Re: Dovecot infrastructure

2017-08-08 Thread Simone Marx :: Edinet Srl

Hi


> Sounds a bit less good. If you only have one server now, then
> partitioning out by function will probably be *much* easier.
> Everything except dovecot is very easy to spread out across
> servers, so to take the easy route I would probably keep dovecot
> where it is, and spread out the other functions on new servers.
> You can have one or two sendmail servers, two or more AV servers,
> and add to those as needed. I'll bet that your "not enough"
> problems are more related to the AV functions than to dovecot.


It's not completely true.
The trend in recent years has seen the increase in the size of the
mailboxes as well as their number.
It's true what you say, so you partially won, but consider that the virtual
server provider I will use offers machines with a fixed mix of resources
(instance A with 4vCPU/8GB RAM/100GB SSD, B with 6vCPU/16GB RAM/200GB
SSD etc.), no block storage available,
and that I'm actually hitting low disk space with 1.5TB, I will waste
vCPU for storage/dovecot instances.




> P.S. BTW... Sendmail?


I'm using sendmail, but I thought that in an environment like the one
proposed postfix with virtual users would be better; any suggestions?


Thank you.

Simone.


Dovecot infrastructure

2017-08-07 Thread Simone Marx :: Edinet Srl

Hi,
I would need some suggestions for a dovecot based mail infrastructure.
Actually, only one server (with dovecot sendmail amavis spamassassin
clamav etc etc) is no longer enough, so I thought I would put on a more
complex infrastructure on different servers.


But I do not know a few things.
I was thinking about partitioning users on 3-4 servers with dovecot 
(imap / pop3) and dovecot-lda (no networked filesystem between them) and 
then configuring 1-2 servers with dovecot director and 1-2 servers for 
SMTP with postfix.
It is not clear how the director will map user -> server to be used and,
in a user virtualization context (maybe on MySQL), what owner /
permissions I should give to home folders where I will store mail.


Thank you.
Simone.


Re: [Dovecot] Enable IMAP only for certain users/IP

2013-05-29 Thread Simone Marx :: Edinet Srl

> what about using some kind of
> http://wiki2.dovecot.org/PostLoginScripting


You got it, a script call for post-login does the trick.

Thank you, Robert.

Sincerely,
Simone.




Re: [Dovecot] Enable IMAP only for certain users/IP

2013-05-29 Thread Simone Marx :: Edinet Srl

Hi Robert,
thank you for your answer.

My previous mail is based on the wiki page you specified.

Also, the allow_nets parameter seems not to do what I want.

I want to combine remote IP address check (system wide - common for all
users) and single user permission check.

The problem is that I would specify for the IP section something 
similar to:


127.0.0.1
1.2.0.0/21

and not:
127.0.0.1
1.2.0.1
1.2.0.2
1.2.0.3
1.2.0.4
1.2.0.5
.
.
.
1.2.7.254

Thank you.


Sincerely,
Simone.




[Dovecot] Enable IMAP only for certain users/IP

2013-05-29 Thread Simone Marx :: Edinet Srl

Hi,
I'm trying to config dovecot to enable IMAP protocol only for certain 
IPs and users.

The logical steps I've followed are:
1. If a user is trying to login from an IP that I've authorized
(listed in a file) the request is authorized.
2. If not, if the user is listed in a second file the request is
authorized.
3. If this check also fails the request is rejected.

I'm using PAM for passdb and a passwd-file for userdb:

passdb {
  driver = pam
  args = session=yes failure_show_msg=yes max_requests=16 cache_key=%u%r%l dovecot-%s
}

userdb {
  driver = passwd-file
  args  = /etc/passwd-dovecot
}


In /etc/pam.d/ there are two files:
dovecot-pop3
dovecot-imap

dovecot-pop3:

#%PAM-1.0

@include common-auth
@include common-account
@include common-session

(for this protocol everything works fine, I don't want to limit it.)


dovecot-imap:

#%PAM-1.0

@include common-auth

auth sufficient pam_listfile.so item=rhost sense=allow file=/etc/dovecot/imaphosts onerr=fail
auth required   pam_listfile.so item=user sense=allow file=/etc/dovecot/imapusers onerr=fail


@include common-account
@include common-session


If I'm not wrong, once the user is authenticated, PAM checks if the 
remote IP address is in imaphosts; if it's true,
it returns PAM_SUCCESS and stops the execution of the auth block, else 
if it's false, PAM executes the next line, verifying the presence of the 
username in imapusers file; if found, then return PAM_SUCCESS, else 
fail.


If this can work, I've a problem with pam_listfile.so and IP addresses:
I want to do something smarter than specifying 2^11 IP addresses instead
of a /21 or IP/netmask.


Are there alternatives for doing it better?

Thanks.

Sincerely,
Simone Marx.
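
The policy from this thread (allow an authorized network, else a listed user, else reject) written as a Dovecot post-login script with CIDR matching, as an added example that is not code from the original posts. It assumes the script is started by Dovecot's script-login with the USER and IP environment variables set, and that /etc/dovecot/imaphosts holds one address or CIDR network per line (a change from the pam_listfile format).

```python
#!/usr/bin/env python3
"""Added example: IMAP access policy as a Dovecot post-login script."""
import ipaddress
import os
import sys

HOSTS_FILE = "/etc/dovecot/imaphosts"  # path from the thread; CIDR entries are an assumption
USERS_FILE = "/etc/dovecot/imapusers"  # path from the thread; one username per line


def parse_entries(text):
    """Strip '#' comments and blank lines; return the remaining entries."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [entry for entry in stripped if entry]


def ip_allowed(remote_ip, entries):
    """True if remote_ip falls inside any address or CIDR network in entries."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # missing or malformed IP: fail closed
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # an unparsable line never grants access
        if addr in net:  # False when IPv4/IPv6 versions differ
            return True
    return False


def login_allowed(user, remote_ip, host_entries, user_entries):
    """Step 1: authorized network. Step 2: listed user. Step 3: reject."""
    return ip_allowed(remote_ip, host_entries) or user in user_entries


def main(argv, env):
    with open(HOSTS_FILE) as f:
        hosts = parse_entries(f.read())
    with open(USERS_FILE) as f:
        users = parse_entries(f.read())
    if not login_allowed(env.get("USER", ""), env.get("IP", ""), hosts, users):
        return 1  # exit without exec'ing the imap process: the session ends
    os.execvp(argv[1], argv[1:])  # hand over to the imap binary passed as arguments


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```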