Re: compiled sieve files svbin ?
The oddity now is that sieve seems to be working when there is no compiled version.

It could be that you actually have a compiled sieve script (svbin file) somewhere else that's referenced in the Dovecot config, perhaps in global, before, after or default, and that's the one working; otherwise your per-user setup with Claws Mail is probably working just fine, or your default/global script is being treated as a per-user one and auto-compiled while it should already be precompiled.

Should I expect a compiled .svbin version to be generated from the Claws client? Or generated by the first run of the sieve server on the user account? Or should I manage the scripts with Claws, but log in to the server later to generate the .svbin versions?

It depends on your mail client: if it supports Pigeonhole then it can rely on its ManageSieve server to generate the svbin and to write and read sieve scripts. Compiling per-user scripts manually doesn't seem to be the right way; I recommend looking for a better mail client.

In any event, what effect does not having a .svbin version have on a typical small installation?

An svbin file is required for the global/default sieve script, while the svbin file for a per-user script is going to be generated by e.g. ManageSieve during runtime, i.e. sieve for a per-user script will not work if Pigeonhole fails to generate its svbin. Typically, the principal script, i.e. the global/default script which every email is going to be sieved through, must be configured in the Dovecot config and precompiled in the same location with an identical name, while the per-user sieve setting has to reference the per-user script file beside an active link file symlinking the user's script, and its svbin will be dynamically compiled on a new-email event in a Pigeonhole-powered email server.

Reference: https://doc.dovecot.org/configuration_manual/sieve/configuration/#basic-configuration
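Added example for the thread above, not Pigeonhole code: it walks one directory and pairs name.sieve with name.svbin, reporting scripts whose compiled binary is missing or older than the source (the case sievec script.sieve would regenerate). The single-directory layout is an assumption; the demo builds a constructed tree in a temporary directory so it runs offline.

```python
"""Report which Sieve scripts in a directory lack a compiled .svbin, or have
one that is older than the source. Added example for this thread; it is not
Pigeonhole code. Layout assumed: name.sieve beside name.svbin in one dir."""
import os
import tempfile
import time


def svbin_status(directory):
    """Return {script_name: 'ok' | 'missing' | 'stale'} for every *.sieve file."""
    report = {}
    for entry in sorted(os.listdir(directory)):
        if not entry.endswith(".sieve"):
            continue
        src = os.path.join(directory, entry)
        binary = os.path.join(directory, entry[: -len(".sieve")] + ".svbin")
        if not os.path.exists(binary):
            report[entry] = "missing"
        elif os.stat(binary).st_mtime < os.stat(src).st_mtime:
            # Source edited after the last compile: recompile with sievec.
            report[entry] = "stale"
        else:
            report[entry] = "ok"
    return report


def demo():
    """Build a constructed script directory in a temp dir and report on it."""
    tmp = tempfile.mkdtemp()
    now = time.time()

    def write(name, mtime):
        path = os.path.join(tmp, name)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.utime(path, (mtime, mtime))

    write("default.sieve", now - 100)
    write("default.svbin", now - 50)    # compiled after the last edit: ok
    write("before.sieve", now - 100)    # never compiled: missing
    write("after.sieve", now - 10)
    write("after.svbin", now - 100)     # compiled before the last edit: stale
    return svbin_status(tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Point it at the directory holding the global/before/after scripts referenced in the Dovecot config; anything reported as missing or stale is a candidate for sievec.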
Re: Can't figure out why managesieve (pigeonhole) can't connect
Change tls:// to ssl://, it might work. If it didn't, RC dropped ssl support at some point and later returned it in master 1.6. My recommendation is to upgrade to the latest RC, or refer to the recent managesieve ssl commit and apply the changes manually. Zakaria.
Re: Bad Signature - Can't figure out why managesieve (pigeonhole) can't connect
On 2022-11-22 17:00, co...@colinlikesfood.com wrote:

Subject line says it all? I am using Roundcube, and every time I click on "filters" I get RC's "unable to connect to server" message. This might be an SQL error, but I can't figure out how to pull the relevant logs yet. Please see below, and any advice you have is so very appreciated.

SYSLOG:
---
Nov 22 10:29:27 mail roundcube[66295]: PHP Error: Connection refused (GET /index.php?_task=settings&_action=plugin.managesieve)
Nov 22 10:29:27 mail roundcube[66295]: PHP Error: Unable to connect to managesieve on obfuscated.domain:4190 in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 221 (GET /index.php?_task=settings&_action=plugin.managesieve)
Nov 22 10:29:27 mail roundcube[66295]: PHP Error: Not currently in AUTHORISATION state (GET /index.php?_task=settings&_action=plugin.managesieve)
Nov 22 10:29:27 mail php[66295]: PHP Error: Not currently connected (GET /index.php?_task=settings&_action=plugin.managesieve)
Nov 22 10:29:31 mail roundcube[66295]: PHP Error: Connection refused (GET /index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
Nov 22 10:29:31 mail roundcube[66295]: PHP Error: Unable to connect to managesieve on obfuscated.domain:4190 in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 221 (GET /index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
Nov 22 10:29:31 mail php[66295]: PHP Error: Not currently connected (GET /index.php?_task=settings&_action=plugin.managesieve-action&_framed=1&_nav=hide)
Nov 22 10:29:43 mail roundcube[71055]: PHP Error: Connection refused (POST /?_task=settings&_action=plugin.managesieve-save)
Nov 22 10:29:43 mail roundcube[71055]: PHP Error: Unable to connect to managesieve on obfuscated.domain:4190 in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 221 (POST /?_task=settings&_action=plugin.managesieve-save)
Nov 22 10:29:43 mail roundcube[71055]: PHP Warning: Trying to access array offset on value of type null in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 1065
Nov 22 10:29:43 mail php[71055]: PHP Error: Not currently connected (POST /?_task=settings&_action=plugin.managesieve-save)

DOVECOT.LOG:
---
Nov 22 10:28:58 mail roundcube[66297]: [43CD] C: A0008 LOGOUT
Nov 22 10:28:58 mail dovecot[8514]: imap(obfusca...@user.name)<8609>: Disconnected: Logged out in=219 out=1045 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Nov 22 10:28:58 mail roundcube[66297]: [43CD] S: * BYE Logging out
Nov 22 10:28:58 mail roundcube[66297]: [43CD] S: A0008 OK Logout completed (0.001 + 0.000 secs).
Nov 22 10:29:25 mail roundcube[66295]: [1] SELECT "vars", "ip", "changed", datetime('now') AS ts, CASE WHEN "changed" < datetime('now', '-600 seconds') THEN 1 ELSE 0 END AS expired FROM "session" WHERE "sess_id" = 'keirks4pbepr17um9mvj1qsvt2';
Nov 22 10:29:25 mail roundcube[66295]: [2] SELECT * FROM "users" WHERE "user_id" = '2';
Nov 22 10:29:25 mail roundcube[66295]: [3] UPDATE "session" SET "changed" = datetime('now'), "vars" = '...
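Added triage helper for the syslog excerpt above; it is not Roundcube or Dovecot code, and the categories and their priority are mine. The one fact it encodes: "Connection refused" is ECONNREFUSED from the TCP connect, so nothing accepted the connection on the host:port the plugin dialled, and that is decided before any tls:// or ssl:// handshake. When the root cause comes out as tcp-refused, the managesieve-login inet_listener address and port in the doveconf -n output (and any firewall in between) are worth checking alongside the scheme. The sample lines are copied from the report above.

```python
"""Classify Roundcube managesieve plugin log lines by the layer that failed.
Added example for this thread, not Roundcube or Dovecot code."""
import re

# The plugin logs the host:port it dialled; capture it for the report.
_TARGET = re.compile(r"Unable to connect to managesieve on (\S+?):(\d+)")


def classify(line):
    """Return 'tcp-refused', 'target', 'follow-on', 'tls' or 'other'."""
    if "Connection refused" in line:
        # ECONNREFUSED: the TCP connect was rejected, so no listener (or a
        # firewall reject) at that host:port; the TLS scheme never ran.
        return "tcp-refused"
    if _TARGET.search(line):
        return "target"
    if "Not currently connected" in line or "Not currently in AUTHORISATION state" in line:
        # Consequences of the failed connect, not independent faults.
        return "follow-on"
    if "STARTTLS" in line or "SSL" in line or "TLS" in line:
        return "tls"
    return "other"


def triage(lines):
    """Summarise a batch of lines: root cause category, dial target, counts."""
    counts = {}
    target = None
    for line in lines:
        kind = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
        m = _TARGET.search(line)
        if m:
            target = (m.group(1), int(m.group(2)))
    if counts.get("tcp-refused"):
        root = "tcp-refused"      # fix the listener before touching the scheme
    elif counts.get("tls"):
        root = "tls"              # listener answered; scheme or cert mismatch
    else:
        root = "unknown"
    return {"root_cause": root, "target": target, "counts": counts}


SAMPLE = [  # copied from the syslog excerpt in the report above
    "Nov 22 10:29:27 mail roundcube[66295]: PHP Error: Connection refused (GET /index.php?_task=settings&_action=plugin.managesieve)",
    "Nov 22 10:29:27 mail roundcube[66295]: PHP Error: Unable to connect to managesieve on obfuscated.domain:4190 in /usr/local/www/roundcube/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 221 (GET /index.php?_task=settings&_action=plugin.managesieve)",
    "Nov 22 10:29:27 mail roundcube[66295]: PHP Error: Not currently in AUTHORISATION state (GET /index.php?_task=settings&_action=plugin.managesieve)",
    "Nov 22 10:29:27 mail php[66295]: PHP Error: Not currently connected (GET /index.php?_task=settings&_action=plugin.managesieve)",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```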
Re: Dovecot not offering TLSv1.2 after a few minutes
Has anybody experienced a similar problem before?

I have not, but testssl.sh might be buggy; try an online service like the internet.nl validator. Zakaria.
Re: SSL error
On 2022-11-09 16:59, Alexander Dalloz wrote:

On 09.11.2022 at 15:58, Ruben Safir wrote:

Hello, I am getting this error and I have no idea why. openssh is up to date.

You have a self-signed certificate in place. The connecting client cannot validate whether to trust the answering server.

Alexander

Try to run the following against the client certificate full chain and cert file:

openssl verify -CAfile fullchain.pem cert.pem

If it did throw an error, then try verifying with an updated CA certificates bundle directly from the OS, using the following, which works for me on RHEL 7:

yum reinstall ca-certificates
update-ca-trust

Or, if already installed:

update-ca-trust

Given you are using a self-signed certificate, I guess you will have to manually append the CA certificate which you've used to sign the self-signed client certificate to the CA bundle PEM file, i.e. tls-ca-bundle.pem. Also, you will have to reference the CA file in Dovecot using the following:

ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes

Good luck. Zakaria.
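Added example, not part of ca-certificates, OpenSSL or Dovecot: it checks whether a CA certificate is already present in a PEM bundle such as tls-ca-bundle.pem by comparing the base64 body of each CERTIFICATE block with whitespace stripped, so a re-wrapped copy still matches, and appends it exactly once if not. The PEM blobs are constructed placeholders, not real certificates. One caveat for RHEL-family hosts: update-ca-trust regenerates the files under /etc/pki/ca-trust/extracted/, so a CA dropped into /etc/pki/ca-trust/source/anchors/ before running it survives the next run, while a hand edit of the extracted bundle does not.

```python
"""Check whether a CA certificate is already in a PEM bundle, and append it
once if not. Added example for this thread; not ca-certificates or Dovecot
code. The PEM bodies below are constructed placeholders, not valid DER."""
import re

_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_bodies(pem_text):
    """Return the set of base64 bodies found in pem_text, whitespace removed."""
    return {re.sub(r"\s+", "", body) for body in _BLOCK.findall(pem_text)}


def bundle_contains(bundle_text, ca_pem):
    """True if every CERTIFICATE block in ca_pem is already in the bundle."""
    wanted = cert_bodies(ca_pem)
    if not wanted:
        raise ValueError("ca_pem contains no CERTIFICATE block")
    return wanted <= cert_bodies(bundle_text)


def append_if_missing(bundle_text, ca_pem):
    """Return the bundle text with ca_pem appended once; idempotent."""
    if bundle_contains(bundle_text, ca_pem):
        return bundle_text
    sep = "" if (not bundle_text or bundle_text.endswith("\n")) else "\n"
    return bundle_text + sep + ca_pem.strip() + "\n"


# Constructed placeholders: only the PEM wrapping matters for this check.
ROOT_A = ("-----BEGIN CERTIFICATE-----\n"
          "QUFBQUFBQUFBQUFB\nQkJCQkJCQkJCQg==\n"
          "-----END CERTIFICATE-----\n")
ROOT_A_REWRAPPED = ("-----BEGIN CERTIFICATE-----\n"
                    "QUFBQUFBQUFBQUFBQkJCQkJCQkJCQg==\n"
                    "-----END CERTIFICATE-----\n")
PRIVATE_CA = ("-----BEGIN CERTIFICATE-----\n"
              "Q0NDQ0NDQ0NDQ0ND\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    merged = append_if_missing(ROOT_A, PRIVATE_CA)
    print("private CA present:", bundle_contains(merged, PRIVATE_CA))
```

Read the bundle and your CA file into strings, write back what append_if_missing returns, then confirm with openssl verify -CAfile as in the message above.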
Re: Bad Signature - Help with configuration?
On 2022-11-09 06:20, Ellie McNeill wrote:

Hi, I'm running my own mail server on Debian 11 with exim and Dovecot 2.3.13. I have it working, but I'm seeking advice on further customising my setup. I'm using the Maildir++ format with some personal folders. I use IMAP to retrieve mail and Dovecot's submission server to send mail.

1. I want to have incoming emails automatically placed in certain folders instead of 'Inbox' based on certain criteria. For example, I want all emails from PayPal to go into the 'PayPal' folder and all emails from the Debian mailing list to go into the 'Debian' folder. Can Dovecot do this for me, and what is the best approach?

2. When I delete an email using my user client, it is only 'marked' as deleted (Thunderbird places a scored line through it, and a 'T' is added to the filename in the Maildir). How can I get Dovecot to automatically move mail marked 'deleted' to the Trash folder each time? I also want further delete operations on any mail in the 'Trash' folder to be permanently deleted.

3. I want to hide my client IP address from the headers when submitting mail to Dovecot's submissiond, but I can't seem to find any way to disable this. I would prefer that recipients only see the server IP address, but not the IP address of the mail client which submitted it.

Regards, Ellie

PS - When signing up for the mailing list, there was no selection ability on the question "Would you like to get replies to your mails only to the list, ie. add a Reply-To header?"

Hi Ellie,

For the first question, you can use Pigeonhole with Sieve to place specific emails from specific addresses in a specific folder. Refer to the documentation for Pigeonhole and the Dovecot Sieve plugin; you will find enough information to guide you in implementing this.

https://doc.dovecot.org/configuration_manual/sieve/
https://doc.dovecot.org/configuration_manual/sieve/examples/

Good luck. Zakaria.
Re: The end of Dovecot Director?
I think the real issue here is that Dovecot is removing _existing, long-standing, critical_ functionality from the open source version. That is a huge, huge red flag.

Clear enough. It would be great if Dovecot decides to keep it in one way or another in the community release.
Re: how to configure imapsieve to be used per user
On 2022-10-27 02:28, Stephan Bosch wrote:

On 24-10-2022 12:00, Sebastian Bachmann wrote:

According to the documentation, this has to be added to the IMAP METADATA dict per mailbox (https://doc.dovecot.org/configuration_manual/imap_metadata/):

https://doc.dovecot.org/configuration_manual/sieve/plugins/imapsieve/ says: "The basic IMAPSIEVE capability allows attaching a Sieve script to a mailbox for any mailbox by setting a special IMAP METADATA entry. This way, users can configure Sieve scripts that are run for IMAP events in their mailboxes."

But I can not find any example of how this should work, nor which client supports setting those things. My guess is that these keys are used: https://www.iana.org/assignments/imap-metadata/imap-metadata.xhtml#imap-metadata-2

I would also be interested to know if and how that works, especially if you can add a rule when moving mails (from anywhere) to a certain mailbox for a single user.

The basic capability works according to the specification: https://www.rfc-editor.org/rfc/rfc6785

This allows the users to configure these scripts. If you want to arrange this solely at the administrator's discretion, you can use the _before/_after settings documented in https://doc.dovecot.org/configuration_manual/sieve/plugins/imapsieve

Best, Sebastian

On 17.10.2022 12:46, Marc wrote:

I only see configurations that are active for all users; how to configure this in the user sieve rules? I only need this for specific users.

Why don't you use Pigeonhole? Also, I recommend looking for the post titled "Symlink creation" here in the mailing list; there are a few points in it about setting up per-user sieve scripts that will be helpful to you. Also, there are other posts on how to set up sieve for per-user scripts.

Zakaria.
Re: The end of Dovecot Director?
On 2022-10-27 08:31, William Edwards wrote:

On 27 Oct 2022 at 04:25, Timo Sirainen wrote:

Director never worked especially well, and for most use cases it's just unnecessarily complex. I think usually it could be replaced with:

* Database (sql/ldap/whatever) containing user -> backend table.
* Configure Dovecot proxy to use this database as passdb.
* For HA change dovemon to update the database if backend is down to move users elsewhere
* When backend comes up, move users into it. Set delay_until extra field for user in passdb to 5 seconds into future and kick the user in its old backend (e.g. via doveadm HTTP API).

All this can be done with existing Dovecot. Should be much easier to build a project doing this than forking director.

This is my train of thought as well. I believe the following would suffice for most setups.

A database with:
- Current vhost count per backend server. Alternatively, count the temporary user mappings.
- Backend servers.
- Temporary user mappings between user - backend server.

This database is accessible by all Dovecot proxies in case there are multiple.

Steps when receiving a login:
- Check if a temporary user mapping exists.
- If so, proxy to the backend server in the temporary mapping. (To do: clean up mappings.)
- If not, pick the backend server with the lowest vhost count, create a temporary mapping, then increase the vhost count of the chosen backend server.

A monitoring service up/downs backend servers, e.g. by checking the port that we proxy to for each backend server. When a backend server is set to down, kick the user to force a reconnection. (Is that how Director 'moves' users?)

Here is my alternative input as well, using a database cluster/file.

Create a connection mappings table in the database cluster where each row contains user id, backend id, frontend id and agent hash; alternatively a mappings file containing such info and synced across all servers.

Incorporate multiple simultaneous mappings using the agent hash, which can be useful e.g. in the event of using client apps from several devices; in the IMAP proxy, perhaps update the first row which doesn't have an agent hash and matches the frontend and user id in post-login requests.

Create a service in each backend monitoring login and logout entries, and whenever there is one, add the relevant user and frontend row in the mappings table/file. In the event of a removal, just mark one matching entry, excluding unknown agent hashes, as soft removed.

In the load balancing solution, for SMTP/IMAP connections, use perhaps a Lua script to check the mappings in the database or file and find which backend the user was logged in to, and alongside generate a user agent hash, perhaps using base64 encoding, to locate the exact client connection backend row in the mappings where several entries might be present, and proxy the incoming request to it; uncheck soft removed if the same backend is using the same user agent hash. If there are no mappings, use the normal load balancing method, and in post-login requests its mappings will be automatically created.

Zakaria.
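Added example of the user -> backend stickiness table sketched in the messages above; it is not Dovecot code, and the backend names and the in-memory dict stand in for the shared SQL/LDAP table the proxies would read as passdb. It reuses an existing mapping, otherwise places the user on the up backend with the fewest mapped users, and when a backend is marked down it drops that backend's mappings and returns the users that must be kicked before they are handed a new backend (the delay_until step Timo describes). Kicking first is what prevents two backends from opening the same NFS-resident mailbox at once, which is the corruption Director was guarding against.

```python
"""Sticky user -> backend mapping with least-loaded placement and kick-on-down.
Added example for this thread, not Dovecot code. The dict stands in for the
shared passdb table; backend names are constructed."""


class StickyMap:
    def __init__(self, backends):
        self.up = {b: True for b in backends}
        self.mapping = {}  # user -> backend

    def _counts(self):
        """Current vhost count per backend, derived from the mappings."""
        counts = {b: 0 for b in self.up}
        for b in self.mapping.values():
            counts[b] = counts.get(b, 0) + 1
        return counts

    def lookup(self, user):
        """Backend to proxy `user` to, creating a mapping if none is usable."""
        backend = self.mapping.get(user)
        if backend is not None and self.up[backend]:
            return backend  # sticky: same user, same backend
        candidates = [b for b, ok in self.up.items() if ok]
        if not candidates:
            raise RuntimeError("no backend is up")
        counts = self._counts()
        # Fewest mapped users wins; ties resolve alphabetically so the
        # choice is deterministic across proxies reading the same table.
        backend = min(candidates, key=lambda b: (counts[b], b))
        self.mapping[user] = backend
        return backend

    def mark_down(self, backend):
        """Take a backend out of rotation; return users whose sessions must be kicked."""
        self.up[backend] = False
        victims = sorted(u for u, b in self.mapping.items() if b == backend)
        for u in victims:
            del self.mapping[u]  # their next lookup() re-places them
        return victims

    def mark_up(self, backend):
        self.up[backend] = True


def demo():
    m = StickyMap(["imap1", "imap2"])
    first = [m.lookup(u) for u in ("ann", "bob", "cid")]  # spread by load
    again = m.lookup("ann")                                # sticky
    kicked = m.mark_down("imap1")                          # kick before re-placing
    moved = [m.lookup(u) for u in kicked]
    return first, again, kicked, moved


if __name__ == "__main__":
    print(demo())
```

In a real deployment the kick would be issued to the old backend (e.g. via the doveadm HTTP API) between mark_down() and the next lookup(), and the table would be the one the proxies consult as passdb.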
Re: Change password schema and post-login script
On 2022-10-22 18:00, Christos Chatzaras wrote:

Hello,

Question #1: For version 2.3.19.1 these commands use BLF-CRYPT, right?

doveadm pw
doveadm pw -s CRYPT

Question #2: I want to change the password schema for current users. For users using POP3 or IMAP I can do it using a post-login script. I have some accounts used only to send e-mails using Postfix, so no POP3/IMAP logins for these accounts. Is there any way to change the password schema for these accounts?

My config:

# 2.3.19.1 (9b53102964): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: FreeBSD 13.1-RELEASE-p2 amd64 zfs
# Hostname: server2.example.com
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
default_process_limit = 225
disable_plaintext_auth = no
first_valid_gid = 0
first_valid_uid = 1001
mail_location = maildir:/home/mail/%d/%n:INDEX=/tmpfs/dovecot_%u:CONTROL=/var/mail/%d/%n
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/passwd.master
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = /usr/local/etc/dovecot/passwd.suspended
  deny = yes
  driver = passwd-file
}
passdb {
  args = /usr/local/etc/dovecot/passwd
  driver = passwd-file
}
plugin {
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  quota = maildir:User quota
  quota_max_mail_size = 100M
  quota_rule = *:storage=2048M
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=80%% quota-warning 80 %u
  sieve = file:~/sieve;active=~/sieve.active
  sieve_before = /usr/local/lib/dovecot/sieve/antispam.sieve
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = imap pop3 lmtp sieve
service auth {
  client_limit = 1125
  unix_listener auth-client {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1
    port = 4190
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    port = 12340
  }
}
service quota-warning {
  executable = script /root/cretapanel/quota-warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = dovecot
  }
}
ssl_cert =

Hi there,

If I understood you correctly, yes you can. There is auth fallback in Dovecot and you can specify it for user as well as auth queries; e.g. for full accounts including sending, you can query from the main auth and user source, remove the sender-only entries from that source, and add them in the fallback source with a tweak, that is, setting a different password schema. Refer to the following for more info:

https://doc.dovecot.org/configuration_manual/authentication/multiple_authentication_databases/

Also, notice that it doesn't have to be a database fallback; you can set a file-based one, refer to:

https://doc.dovecot.org/configuration_manual/authentication/passwd_file/

Good luck. Zakaria.
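Added example, not Dovecot code: an inventory of the schemes actually stored in a passwd-file, so the accounts that never pass through a POP3/IMAP post-login script (the sender-only ones in the question) can be listed for a one-off migration instead of being guessed at. Assumed: the passwd-file layout user:{SCHEME}hash:uid:gid:gecos:home:shell:extra, CRYPT as the effective scheme when no {SCHEME} prefix is present, and the crypt(3) $id$ prefixes mapped to Dovecot scheme names in _CRYPT_IDS. The sample file and its hashes are constructed placeholders.

```python
"""Inventory password schemes in a Dovecot passwd-file and list the users not
yet on the wanted scheme. Added example for this thread, not Dovecot code.
Assumes the passwd-file layout user:{SCHEME}hash:uid:gid:gecos:home:shell:extra
and CRYPT as the default scheme when the {SCHEME} prefix is absent."""
import re

_PREFIX = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$")

# crypt(3) $id$ prefixes -> the Dovecot scheme name they correspond to.
_CRYPT_IDS = {
    "$2a$": "BLF-CRYPT", "$2b$": "BLF-CRYPT", "$2y$": "BLF-CRYPT",
    "$6$": "SHA512-CRYPT", "$5$": "SHA256-CRYPT", "$1$": "MD5-CRYPT",
}


def scheme_of(password_field, default_scheme="CRYPT"):
    """Effective scheme for one password field, resolving generic CRYPT by $id$."""
    m = _PREFIX.match(password_field)
    if m:
        scheme, rest = m.group(1).upper(), m.group(2)
    else:
        scheme, rest = default_scheme, password_field
    if scheme == "CRYPT":
        for ident, name in _CRYPT_IDS.items():
            if rest.startswith(ident):
                return name
        return "DES-CRYPT"  # traditional 13-character crypt, no $id$ prefix
    return scheme


def inventory(text, wanted="BLF-CRYPT"):
    """Return ({user: scheme}, [users not yet on `wanted`]) in file order."""
    schemes, todo = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, password = line.split(":", 2)[:2]
        schemes[user] = scheme_of(password)
        if schemes[user] != wanted:
            todo.append(user)
    return schemes, todo


# Constructed sample in the passwd-file layout; the hashes are placeholders.
SAMPLE = """\
alice@example.com:{BLF-CRYPT}$2y$05$placeholderhashAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:1001:1001::/home/mail/example.com/alice::
bob@example.com:{CRYPT}$6$salt$placeholderhashBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:1001:1001::/home/mail/example.com/bob::
# sender-only account: authenticates via Postfix SASL, never logs in over IMAP/POP3
noreply@example.com:$1$salt$placeholderhashCCCCCCCCCCCCCC:1001:1001::/home/mail/example.com/noreply::
"""

if __name__ == "__main__":
    schemes, todo = inventory(SAMPLE)
    for user, scheme in schemes.items():
        print(f"{user}: {scheme}")
    print("to migrate:", todo)
```

The users in the todo list are the ones to rehash out of band (doveadm pw -s BLF-CRYPT -p ... generates the new field, doveadm pw -t hash -p plaintext verifies it) since no post-login script will ever run for them.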
Re: Office 365 SSL issue
On 2022-10-22 09:30, Ervin Hegedüs wrote:

Hi there,

I have a bit old Dovecot instance (Ubuntu 14.04 - there is no chance to upgrade it), with these versions of packages:

* Dovecot: 2.2.9
* OpenSSL: 1.0.1f

A few days ago a client notified me that he can't reach his mails through his Office 365. He uses POP3S. I tried to set up the same client for this Dovecot server, but when I configured the POP3 protocol, after the settings check Office says:

Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server ...

While the client was trying, I see these lines in the log:

Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF>

Which is weird, because I disabled SSLv3. Here is the (relevant) config:

ssl_cert =
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
verbose_ssl = yes

When I check the supported encryption types with nmap, I get this:

$ nmap --script ssl-enum-ciphers -p 995 192.168.8.21
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST
Nmap scan report for 192.168.8.21
Host is up (0.021s latency).
PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       ...
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       ...
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       ...
|_  least strength: C

When I check the traffic with tcpdump, I see that the client uses TLSv1.2: https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png

Only the one client who reported the problem, and my test client, can't reach the server - the other (about) 400 users can (but I don't know with what kinds of clients - most use Thunderbird).

What can I do? How can I fix this problem? As I wrote, this problem came up a few days ago suddenly...

Thanks, a.

Hi,

You might want to check the upcoming release's changelog: https://doc.dovecot.org/3.0/installation_guide/upgrading/from-2.3-to-3.0/

Notice the point "OpenSSL support for older than 1.0.2: Older versions are not supported anymore."

I think you should be able to upgrade both OpenSSL and Dovecot on the same instance if you compile them manually. Also, you can install an additional OpenSSL, load its library e.g. as libssl.so, and move the older libssl.so.1.0.1 so that the new one is the default. Make sure to install anything above 1.0.1.

Good luck. Zakaria.
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-10-11 14:05, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-10-11 13:42:

On 2022-09-13 13:10, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-09-13 14:03:

from:from:reply-to:date:date:message-id:message-id:to:to:cc:mime-version:mime-version:content-type:content-type:in-reply-to:in-reply-to:references:references

Thanks to my friend, who didn't need a credit, and helped me out in reaching this solution.

I have no friends, but it might be related: https://gitlab.com/fumail/fuglu/-/issues/262

With my conservative list of signed headers it passes.

Indeed, it's because you set the following headers in the DKIM signing headers:

from : subject : date : to : message-id

Although I'm not sure why you've added some spaces; as per the standards I think only a colon-separated list is the compliant format, like the following:

from:subject:date:to:message-id

Anyhow, this is my final update. The previous header set which I included wasn't perfect, as the cc header was causing trouble, given it can fail at some point, e.g. when replying more than one time to the same recipient through a mailing list. Mind me, for OX and iRedMail I had to check your signing header sets; hopefully you are OK with me presenting them here as the optimal ones to avoid DKIM failures:

OX:
Date:From:To:In-Reply-To:References:Subject:From

IRM:
x-mailer:message-id:in-reply-to:to:references:date:subject:mime-version:content-transfer-encoding:content-type:from

iRedMail's seems to be the best header set, given it includes the X-Mailer header, which enhances signature validity when the client uses a specific mail client app. Although it can be faked, one must know which client app the sender would use, and if one was able to have information to this length, I guess breaking the signature's validity further would be an easy task.

Also, I was advised by a friend to duplicate the signing headers in order to further disallow spoofing the signature. While I couldn't see how, nor produce a proof of concept, I removed it, but if someone understands it, I would appreciate their elaboration, surely with thanks :)

Good luck. Zakaria.
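Added example for the header-duplication point raised above; it is not OX, iRedMail or any DKIM library's code, and the messages in it are constructed. It implements the field selection rule of RFC 6376 section 5.4.2: for each name in the h= tag the verifier takes instances from the bottom of the header block upwards, and a name listed more times than the header occurs maps to a nonexistent (empty) field. That is what listing "from:from" buys: a second From prepended after signing becomes the second selected instance, the signed input changes, and the signature no longer verifies, whereas with a single "from" the added header is simply never looked at. The parser strips whitespace around the colons, which the RFC's h= grammar allows as folding whitespace. Header canonicalisation is the relaxed algorithm of section 3.4.2; body hashing and the RSA step are left out because only field selection is at issue.

```python
"""Field selection for the DKIM h= tag (RFC 6376 sections 3.4.2 and 5.4.2),
showing why listing a header twice ("oversigning") pins it. Added example for
this thread, not OX/iRedMail/DKIM library code; messages are constructed."""
import re


def parse_h_tag(value):
    """Split an h= value into lowercase names; FWS around colons is allowed."""
    return [name.strip().lower() for name in value.split(":") if name.strip()]


def relaxed_header(name, value):
    """Relaxed canonical form: lowercase name, unfold, collapse WSP, CRLF."""
    if value is None:
        return ""  # nonexistent instance contributes nothing to the hash input
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_list):
    """Pick the header instances covered by h_list, bottom-up per name.

    `headers` is the header block top to bottom as (name, value) pairs."""
    remaining = {}
    for name, value in headers:
        remaining.setdefault(name.lower(), []).append(value)
    chosen = []
    for name in h_list:
        stack = remaining.get(name, [])
        chosen.append((name, stack.pop() if stack else None))  # last = bottom-most
    return chosen


def signed_input(headers, h_list):
    """The canonicalised header text that the signature actually covers."""
    return "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_list))


# Constructed header block of the signed message, top to bottom.
ORIGINAL = [
    ("From", "alice@example.org"),
    ("To", "list@example.net"),
    ("Subject", "signed\r\n  headers"),
]
# Constructed: a hop (or attacker) prepends a second From above the signed block.
TAMPERED = [("From", "ceo@example.org")] + ORIGINAL


def survives_tampering(h_tag):
    """True if a signature over ORIGINAL would still verify over TAMPERED."""
    h_list = parse_h_tag(h_tag)
    return signed_input(ORIGINAL, h_list) == signed_input(TAMPERED, h_list)


if __name__ == "__main__":
    print("from:to:subject       survives:", survives_tampering("from:to:subject"))
    print("from:from:to:subject  survives:", survives_tampering("from:from:to:subject"))
```

Run it and the single-from signature survives the prepended From while the oversigned one does not; that asymmetry is the whole argument for the duplicated names in the first header list quoted above.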
Re: The end of Dovecot Director?
On 2022-10-21 10:54, Zhang Huangbin wrote:

On Oct 21, 2022, at 5:51 PM, Zhang Huangbin wrote:

If the mailbox is in Maildir format (and stored on shared storage like NFS), accessing it from different servers may corrupt Dovecot index files and the mailbox becomes inaccessible. Director perfectly avoids this issue.

To be clear: accessing the same mailbox from different IMAP servers __at the same time__.

Zhang Huangbin, founder of:
- iRedMail: Open source email server solution: https://www.iredmail.org/
- Spider: Lightweight, on-premises Email Archiving Software: https://spiderd.io

Thanks :)
Re: The end of Dovecot Director?
On 2022-10-21 10:51, Zhang Huangbin wrote:

On Oct 21, 2022, at 5:23 PM, hi@zakaria.website wrote:

I was wondering if one can achieve the same implementation with HAProxy without Dovecot Director?

The most important part of Director is that it makes sure the same mail user is always proxied to the same backend IMAP server. If the mailbox is in Maildir format (and stored on shared storage like NFS), accessing it from different servers may corrupt Dovecot index files and the mailbox becomes inaccessible. Director perfectly avoids this issue.

HAProxy can proxy a mail user from the same client IP to the same backend IMAP server, but not the same mail user from different IPs.

Quote (https://doc.dovecot.org/admin_manual/director/dovecotdirector/): "Director can be used by Dovecot's IMAP/POP3/LMTP proxy to keep a temporary user -> mail server mapping. As long as user has simultaneous connections, the user is always redirected to the same server. Each proxy server is running its own director process, and the directors are communicating the state to each others. Directors are mainly useful for setups where all of the mail storage is seen by all servers, such as with NFS or a cluster filesystem."

Zhang Huangbin, founder of:
- iRedMail: Open source email server solution: https://www.iredmail.org/
- Spider: Lightweight, on-premises Email Archiving Software: https://spiderd.io

Aha, makes sense, although I was not able to see how index files can be corrupted when they are going to be updated in the same manner as from a different connection; e.g. opening an email account from different client apps, with different connections, does not corrupt the index files? Also, is the issue Director is resolving as well maintaining the logged-in Dovecot connection to the same backend? Anyhow, thanks for your valuable efforts in clearing this up :)

I wondered if there is any other solution to avoid corrupting index files? Perhaps if Dovecot offered database indexing as well as login sessions, it seems that this would eliminate the Director requirement and offer better high availability, as for now only userdb/authdb is available per my knowledge, and using a database cluster resolves the issue with user and auth queries during simultaneous connections to different backends. Otherwise, it seems that in a large enterprise deployment with high availability a Director implementation will be needed; hopefully we will find an alternative solution by the time Dovecot 3 is released.

I might need to get my head around building Dovecot with customised modules and reviewing the code which was removed and returning it back; if anyone is planning to do this, and is well ahead of me, please let me know, we might be able to help one another.

With thanks. Zakaria.
Re: The end of Dovecot Director?
On 2022-10-21 06:19, Zhang Huangbin wrote:

On Oct 21, 2022, at 4:19 AM, Antonio Leding wrote:

My understanding is that Director is targeted toward large enterprise mail installations that will incorporate several servers for a given function. In such an environment, Director would be the fore-person/traffic-cop keeping things organized & squared-away.

Director is used when you set up frontend servers in a load-balance cluster, proxying imap/pop3/lmtp/managesieve requests to backend Dovecot servers. I set up load-balance clusters for clients with HAProxy + Keepalived + Dovecot Director running on the frontend servers; so sad we have to find an alternative to replace Director in such a case. It's not about "small/medium" servers, but the demand for an imap/pop3/lmtp proxy service, especially in a load-balance cluster.

Zhang Huangbin, founder of:
- iRedMail: Open source email server solution: https://www.iredmail.org/
- Spider: Lightweight, on-premises Email Archiving Software: https://spiderd.io

Hi,

I was wondering if one can achieve the same implementation with HAProxy without Dovecot Director? Load balancing all requests to the pop3, imap, managesieve and lmtp services from specified frontend servers, i.e. webmail, to specified backend servers, and using an NFS-mounted filesystem / syncing data across all servers to access emails with high availability? Not sure what's the big deal Director is offering? Is it just native functionality providing a feature to find which backend server has X emails available and choosing to load e.g. its content from there, i.e. like checking which is the first server that doesn't return the IMAP/POP3/LMTP/ManageSieve equivalent of an HTTP 404 response?

Some time ago I used Varnish caching directors to implement high availability using the 404 response status in an HTTP web server, and it seems great if we can have this feature in Dovecot too, as it offers high availability with delayed syncing / partial syncing across unknown selected servers. I managed to use Varnish too in the Dovecot proxy service, i.e. the webmail, yet it requires an NFS mount or a highly available filesystem that all servers have immediate access to, e.g. the maildir? Any helpful input that would clear the picture for me in regards to Dovecot Director would be very much appreciated.

With thanks. Zakaria.
Re: adding caldav/carddav next to dovecot
On 2022-10-14 14:13, Marc wrote: I hope it is ok to post this off-topic question here. I was wondering if there are environments here running, next to dovecot, also calendar and contacts services. In the past I was testing a bit with the one from Apple, but I think it is being discontinued because of converting the python 2 code. I am looking for some experience with a setup provisioning >10k users. Not that I have such a requirement, but I want to know if the solution is stable, efficient and optionally can scale. I need something efficient, because I do not have too many resources and high iops available. I also do not want any other 'crap', just the cal (and card) dav solution. https://github.com/1and1/cosmo This looks interesting (used by 1und1 in Germany?) but not a big community. https://sabre.io/dav/install/ This is in php ...

Hi there, I tried the Roundcube Calendar and Tasks List plugins from Kolab; tbh they are good, and I would recommend them, yet SOGo seems to stand out in terms of layout and smooth mobile-mode performance. Given that the RC one is PHP/JS based, with caching it can perhaps outplay the latter, but as SOGo is fully AJAX-frontend based it plays smoothly in mobile mode, imho better than RC, which is so static. In RC, I was able to import some events in ICS format directly from email to the Calendar and it worked like a charm. I think RC is great too and can scale efficiently as long as you configure the webserver and its load balancing solution properly. Btw, I ought to note that I am genuinely not a spammer, and my email TLD was blocked by your mail server when I CC'ed this email. Good luck. Zakaria.
Re: adding caldav/carddav next to dovecot
On 2022-10-14 14:13, Marc wrote: I hope it is ok to post this off-topic question here. I was wondering if there are environments here running, next to dovecot, also calendar and contacts services. In the past I was testing a bit with the one from Apple, but I think it is being discontinued because of converting the python 2 code. I am looking for some experience with a setup provisioning >10k users. Not that I have such a requirement, but I want to know if the solution is stable, efficient and optionally can scale. I need something efficient, because I do not have too many resources and high iops available. I also do not want any other 'crap', just the cal (and card) dav solution. https://github.com/1and1/cosmo This looks interesting (used by 1und1 in Germany?) but not a big community. https://sabre.io/dav/install/ This is in php ...

Hi there, I tried the Roundcube Calendar and Tasks List plugins from Kolab; tbh they are ok, and I would recommend them, yet SOGo seems to stand out in terms of layout and mobile-mode performance. Given that the RC one is PHP/JS based, with caching it can perhaps outplay the latter, but as SOGo has an Objective C backend and is fully AJAX-frontend based, it plays smoothly in mobile mode, imho better than RC. In RC, I was able to import some events in ICS format directly from email to the Calendar and it worked like a charm. I think RC is efficient and can scale efficiently as long as you configure the webserver and its load balancing solution properly. Good luck. Zakaria.
dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-09-13 13:10, Benny Pedersen wrote: hi@zakaria.website skrev den 2022-09-13 14:03: least two must pass Signature Verification. Has anyone managed to configure EXIM to verify more than one DKIM Signature header?

postfix smtpd_milter_maps with a list of ips that are known maillist ips is best for software that is broken; use DISABLE as the result per ip that is a maillist ip, that will disable opendmarc and other milters when the client ip is a maillist, postfix will be happy until the trusted domain has updated and stable milters. use rspamd if possible, which is imho the only stable milter that solves it all, i hate to write that but it might be right for the time being, while spamassassin v4 is on the way.

Another update, yet with a solution. I found the issue causing the DKIM and DMARC failure when a signed email passes through a mailing list such as dovecot; as I expected, it has nothing to do with the mailing list but with the DKIM signing header set. It's due to one or several headers in the DKIM signing set getting added or modified after signing at the dovecot end. Anyhow, here is the DKIM signing header set for this mailing list that should work and will prevent the batch of DMARC emails and bad signatures from happening again:

from:from:reply-to:date:date:message-id:message-id:to:to:cc:mime-version:mime-version:content-type:content-type:in-reply-to:in-reply-to:references:references

Thanks to my friend, who didn't need credit, and helped me out in reaching this solution. Zakaria.
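The doubled names in the h= list above (from:from, date:date, ...) are "oversigning" as described in RFC 6376 section 5.4.2: each extra name claims one more instance of that header than the message carries, so a header that an intermediary adds afterwards lands in that slot and changes the signed hash. The following is an added example, not code from the post or from any DKIM implementation: it models only the header-selection step, with constructed headers and SHA-256 standing in for the full b= computation, and shows the difference between a plain and an oversigned h= when a list server prepends Reply-To or a second From.

```python
"""Added example (not from the post or any DKIM library): a model of how the
DKIM h= tag selects header instances (RFC 6376, section 5.4.2), to show what
the doubled names in the header set above buy you. All headers are constructed."""
import hashlib
from typing import List, Tuple

Header = Tuple[str, str]  # (field name, value), in top-to-bottom message order

# The signing set quoted in the post; names listed twice are "oversigned".
H_TAG_FROM_POST = ("from:from:reply-to:date:date:message-id:message-id:to:to:cc:"
                   "mime-version:mime-version:content-type:content-type:"
                   "in-reply-to:in-reply-to:references:references")

# A plain set: each present header once, nothing that is absent.
H_TAG_PLAIN = "from:date:message-id:to:mime-version:content-type"

# Constructed message headers as they were when the signature was made.
ORIGINAL: List[Header] = [
    ("From", "alice@example.org"),
    ("Date", "Tue, 13 Sep 2022 14:03:00 +0200"),
    ("Message-ID", "<1@example.org>"),
    ("To", "dovecot@dovecot.org"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "text/plain; charset=utf-8"),
]


def select_signed_headers(headers: List[Header], h_tag: str) -> List[str]:
    """For each name in h=, take the bottom-most not-yet-used instance of that
    header. A name with no instance left yields "" (it contributes nothing to
    the hash). That empty slot is what makes oversigning work: a header that
    an intermediary prepends later fills the slot and changes the hash."""
    remaining = list(headers)
    selected: List[str] = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        picked = ""
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                field, value = remaining.pop(i)
                # Simplified "relaxed" canonicalization: lowercase name, trimmed value.
                picked = f"{field.lower()}:{value.strip()}"
                break
        selected.append(picked)
    return selected


def header_hash(headers: List[Header], h_tag: str) -> str:
    """Hash of the selected header lines (stand-in for the signed header part
    of the DKIM-Signature b= computation)."""
    lines = [line for line in select_signed_headers(headers, h_tag) if line]
    return hashlib.sha256("\r\n".join(lines).encode("utf-8")).hexdigest()


def signature_survives(at_signing: List[Header], at_verifier: List[Header], h_tag: str) -> bool:
    """True when the verifier selects headers hashing to the signer's value,
    i.e. the signature would still verify after the message was handled."""
    return header_hash(at_signing, h_tag) == header_hash(at_verifier, h_tag)


if __name__ == "__main__":
    # A list server prepending Reply-To, a header the original did not have:
    relayed = [("Reply-To", "dovecot@dovecot.org")] + ORIGINAL
    print("plain h=, Reply-To added   :", signature_survives(ORIGINAL, relayed, H_TAG_PLAIN))      # True
    print("oversigned, Reply-To added :", signature_survives(ORIGINAL, relayed, H_TAG_FROM_POST))  # False
    # Someone prepending a second From: to a signed message:
    spoofed = [("From", "mallory@example.net")] + ORIGINAL
    print("plain h=, From prepended   :", signature_survives(ORIGINAL, spoofed, H_TAG_PLAIN))      # True
    print("oversigned, From prepended :", signature_survives(ORIGINAL, spoofed, H_TAG_FROM_POST))  # False
```

The plain h= survives both additions because selection runs bottom-up and only ever reaches the original instances; that is exactly why a second From: prepended by an attacker would still verify. With the oversigned set, the previously empty slot now picks up the added header and the hash no longer matches, which is the failure mode the list traffic above showed for headers that were added after signing.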
Re: One-off backup
On 2022-10-10 14:57, Ian Evans wrote: I run a small email server for me and the missus. Six dovecot users. Our host is migrating our server instance. They usually (99.% lol) go off without a hitch. As we don't have dovecot running elsewhere, I'm assuming doveadm is the wrong tool. If we want to make a one-off backup prior to the migration, is shutting down postfix and running tar czf mailstorage.tgz /path/to/mail okay? Thanks.

I would say it should be ok as long as it's going to be the same setup, but if you are expecting to upgrade dovecot or any other related package, I would then recommend performing the upgrades before migrating and taking the backup, so as to guarantee everything is going to be working.
Re: Dovecot mail-crypt webmail can't read encrypted messages
On 2022-10-10 08:03, Serveria Support wrote: Hi, thanks, this sounds like a great idea! Will try this and let you guys know...

On 2022-10-10 10:52, George Asenov wrote: Dovecot is open source, so you can download the source, edit the log format removing the passwords, and compile it.

On 09-Oct-22 8:47 PM, Serveria Support wrote: Like I've already mentioned in my reply to Aki, I generally agree, but many of these methods require much time and expertise some bad guys don't have. You can also bruteforce the passwords but it can take years. With passwords showing in logs all they need to do is make a few clicks and enable auth logging. In most cases the attacker is really short on time and needs to act fast, before he is detected and locked out of the system.

On 2022-10-09 19:10, Bernardo Reino wrote: On Sun, 9 Oct 2022, Serveria Support wrote: So this means passwords cannot be masked/hidden in the logs? You realize that it actually defeats the whole idea of encrypted storage? It's useless. I can think of lots of scenarios: a malicious system administrator reading users' mails and blackmailing them or selling their business secrets to competitors, corrupt law enforcement in some countries getting rid of political or business opponents by disclosing the contents of their mails, and I can go on and on and on... There is no such thing as semi-privacy. Privacy is either there or it's not.

If your attack scenario includes somebody owning your server, nothing prevents them from compiling/installing a custom version of dovecot (or any other tool you may be using, like PAM, etc.) which dumps the passwords in clear text to a suitable file, pipe, or socket. So good luck with that requirement.. Cheers, Bernardo

Hey, I thought to recommend encrypting the log file on your own. Create a service executing a bash script every second, perhaps using a while loop, to encrypt the dovecot log file; add a separator at the end of the log, so in the following encryption cycles you can know what has been newly inserted and needs encryption, by decrypting the old and encrypting the decrypted old and the new together. Also, make sure to perform the encryption on a separate temp copy of the log file so as to allow dovecot to pipe out logs without messing up the order of lines, and lastly, you probably want to disallow the administrator account from accessing the dovecot conf file, perhaps by changing its permissions and ownership, so they can't change the logging path. There you go, passwords are encrypted in the log file and no one can read them. Zakaria.
Re: Replacing antispam plugin with IMAPSieve not 100% correct?
On 2022-09-25 14:35, Christian Kivalo wrote: On September 25, 2022 1:27:23 PM GMT+02:00, Marc wrote: I think this page[1] is not correct. If you configure this option:

imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve

the file report-spam.svbin cannot be created because users cannot write there.

You have to pre-compile all sieve before/global/after scripts with sievec. See the end of this section https://doc.dovecot.org/configuration_manual/sieve/configuration/#executing-multiple-scripts-sequentially

[1] https://doc.dovecot.org/configuration_manual/howto/antispam_with_sieve/#howto-antispam-with-imapsieve

I was wondering how you will be able to use sieve in filtering spam?
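The point Christian makes above, that before/global/after scripts such as report-spam.sieve live in a directory the mail process cannot write to, means their .svbin has to be produced by the administrator with sievec and kept newer than the source whenever the script is edited. The following is an added example, not Pigeonhole's or the howto's code: a small check that lists the scripts whose compiled binary is missing or stale and runs sievec on them. The paths are illustrative, and the `run` hook exists only so the logic can be exercised without sievec installed.

```python
"""Added example (not Pigeonhole code): find global/before/after Sieve scripts
whose compiled .svbin is missing or older than the source, so the administrator
can recompile them with sievec. Paths used here are illustrative."""
import subprocess
from pathlib import Path
from typing import Callable, Iterable, List, Sequence


def stale_sieve_scripts(script_paths: Iterable[str]) -> List[Path]:
    """Return the .sieve sources that need (re)compilation: no .svbin beside
    them, or an .svbin whose mtime is older than the source's."""
    stale: List[Path] = []
    for src in map(Path, script_paths):
        if src.suffix != ".sieve":
            raise ValueError(f"not a sieve script: {src}")
        svbin = src.with_suffix(".svbin")
        if not svbin.exists() or svbin.stat().st_mtime < src.stat().st_mtime:
            stale.append(src)
    return stale


def sievec_commands(stale: Sequence[Path]) -> List[List[str]]:
    """sievec writes <script>.svbin next to the source by default, which is
    where Pigeonhole looks for it at delivery time."""
    return [["sievec", str(path)] for path in stale]


def precompile(script_paths: Iterable[str],
               run: Callable[..., object] = subprocess.run) -> int:
    """Compile every stale script as the administrator (the mail user cannot
    write into the global script directory). Returns the number compiled.
    `run` is injectable so the selection logic can be tested without sievec."""
    commands = sievec_commands(stale_sieve_scripts(script_paths))
    for cmd in commands:
        run(cmd, check=True)
    return len(commands)


if __name__ == "__main__":
    # The script from the thread; extend with your own before/after scripts.
    GLOBAL_SCRIPTS = ["/usr/lib/dovecot/sieve/report-spam.sieve"]
    present = [s for s in GLOBAL_SCRIPTS if Path(s).exists()]
    for path in stale_sieve_scripts(present):
        print("needs sievec:", path)
```

Run it from a deploy hook or cron after editing any global script; a per-user script does not belong in this list, since Pigeonhole compiles those itself in a directory the user owns.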
Re: Pigeonhole redirect is adding a message-id header when it already exists
On 2022-10-01 22:59, michael.z...@feierfighter.de wrote:

Hi Zakaria, I'm very happy about your email to the mailing list, I thought I was alone with my problem, and it's nice to see that the problem might be a bug/problem in pigeonhole. I was not sure about it because I didn't get a technical answer from that German provider, so I didn't know if it's a bug in pigeonhole or not. I didn't have time to investigate, thanks for your time to investigate and pinpoint the line of code where the problem might be! Back then, a few months ago, I disabled the "Message-Id duplicate check" because of this problem. It's just a problem of <0.001% of the emails, most systems generate valid Message-IDs. Maybe Alibaba/Aliexpress is the biggest one who generates invalid Message-Ids... It would be awesome if you could also try to contact Alibaba/Aliexpress and tell them the problem. Maybe they fix it if multiple people report it. But I doubt it. Let's see what the Dovecot guys say to this problem. Maybe the best solution is to remove the invalid Message-Id before adding a new one. Michael

On 01-Oct-2022 18:24:05 +0200, hi@zakaria.website wrote: On 2022-10-01 12:49, michael.z...@feierfighter.de wrote: Hi there, I can confirm this behavior. A few months ago I introduced a milter which checks for multiple headers when the RFC says that there should be just one of them, for example "Message-Id". I found the described problem in an email coming from Alibaba, which had an invalid "Message-Id" header. It didn't contain an "@" sign or similar. It was RFC-invalid. This email was sent from Alibaba to a German email provider. There was a redirect at that email provider, pointing to my mailserver. My server rejected the email because there were 2 "Message-Id" headers: the original invalid "Message-Id" header from Alibaba, and a new "Message-Id" header from the German provider, which seems to have been added during the redirect. There were "Dovecot-sieve" headers in that mail, so my guess was that it happened because of the Dovecot-sieve/pigeonhole implementation. I contacted the email provider, asking for help, asking if it really is a bug in pigeonhole (or maybe some other system at that provider, who knows). And I contacted Alibaba, so they fix the invalid "Message-Id". I got responses from both, but until now, as far as I can see, it has not been fixed. The best fix would be (if it really is a bug in pigeonhole) if pigeonhole fixes the problem, then it's fixed for all users of Dovecot. I guess Alibaba is not the only sender with an invalid "Message-ID" header, but that's the only one I saw. Michael

On 01-Oct-2022 14:00:45 +0200, sric...@swisscenter.com wrote: You wrote in the original email the message was rejected. Sorry, I don't have login access to my gmail test account anymore since the google @#$%@#$% wanted to have me add a phone number. In my original post I said that gmail was rejecting the forwards because of duplicate headers, and that the duplicate header seems to be a Message-ID added by pigeonhole when it's "not happy" with the original mail Message-ID. I probably failed to explain the issue clearly and sorry for that. Thank you anyway for trying to help :)

Hi Michael, I just wanted to say sorry that I sent this empty email by mistake, intending nothing else. Anyhow, thanks so much for your valuable input, it's very much appreciated. Zakaria.

Good Morning Michael, No problem. Although, to be clear, I didn't point out anything; it was Sébastien, and the credit shall go to him. Also, by the way, in the EXIM MTA there is a verify syntax condition in the data acl, which checks all email headers and validates that they are standards compliant, and rejects any email that has a non-compliant header before it is sent on, so your issue would not arise; it also offers the ability to remove such headers with condition handling, e.g. if it contained any Sieve header, to request removing the message-id headers with headers_remove and adding a compliant one with add_header, and I guess this will mitigate any mail service provider rejection issue. If you are a postfix user and considering switching, let me know, I might be able to help. Zakaria.
Re: Custom post login scripting variables via ID command
On 2022-09-26 07:03, Aki Tuomi wrote:

On 22/09/2022 23:05 EEST hi@zakaria.website wrote:

On 2022-09-22 16:24, Brendan Braybrook wrote:
>> I wonder if dovecot would consider this feature request. In post login scripting, given that USER, IP, LOCAL_IP, and userdb lookup fields are the only ones available, I want to push additional variables from web mail to dovecot using ID commands; I looked at the source in imap-login-cmd-id.c and script-login.c and it seems to be possible, while I'm not an expert in C and IMAP standards and not sure if it's something that would break the standards.
>
> i think this can do what you need. this little bit of config:
>
> # trusted networks that can use the extended ID data we use for auth now
> login_trusted_networks = 192.168.0.10
> # retain these so we can log client names (when provided)
> imap_id_retain=yes
>
> makes connections from 192.168.0.10 trusted so that the imap ID fields get passed around during the auth/userdb processes.
>
> if you then use the new lua scripting for the userdb lookup (https://doc.dovecot.org/configuration_manual/authentication/lua_based_authentication/#authentication-lua-based-authentication), you can get the value of the imap client id via auth_request#client_id
>
> here's a little snippet to get you started:
> ---
>
> package.path = package.path .. ";/usr/share/lua/5.1/?.lua"
> package.cpath = package.cpath .. ";/usr/lib/x86_64-linux-gnu/lua/5.1/?.so"
> require 'lfs'
>
> function auth_userdb_lookup(req)
>   dovecot.i_info("dovecot-auth.lua: authdb client_id = [" .. req.client_id .. "]")
>   local ret = {}
>   ret.client_id = req.client_id
>   -- ret.homedir = ...etc...
>   -- need the rest of the userdb lookup bits
>   return dovecot.auth.USERDB_RESULT_OK, ret
> end
>
> ---
>
> you'll want to update that to return everything you need from the userdb lookup, but the data returned by userdb should get pushed to your post_login script. you should see $CLIENT_ID as an env variable with the example code above.
>
> also note: make sure your post login script explicitly calls bash and don't get burned by /bin/sh pointing at dash (as happened to me recently - otherwise some environment variables might not show up with dash).

Thanks so much for this, very much appreciated. Anyhow, for anyone looking for a quicker and easier solution, I was able to overwrite x_connected_ip using the id command, which is returned as the value of LOCAL_IP, since I wanted to block some client apps from using my IMAP server; yet your reference to login trusted networks made me doubt whether I've done things right. Probably I need to make sure restricted client apps can't just perform the id command, overwrite LOCAL_IP and bypass the restriction like my webmail does, and I hope this is what login trusted networks is for; as per the doc, it seems to be so.

Hi! You should use login_trusted_networks to enable passing variables over the ID command. You can then use the supported ways there to set the original IP and such without needing to touch the source code. Currently supported ID values are: x-originating-ip, x-originating-port, x-connected-ip, x-connected-port, x-proxy-ttl, x-session-id, x-session-ext-id, x-forward-.

Usage: 1 ID ("x-originating-ip" "1.2.3.4" "x-originating-port" "3133"...)

Aki

Thanks so much for clarifying this. Zakaria.
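As an added example of the rule Aki states above (it models the behaviour; it is not Dovecot's code): a parser for the RFC 2971 ID argument and a check that honours the x-* forwarding fields only when the connecting address lies inside login_trusted_networks, which is what stops an arbitrary client from sending its own x-originating-ip to dodge an IP-based restriction in a post-login script. The networks, client names and addresses are constructed; forwarding claims whose value is not a valid IP address are dropped as well.

```python
"""Added example (not Dovecot code): model of "forwarding fields in the IMAP
ID command are honoured only from login_trusted_networks". The parser follows
the RFC 2971 ID argument syntax; network and client values are constructed."""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Forwarding keys listed in Aki's reply; x-forward-<name> is a prefix family.
FORWARD_KEYS = {
    "x-originating-ip", "x-originating-port", "x-connected-ip", "x-connected-port",
    "x-proxy-ttl", "x-session-id", "x-session-ext-id",
}
FORWARD_PREFIX = "x-forward-"

# One IMAP quoted string (with \" and \\ escapes) or the atom NIL.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\bNIL\b', re.IGNORECASE)

Params = Dict[str, Optional[str]]


def parse_id_args(arg: str) -> Optional[Params]:
    """Parse the argument of 'tag ID <arg>': NIL, or a parenthesised list of
    alternating quoted keys and values, where a value may be NIL."""
    arg = arg.strip()
    if arg.upper() == "NIL":
        return None
    if not (arg.startswith("(") and arg.endswith(")")):
        raise ValueError("ID argument must be NIL or a parenthesised list")
    tokens = []
    for m in _TOKEN.finditer(arg[1:-1]):
        if m.group(1) is None:
            tokens.append(None)                                   # bare NIL
        else:
            tokens.append(re.sub(r"\\(.)", r"\1", m.group(1)))  # unescape \" \\
    if len(tokens) % 2:
        raise ValueError("ID list must contain key/value pairs")
    params: Params = {}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key is None:
            raise ValueError("ID keys must be strings")
        params[key.lower()] = value
    return params


def apply_id(params: Optional[Params], remote_ip: str,
             login_trusted_networks: str) -> Tuple[Params, Params]:
    """Split ID parameters into client information (kept from anyone, e.g. for
    logging) and forwarding fields, which are honoured only when the socket
    peer is inside one of the space-separated trusted networks."""
    peer = ipaddress.ip_address(remote_ip)
    trusted = any(peer in ipaddress.ip_network(n, strict=False)
                  for n in login_trusted_networks.split())
    client_info: Params = {}
    forwarded: Params = {}
    for key, value in (params or {}).items():
        if key in FORWARD_KEYS or key.startswith(FORWARD_PREFIX):
            if not trusted or value is None:
                continue  # untrusted peer: its forwarding claims are ignored
            if key.endswith("-ip"):
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    continue  # malformed address: drop rather than pass on garbage
            forwarded[key] = value
        else:
            client_info[key] = value
    return client_info, forwarded


def effective_remote_ip(remote_ip: str, forwarded: Params) -> str:
    """What a post-login script would see as IP: the originating address a
    trusted proxy supplied, otherwise the real socket peer."""
    return forwarded.get("x-originating-ip") or remote_ip


if __name__ == "__main__":
    TRUSTED = "192.168.0.10 10.0.0.0/8"            # constructed login_trusted_networks
    cmd = '("name" "Roundcube" "version" "1.6" "x-originating-ip" "203.0.113.7")'
    params = parse_id_args(cmd)
    for peer in ("192.168.0.10", "198.51.100.9"):  # webmail host vs. a random phone
        info, fwd = apply_id(params, peer, TRUSTED)
        print(peer, "->", effective_remote_ip(peer, fwd), info, fwd)
```

The same ID line from the webmail host yields 203.0.113.7 as the effective address, while from an untrusted peer the forwarding fields are discarded and the post-login script sees the peer itself; that is the property Zakaria wanted to be sure of before relying on LOCAL_IP in a blocklist.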
Re: Custom post login scripting variables via ID command
On 2022-09-22 16:24, Brendan Braybrook wrote: I wonder if dovecot would consider this feature request. In post login scripting, given that USER, IP, LOCAL_IP, and userdb lookup fields are the only ones available, I want to push additional variables from web mail to dovecot using ID commands; I looked at the source in imap-login-cmd-id.c and script-login.c and it seems to be possible, while I'm not an expert in C and IMAP standards and not sure if it's something that would break the standards.

i think this can do what you need. this little bit of config:

# trusted networks that can use the extended ID data we use for auth now
login_trusted_networks = 192.168.0.10
# retain these so we can log client names (when provided)
imap_id_retain=yes

makes connections from 192.168.0.10 trusted so that the imap ID fields get passed around during the auth/userdb processes.

if you then use the new lua scripting for the userdb lookup (https://doc.dovecot.org/configuration_manual/authentication/lua_based_authentication/#authentication-lua-based-authentication), you can get the value of the imap client id via auth_request#client_id

here's a little snippet to get you started:
---

package.path = package.path .. ";/usr/share/lua/5.1/?.lua"
package.cpath = package.cpath .. ";/usr/lib/x86_64-linux-gnu/lua/5.1/?.so"
require 'lfs'

function auth_userdb_lookup(req)
  dovecot.i_info("dovecot-auth.lua: authdb client_id = [" .. req.client_id .. "]")
  local ret = {}
  ret.client_id = req.client_id
  -- ret.homedir = ...etc...
  -- need the rest of the userdb lookup bits
  return dovecot.auth.USERDB_RESULT_OK, ret
end

---

you'll want to update that to return everything you need from the userdb lookup, but the data returned by userdb should get pushed to your post_login script. you should see $CLIENT_ID as an env variable with the example code above.

also note: make sure your post login script explicitly calls bash and don't get burned by /bin/sh pointing at dash (as happened to me recently - otherwise some environment variables might not show up with dash).

Thanks so much for this, very much appreciated. Anyhow, for anyone looking for a quicker and easier solution, I was able to overwrite x_connected_ip using the id command, which is returned as the value of LOCAL_IP, since I wanted to block some client apps from using my IMAP server; yet your reference to login trusted networks made me doubt whether I've done things right. Probably I need to make sure restricted client apps can't just perform the id command, overwrite LOCAL_IP and bypass the restriction like my webmail does, and I hope this is what login trusted networks is for; as per the doc, it seems to be so.
Custom post login scripting variables via ID command
Hi there, I wonder if dovecot would consider this feature request. In post login scripting, given that USER, IP, LOCAL_IP, and userdb lookup fields are the only ones available, I want to push additional variables from web mail to dovecot using ID commands; I looked at the source in imap-login-cmd-id.c and script-login.c and it seems to be possible, while I'm not an expert in C and IMAP standards and not sure if it's something that would break the standards. I hope the dev team will consider this, and if anyone has a workaround or an idea with which I can start to patch a workaround myself, please let me know, as it would be very much appreciated. With thanks. Zakaria.
Re: Bug report: TLS SNI for LDAP userdb/passdb
On 2022-09-15 10:23, Aki Tuomi wrote: On September 15, 2022 11:10:15 AM GMT+03:00, Tobias Wolter wrote: Cheers, On Thu, 2022-09-15 at 07:18 +0300, Aki Tuomi wrote: On September 14, 2022 5:29:46 PM GMT+03:00, Tobias Wolter wrote:
> Cheers,
>
> Dovecot 2.3.4.1 (Debian stable) here, and the changelog does not offer any hope of salvation, so a bug report it is.
>
> The LDAP connections for userdb/passdb do not support SNI via TLS.
>
> Simple construct to reproduce this:
>
> 0.) Have a.pem with SAN `foo.example.com`, b.pem with `bar.example.com`
> 1.) Configure haproxy frontend with `bind *:636 ssl crt /foo/a.pem ssl crt /foo/b.pem`
> 2.) Try to use ldaps://bar.example.com/ in passdb, receive "auth: Error: LDAP: Can't connect to server: ldaps://bar.example.com"
>
> Expectation, of course, would be for this to work; most libraries should support it, it's probably just a matter of convincing the appropriate binding.

Can you verify with openssl s_client -connect bar.example.com:ldaps -servername bar.example.com that the correct cert is served?

Forgot to mention that I of course tested with `s_client` and `ldapsearch`/`ldapwhoami`; HAProxy correctly serves the right certificate as per the SNI indication. Regards, -towo

Can you turn on auth_debug=yes and amp up ldap debug logging? Aki

Try this, and confirm whether your SSL certificate matches the ldap SNI; otherwise I guess it should throw a different error, which could be what's causing the ldap connection failure. http://docs.haproxy.org/dev/configuration.html#5.1-strict-sni Zakaria.
Re: Replicator: Panic: data stack: Out of memory
On 2022-06-04 12:20, Paul Kudla (SCOM.CA Internet Services Inc.) wrote: just an fyi, the domain is registered and appears to be active, so there should not be any issues with the domain. .website is an actual domain (like .com, .ca etc), however i did note

ZAKARIA.WEBSITE. 14400 IN MX 10 ZAKARIA.WEBSITE.

usually the mx record points to an actual sub domain like mail. or whatever; if you are running everything on one server then this is ok, it's just usually better to separate the mx record in case you want to go to a different server down the road.

Domain Name: ZAKARIA.WEBSITE
Registry Domain ID: D198561373-CNIC
Registrar WHOIS Server: whois.ionos.com
Registrar URL: https://ionos.com
Updated Date: 2021-11-02T01:42:25.0Z
Creation Date: 2020-08-29T09:28:59.0Z
Registry Expiry Date: 2022-08-29T23:59:59.0Z
Registrar: IONOS SE
Registrar IANA ID: 83
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: 1&1 Internet Limited
Registrant State/Province: GLS
Registrant Country: GB
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: NS1.ZAKARIA.WEBSITE
Name Server: NS2.ZAKARIA.WEBSITE

## nslookup ZAKARIA.WEBSITE
Server: 10.220.0.2
Address: 10.220.0.2#53
Non-authoritative answer:
Name: ZAKARIA.WEBSITE
Address: 213.171.210.111
Name: ZAKARIA.WEBSITE
Address: 2a00:da00:1800:834c::1

## dig mx ZAKARIA.WEBSITE
; <<>> DiG 9.14.3 <<>> mx ZAKARIA.WEBSITE
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32110
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ba2f2ec47dfcc90f458d629b4d2855567ad8dfa57bf8 (good)
;; QUESTION SECTION:
;ZAKARIA.WEBSITE. IN MX
;; ANSWER SECTION:
ZAKARIA.WEBSITE. 14400 IN MX 10 ZAKARIA.WEBSITE.
;; ADDITIONAL SECTION:
zakaria.website. 14372 IN A 213.171.210.111
zakaria.website. 14372 IN AAAA 2a00:da00:1800:834c::1
;; Query time: 87 msec
;; SERVER: 10.220.0.2#53(10.220.0.2)
;; WHEN: Sat Jun 04 08:16:40 EDT 2022
;; MSG SIZE rcvd: 147

Happy Saturday !!! Thanks - paul

Paul Kudla Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3 Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email p...@scom.ca

On 6/4/2022 6:07 AM, Marc wrote: I think it is because of the domain, obviously you should only be running a website.

-Original Message- From: dovecot On Behalf Of hi@zakaria.website Sent: Saturday, 4 June 2022 11:15 To: Dovecot Subject: Re: Replicator: Panic: data stack: Out of memory

On 2022-06-04 02:46, Ivan Jurišić wrote: Ok, a little more help: vsz_limit = 0 --> means unlimited ram for allocation, change this / try 2g etc. depending on available ram. I tried with 524M, 1G, 2G, 4G and 8G but in any case the replicator process crashed.

Maybe there is another service process causing the OOM? e.g. check clamd; antivirus DBs tend to be quite big and while updating for some time become double the size due to reloading. Also, sometimes the httpd service, when using the event worker and not tuned properly, will cause an OOM crash of other services along with itself.

Hi Paul, I couldn't get the context, and am not sure if you've addressed me by confusion, since I didn't post the OOM issue, Ivan did; anyhow thanks for the heads up. I think the MX record is ok. I ran validation on internet.nl, as well as staging.hardenize.net and many other mail server validating services, and none of them, in terms of meeting standards, has picked anything wrong on the MX records, therefore I kept it as I thought was right. If I by any chance had the mail services running on another server, then indeed, as you stated, inevitably I will have to point the MX record to its domain, and using a unique domain or subdomain will become a requirement. Also, another thought for Ivan about OOM: it seems that a memory leak can sometimes happen legitimately; if you have low resources, make sure your server didn't run out of resources, including CPU cores and storage as well as RAM. To check storage you can run: df -h. Zakaria.
Only INBOX is searched when using gmail with dovecot FTS and solr
Hi, I am using https://github.com/docker-mailserver/docker-mailserver to set up my mailserver and added solr for full-text search. Nearly everything is working as expected. But I have a problem with the full-text search, as I have a lot of folders in my mailbox and I just can't find any mail in any of these folders except INBOX when I search with the Gmail android app. After analyzing the logs, I assume that the bug is in the Gmail app, as it is only searching in the INBOX folder. I searched a bit and found some reports of other users confirming that. As this "design decision" (or bug) is quite old, I assume that Google won't fix it. But as many people are using Gmail, I assume that there must be a way to search all folders with Gmail. Sadly, I haven't found any possibility yet. As a workaround one may put a proxy in between and simply remove the "+box:123" filter from the path (e.g. with a small regex). With that, solr will return all found mails from that user, regardless of the folder. This may be quite simple, but a very dirty hack. Hence, I hope that you guys know a better way, a good way to overcome this issue and enable all Gmail users to search for email in all folders. Best regards, Marcel
Re: [Dovecot] using ecc-certificates (ellyptic curve) will not establish connection
hi

building 2.0.15 (f6a2c0e8bc03) against the 1.0.0e ssl libs _WORKS_ (on some parts ;)

Note: be careful on the client side as many clients won't understand these types of certificates; check the version of openssl if you have problems ... a client on OS X 10.6 (OpenSSL 0.9.8r 8 Feb 2011) gives the following error

# openssl s_client -host remoteserver -port 993
CONNECTED(0003)
8346:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_clnt.c:602:

==> /var/log/mail.log <==
dovecot: imap-login: Disconnected (no auth attempts): rip=, lip=, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

well - THIS would work (for debugging :)
# openssl s_client -host remoteserver -port 993 -cipher ECCdraft

Greetings Mike

On 09.10.2011 at 16:21, Fresel Michal - hi competence e.U. wrote:
> hi
>
> I want to use ECC (elliptic curve cryptography) for SSL connections but somehow dovecot doesn't like my ECC certificates :(
>
> I tried to test using the following scenario:
>
> machine:
> debian 6 (x64)
> dovecot 2.0.15-0~auto+21 (f6a2c0e8bc03) from http://xi.rename-it.nl/debian
> openssl 1.0.0e-2 from testing (as the default 0.9.8o-4squeeze3 also needs the parameter -cipher ECCdraft for testing)
>
> creating keys+cert for ecc (i.e. curves prime192v1, secp521r1)
> # openssl ecparam -name prime192v1 -genkey -out prime192v1.key
> # openssl req -new -key prime192v1.key -out prime192v1.csr
> # openssl req -x509 -in prime192v1.csr -key prime192v1.key -out prime192v1.crt
>
> testing these in 2 windows
> # openssl s_server -cert prime192v1.crt -key prime192v1.key -www
> # openssl s_client
> note: when using the default openssl version 0.9.8o-4squeeze3 you need to append -cipher ECCdraft
>
> output (cut)
> ...
> New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
> Server public key is 192 bit
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>     Protocol : SSLv3
>     Cipher : ECDHE-ECDSA-AES256-SHA
>     Session-ID: x
>     Session-ID-ctx:
>     Master-Key: x
>     Key-Arg : None
>     PSK identity: None
>     PSK identity hint: None
>     Compression: 1 (zlib compression)
>     Start Time: x
>     Timeout : 7200 (sec)
>     Verify return code: 18 (self signed certificate)
>
> looks promising - also for the secp521r1 curve
>
> but when changing dovecot.conf to use these keys and certificates it won't use them and returns errors
>
> # openssl s_client -port 993
> CONNECTED(0003)
> 140543456835240:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
> 140543456835240:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol : SSLv3
>     Cipher :
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg : None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: x
>     Timeout : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
> and the log gives (using verbose_ssl = yes in dovecot.conf)
>
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
>
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
>
> ==> /var/log/mail.warn <==
> dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
>
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
>
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
>
> ==> /var/log/mail.warn <==
> dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
>
> ==> /var/log/mail.log <==
> dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]
>
> ==> /var/log/mail.info <==
> dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failu
[Dovecot] using ecc-certificates (elliptic curve) will not establish connection
hi

I want to use ECC (elliptic curve cryptography) for SSL connections, but somehow dovecot doesn't like my ECC certificates :(

I tried to test using the following scenario:

machine: debian 6 (x64)
dovecot 2.0.15-0~auto+21 (f6a2c0e8bc03) from http://xi.rename-it.nl/debian
openssl 1.0.0e-2 from testing (as the default 0.9.8o-4squeeze3 also needs the parameter -cipher ECCdraft for testing)

creating keys+cert for ecc (i.e. curves prime192v1, secp521r1):

# openssl ecparam -name prime192v1 -genkey -out prime192v1.key
# openssl req -new -key prime192v1.key -out prime192v1.csr
# openssl req -x509 -in prime192v1.csr -key prime192v1.key -out prime192v1.crt

testing these in 2 windows:

# openssl s_server -cert prime192v1.crt -key prime192v1.key -www
# openssl s_client

note: when using the default openssl version 0.9.8o-4squeeze3 you need to append -cipher ECCdraft

output (cut) ...

New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
Server public key is 192 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-ECDSA-AES256-SHA
    Session-ID: x
    Session-ID-ctx:
    Master-Key: x
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: x
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

looks promising - also for the secp521r1 curve

but when changing dovecot.conf to use these keys and certificates it won't use them and returns errors:

# openssl s_client -port 993
CONNECTED(0003)
140543456835240:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
140543456835240:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: x
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

and the log gives (using verbose_ssl = yes in dovecot.conf):

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

==> /var/log/mail.log <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

==> /var/log/mail.info <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]
dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

==> /var/log/mail.warn <==
dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]

from doveconf -a:

ssl = required
ssl_ca =
ssl_cert =
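The `where=0x....`/`ret=...` pairs that Dovecot writes with `verbose_ssl = yes` are the raw arguments of OpenSSL's SSL_CTX_set_info_callback, and the `error:XXXXXXXX` strings are packed lib/function/reason codes, so the post's log is more informative than it looks once decoded. The following decoder is an added example, not code from the original post or from Dovecot; the bit values are OpenSSL 1.0.x's SSL_CB_*/SSL_ST_* constants and SSL_AD_REASON_OFFSET (1000), the alert names come from RFC 5246, and the sample lines are constructed from the ones quoted above. It reports what the codes mean (server wrote a fatal handshake_failure alert, then SSL_accept() left the accept state with "no shared cipher"); it does not claim why this particular Dovecot build rejected an ECDSA certificate, which the thread does not say.

```python
"""Decode Dovecot verbose_ssl log lines and packed OpenSSL error codes.

Added example; not part of the original post or of Dovecot. Constants are
OpenSSL 1.0.x ssl.h values; sample log lines are constructed from the post.
"""
import re

# OpenSSL info-callback "where" bits (SSL_CTX_set_info_callback, ssl.h)
SSL_CB_FLAGS = {
    0x1000: "SSL_ST_CONNECT", 0x2000: "SSL_ST_ACCEPT",
    0x0001: "SSL_CB_LOOP", 0x0002: "SSL_CB_EXIT",
    0x0004: "SSL_CB_READ", 0x0008: "SSL_CB_WRITE",
    0x4000: "SSL_CB_ALERT",
    0x0010: "SSL_CB_HANDSHAKE_START", 0x0020: "SSL_CB_HANDSHAKE_DONE",
}
# TLS alert descriptions (RFC 5246 7.2) and levels
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 80: "internal_error"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
SSL_AD_REASON_OFFSET = 1000  # reason codes >= 1000 are alerts received from the peer

LOG_RE = re.compile(r"imap-login: Warning: SSL(?: alert)?: where=0x(?P<where>[0-9a-fA-F]+), "
                    r"ret=(?P<ret>-?\d+): (?P<msg>.*?) \[(?P<ip>[^\]]+)\]")
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)")

# Constructed sample input, copied from the lines quoted in the post.
SAMPLE_LOG = [
    "dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]",
    "dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]",
    "dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [127.0.0.1]",
    "dovecot: imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3 read client hello C [127.0.0.1]",
    "dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: "
    "SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
]
SAMPLE_CLIENT = [  # what openssl s_client printed on the other side
    "140543456835240:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40",
    "140543456835240:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:",
]


def decode_where(where):
    """Expand the info-callback bitmask into SSL_CB_*/SSL_ST_* flag names."""
    return [name for bit, name in SSL_CB_FLAGS.items() if where & bit]


def decode_alert_ret(ret):
    """For SSL_CB_ALERT callbacks ret is (level << 8) | description."""
    level, desc = ret >> 8, ret & 0xFF
    return ALERT_LEVEL.get(level, "level %d" % level), ALERT_DESC.get(desc, "alert %d" % desc)


def decode_openssl_error(code):
    """Split a packed 1.0.x error code into lib (8 bits), func (12 bits), reason (12 bits)."""
    info = {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}
    if info["reason"] >= SSL_AD_REASON_OFFSET:  # the reason is a TLS alert from the peer
        info["peer_alert"] = ALERT_DESC.get(info["reason"] - SSL_AD_REASON_OFFSET,
                                            "alert %d" % (info["reason"] - SSL_AD_REASON_OFFSET))
    return info


def analyse(lines):
    """Walk log lines in order and summarise the handshake outcome."""
    report = {"events": [], "alerts": [], "errors": [], "verdict": "handshake outcome unknown"}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            where, ret = int(m["where"], 16), int(m["ret"])
            ev = {"flags": decode_where(where), "ret": ret, "msg": m["msg"], "ip": m["ip"]}
            if where & 0x4000:  # alert: SSL_CB_WRITE = we sent it, SSL_CB_READ = peer sent it
                ev["alert"] = ("sent" if where & 0x0008 else "received",) + decode_alert_ret(ret)
                report["alerts"].append(ev["alert"])
            elif where & 0x0002 and ret <= 0:  # SSL_CB_EXIT with ret <= 0: accept/connect failed
                ev["failed"] = True
            report["events"].append(ev)
        for e in ERR_RE.finditer(line):
            info = decode_openssl_error(int(e["code"], 16))
            info.update(func_name=e["func"], reason_text=e["reason"])
            report["errors"].append(info)
    reasons = [e["reason_text"] for e in report["errors"]]
    if "no shared cipher" in reasons:
        report["verdict"] = ("server rejected ClientHello: no cipher suite is usable by both sides "
                             "(server cipher list, certificate key type and client offer must overlap)")
    elif any(a[0] == "sent" and a[1] == "fatal" for a in report["alerts"]):
        report["verdict"] = "server sent fatal alert: " + next(a[2] for a in report["alerts"] if a[1] == "fatal")
    elif any("peer_alert" in e for e in report["errors"]):
        report["verdict"] = "peer sent alert: " + next(e["peer_alert"] for e in report["errors"] if "peer_alert" in e)
    return report


if __name__ == "__main__":
    for label, sample in (("dovecot log", SAMPLE_LOG), ("s_client", SAMPLE_CLIENT)):
        r = analyse(sample)
        print(label, "->", r["verdict"])
        for ev in r["events"]:
            print("  ", "|".join(ev["flags"]), "ret=%d" % ev["ret"], ev.get("alert", ""), ev["msg"])
        for e in r["errors"]:
            print("   error lib=%d func=%d reason=%d %s" % (e["lib"], e["func"], e["reason"], e["reason_text"]))
```

Read against the post: `where=0x4008` is SSL_CB_ALERT|SSL_CB_WRITE, so Dovecot wrote the alert, and `ret=552` is level 2 (fatal), description 40 (handshake_failure), which is exactly the "SSL alert number 40" s_client reported from its side; `where=0x2002, ret=-1` is SSL_ST_ACCEPT|SSL_CB_EXIT with a failed return, and `1408A0C1` unpacks to reason 193, OpenSSL's "no shared cipher". That message means the server found no suite it could use for this client and certificate, so the next thing to compare is `doveconf -a | grep ssl_cipher_list` against `openssl ciphers -v '<that list>' | grep ECDSA`, since an ECDSA certificate can only be used by ECDSA-authenticated suites.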