Re: Repo for RHEL8

2019-05-19 Thread TG Servers via dovecot

On 19/05/2019 18:55, Aki Tuomi via dovecot wrote:

On 19 May 2019 19:02 TG Servers via dovecot wrote:

Hi,

will there be a repo provided under https://repo.dovecot.org/ for RHEL8?
Or CentOS8 at least then when it's out? Would be appreciated as we always try to use latest versions in RHEL for some apps like dovecot.

Thanks.

Once CentOS8 is out we will try to produce packages when possible.

Aki

Ok, thanks for the information. I just tried to adopt RHEL 8 way too early. There is just so much not ready which I would need.

Tom



Repo for RHEL8

2019-05-19 Thread TG Servers via dovecot

Hi,

will there be a repo provided under https://repo.dovecot.org/ for RHEL8?
Or CentOS8 at least then when it's out? Would be appreciated as we always try to use latest versions in RHEL for some apps like dovecot.

Thanks.



Re: ssl_verify_server_cert against SAN?

2019-04-18 Thread TG Servers via dovecot

Aside from these two things they have really, I mean really, a lot of issues in open state regarding ssl...
Which maybe speaks for a more generous alternative anyways

On 18/04/2019 12:25, TG Servers wrote:

Kostya,

they have already a bug open on this as I saw now
https://jira.mariadb.org/browse/MDEV-18131
and I also filed a bug on the TLS cipher string issue from yesterday.
Depending on when this will be resolved I will have to consider alternatives anyway, yes

Thanks for the hints!

-- T

On 18/04/2019 12:15, Kostya Vasilyev via dovecot wrote:

Have you considered any alternatives?

I'm thinking of IPSec to create a secured network encapsulation channel(s) "above" the TCP connection(s).

This would provide encryption with control over cipher(s), and cert validation on both sides (if you used cert auth, not PSK).

-- K

On Thu, Apr 18, 2019, at 12:15 PM, TG Servers via dovecot wrote:

Ok then it seems again a MariaDB issue, they don't check against IP in the SAN it seems, this has nothing to do with ssl_ca setting it seems

host= port= dbname= user= ssl_verify_server_cert=yes ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=
brings up this
Connect failed to database (vmail): SSL connection error: SSL certificate validation failure

host= port= dbname= user= ssl_verify_server_cert=no ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=
is working

contents from my.cnf :
ssl_cert="/etc/ssl/certs/mysql.pem"
ssl_key="/etc/ssl/certs/mysql.key"
ssl_ca="/etc/ssl/certs/ca-bundle.crt"
ssl_cipher="TLSv1.2"

and from command line
mysql --ssl --ssl-verify-server-cert --host
brings up
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
while
mysql --ssl --ss-verify-server-cert --host
works

TLS isn't really the domain of MariaDB, they have really a lot of crap going on there, a lot of, sadly...

Thanks

On 18/04/2019 10:52, Aki Tuomi via dovecot wrote:

On 18 April 2019 11:34 TG Servers via dovecot wrote:

Hi,

when using ssl_verify_server_cert in mysql connection string, is the cert verified also against SAN (DNS and IP)?
Because this doesn't seem to work. I get a certificate verification error in handshake when connecting via IP.
But the cert is good as the connection via IP (and IP in the SAN of the cert) works from other applications verifying.

Thanks.

Dovecot does consider SAN names too, but for MySQL driver, we use MYSQL_OPT_SSL_VERIFY_SERVER_CERT setting. Then you need to use ssl_ca or ssl_ca_path in the mysql driver config file to point to acceptable CAs.

Aki


Re: ssl_verify_server_cert against SAN?

2019-04-18 Thread TG Servers via dovecot

Kostya,

they have already a bug open on this as I saw now
https://jira.mariadb.org/browse/MDEV-18131
and I also filed a bug on the TLS cipher string issue from yesterday.
Depending on when this will be resolved I will have to consider alternatives anyway, yes

Thanks for the hints!

-- T

On 18/04/2019 12:15, Kostya Vasilyev via dovecot wrote:

Have you considered any alternatives?

I'm thinking of IPSec to create a secured network encapsulation channel(s) "above" the TCP connection(s).

This would provide encryption with control over cipher(s), and cert validation on both sides (if you used cert auth, not PSK).

-- K

On Thu, Apr 18, 2019, at 12:15 PM, TG Servers via dovecot wrote:

Ok then it seems again a MariaDB issue, they don't check against IP in the SAN it seems, this has nothing to do with ssl_ca setting it seems

host= port= dbname= user= ssl_verify_server_cert=yes ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=
brings up this
Connect failed to database (vmail): SSL connection error: SSL certificate validation failure

host= port= dbname= user= ssl_verify_server_cert=no ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=
is working

contents from my.cnf :
ssl_cert="/etc/ssl/certs/mysql.pem"
ssl_key="/etc/ssl/certs/mysql.key"
ssl_ca="/etc/ssl/certs/ca-bundle.crt"
ssl_cipher="TLSv1.2"

and from command line
mysql --ssl --ssl-verify-server-cert --host
brings up
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
while
mysql --ssl --ss-verify-server-cert --host
works

TLS isn't really the domain of MariaDB, they have really a lot of crap going on there, a lot of, sadly...

Thanks

On 18/04/2019 10:52, Aki Tuomi via dovecot wrote:

On 18 April 2019 11:34 TG Servers via dovecot wrote:

Hi,

when using ssl_verify_server_cert in mysql connection string, is the cert verified also against SAN (DNS and IP)?
Because this doesn't seem to work. I get a certificate verification error in handshake when connecting via IP.
But the cert is good as the connection via IP (and IP in the SAN of the cert) works from other applications verifying.

Thanks.

Dovecot does consider SAN names too, but for MySQL driver, we use MYSQL_OPT_SSL_VERIFY_SERVER_CERT setting. Then you need to use ssl_ca or ssl_ca_path in the mysql driver config file to point to acceptable CAs.

Aki

Re: ssl_verify_server_cert against SAN?

2019-04-18 Thread TG Servers via dovecot

Ok then it seems again a MariaDB issue, they don't check against IP in the SAN it seems, this has nothing to do with ssl_ca setting it seems

host= port= dbname= user= ssl_verify_server_cert=yes ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=
brings up this
Connect failed to database (vmail): SSL connection error: SSL certificate validation failure

host= port= dbname= user= ssl_verify_server_cert=no ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=
is working

contents from my.cnf :
ssl_cert="/etc/ssl/certs/mysql.pem"
ssl_key="/etc/ssl/certs/mysql.key"
ssl_ca="/etc/ssl/certs/ca-bundle.crt"
ssl_cipher="TLSv1.2"

and from command line
mysql --ssl --ssl-verify-server-cert --host
brings up
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
while
mysql --ssl --ss-verify-server-cert --host
works

TLS isn't really the domain of MariaDB, they have really a lot of crap going on there, a lot of, sadly...

Thanks

On 18/04/2019 10:52, Aki Tuomi via dovecot wrote:

On 18 April 2019 11:34 TG Servers via dovecot wrote:

Hi,

when using ssl_verify_server_cert in mysql connection string, is the cert verified also against SAN (DNS and IP)?
Because this doesn't seem to work. I get a certificate verification error in handshake when connecting via IP.
But the cert is good as the connection via IP (and IP in the SAN of the cert) works from other applications verifying.

Thanks.

Dovecot does consider SAN names too, but for MySQL driver, we use MYSQL_OPT_SSL_VERIFY_SERVER_CERT setting. Then you need to use ssl_ca or ssl_ca_path in the mysql driver config file to point to acceptable CAs.

Aki

ssl_verify_server_cert against SAN?

2019-04-18 Thread TG Servers via dovecot

Hi,

when using ssl_verify_server_cert in mysql connection string, is the cert verified also against SAN (DNS and IP)?
Because this doesn't seem to work. I get a certificate verification error in handshake when connecting via IP.
But the cert is good as the connection via IP (and IP in the SAN of the cert) works from other applications verifying.

Thanks.

  

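The question in this thread is what "verify the server certificate" has to check when the client connects to an IP address rather than a host name. The rule (RFC 6125 / RFC 5280 practice) is that an IP literal can only be matched by an iPAddress entry in the subjectAltName; a dNSName entry never matches an IP, and a bare commonName is not consulted. The following is an added example, not code from Dovecot or from the MariaDB client, and it assumes a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT and its names and address are constructed for the example.

```python
import ipaddress

# Constructed sample in the shape getpeercert() returns: one exact DNS name,
# one wildcard DNS name and one IP address in the SAN. Values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "db.example.test"),),),
    "subjectAltName": (
        ("DNS", "db.example.test"),
        ("DNS", "*.internal.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed sample with a CN only and no SAN at all.
CN_ONLY_CERT = {"subject": ((("commonName", "db.example.test"),),)}


def _dns_name_matches(pattern, hostname):
    """RFC 6125 style dNSName matching: case-insensitive, and a wildcard is
    only honoured as the entire left-most label of a name with 3+ labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_endpoint(cert, endpoint):
    """Decide whether `cert` is valid for the endpoint the client dialled.
    `endpoint` is either a DNS name or an IP literal. Returns (ok, reason).
    Only subjectAltName entries are considered; the CN is deliberately ignored."""
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(endpoint)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # Connecting by IP: only an iPAddress SAN can satisfy the check.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, f"iPAddress SAN {value} matches {endpoint}"
        return False, f"no iPAddress SAN for {endpoint} (dNSName entries never match an IP literal)"

    # Connecting by name: only dNSName SANs are consulted.
    for kind, value in sans:
        if kind == "DNS" and _dns_name_matches(value, endpoint):
            return True, f"dNSName SAN {value} matches {endpoint}"
    return False, f"no dNSName SAN matches {endpoint}"


if __name__ == "__main__":
    for target in ("db.example.test", "192.0.2.10", "192.0.2.11", "host.internal.example.test"):
        print(target, cert_matches_endpoint(SAMPLE_CERT, target))
    print("CN-only cert by name:", cert_matches_endpoint(CN_ONLY_CERT, "db.example.test"))
```

The second branch is the one the thread is about: a certificate whose SAN lists the IP passes here, so a client that still rejects the connection is either not looking at iPAddress entries or not doing SAN matching for IP literals at all. The CN-only case shows why "the CN is the IP" is not a fix either.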


Re: Problem with mysql backend and SSL ciphers

2019-04-18 Thread TG Servers via dovecot

short and clear :) thanks... I was also heading into this direction and will get to them with this issue

On 18/04/2019 08:20, Aki Tuomi via dovecot wrote:

On 17.4.2019 23.00, Kostya Vasilyev via dovecot wrote:

I'm not Aki but hope you don't mind...

On Wed, Apr 17, 2019, at 10:42 PM, TG Servers via dovecot wrote:

Hi,

MariaDB documentation says it accepts OpenSSL cipher strings in its ssl_cipher parameters like ssl_cipher="TLSv1.2".
This is also mentioned when creating or changing users in terms of setting this with the REQUIRE CIPHER parameter like CREATE USER ... REQUIRE CIPHER 'TLSv1.2'...
So this is all very nice and also working but sadly with a connection string from dovecot it is not working anymore.
If you set the user only on REQUIRE SSL, the ssl connection and everything is working fine between dovecot and mariaDB.
But when you set REQUIRE CIPHER 'TLSv1.2' in mariaDB and use ssl_cipher=TLSv1.2 in the connection string from dovecot you get the following errors, it does not account the various ciphers of TLSv1.2 but rather expects TLSv1.2 somehow.

[Note] X509 ciphers mismatch: should be 'TLSv1.2' but is 'DHE-RSA-AES256-GCM-SHA384'

A good cipher is sent but the cipher cannot be TLSv1.2 of course :)
But no one will put in explicit ciphers there as this is dangerous in my eyes, people forget updating... Also this is misbehaviour or misdocumented.
The thing is now where to address this. Dovecot or MariaDB.
As dovecot seems to use a good cipher and MariaDB expects a TLSv1.2 string rather than a cipher out of TLSv1.2 I would say mariaDB but am not sure.

Maybe Aki could say something to it, would be great.

Thanks!

The docs from mariaDB to this are here :
https://mariadb.com/kb/en/library/create-user/
https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/

But but but...

TLSv1.2 is not a cipher, it's a protocol.

MariaDB docs say the setting accepts a list of ciphers or a protocol name:

https://mariadb.com/kb/en/library/ssltls-system-variables/#ssl_cipher

In other software it's common to have two distinct settings, one for protocol and one a cipher "pattern".

Maybe you could try something like this:

kECDHE+CHACHA20:kECDHE+AESGCM

ChaCha / Poly and AES GCM are TLS 1.2 + only ciphers.

This will not include AES CBC which exist with variations in both 1.0 to 1.2, but if you're security conscious, you probably don't want to use CBC anyway.

Or you could match just 1.2 versions with - I think - AESCBC+SHA384:AESCBC+SHA256. This will leave out AES CBC SHA1 which are in 1.0 - 1.1.

And now Aki can correct me :)

-- K

All I'm going to say is that this is 100% mysql/mariadb issue.
Aki


Problem with mysql backend and SSL ciphers

2019-04-17 Thread TG Servers via dovecot

Hi,

MariaDB documentation says it accepts OpenSSL cipher strings in its ssl_cipher parameters like ssl_cipher="TLSv1.2".
This is also mentioned when creating or changing users in terms of setting this with the REQUIRE CIPHER parameter like CREATE USER ... REQUIRE CIPHER 'TLSv1.2'...
So this is all very nice and also working but sadly with a connection string from dovecot it is not working anymore.
If you set the user only on REQUIRE SSL, the ssl connection and everything is working fine between dovecot and mariaDB.
But when you set REQUIRE CIPHER 'TLSv1.2' in mariaDB and use ssl_cipher=TLSv1.2 in the connection string from dovecot you get the following errors, it does not account the various ciphers of TLSv1.2 but rather expects TLSv1.2 somehow.

[Note] X509 ciphers mismatch: should be 'TLSv1.2' but is 'DHE-RSA-AES256-GCM-SHA384'

A good cipher is sent but the cipher cannot be TLSv1.2 of course :)
But no one will put in explicit ciphers there as this is dangerous in my eyes, people forget updating... Also this is misbehaviour or misdocumented.
The thing is now where to address this. Dovecot or MariaDB.
As dovecot seems to use a good cipher and MariaDB expects a TLSv1.2 string rather than a cipher out of TLSv1.2 I would say mariaDB but am not sure.

Maybe Aki could say something to it, would be great.

Thanks!

The docs from mariaDB to this are here :
https://mariadb.com/kb/en/library/create-user/
https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/

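The cipher-string thread above (Tom's report and Kostya's suggested string) turns on a difference in semantics: an OpenSSL cipher string such as TLSv1.2 or kECDHE+CHACHA20:kECDHE+AESGCM is a selector that expands to a set of suites (OpenSSL's ciphers(1) accepts TLSv1.2 as a keyword for suites that need at least TLS 1.2), whereas the logged "should be 'TLSv1.2' but is 'DHE-RSA-AES256-GCM-SHA384'" reads like a literal comparison of the negotiated suite's name against the configured string. The following is an added example, not MariaDB's or Dovecot's code; it uses only Python's standard ssl module, whose set_ciphers() hands the string to OpenSSL, and contrasts the two semantics on the suite name and strings that appear in the thread. The helper names are this example's own.

```python
import ssl


def expand_cipher_string(cipher_string):
    """Let OpenSSL (through Python's ssl module) resolve a cipher string and
    return the TLS 1.2 suite names it selects, in preference order.
    Raises ssl.SSLError when the string selects no suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def is_valid_cipher_string(cipher_string):
    """True if OpenSSL accepts the string as a cipher list."""
    try:
        expand_cipher_string(cipher_string)
        return True
    except ssl.SSLError:
        return False


def allowed_as_cipher_list(cipher_string, negotiated):
    """Cipher-list semantics: the suite actually negotiated is acceptable if
    it is one of the suites the configured string expands to."""
    return negotiated in expand_cipher_string(cipher_string)


def allowed_as_literal(cipher_string, negotiated):
    """Literal semantics: the negotiated suite's name must equal the configured
    string. This is the comparison the thread's MariaDB log line suggests."""
    return negotiated == cipher_string


def uses_only_aead(cipher_string):
    """True when every TLS 1.2 suite the string selects is AEAD (GCM, CCM or
    ChaCha20-Poly1305), i.e. no CBC suite is included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return all(c["aead"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


if __name__ == "__main__":
    # The suite from the thread's log line, checked under both semantics
    # against the string Tom configured.
    negotiated = "DHE-RSA-AES256-GCM-SHA384"
    print("TLSv1.2 expands to", len(expand_cipher_string("TLSv1.2")), "suites")
    print("cipher-list semantics:", allowed_as_cipher_list("TLSv1.2", negotiated))
    print("literal semantics:   ", allowed_as_literal("TLSv1.2", negotiated))
    # Kostya's suggestion: ECDHE key exchange with AEAD ciphers only.
    suggestion = "kECDHE+CHACHA20:kECDHE+AESGCM"
    print(suggestion, "->", expand_cipher_string(suggestion))
    print("only AEAD suites:", uses_only_aead(suggestion))
```

Run as a script it prints the expansion of both strings. A configuration check that wants "TLS 1.2 suites only" must therefore be applied with cipher-list semantics on the client side (where OpenSSL evaluates the string); if the server side compares the negotiated suite name literally, the only string that can ever match is the exact suite name, which is the brittle explicit-cipher configuration Tom wanted to avoid.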


Re: Fwd: Problem with solr working, but not indexing

2019-04-14 Thread TG Servers via dovecot

Thanks for providing help this quick!

It's always the small things
I just added now
    mail_plugins = $mail_plugins fts fts_solr
globally, right in front of the 2 protocol sections and it is indexing like hell now :)

It seems it had to be done globally as I saw no reaction when putting it into doveadm protocol section

Thanks!

On 14/04/2019 22:39, Aki Tuomi wrote:

You need to load it either globally or for doveadm protocol as well.

Loading it globally should be safe.

Aki

On 14 April 2019 23:36 TG Servers via dovecot wrote:

I have this in my dovecot.conf already, yes :

protocol imap {
    mail_plugins = $mail_plugins quota imap_quota imap_sieve fts fts_solr
    mail_max_userip_connections = 20
    imap_idle_notify_interval = 24 mins
}

protocol lmtp {
    postmaster_address = postmas...@xxx.com
    mail_plugins = $mail_plugins sieve fts fts_solr
}
---

On 14/04/2019 22:30, Aki Tuomi via dovecot wrote:

On 14 April 2019 23:22 TG Servers via dovecot wrote:

Hi,

I have setup dovecot 2.3.5.1 with solr 7.7.1
Everything seems to be working so far except that solr doesn't index a single message.
Solr is running, the web api can be accessed, I see the dovecot core there, but with zero docs.

If I trigger a "body" search from Thunderbird solr is responding and searching, but hitting 0 of course.

Looks like that : 2019-04-14 19:57:42.789 INFO  (qtp898557489-40) [   x:dovecot] o.a.s.c.S.Request [dovecot]  webapp=/solr path=/select params={q={!lucene+q.op%3DAND}body:foobar=uid,score=uid+asc=%2Bbox:925efe067ac8a35ce143828c97da+%2Buser:x...@xxx.net=2=xml} hits=0 status=0 QTime=2

Every time a new message comes in indexer-worker is working but indexing 0.

Looks like that : 2019-04-14T19:39:36.887817+02:00 riot dovecot: indexer-worker(x...@xxx.net)<31697><3pDsLlhws1zMewAAgoyX2g:vb2mNFhws1zRewAAgoyX2g>: Indexed 0 messages in INBOX

A "doveadm fts rescan" just brings up this message : "Fatal: Unknown command 'fts', but plugin fts exists. Try to set mail_plugins=fts"

Have you tried to add

mail_plugins = $mail_plugins fts fts_solr to config

My dovecot settings are :
plugin {
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/vmail/sieve/global/spam-global.sieve
    sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve

    ###
    ### Spam learning
    ...

    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe

    fts = solr
    fts_autoindex = yes
    fts_solr = url=http://localhost:8988/solr/dovecot/ debug

    ...
}

I don't know what to do or what I am doing wrong because solr is responding as said. Also the data directory of the core is empty.
If I should provide more information please tell me which, it's my own server so I have access to everything

Can anyone please help with that??

Thanks.

If the suggested change does not help, send doveconf -n

Fwd: Problem with solr working, but not indexing

2019-04-14 Thread TG Servers via dovecot
On 14/04/2019 22:30, Aki Tuomi via dovecot wrote:

On 14 April 2019 23:22 TG Servers via dovecot wrote:

Hi,

I have setup dovecot 2.3.5.1 with solr 7.7.1
Everything seems to be working so far except that solr doesn't index a single message.
Solr is running, the web api can be accessed, I see the dovecot core there, but with zero docs.

If I trigger a "body" search from Thunderbird solr is responding and searching, but hitting 0 of course.

Looks like that : 2019-04-14 19:57:42.789 INFO  (qtp898557489-40) [   x:dovecot] o.a.s.c.S.Request [dovecot]  webapp=/solr path=/select params={q={!lucene+q.op%3DAND}body:foobar=uid,score=uid+asc=%2Bbox:925efe067ac8a35ce143828c97da+%2Buser:x...@xxx.net=2=xml} hits=0 status=0 QTime=2

Every time a new message comes in indexer-worker is working but indexing 0.

Looks like that : 2019-04-14T19:39:36.887817+02:00 riot dovecot: indexer-worker(x...@xxx.net)<31697><3pDsLlhws1zMewAAgoyX2g:vb2mNFhws1zRewAAgoyX2g>: Indexed 0 messages in INBOX

A "doveadm fts rescan" just brings up this message : "Fatal: Unknown command 'fts', but plugin fts exists. Try to set mail_plugins=fts"

Have you tried to add

mail_plugins = $mail_plugins fts fts_solr to config

My dovecot settings are :
plugin {
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/vmail/sieve/global/spam-global.sieve
    sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve

    ###
    ### Spam learning
    ...

    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe

    fts = solr
    fts_autoindex = yes
    fts_solr = url=http://localhost:8988/solr/dovecot/ debug

    ...
}

I don't know what to do or what I am doing wrong because solr is responding as said. Also the data directory of the core is empty.
If I should provide more information please tell me which, it's my own server so I have access to everything

Can anyone please help with that??

Thanks.

If the suggested change does not help, send doveconf -n

---
Aki Tuomi


Problem with solr working, but not indexing

2019-04-14 Thread TG Servers via dovecot

Hi,

I have setup dovecot 2.3.5.1 with solr 7.7.1
Everything seems to be working so far except that solr doesn't index a single message.
Solr is running, the web api can be accessed, I see the dovecot core there, but with zero docs.

If I trigger a "body" search from Thunderbird solr is responding and searching, but hitting 0 of course.

Looks like that : 2019-04-14 19:57:42.789 INFO  (qtp898557489-40) [   x:dovecot] o.a.s.c.S.Request [dovecot]  webapp=/solr path=/select params={q={!lucene+q.op%3DAND}body:foobar=uid,score=uid+asc=%2Bbox:925efe067ac8a35ce143828c97da+%2Buser:x...@xxx.net=2=xml} hits=0 status=0 QTime=2

Every time a new message comes in indexer-worker is working but indexing 0.

Looks like that : 2019-04-14T19:39:36.887817+02:00 riot dovecot: indexer-worker(x...@xxx.net)<31697><3pDsLlhws1zMewAAgoyX2g:vb2mNFhws1zRewAAgoyX2g>: Indexed 0 messages in INBOX

A "doveadm fts rescan" just brings up this message : "Fatal: Unknown command 'fts', but plugin fts exists. Try to set mail_plugins=fts"

My dovecot settings are :
plugin {
    sieve_plugins = sieve_imapsieve sieve_extprograms
    sieve_before = /var/vmail/sieve/global/spam-global.sieve
    sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve

    ###
    ### Spam learning
    ...

    sieve_pipe_bin_dir = /usr/bin
    sieve_global_extensions = +vnd.dovecot.pipe

    fts = solr
    fts_autoindex = yes
    fts_solr = url=http://localhost:8988/solr/dovecot/ debug

    ...
}

I don't know what to do or what I am doing wrong because solr is responding as said. Also the data directory of the core is empty.
If I should provide more information please tell me which, it's my own server so I have access to everything

Can anyone please help with that??

  Thanks.
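The solr thread above resolves to a scoping rule: `mail_plugins` set inside `protocol imap { }` and `protocol lmtp { }` only applies to those services, while `doveadm` (and its `fts rescan` command) and `indexer-worker` see the global value, so `fts` and `fts_solr` were loaded for IMAP but not for the tools that do the indexing. The following is an added example, not Dovecot's configuration parser; it is a small resolver for that one rule, handling only a flat `protocol name { ... }` layout, with `$mail_plugins` expanding to the value in force outside the section. Both config fragments are constructed after the ones in the thread (CONF_AFTER_FIX adds the global line Tom added), and duplicate plugin names are collapsed here in first-seen order, which is this example's simplification.

```python
import re

# Constructed fragment modelled on the thread's dovecot.conf: fts is only
# added inside the two protocol sections.
CONF_BEFORE_FIX = """
protocol imap {
    mail_plugins = $mail_plugins quota imap_quota imap_sieve fts fts_solr
    mail_max_userip_connections = 20
}

protocol lmtp {
    mail_plugins = $mail_plugins sieve fts fts_solr
}
"""

# Same fragment with the global line from the thread's fix placed in front.
CONF_AFTER_FIX = "mail_plugins = $mail_plugins fts fts_solr\n" + CONF_BEFORE_FIX


def parse_mail_plugins(conf):
    """Collect every mail_plugins assignment: returns (global_value, {protocol: value}).
    Comments are stripped; only one level of 'protocol X { ... }' is handled."""
    global_value = None
    per_protocol = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"protocol\s+(\S+)\s*\{$", line)
        if m:
            section = m.group(1)
            continue
        if line == "}":
            section = None
            continue
        m = re.match(r"mail_plugins\s*=\s*(.*)$", line)
        if m:
            if section is None:
                global_value = m.group(1)
            else:
                per_protocol[section] = m.group(1)
    return global_value, per_protocol


def _dedupe(names):
    seen = []
    for n in names:
        if n not in seen:
            seen.append(n)
    return seen


def effective_plugins(conf, protocol):
    """Plugins a given service ends up with. A protocol section's value is
    built on top of the global value through $mail_plugins; a service with no
    section of its own (doveadm, indexer-worker here) gets the global value."""
    global_value, per_protocol = parse_mail_plugins(conf)
    # At global scope $mail_plugins refers to the previous global value, which
    # is empty in these fragments.
    base = (global_value or "").replace("$mail_plugins", "").split()
    value = per_protocol.get(protocol)
    if value is None:
        return _dedupe(base)
    expanded = []
    for token in value.split():
        expanded.extend(base if token == "$mail_plugins" else [token])
    return _dedupe(expanded)


def has_plugin(conf, protocol, name):
    return name in effective_plugins(conf, protocol)


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE_FIX), ("after", CONF_AFTER_FIX)):
        for proto in ("imap", "lmtp", "doveadm"):
            print(label, proto, effective_plugins(conf, proto))
```

Running it shows `doveadm` with an empty plugin list before the fix, which is exactly the state behind the "Unknown command 'fts', but plugin fts exists" error, and with `fts` and `fts_solr` after the global line is added. The same resolver would show that a `protocol doveadm { mail_plugins = $mail_plugins fts fts_solr }` section is the narrower alternative Aki mentioned.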