice for the IMAP users, but not for the POP users. Of course the server don't know, and the mysql database for users does not have any flags for this. Don't want my server to fill up with spam from POP users that don't know to check via IMAP. I am using roundcubemail for the webmail IMAP client. Is there any way for POP users to indicate that they do not want spam so nicely auto moved to the IMAP spam folder? dovecot just don't know if it is a "POP3 user" That I know. Though since it is using a mysql database of users, I COULD add a column designating this. But it would be difficult to maintain. Better perhaps for dovecot NOT to be so nice to move the messages and leave that to the client. it is just a user what about setup a better spam filter so you can deliver the 5-10 spam messages just to INBOX with [SPAM] added to the subject? Well ***SPAM*** is added to the subject. And it seems that dovecot is being really nice to act on that and move it. Now I have to remember what I did to configure this and unconfigure this. I did much of the work long ago, set it aside, built a new box,,, So now I am learning what I did. to give you some numbers: 1200 users, 150 flagged messages per day I only have 12 users. Small time, I know. And some have 1000 flagged messages per day.
spam folder and POP users
I am new to actually running dovecot. I actually still use POP as I have for YEARS and thunderbird does not make it easy to convert to IMAP... My server is moving all tagged spam into the IMAP spam folder. Very nice for the IMAP users, but not for the POP users. Of course the server don't know, and the mysql database for users does not have any flags for this. Don't want my server to fill up with spam from POP users that don't know to check via IMAP. I am using roundcubemail for the webmail IMAP client. Is there any way for POP users to indicate that they do not want spam so nicely auto moved to the IMAP spam folder?
Re: Mailing list test
On 11/20/2014 04:34 PM, Timo Sirainen wrote: Apparently this list has somehow broken.. Not really sure what the problem is, lets see what happens to this mail. thanks for fixing it. I thought the problem was on my end with my new server and got yelled at on the postfix list on some of my assumptions! New to actually running dovecot. Old server was courier-mail. Though I worked off and on developing this server for a year!