What is the current state of High Availability Dovecot ?

2022-04-07 Thread White, Daniel E. (GSFC-770.0)[NICS]
… without going to too much fuss ?

Searching the Internet produces a lot of old results and many overly 
complicated results.

My only complication is that I am using PostfixAdmin for mailbox management, 
and all the mailboxes are virtual.

Thanks.



Dovecot High Availability ?

2022-03-11 Thread White, Daniel E. (GSFC-770.0)[NICS]
Are there any current, free high availability strategies for Dovecot ?



Dovecot, Last Login Plugin and PostfixAdmin

2021-09-02 Thread White, Daniel E. (GSFC-770.0)[NICS]
https://doc.dovecot.org/configuration_manual/lastlogin_plugin/

Is there any documentation about how to get the "Last Login" info into the 
PostfixAdmin database ?




Re: [EXTERNAL] Sv: function for whitelisting IPs

2021-07-15 Thread White, Daniel E. (GSFC-770.0)[NICS]
The custom login script -- in Dovecot or Roundcube or … ?
Is there any documentation for such scripting ?

-Original Message-
From: dovecot  on behalf of Sebastian 

Reply-To: Dovecot Mailing List 
Date: Thursday, July 15, 2021 at 06:56
To: 'Mailing List' 
Subject: [EXTERNAL] Sv: function for whitelisting IPs

Most such functions would need to be custom.
You need to write a custom login script, which also accepts the user's IP 
as input to a function, which then checks if password is right.
And then it returns that password is invalid if IP isn't approved.

Then you just need to write some custom functions in roundcube or similar 
to have the webmail insert the IP into a database.

Or just match it against a GeoIP database and save the latest country the 
webmail was logged in from, and then SMTP/IMAP is only approved for that 
country.
That reduces the attack surface greatly.

-Original Message-
From: dovecot-boun...@dovecot.org  On behalf of White, 
Daniel E. (GSFC-770.0)[NICS]
Sent: July 15, 2021 12:21
To: Dovecot Mailing List 
Subject: function for whitelisting IPs

Sebastian,

Do you have any examples of such a function and how/where it is used ?

-Original Message-
From: dovecot  on behalf of Sebastian 

Reply-To: Dovecot Mailing List 
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List' 
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission

Main problem is that not many clients do natively support multifactor.
Some clients do pop up a login dialog if the server rejects the 
password as invalid, which can be used to create a "cheaty variant" of 
multifactor, but some clients just pop up an error dialog and tell the user to 
just correct password in settings.
Some clients even go as far as requiring the user to delete the 
account with wrong password and set up a new connection.

So no, it cannot be relied upon.

I have a better idea:
Have a function for whitelisting IPs, possibly /24's or similar, where 
a login to roundcube or other webmail client (with 2FA) will add the IP onto a 
whitelist for that account.
Or perhaps, just "set" the country of the account based on GeoIP.

When an account tries to log in via IMAP or SMTP, you just check if IP 
and/or GeoIP country is right, and reject the login as invalid if not.

The only thing a client needs to do to get his IMAP or SMTP client to 
work again if it stops working, is to log in once via the web client.

-Original Message-
From: dovecot-boun...@dovecot.org  On behalf of Alex
Sent: July 15, 2021 02:10
To: dovecot@dovecot.org
Subject: 2FA/MFA with IMAP & postfix/submission

Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred
IMAP4 accounts, as well as postfix users using submission. Clients are
using primarily Outlook on Windows and old squirrelmail.

Are there multi-factor options available?

If it is not available, do you have any recommendations on where I
should look to do this?

All of the links related to this topic appear to be very old, or
limited to Linux PAM users.
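
The per-account allowlist idea described in this thread, sketched as an added example (not code posted by anyone on the list, and not part of Dovecot or Roundcube). The class and function names, the IPv6 /64 grouping and the 30-day expiry are assumptions that go beyond what the thread states; the webmail side would call `record_webmail_login` after a successful 2FA login, and the custom login script would call `check_login`.

```python
import ipaddress
import time

ALLOW_TTL = 30 * 24 * 3600  # assumption: an approved network expires after 30 days


class LoginAllowlist:
    """Per-account network allowlist fed by 2FA-protected webmail logins."""

    def __init__(self, v4_prefix=24, v6_prefix=64):
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._entries = {}  # account -> {network: expiry timestamp}

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so both spellings match.
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def record_webmail_login(self, account, ip, now=None):
        """Call only after the webmail login (password + second factor) succeeded."""
        now = time.time() if now is None else now
        nets = self._entries.setdefault(account.lower(), {})
        nets[self._network(ip)] = now + ALLOW_TTL

    def is_allowed(self, account, ip, now=None):
        now = time.time() if now is None else now
        try:
            net = self._network(ip)
        except ValueError:
            return False  # unparsable client address: fail closed
        expiry = self._entries.get(account.lower(), {}).get(net)
        return expiry is not None and expiry > now


def check_login(allowlist, account, ip, password_ok, now=None):
    """IMAP/SMTP check: an unapproved IP gets the same answer as a bad password."""
    if password_ok and allowlist.is_allowed(account, ip, now):
        return "OK"
    return "AUTH_FAILED"
```

Returning one generic failure for both cases keeps the server from revealing whether a guessed password was correct when the request comes from an unapproved network.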






function for whitelisting IPs

2021-07-15 Thread White, Daniel E. (GSFC-770.0)[NICS]
Sebastian,

Do you have any examples of such a function and how/where it is used ?

-Original Message-
From: dovecot  on behalf of Sebastian 

Reply-To: Dovecot Mailing List 
Date: Thursday, July 15, 2021 at 01:19
To: 'Mailing List' 
Subject: [EXTERNAL] Sv: 2FA/MFA with IMAP & postfix/submission

Main problem is that not many clients do natively support multifactor.
Some clients do pop up a login dialog if the server rejects the password as 
invalid, which can be used to create a "cheaty variant" of multifactor, but 
some clients just pop up an error dialog and tell the user to just correct 
password in settings.
Some clients even go as far as requiring the user to delete the account 
with wrong password and set up a new connection.

So no, it cannot be relied upon.

I have a better idea:
Have a function for whitelisting IPs, possibly /24's or similar, where a 
login to roundcube or other webmail client (with 2FA) will add the IP onto a 
whitelist for that account.
Or perhaps, just "set" the country of the account based on GeoIP.

When an account tries to log in via IMAP or SMTP, you just check if IP 
and/or GeoIP country is right, and reject the login as invalid if not.

The only thing a client needs to do to get his IMAP or SMTP client to work 
again if it stops working, is to log in once via the web client.

-Original Message-
From: dovecot-boun...@dovecot.org  On behalf of Alex
Sent: July 15, 2021 02:10
To: dovecot@dovecot.org
Subject: 2FA/MFA with IMAP & postfix/submission

Hi, I have a dovecot-2.3.13 system on fedora34 with a few hundred
IMAP4 accounts, as well as postfix users using submission. Clients are
using primarily Outlook on Windows and old squirrelmail.

Are there multi-factor options available?

If it is not available, do you have any recommendations on where I
should look to do this?

All of the links related to this topic appear to be very old, or
limited to Linux PAM users.




High Availability Dovecot / Roundcube / PostfixAdmin ?

2021-07-09 Thread White, Daniel E. (GSFC-770.0)[NICS]
This is a new setup, running on RHEL 8 with the latest everything.

Has anyone out there set up a high availability pair of Dovecot servers - with 
Roundcube and PostfixAdmin - successfully ?

"Callahan's Law: Shared pain is lessened; shared joy, increased — thus do we 
refute entropy" (Spider Robinson)



Re: [EXTERNAL] Re: Help with "doveadm" - Socket ?

2021-05-25 Thread White, Daniel E. (GSFC-770.0)[NICS]
Many thanks, Alexander
Your information was on target.

-Original Message-
From: dovecot  on behalf of Alexander Dalloz 

Date: Monday, May 24, 2021 at 15:50
To: "dovecot@dovecot.org" 
Subject: Re: [EXTERNAL] Re: Help with "doveadm" - Socket ?

On 24.05.2021 at 19:23, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> I found that /var/run/dovecot/doveadm-server is a socket
> but adding it does not help.
> 
> # doveadm mailbox status -A -S /var/run/dovecot/doveadm-server
> doveadm mailbox status [-u |-A] [-S ] [-t]   [...]
> 
> Am I missing something else ?

You must specify all mandatory parameters for doveadm mailbox status.

doveadm mailbox status -A -S /var/run/dovecot/doveadm-server -t messages 
INBOX

Specifying the socket is optional and not normally required.

Alexander




Re: [EXTERNAL] Re: Help with "doveadm" - Socket ?

2021-05-24 Thread White, Daniel E. (GSFC-770.0)[NICS]
A bit more detail:

I can do this:
# doveadm mailbox list -A
...
test_u Sent
test_u Trash
test_u Drafts
test_u public
test_u INBOX
...

But I cannot do this:
# doveadm mailbox status -A
doveadm mailbox status [-u |-A] [-S ] [-t]   [...]

I found this:
https://serverfault.com/questions/926034/do-i-need-a-dovecot-socket
that suggested:

Dovecot probably already listens in the sockets, this is a common configuration 
for dovecot. Try this command to verify.

ss -ntpl | grep -e :143 -e :993

I tried it and got 
# ss -ntpl | grep -e :143 -e :993 -e :995 
LISTEN 0  100  :::993  :::*  users:(("dovecot",2572,42))
LISTEN 0  100  *:993   *:*   users:(("dovecot",2572,41))
LISTEN 0  100  :::995  :::*  users:(("dovecot",2572,27))
LISTEN 0  100  *:995   *:*   users:(("dovecot",2572,26))
LISTEN 0  100  :::143  :::*  users:(("dovecot",2572,40))
LISTEN 0  100  *:143   *:*   users:(("dovecot",2572,39))

I found that /var/run/dovecot/doveadm-server is a socket
but adding it does not help.

# doveadm mailbox status -A -S /var/run/dovecot/doveadm-server
doveadm mailbox status [-u |-A] [-S ] [-t]   [...]

Am I missing something else ?

-Original Message-
From: dovecot  on behalf of Aki Tuomi 

Date: Friday, May 21, 2021 at 17:02
To: Alexander Dalloz , "dovecot@dovecot.org" 
, "daniel.e.whi...@nasa.gov" <"daniel.e.white."@nasa.gov>
Subject: [EXTERNAL] Re: Help with "doveadm" - Socket ?


> On 21/05/2021 23:59 Alexander Dalloz  wrote:
> 
>  
> On 21.05.2021 at 21:27, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> > doveadm [-f formatter] mailbox status [-A|-u user] [-S socket_path] [-t] fields mailbox ...
> > 
> > Where do I find this "socket_path", please ?
> > 
> > I am trying to untangle a very old CentOS 6 instance.
> > 
> > Thanks in advance.
> 
> It should be /var/run/dovecot/doveadm-server
> 
> Alexander

It can also be a tcp socket. Maybe give us a bit more insight on what you are 
dealing with?

Aki



Help with "doveadm" - Socket ?

2021-05-21 Thread White, Daniel E. (GSFC-770.0)[NICS]
doveadm [-f formatter] mailbox status [-A|-u user] [-S socket_path] [-t] fields 
mailbox ...

Where do I find this "socket_path", please ?

I am trying to untangle a very old CentOS 6 instance.

Thanks in advance.



Re: [EXTERNAL] Re: Separating Dovecot and Postfix

2021-05-14 Thread White, Daniel E. (GSFC-770.0)[NICS]
Vielen Dank. (Google Translate)

LMTP seems the way to go.

-Original Message-
From: dovecot  on behalf of Heiko Schlittermann 

Organization: schlittermann -- internet & unix support
Date: Friday, May 14, 2021 at 11:08
To: 
Subject: [EXTERNAL] Re: Separating Dovecot and Postfix

Hi,

White, Daniel E. (GSFC-770.0)[NICS]  (Fri 14 May 2021 14:37:15 CEST):
> I am struggling to update a very old set of mail servers.
> Some are supposed to be relays (MTAs by my understanding) while others 
> are where the mailboxes live (MDA)

It depends on how your MTA hands over the messages to the Mail Storage
Agent (MSA).

If both are on the same machine, in the same file system, there are
multiple methods:

- direct file system access: The MTA knows about the internal
  structure of the MSA and writes directly to the (mostly
  Maildir) mailboxes. This is considered bad practice.

- local delivery agent: `dovecot-deliver` reads the message from standard
  input and - as part of the MSA - it knows about the internal structure
  and hides it from the MTA. This is good practice, but it may impose
  permission issues.

- LMTP: The MTA uses a variant of the SMTP protocol to push the message
  to the MSA, dovecot can listen on a Unix-Domain socket, as well as on
  an INET socket, and serve as an LMTP server. This is IMHO the best
  option, as it allows the best privilege separation, and additionally
  it allows an easy migration from having both (MTA, MSA) on the same
  machine to separate machines.

If you have both (MTA, MSA) on distinct machines, then only LMTP is your
option. I'm pretty sure that Postfix can use LMTP over INET style network
connections. Depending on how much you trust your network, you should
consider using TLS for this connection.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -



Re: [EXTERNAL] Re: Separating Dovecot and Postfix

2021-05-14 Thread White, Daniel E. (GSFC-770.0)[NICS]
Many thanks, Jeff.
Online documentation is not clear.  Everything implies both are necessary.

-Original Message-
From: Josef 'Jeff' Sipek 
Date: Friday, May 14, 2021 at 08:40
To: Daniel White 
Cc: "dovecot@dovecot.org" 
Subject: [EXTERNAL] Re: Separating Dovecot and Postfix

On Fri, May 14, 2021 at 12:37:15 +0000, White, Daniel E. (GSFC-770.0)[NICS] 
wrote:
> I am struggling to update a very old set of mail servers.
> Some are supposed to be relays (MTAs by my understanding) while others are
> where the mailboxes live (MDA)
> 
> In rebuilding the MDA servers, is postfix required on the same server or
> can dovecot connect to postfix on a separate MTA server ?  The old MDAs
> have both installed, but the config files are a mess.

They can live on different servers.  I have two - one with postfix and
mailman, and a second one with dovecot.  Postfix delivers mail to dovecot
via lmtp.

Jeff.



Separating Dovecot and Postfix

2021-05-14 Thread White, Daniel E. (GSFC-770.0)[NICS]
I am struggling to update a very old set of mail servers.
Some are supposed to be relays (MTAs by my understanding) while others are 
where the mailboxes live (MDA)

In rebuilding the MDA servers, is postfix required on the same server or can 
dovecot connect to postfix on a separate MTA server ?  The old MDAs have both 
installed, but the config files are a mess.



Re: Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
If you push the car off a cliff, it will fly for a few seconds.
Thanks for responding.

-Original Message-
From: dovecot  on behalf of Benny Pedersen 

Organization: junc.eu
Date: Wednesday, April 28, 2021 at 13:43
To: "dovecot@dovecot.org" 
Subject: [EXTERNAL] Re: Installation Question: Is a web server required ?

On 2021-04-28 19:28, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> Can Dovecot be installed with Postfix and without being behind a web 
> server ?
> 
> I want a mail service that can only be accessed by POP3(s)/IMAP(s) and
> not by a web UI.

can a car fly without gasoline ? :=)

none of the above software require x11

not even roundcube



Re: Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
Thanks.
That is what we want.  Just mail, no extras

-Original Message-
From: dovecot  on behalf of Heiko Schlittermann 

Organization: schlittermann -- internet & unix support
Date: Wednesday, April 28, 2021 at 13:36
To: 
Subject: [EXTERNAL] Re: Installation Question: Is a web server required ?

White, Daniel E. (GSFC-770.0)[NICS]  (Wed 28 Apr 2021 19:28:41 CEST):
> Can Dovecot be installed with Postfix and without being behind a web 
> server ?
Yes.

> I want a mail service that can only be accessed by POP3(s)/IMAP(s) and 
> not by a web UI.
Dovecot is a pure POP3/IMAP server. No Web-UI is required/provided.

(I think, there are other "modules" planned or working already, like
calendar or such. But maybe I'm confusing this with alternative mail
access server software.)

-- 
Heiko



Re: [EXTERNAL] Re: Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
Excellent.
The documentation is not clear about this.
We want the email users to use POP/IMAP clients.

Many thanks.

-Original Message-
From: Shaun Johnson 
Organization: LinuxMagic Inc.
Date: Wednesday, April 28, 2021 at 13:33
To: Daniel White 
Cc: "dovecot@dovecot.org" 
Subject: [EXTERNAL] Re: Installation Question: Is a web server required ?

On Wed, 28 Apr 2021 17:28:41 +
"White, Daniel E. (GSFC-770.0)[NICS]"  wrote:

> Can Dovecot be installed with Postfix and without being behind a web
> server ?
> 
> I want a mail service that can only be accessed by POP3(s)/IMAP(s)
> and not by a web UI.
> 
> Thanks.
> 
> 
> 

Most definitely - web server is only required if you wanted things like
webmail access - or any type of management interface.  



Installation Question: Is a web server required ?

2021-04-28 Thread White, Daniel E. (GSFC-770.0)[NICS]
Can Dovecot be installed with Postfix and without being behind a web server ?

I want a mail service that can only be accessed by POP3(s)/IMAP(s) and not by a 
web UI.

Thanks.