HELP with email attachments ONLY clean up

2024-04-24 Thread INFO @ TRIMLINE via dovecot
Hello Dovecot Dev team,

 

In my cpanel, we use your email management. This is what my hosting provider
has allowed. 

 

Our problem: 

Since the introduction of "hi def cameras on mobile phones", we are getting
emails with "huge attachments". The email which comes with the attachments
is also important. However, once we download the email (imap), using any of
the email clients (outlook, bluemail etc.) the mailbox still has these huge
attachments. Because of this, our mailbox storage gets filled up quickly. In
our email client software, we can delete (attachments only), and leave the
email in our mailbox. So this workaround helps us keep our mailbox size
manageable. Unfortunately, not everyone does this "email attachment cleanup"
regularly, and they end up being locked out of email storage space and
probably lose a few hours of productive time.

 

Our dev Request:

Would it be possible to create a setting for end users in our Cpanel, in
which we can delete the attachments without deleting the actual message? 

So query should have: 

 (drop down selection, like you have it now)

*   Filter 01: Select Messages older than nnn days (where nnn would be
100 to 999 days) (so for the first 99 days, every imap client would have the
opportunity to download the email and the attachments)
*   From Filter 01 = Filter 02: Select messages which are >xxx Mb (where
xxx could be 001 to 999 Mb)
*   From Filter 02 = Filter 03: Select only messages which contain
attachments (Yes)
*   From Filter 03: Permanently Delete the attachments ONLY, So not
deleting the actual email msg (OK).

So on day 100 (or after the clean up is done), the imap email client will
now only get the email but not the attachments (in the event they need to
refresh their email setup).

 

If such a query can be created and installed on our Cpanel, we can run this
"clean up attachments" query regularly and as such reduce our mailbox size.

 

Q: Would it be possible to create such a clean up tool (pre-defined) so that
the cpanel web service admin user only has to enter (nnn and xxx and Yes) to
finally click on "OK" to delete the attachments?

 

If this would be possible, what will it cost us to have it installed on our
Cpanel?

 

There is so much information/documentation already on your website
(doc.dovecot.org) and I spent about 60 min looking for such a "clean up
tool" documentation, but started getting dizzy reading all that script
language etc. Not my cup of tea.

 

Please help.

 

Thank you for considering and reading this request.

 

Kind regards

 

M. Akil Walji

 

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: Replication going away?

2023-07-18 Thread info
Just to understand that correctly: I could setup a (cron) based process for 
doveadm sync, but no longer a setup like 
plugin { 
  mail_replica = tcp:$IMAP_REPLICA_SERVER:$IMAP_REPLICA_PORT 
} 
where the cron would lead to some delay and would have to check for concurrent 
jobs?


Re: Mailcrypt plugin private password

2019-09-04 Thread info--- via dovecot
Is any of the password schemes supported or is there a reason you chose pkcs5?


4 Sep 2019, 08:45, from aki.tu...@open-xchange.com:

> It should pick up the password used by the user, there is a caveat here
> though. The keypair is created on first use, so password will be
> initialized to empty string going thru pkcs5. This is slightly
> inconvenient.
>
> To avoid this, you should probably have
>
> protocol imap {
>   passdb {
>     driver = static
>     args = userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>   }
> }
>
> and initialize the keypair using doveadm and set the password to this
> value there.
>
> This requires some user management tools though so that the password is
> changed with doveadm when user changes their password.
>
> Another alternative is to keep the private password in database, you can
> use the var expand encryption plugin to make sure it's decryptable with
> the user's password. See
> https://doc.dovecot.org/configuration_manual/config_file/config_variables/
> for details.
>
> Key management is pretty much the most difficult thing in mail crypt
> plugin =)
>
> Aki
>
>
> On 4.9.2019 9.40, info--- via dovecot wrote:
>
>> Do I have to replace the "password" part with the actual password or
>> can I just copy it like that?
>>
>> Will dovecot create the keypair automatically or do I have to use
>> doveadm?
>>
>> 4 Sep 2019, 08:33, from aki.tu...@open-xchange.com:
>>
>>> On 4.9.2019 9.21, Dustin Schoenwolf via dovecot wrote:
>>>
>>>> Hello there,
>>>>
>>>> is there a way to make the mailcrypt plugin use the user's
>>>> password or at least store it in a hashed value?
>>>>
>>>> I'm using a passwd file for authentication.
>>>>
>>>> I feel uncomfortable saving the private password in plaintext
>>>> in that file.
>>>>
>>>> Regards
>>>
>>> You can try in passdb return
>>>
>>> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>>>
>>> Aki



Re: Mailcrypt plugin private password

2019-09-03 Thread info--- via dovecot
Do I have to replace the "password" part with the actual password or can I just 
copy it like that?

Will dovecot create the keypair automatically or do I have to use doveadm?


4 Sep 2019, 08:33, from aki.tu...@open-xchange.com:

> On 4.9.2019 9.21, Dustin Schoenwolf via dovecot wrote:
>
>> Hello there,
>>
>> is there a way to make the mailcrypt plugin use the user's password
>> or at least store it in a hashed value?
>>
>> I'm using a passwd file for authentication.
>>
>> I feel uncomfortable saving the private password in plaintext in that
>> file.
>>
>> Regards
>
> You can try in passdb return
>
> userdb_mail_crypt_private_password=%{pkcs5,salt=%u,format=base64:password}
>
> Aki
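The pkcs5 expansion suggested in the two Mailcrypt messages above, and the first-use and password-change caveats Aki describes, as an added Python example that is not from the thread or from Dovecot. The hash, round count, output length and the `ToyKeyStore` class are assumptions for illustration; the thread only specifies `salt=%u` and `format=base64`.

```python
import base64
import hashlib
import hmac

# Assumed parameters: the thread gives only salt=%u and format=base64.
ROUNDS = 2048   # illustrative round count, not taken from the thread
DKLEN = 32      # illustrative output length in bytes


def derive_private_password(login_password, username):
    """PBKDF2 (PKCS#5 v2) over the login password, salted with the username,
    base64-encoded: nothing secret has to be stored in the passwd file."""
    raw = hashlib.pbkdf2_hmac("sha256", login_password.encode(),
                              username.encode(), ROUNDS, DKLEN)
    return base64.b64encode(raw).decode()


class ToyKeyStore:
    """Hypothetical stand-in for a per-user private key that is locked under
    the private password supplied when the keypair was created."""

    def __init__(self):
        self._verifier = {}

    @staticmethod
    def _digest(private_password):
        return hashlib.sha256(private_password.encode()).digest()

    def create_keypair(self, user, private_password):
        if user in self._verifier:
            raise ValueError("keypair already exists")
        self._verifier[user] = self._digest(private_password)

    def unlock(self, user, private_password):
        return hmac.compare_digest(self._verifier[user],
                                   self._digest(private_password))

    def change_password(self, user, old, new):
        if not self.unlock(user, old):
            raise PermissionError("old private password does not unlock the key")
        self._verifier[user] = self._digest(new)


def first_use_caveat(user, login_password):
    """Keypair auto-created on first use, when the password field is still
    empty: the key ends up locked under pkcs5("") and a later login with the
    real password cannot unlock it."""
    store = ToyKeyStore()
    store.create_keypair(user, derive_private_password("", user))
    return store.unlock(user, derive_private_password(login_password, user))


def provisioned_lifecycle(user, old_pw, new_pw):
    """Keypair initialised up front with the derived value (the doveadm step
    in the thread), then the login password changes."""
    store = ToyKeyStore()
    store.create_keypair(user, derive_private_password(old_pw, user))
    ok_before = store.unlock(user, derive_private_password(old_pw, user))
    # Login password changed, key password not yet updated: unlock fails.
    stale = store.unlock(user, derive_private_password(new_pw, user))
    # User management tooling re-keys with old and new derived values.
    store.change_password(user,
                          derive_private_password(old_pw, user),
                          derive_private_password(new_pw, user))
    ok_after = store.unlock(user, derive_private_password(new_pw, user))
    return ok_before, stale, ok_after


if __name__ == "__main__":
    # Constructed sample account and passwords.
    print(first_use_caveat("alice@example.org", "correct horse"))
    print(provisioned_lifecycle("alice@example.org", "correct horse", "new pass"))
```
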



Re: Dovecot can't connect to openldap over starttls [SOLVED]

2017-03-21 Thread info

Thank you very much for this idea.
I thought I had already tried this out.
I have copied the *.crt to the official dir of ssl/cert and set the
access to 644.

And now all works correctly.

Tobias

On 2017-03-21 08:06, Aki Tuomi wrote:

Could you copy LetsEncrypt.pem to a world-readable location, with
world-readable rights, and see if this helps with your problem. I saw
you tried with cat using su(do), but unfortunately supplementary groups
are not always used with processes.

Aki


On 20.03.2017 23:09, i...@gwarband.de wrote:
The one that works fine was my openxchange server, that loads contacts
from openldap.

In my opinion I don't have installed a security framework like SELinux
or AppArmor.

The output of namei -l /etc/ssl/certs/LetsEncrypt.pem
f: /etc/ssl/certs/LetsEncrypt.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwxr-xr-x root root certs
lrwxrwxrwx root root LetsEncrypt.pem -> /etc/ssl/own/LetsEncrypt.crt

drwxr-xr-x root root   /
drwxr-xr-x root root   etc
drwxr-xr-x root root   ssl
drwxr-x--- root ssl-cert   own
-rw-r- root ssl-cert   LetsEncrypt.crt

Tobias

On 2017-03-20 21:49, Aki Tuomi wrote:

Did you do some successful lookup with something there? I can see few
failed attempts and one that seems to have worked just fine.

As pointed out earlier, are you using security frameworks like
SELinux or AppArmor? Also, can you provide namei -l
/etc/ssl/certs/LetsEncrypt.pem

The failed attempts are really short, indicating a VERY early problem
with SSL handshake.

Aki


On March 20, 2017 at 9:24 PM i...@gwarband.de wrote:


I have a new pcap from beginning to the end with openldap "TLS
negoiation failed"

https://gwarband.de/openldap/tracefile.dump

The sourceports are 45376 and 45377

Tobias

On 2017-03-20 19:59, Aki Tuomi wrote:

Well, those actually *reduce* the possible algorithms that can be
used, so uncommenting those can make things worse.

Anyways, your pcap seems incomplete, can you try again?

Aki


On March 20, 2017 at 8:14 PM i...@gwarband.de wrote:


I have also tested with 2.2.28 and this version has the same issue.

The finding of compatible ciphers is not the problem because I have
uncommented the ldap entries:
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin  3.1

Maybe you have further ideas.

On 2017-03-20 17:42, Aki Tuomi wrote:

On March 20, 2017 at 5:28 PM i...@gwarband.de wrote:


Can somebody say something about this request?

This is an email from the openldap-technical mailinglist from
openldap.

System details are mentioned in the other email.

 Original message 
Subject: Re: Dovecot can't connect to openldap over starttls
Date: 2017-03-20 16:18
Sender: Dan White 
Recipient: i...@gwarband.de
Cc: openldap-techni...@openldap.org

On 03/20/17 16:06 +0100, i...@gwarband.de wrote:

Debug Dovecot's implementation of ldap_start_tls_s().
I don't have any idea how to set a higher debug level to dovecot. In
my opinion I have the highest. So I can't deliver a greater log.


I recommend consulting Dovecot's advice on how to run a debugger, or
dig into the code which calls libldap.


Hi!
I just ran a quick test, and following things are needed:

uris = ldap://ldap.host.com
tls = yes
tls_ca_cert_file = /path/to/cert-bundle.crt

this has been tested with 2.2.28, and works just fine. Not sure why
you are having issues.

Of course this could be anything between not finding compatible
ciphers to the LDAP server actually expecting client certificate, what
with the logs not actually being too verbose unfortunately. There
isn't too much to "debug" in Dovecot's TLS implementation, it's not
doing anything fancy asides from calling the ldap_start_tls_s.

I am not sure what debugging you could try further.

Aki
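The namei output and the remark about supplementary groups in the message above, as an added Python example that is not from the thread: a namei-style walk that follows the symlink and reports the first path component whose mode bits stop a given uid and set of gids. The function names, the relative symlink and the 0640 file mode in the constructed tree are assumptions; ACLs, SELinux and AppArmor are not evaluated.

```python
import os
import stat
import tempfile
from collections import deque

R, X = 4, 1  # permission bits: read, search/execute


def class_bits(st, uid, gids):
    """Pick the owner/group/other triplet that applies to this identity."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_blocker(start, relpath, uid, gids, max_links=40):
    """Walk relpath below start, following symlinks like namei -l.

    Returns None if uid/gids can reach and read the file, otherwise a
    (path, mode_string, reason) tuple for the first component that stops it.
    Pass only the primary gid in gids to model a process that runs without
    its supplementary groups.
    """
    cur = start
    todo = deque(p for p in relpath.split("/") if p)
    links = 0
    while todo:
        name = todo.popleft()
        if name == ".":
            continue
        if name == "..":
            cur = os.path.dirname(cur)
            continue
        path = os.path.join(cur, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            return (path, "-", "does not exist")
        mode = stat.filemode(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            links += 1
            if links > max_links:
                return (path, mode, "too many symlinks")
            target = os.readlink(path)
            if os.path.isabs(target):
                cur = "/"  # absolute target: restart the walk at the root
            todo.extendleft(reversed([p for p in target.split("/") if p]))
            continue
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & X:
                return (path, mode, "no search (x) permission on directory")
            cur = path
        elif todo:
            return (path, mode, "not a directory")
        elif not bits & R:
            return (path, mode, "no read (r) permission on file")
    return None


def build_constructed_tree():
    """Constructed layout mirroring the thread: certs/LetsEncrypt.pem is a
    symlink into own/, which is mode 0750; the file mode 0640 is assumed."""
    root = tempfile.mkdtemp()
    certs = os.path.join(root, "certs")
    own = os.path.join(root, "own")
    os.mkdir(certs)
    os.mkdir(own)
    crt = os.path.join(own, "LetsEncrypt.crt")
    with open(crt, "w") as fh:
        fh.write("constructed placeholder, not a certificate\n")
    os.chmod(certs, 0o755)
    os.chmod(own, 0o750)
    os.chmod(crt, 0o640)
    os.symlink("../own/LetsEncrypt.crt", os.path.join(certs, "LetsEncrypt.pem"))
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    owner = os.stat(os.path.join(root, "own"))
    service_uid, other_gid = owner.st_uid + 1, owner.st_gid + 1
    # Primary group only: stopped at own/ even though the symlink is 0777.
    print(first_blocker(root, "certs/LetsEncrypt.pem", service_uid, {other_gid}))
    # Same uid with the certificate group as supplementary group: readable.
    print(first_blocker(root, "certs/LetsEncrypt.pem", service_uid,
                        {other_gid, owner.st_gid}))
```
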


Re: Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]

2017-03-20 Thread info
The one that works fine was my openxchange server, that loads contacts 
from openldap.


In my opinion I don't have installed a security framework like SELinux 
or AppArmor.


The output of namei -l /etc/ssl/certs/LetsEncrypt.pem
f: /etc/ssl/certs/LetsEncrypt.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwxr-xr-x root root certs
lrwxrwxrwx root root LetsEncrypt.pem -> /etc/ssl/own/LetsEncrypt.crt

drwxr-xr-x root root   /
drwxr-xr-x root root   etc
drwxr-xr-x root root   ssl
drwxr-x--- root ssl-cert   own
-rw-r- root ssl-cert   LetsEncrypt.crt

Tobias

On 2017-03-20 21:49, Aki Tuomi wrote:

Did you do some successful lookup with something there? I can see few
failed attempts and one that seems to have worked just fine.

As pointed out earlier, are you using security frameworks like
SELinux or AppArmor? Also, can you provide namei -l
/etc/ssl/certs/LetsEncrypt.pem

The failed attempts are really short, indicating a VERY early problem
with SSL handshake.

Aki


On March 20, 2017 at 9:24 PM i...@gwarband.de wrote:


I have a new pcap from beginning to the end with openldap "TLS
negoiation failed"

https://gwarband.de/openldap/tracefile.dump

The sourceports are 45376 and 45377

Tobias

On 2017-03-20 19:59, Aki Tuomi wrote:

Well, those actually *reduce* the possible algorithms that can be
used, so uncommenting those can make things worse.

Anyways, your pcap seems incomplete, can you try again?

Aki


On March 20, 2017 at 8:14 PM i...@gwarband.de wrote:


I have also tested with 2.2.28 and this version has the same issue.

The finding of compatible ciphers is not the problem because I have
uncommented the ldap entries:
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin  3.1

Maybe you have further ideas.

On 2017-03-20 17:42, Aki Tuomi wrote:

On March 20, 2017 at 5:28 PM i...@gwarband.de wrote:


Can somebody say something about this request?

This is an email from the openldap-technical mailinglist from
openldap.

System details are mentioned in the other email.

 Original message 
Subject: Re: Dovecot can't connect to openldap over starttls
Date: 2017-03-20 16:18
Sender: Dan White 
Recipient: i...@gwarband.de
Cc: openldap-techni...@openldap.org

On 03/20/17 16:06 +0100, i...@gwarband.de wrote:

Debug Dovecot's implementation of ldap_start_tls_s().
I don't have any idea how to set a higher debug level to dovecot. In
my opinion I have the highest. So I can't deliver a greater log.


I recommend consulting Dovecot's advice on how to run a debugger, or
dig into the code which calls libldap.


Hi!
I just ran a quick test, and following things are needed:

uris = ldap://ldap.host.com
tls = yes
tls_ca_cert_file = /path/to/cert-bundle.crt

this has been tested with 2.2.28, and works just fine. Not sure why
you are having issues.

Of course this could be anything between not finding compatible
ciphers to the LDAP server actually expecting client certificate, what
with the logs not actually being too verbose unfortunately. There
isn't too much to "debug" in Dovecot's TLS implementation, it's not
doing anything fancy asides from calling the ldap_start_tls_s.

I am not sure what debugging you could try further.

Aki


Re: Dovecot can't connect to openldap over starttls

2017-03-20 Thread info

The user "dovecot" can access and read the cert.
Here is an output of the console:
https://gwarband.de/openldap/dovecot-certs.log

So I think there is nothing what prevent Dovecot to access the file.

Tobias

On 2017-03-20 20:14, Tomas Habarta wrote:

Actually, I likely managed to replicate the problem itself.
I've observed described behavior (timeout with connection error) only if
Dovecot's tls_ca_cert_file provided either non-existent file or there
was no read access to the existing file -- found during review after
sending my last post as I run CentOS, not Debian and didn't adjust the
path correctly (/etc/ldap vs. /etc/openldap) in dovecot-ldap.conf when
setting that up.

Anyway, ldapsearch uses the same library as Dovecot so if ldapsearch
works, Dovecot _simply_ must work as well ;)

As mentioned, I normally run CentOS, where /etc/ssl/certs has SELinux
security context; don't you by any chance run something similar which
may prevent Dovecot from accessing the file?

I tested on Debian 8 with the standard repo software (same versions you
reported), even tried also 2.2.27 from backports and all worked ok, so
there seems to be nothing wrong with both software at all, just some
little thing in the configuration...


Tomas


On 03/20/2017 02:04 PM, i...@gwarband.de wrote:

I've tested your solution, but it also says the same error.
I've tested all combinations of:
   - tls_ca_cert_file = 
   - tls = yes
   - tls_require_cert = demand

Every time it says "Connection error".
Only when tls is uncommented it says "TLS required".

Additional information from my contact with the openldap-technical
mailing list:
The ldapsearch under the user dovecot with -ZZ works fine.
And they mention that the ldap.conf and dovecot-ldap.conf should have no
differences, that is correct no differences.
Here is a link to the ldap.conf
https://gwarband.de/openldap/ldap.conf
And the output of ldapsearch under dovecot:
https://gwarband.de/openldap/ldapsearch-dovecot.log

Tobias

On 2017-03-20 11:00, Tomas Habarta wrote:
I've finally managed that running on Debian 8 test machine by commenting
tls_ca_cert_file =
option from dovecot-ldap.conf, so only
tls = yes
tls_require_cert = demand

Not sure why is that as on my CentOS6 Dovecot works even with that
commented option. May be that CentOS and Debian uses different ldap
library or different versions or there's another peculiarity ...

Anyway, when tls_require_cert = demand is set, cite:
--
With a setting of demand the certificate is requested and a valid
certificate must be provided, otherwise the session is immediately
terminated.
--

As that option doesn't provide any source, it is taken from
/etc/ldap/ldap.conf on Debian and if it's missing there, Dovecot client
times out on validating provided certificate with

imap-login: Error: Timeout waiting for handshake from auth server.
imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs)



Tomas


On 03/18/2017 02:22 PM, i...@gwarband.de wrote:

The serverlog of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 Minute before he says "TLS negotiation failure"
after the connect.
and dovecot says direct "Connect error"

I've also deleted the TLSCipherSuite from openldap.

Tobias

On 2017-03-18 14:01, Tomas Habarta wrote:

Increase log level on server side as well to see what the server
says...
You may remove anything in TLSCipherSuite for the purpose of testing
too.

Hopefully anyone knowing OpenLDAP internals could help you analyse it
more deeply.

Tomas

On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
I've replicated the settings from ldapsearch to dovecot but no success.

To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and
dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other site with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the sslhandshaking
between openldap and dovecot, but I can't find the source of the problem.

One of the steps in the sslhandshaking is not success but in the
debugging output I can't find any line with a hit to it.

Tobias

On 2017-03-18 12:30, Tomas Habarta wrote:
Well, if ldapsearch works, try to replicate its settings for dovecot
client.
It's not obvious what settings ldapsearch uses, have a look at default
client settings in /etc/openldap/ldap.conf, there may be something set a
slightly different way.
Also double check permissions for files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file as dovecot may not have an access
for reading...

I cannot see anything downright bad, just posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem but I consider it's the
same file.

Finally, I would recommend to enabl

Re: Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]

2017-03-20 Thread info
I have a new pcap from beginning to the end with openldap "TLS 
negoiation failed"


https://gwarband.de/openldap/tracefile.dump

The sourceports are 45376 and 45377

Tobias

On 2017-03-20 19:59, Aki Tuomi wrote:

Well, those actually *reduce* the possible algorithms that can be
used, so uncommenting those can make things worse.

Anyways, your pcap seems incomplete, can you try again?

Aki


On March 20, 2017 at 8:14 PM i...@gwarband.de wrote:


I have also tested with 2.2.28 and this version has the same issue.

The finding of compatible ciphers is not the problem because I have
uncommented the ldap entries:
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin  3.1

Maybe you have further ideas.

On 2017-03-20 17:42, Aki Tuomi wrote:

On March 20, 2017 at 5:28 PM i...@gwarband.de wrote:


Can somebody say something about this request?

This is an email from the openldap-technical mailinglist from
openldap.

System details are mentioned in the other email.

 Original message 
Subject: Re: Dovecot can't connect to openldap over starttls
Date: 2017-03-20 16:18
Sender: Dan White 
Recipient: i...@gwarband.de
Cc: openldap-techni...@openldap.org

On 03/20/17 16:06 +0100, i...@gwarband.de wrote:

Debug Dovecot's implementation of ldap_start_tls_s().
I don't have any idea how to set a higher debug level to dovecot. In
my opinion I have the highest. So I can't deliver a greater log.


I recommend consulting Dovecot's advice on how to run a debugger, or
dig into the code which calls libldap.


Hi!
I just ran a quick test, and following things are needed:

uris = ldap://ldap.host.com
tls = yes
tls_ca_cert_file = /path/to/cert-bundle.crt

this has been tested with 2.2.28, and works just fine. Not sure why
you are having issues.

Of course this could be anything between not finding compatible
ciphers to the LDAP server actually expecting client certificate, what
with the logs not actually being too verbose unfortunately. There
isn't too much to "debug" in Dovecot's TLS implementation, it's not
doing anything fancy asides from calling the ldap_start_tls_s.

I am not sure what debugging you could try further.

Aki


Re: Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]

2017-03-20 Thread info

I have also tested with 2.2.28 and this version has the same issue.

The finding of compatible ciphers is not the problem because I have 
uncommented the ldap entries:
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin  3.1

Maybe you have further ideas.

On 2017-03-20 17:42, Aki Tuomi wrote:

On March 20, 2017 at 5:28 PM i...@gwarband.de wrote:


Can somebody say something about this request?

This is an email from the openldap-technical mailinglist from 
openldap.

System details are mentioned in the other email.

 Original message 
Subject: Re: Dovecot can't connect to openldap over starttls
Date: 2017-03-20 16:18
Sender: Dan White 
Recipient: i...@gwarband.de
Cc: openldap-techni...@openldap.org

On 03/20/17 16:06 +0100, i...@gwarband.de wrote:

Debug Dovecot's implementation of ldap_start_tls_s().

I don't have any idea how to set a higher debug level to dovecot. In
my opinion I have the highest. So I can't deliver a greater log.


I recommend consulting Dovecot's advice on how to run a debugger, or
dig into the code which calls libldap.


Hi!
I just ran a quick test, and following things are needed:

uris = ldap://ldap.host.com
tls = yes
tls_ca_cert_file = /path/to/cert-bundle.crt

this has been tested with 2.2.28, and works just fine. Not sure why
you are having issues.

Of course this could be anything between not finding compatible
ciphers to the LDAP server actually expecting client certificate, what
with the logs not actually being too verbose unfortunately. There
isn't too much to "debug" in Dovecot's TLS implementation, it's not
doing anything fancy asides from calling the ldap_start_tls_s.

I am not sure what debugging you could try further.

Aki


Re: Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]

2017-03-20 Thread info

Can somebody say something about this request?

This is an email from the openldap-technical mailinglist from openldap.

System details are mentioned in the other email.

 Original message 
Subject: Re: Dovecot can't connect to openldap over starttls
Date: 2017-03-20 16:18
Sender: Dan White 
Recipient: i...@gwarband.de
Cc: openldap-techni...@openldap.org

On 03/20/17 16:06 +0100, i...@gwarband.de wrote:

Debug Dovecot's implementation of ldap_start_tls_s().
I don't have any idea how to set a higher debug level to dovecot. In 
my opinion I have the highest. So I can't deliver a greater log.


I recommend consulting Dovecot's advice on how to run a debugger, or 
dig into the code which calls libldap.


Re: Dovecot can't connect to openldap over starttls

2017-03-20 Thread info

I've tested your solution, but it also says the same error.
I've tested all combinations of:
   - tls_ca_cert_file = 
   - tls = yes
   - tls_require_cert = demand

Every time it says "Connection error".
Only when tls is uncommented it says "TLS required".

Additional information from my contact with the openldap-technical 
mailing list:

The ldapsearch under the user dovecot with -ZZ works fine.
And they mention that the ldap.conf and dovecot-ldap.conf should have 
no differences, that is correct no differences.

Here is a link to the ldap.conf
https://gwarband.de/openldap/ldap.conf
And the output of ldapsearch under dovecot:
https://gwarband.de/openldap/ldapsearch-dovecot.log

Tobias

On 2017-03-20 11:00, Tomas Habarta wrote:
I've finally managed that running on Debian 8 test machine by commenting
tls_ca_cert_file =
option from dovecot-ldap.conf, so only
tls = yes
tls_require_cert = demand

Not sure why is that as on my CentOS6 Dovecot works even with that
commented option. May be that CentOS and Debian uses different ldap
library or different versions or there's another peculiarity ...

Anyway, when tls_require_cert = demand is set, cite:
--
With a setting of demand the certificate is requested and a valid
certificate must be provided, otherwise the session is immediately
terminated.
--

As that option doesn't provide any source, it is taken from
/etc/ldap/ldap.conf on Debian and if it's missing there, Dovecot client
times out on validating provided certificate with

imap-login: Error: Timeout waiting for handshake from auth server.
imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs)



Tomas


On 03/18/2017 02:22 PM, i...@gwarband.de wrote:

The serverlog of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 Minute before he says "TLS negotiation failure"
after the connect.
and dovecot says direct "Connect error"

I've also deleted the TLSCipherSuite from openldap.

Tobias

On 2017-03-18 14:01, Tomas Habarta wrote:
Increase log level on server side as well to see what the server 
says...
You may remove anything in TLSCipherSuite for the purpose of testing 
too.

Hopefully anyone knowing OpenLDAP internals could help you analyse it
more deeply.

Tomas

On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
I've replicated the settings from ldapsearch to dovecot but no success.

To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and
dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other site with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the sslhandshaking
between openldap and dovecot, but I can't find the source of the problem.

One of the steps in the sslhandshaking is not success but in the
debugging output I can't find any line with a hit to it.

Tobias

On 2017-03-18 12:30, Tomas Habarta wrote:
Well, if ldapsearch works, try to replicate its settings for dovecot
client.
It's not obvious what settings ldapsearch uses, have a look at default
client settings in /etc/openldap/ldap.conf, there may be something set a
slightly different way.
Also double check permissions for files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file as dovecot may not have an access
for reading...

I cannot see anything downright bad, just posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem but I consider it's the
same file.

Finally, I would recommend to enable debug option for dovecot's client
debug_level = -1 (which logs all available) in your dovecot-ldap.conf
to see what the library reports and work further on that.
You can compare with output from ldapsearch by adding -d-1 switch to
it.

Hard to tell more at the moment.


Tomas

On 03/18/2017 09:41 AM, i...@gwarband.de wrote:

Hello,

I have also installed LE certs.
But nothing helps, I have double-checking all certs.

ldapsearch with -ZZ works see:
https://gwarband.de/openldap/ldapsearch.log

I have also uploaded the TLSCACertificateFile, maybe I have a
failure in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf

All other components can work and communicate with my openldap server.
The components are postfix, openxchange, apache (phpldapadmin).

My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13

I hope you can find the issue.

Thanks,
Tobias

On 2017-03-17 22:48, Tomas Habarta wrote:

Hi,

been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
unix socket on the same machine, but tried over inet with STARTTLS and
it's working ok...

I would suggest double-checking key/certs setup o

Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread info

The serverlog of openldap with loglevel "any":
https://gwarband.de/openldap/openldap-connect.log
Note: openldap waits 1 Minute before he says "TLS negotiation failure" 
after the connect.
and dovecot says direct "Connect error"

I've also deleted the TLSCipherSuite from openldap.

Tobias

On 2017-03-18 14:01, Tomas Habarta wrote:
Increase log level on server side as well to see what the server 
says...
You may remove anything in TLSCipherSuite for the purpose of testing 
too.

Hopefully anyone knowing OpenLDAP internals could help you analyse it
more deeply.

Tomas

On 03/18/2017 01:31 PM, i...@gwarband.de wrote:
I've replicated the settings from ldapsearch to dovecot but no success.

To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and
dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other site with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the sslhandshaking
between openldap and dovecot, but I can't find the source of the problem.

One of the steps in the sslhandshaking is not success but in the
debugging output I can't find any line with a hit to it.

Tobias

On 2017-03-18 12:30, Tomas Habarta wrote:

Well, if ldapsearch works, try to replicate its settings for dovecot
client.
It's not obvious what settings ldapsearch uses, have a look at default
client settings in /etc/openldap/ldap.conf, there may be something set a
slightly different way.
Also double check permissions for files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file as dovecot may not have an access
for reading...

I cannot see anything downright bad, just posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem but I consider it's the
same file.

Finally, I would recommend to enable debug option for dovecot's client
debug_level = -1 (which logs all available) in your dovecot-ldap.conf
to see what the library reports and work further on that.
You can compare with output from ldapsearch by adding -d-1 switch to
it.


Hard to tell more at the moment.


Tomas

On 03/18/2017 09:41 AM, i...@gwarband.de wrote:

Hello,

I have also installed LE certs.
But nothing helps, I have double-checking all certs.

ldapsearch with -ZZ works see:
https://gwarband.de/openldap/ldapsearch.log

I have also uploaded the TLSCACertificateFile, maybe I have a
failure in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf

All other components can work and communicate with my openldap server.
The components are postfix, openxchange, apache (phpldapadmin).

My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13

I hope you can find the issue.

Thanks,
Tobias

On 2017-03-17 22:48, Tomas Habarta wrote:

Hi,

been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
unix socket on the same machine, but tried over inet with STARTTLS and
it's working ok...

I would suggest double-checking key/certs setup on OpenLDAP side; for
the test I have used LE certs, utilizing following cn=config
attributes:

olcTLSCertificateKeyFile    contains private key
olcTLSCertificateFile       contains certificate
olcTLSCACertificateFile     contains both certs (DST Root CA X3
                            and Let's Encrypt Authority X3)

and used the same CA file in Dovecot's tls_ca_cert_file

Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?




Hope that helps, good luck ;)
Tomas


On 03/17/2017 04:27 PM, i...@gwarband.de wrote:

Hello guys,

actually I'm trying to configure dovecot to access openldap for
passwordcheck.
My openldap only allows access over "secure ldap".
The dovecot can communicate with the openldap server but there is maybe
a failure in the sslhandshake.
Additional information you can find in the logs or in the dump below.
Also I have my ldap config from dovecot in the links below.

I have already created a bug report in the system of openldap but
the answer was to get support from her.

All datalinks:
https://gwarband.de/openldap/dovecot.log
https://gwarband.de/openldap/dovecot-ldap.conf
https://gwarband.de/openldap/openldap.log
https://gwarband.de/openldap/trace.dump

The bugreportinglink from openldap:
http://www.openldap.org/its/index.cgi/Incoming?id=8615

I hope you can help me.

Regards.
Tobias Warband


Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread info

I've replicated the settings from ldapsearch to dovecot but no success.
To the certificate:
Yes it's a *.crt file but I have linked the *.pem file to it and
dovecot has read access to that file.

I have enabled the debugging in dovecot and have uploaded the output:
https://gwarband.de/openldap/dovecot-connect.log

And the other site with ldapsearch:
https://gwarband.de/openldap/ldapsearch-connect.log

I'm pretty sure that there is a problem with the sslhandshaking between
openldap and dovecot, but I can't find the source of the problem.

One of the steps in the sslhandshaking is not successful but in the
debugging output I can't find any line with a hit to it.


Tobias

Am 2017-03-18 12:30, schrieb Tomas Habarta:
Well, if ldapsearch works, try to replicate its settings for dovecot
client.
It's not obvious what settings ldapsearch uses, have a look at default
client settings in /etc/openldap/ldap.conf, there may be something set a
slightly different way.
Also double check permissions for files used by dovecot, I mean mainly
the file listed for tls_ca_cert_file as dovecot may not have an access
for reading...

I cannot see anything downright bad, just posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem but I consider it's the
same file.

Finally, I would recommend to enable debug option for dovecot's client
debug_level = -1 (which logs all available) in your dovecot-ldap.conf
to see what the library reports and work further on that.
You can compare with output from ldapsearch by adding -d-1 switch to it.

Hard to tell more at the moment.


Tomas

On 03/18/2017 09:41 AM, i...@gwarband.de wrote:

Hello,

I have also installed LE certs.
But nothing helps, I have double-checked all certs.

ldapsearch with -ZZ works see:
https://gwarband.de/openldap/ldapsearch.log

I have also uploaded the TLSCACertificateFile, maybe I have a failure in
the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf

All other components can work and communicate with my openldap server.
The components are postfix, openxchange, apache (phpldapadmin).

My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13

I hope you can find the issue.

Thanks,
Tobias

Am 2017-03-17 22:48, schrieb Tomas Habarta:

Hi,

been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
unix socket on the same machine, but tried over inet with STARTTLS and
it's working ok...

I would suggest double-checking key/certs setup on OpenLDAP side; for
the test I have used LE certs, utilizing following cn=config
attributes:

olcTLSCertificateKeyFile  contains private key
olcTLSCertificateFile     contains certificate
olcTLSCACertificateFile   contains both certs (DST Root CA X3
                          and Let's Encrypt Authority X3)

and used the same CA file in Dovecot's tls_ca_cert_file

Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?




Hope that helps, good luck ;)
Tomas


On 03/17/2017 04:27 PM, i...@gwarband.de wrote:

Hello guys,

actually I'm trying to configure dovecot to access openldap for
passwordcheck.
My openldap only allows access over "secure ldap".
The dovecot can communicate with the openldap server but there is maybe
a failure in the sslhandshake.
Additional information you can find in the logs or in the dump below.
Also I have my ldap config from dovecot in the links below.

I have already created a bug report in the system of openldap but
the answer was to get support from her.

All datalinks:
https://gwarband.de/openldap/dovecot.log
https://gwarband.de/openldap/dovecot-ldap.conf
https://gwarband.de/openldap/openldap.log
https://gwarband.de/openldap/trace.dump

The bugreportinglink from openldap:
http://www.openldap.org/its/index.cgi/Incoming?id=8615

I hope you can help me.

Regards.
Tobias Warband


Re: Dovecot can't connect to openldap over starttls

2017-03-18 Thread info

Hello,

I have also installed LE certs.
But nothing helps, I have double-checked all certs.

ldapsearch with -ZZ works see:
https://gwarband.de/openldap/ldapsearch.log

I have also uploaded the TLSCACertificateFile, maybe I have a failure
in the merge of the two files:
https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:
https://gwarband.de/openldap/openldap.conf

All other components can work and communicate with my openldap server.
The components are postfix, openxchange, apache (phpldapadmin).

My installed software is:
Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13

I hope you can find the issue.

Thanks,
Tobias

Am 2017-03-17 22:48, schrieb Tomas Habarta:

Hi,

been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over the
unix socket on the same machine, but tried over inet with STARTTLS and
it's working ok...

I would suggest double-checking key/certs setup on OpenLDAP side; for
the test I have used LE certs, utilizing following cn=config
attributes:

olcTLSCertificateKeyFile  contains private key
olcTLSCertificateFile     contains certificate
olcTLSCACertificateFile   contains both certs (DST Root CA X3
                          and Let's Encrypt Authority X3)

and used the same CA file in Dovecot's tls_ca_cert_file

Is ldapsearch working ok (-ZZ) and only Dovecot has troubles or ... ?



Hope that helps, good luck ;)
Tomas


On 03/17/2017 04:27 PM, i...@gwarband.de wrote:

Hello guys,

actually I'm trying to configure dovecot to access openldap for
passwordcheck.
My openldap only allows access over "secure ldap".
The dovecot can communicate with the openldap server but there is maybe
a failure in the sslhandshake.
Additional information you can find in the logs or in the dump below.
Also I have my ldap config from dovecot in the links below.

I have already created a bug report in the system of openldap but
the answer was to get support from her.

All datalinks:
https://gwarband.de/openldap/dovecot.log
https://gwarband.de/openldap/dovecot-ldap.conf
https://gwarband.de/openldap/openldap.log
https://gwarband.de/openldap/trace.dump

The bugreportinglink from openldap:
http://www.openldap.org/its/index.cgi/Incoming?id=8615

I hope you can help me.

Regards.
Tobias Warband


Dovecot can't connect to openldap over starttls

2017-03-17 Thread info

Hello guys,

actually I'm trying to configure dovecot to access openldap for
passwordcheck.
My openldap only allows access over "secure ldap".
The dovecot can communicate with the openldap server but there is maybe
a failure in the sslhandshake.
Additional information you can find in the logs or in the dump below.
Also I have my ldap config from dovecot in the links below.

I have already created a bug report in the system of openldap but
the answer was to get support from her.


All datalinks:
https://gwarband.de/openldap/dovecot.log
https://gwarband.de/openldap/dovecot-ldap.conf
https://gwarband.de/openldap/openldap.log
https://gwarband.de/openldap/trace.dump

The bugreportinglink from openldap:
http://www.openldap.org/its/index.cgi/Incoming?id=8615

I hope you can help me.

Regards.
Tobias Warband


Misleading error message when case-insensitive file/dir names from config files clash with case-sensitive file system.

2014-09-02 Thread Info Akra
Hi,

Is it noted somewhere that Dovecot (v 2.0.9) doesn’t use case in directory 
names in its config-files?
I found that out the hard way (i.e. a week of debugging)!!

in /etc/dovecot/conf.d/10-master.conf, the line:
  unix_listener /var/spool/postOut/auth/dovecot-auth {
creates a:
Jul 29 22:15:58 server dovecot: master: Error: service(auth): 
unlink(/var/run/dovecot/) failed: Is a directory

but
  unix_listener /var/spool/postout/auth/dovecot-auth {
works just fine (with matching case changes on the directory names themselves).

That’s running on Ubuntu 12.04.4 LTS, standard installation from apt-get, in
cooperation with Postfix 2.0.9.

  — Hugo


Re: [Dovecot] Integrating with Drupal SQL db

2013-03-12 Thread info
On Tue, 12 Mar 2013 09:41:42 -0500, "l...@airstreamcomm.net"
 wrote:
> On 3/11/13 10:54 PM, i...@stos.se wrote:
>> Hi again,
>>
>> this is what I've found regarding how Drupal 7 hashes.
>>
>> $hash = md5($salt . $password, TRUE);
>> do {
>>  $hash = md5($hash . $password, TRUE);
>> } while (--$count);
>>
>>
>> The whole final hash value is encoded into 16 base64 characters and
>> prepended by an identifying string, the standard phpass MD5 mode uses $P$
>> (Drupal’s modified version uses $S$ to indicate SHA-512) and a single
>> base64 character to indicate the number of MD5 iterations used. Examples
>> of a hashed password are:
>>
>> # Drupal 7 hash
>> $S$CgwilRJS4VIF1.2y0R7B4qkXJ8F8SJPcuvXRKGlMWESVXMST.5n4
>>
>> WordPress 3.0.4 uses the phpass default of 8193 iterations ($count being
>> 8192) and Drupal 7 uses 16385 — notice that the Drupal password has C
>> after the identifier whereas WordPress has B, converted from crypt style
>> base64 (character set [./0-9A-Za-z]) these are 14 and 13 respectively,
>> then take 2^14 + 1 = 16385. A John the Ripper benchmark, after patching
>> and enabling the usage of phpass portable passwords (WordPress style,
>> 8193 iterations), quotes approximately 700 passwords checked per second.
>>
>> Can I use this information to make Dovecot understand how to interpret
>> the hash?
>>
>> Thanks!
>>
>> Regards
>> Tobias
>>
>> On Mon, 11 Mar 2013 14:00:22 -0500, "l...@airstreamcomm.net"
>>  wrote:
>>> On 3/11/13 11:57 AM, i...@stos.se wrote:
 Hi

 I'm trying to get Dovecot to use Drupal users password for
>> authenticating
 IMAP users. But I just cant figure out how to make Dovecot understand
>> the
 password hash type that Drupal 7 is using.

 My example user with password Teacher1 looks like this in Drupal
 database:
 $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU

 Dovecot retrieves this hash but complains that its not a recognized
 hash
 type, or that the hash is wrong, depending on if I change the default
 hash
 type in Dovecot config.

 Any help appreciated.


 root@SSiS:/etc/postfix# dovecot --version
 1.2.15
 root@SSiS:/etc/postfix# dovecot -n
 # 1.2.15: /etc/dovecot/dovecot.conf
 # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
 log_timestamp: %Y-%m-%d %H:%M:%S
 login_dir: /var/run/dovecot/login
 login_executable: /usr/lib/dovecot/imap-login
 mail_privileged_group: mail
 mail_location: maildir:/home/vmail/
 mbox_write_locks: fcntl dotlock
 auth default:
 verbose: yes
 debug: yes
 debug_passwords: yes
 passdb:
   driver: pam
 passdb:
   driver: sql
   args: /etc/dovecot/dovecot-sql.conf
 userdb:
   driver: passwd
 root@SSiS:/etc/postfix#
 root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$'
 /etc/dovecot/dovecot-sql.conf
 driver = mysql
 connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
 default_pass_scheme = CRYPT
 password_query = SELECT name AS user, pass AS password FROM users
WHERE
 name='%n'
 user_query = SELECT

CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/')
 AS
 mail FROM users WHERE name='%n'
 root@SSiS:/etc/postfix# tail /var/log/mail.log
 Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection:
 pid=8593
 Mar 11 16:17:51 SSiS dovecot: auth(default): client in:

>>
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
 Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
 pam(Teacher1,127.0.0.1): lookup service=dovecot
 Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
 pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
 Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
 pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication
 failure
 (password mismatch?) (given password: Teacher1)
 Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
 sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password
 FROM
 users WHERE name='Teacher1'
 Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
 sql(Teacher1,127.0.0.1): Password mismatch
 Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> md5_verify(Teacher1):
 Not a valid MD5-CRYPT or PLAIN-MD5 password
 Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data
in
 passdb
 Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data
in
 passdb
 Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
 sql(Teacher1,127.0.0.1): CRYPT(Teacher1) !=
 '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
 Mar 11 16:17:56 SSiS dovecot: auth(default): client out:
 FAIL#0111#011user=Teacher1
 Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many
 inv

Re: [Dovecot] Integrating with Drupal SQL db

2013-03-11 Thread info
Hi again,

this is what I've found regarding how Drupal 7 hashes.

$hash = md5($salt . $password, TRUE);
do {
$hash = md5($hash . $password, TRUE);
} while (--$count);


The whole final hash value is encoded into 16 base64 characters and
prepended by an identifying string, the standard phpass MD5 mode uses $P$
(Drupal’s modified version uses $S$ to indicate SHA-512) and a single
base64 character to indicate the number of MD5 iterations used. Examples of
a hashed password are:

# Drupal 7 hash
$S$CgwilRJS4VIF1.2y0R7B4qkXJ8F8SJPcuvXRKGlMWESVXMST.5n4

WordPress 3.0.4 uses the phpass default of 8193 iterations ($count being
8192) and Drupal 7 uses 16385 — notice that the Drupal password has C
after the identifier whereas WordPress has B, converted from crypt style
base64 (character set [./0-9A-Za-z]) these are 14 and 13 respectively, then
take 2^14 + 1 = 16385. A John the Ripper benchmark, after patching and
enabling the usage of phpass portable passwords (WordPress style, 8193
iterations), quotes approximately 700 passwords checked per second.

Can I use this information to make Dovecot understand how to interpret the
hash?

Thanks!

Regards
Tobias

On Mon, 11 Mar 2013 14:00:22 -0500, "l...@airstreamcomm.net"
 wrote:
> On 3/11/13 11:57 AM, i...@stos.se wrote:
>> Hi
>>
>> I'm trying to get Dovecot to use Drupal users password for
>> authenticating IMAP users. But I just can't figure out how to make
>> Dovecot understand the password hash type that Drupal 7 is using.
>>
>> My example user with password Teacher1 looks like this in Drupal
>> database:
>> $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
>>
>> Dovecot retrieves this hash but complains that it's not a recognized
>> hash type, or that the hash is wrong, depending on if I change the
>> default hash type in Dovecot config.
>>
>> Any help appreciated.
>>
>>
>> root@SSiS:/etc/postfix# dovecot --version
>> 1.2.15
>> root@SSiS:/etc/postfix# dovecot -n
>> # 1.2.15: /etc/dovecot/dovecot.conf
>> # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
>> log_timestamp: %Y-%m-%d %H:%M:%S
>> login_dir: /var/run/dovecot/login
>> login_executable: /usr/lib/dovecot/imap-login
>> mail_privileged_group: mail
>> mail_location: maildir:/home/vmail/
>> mbox_write_locks: fcntl dotlock
>> auth default:
>>verbose: yes
>>debug: yes
>>debug_passwords: yes
>>passdb:
>>  driver: pam
>>passdb:
>>  driver: sql
>>  args: /etc/dovecot/dovecot-sql.conf
>>userdb:
>>  driver: passwd
>> root@SSiS:/etc/postfix#
>> root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$'
>> /etc/dovecot/dovecot-sql.conf
>> driver = mysql
>> connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
>> default_pass_scheme = CRYPT
>> password_query = SELECT name AS user, pass AS password FROM users WHERE
>> name='%n'
>> user_query = SELECT
>> CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/')
>> AS
>> mail FROM users WHERE name='%n'
>> root@SSiS:/etc/postfix# tail /var/log/mail.log
>> Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection:
>> pid=8593
>> Mar 11 16:17:51 SSiS dovecot: auth(default): client in:
>>
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
>> Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
>> pam(Teacher1,127.0.0.1): lookup service=dovecot
>> Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
>> pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication
>> failure
>> (password mismatch?) (given password: Teacher1)
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password
>> FROM
>> users WHERE name='Teacher1'
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> sql(Teacher1,127.0.0.1): Password mismatch
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
md5_verify(Teacher1):
>> Not a valid MD5-CRYPT or PLAIN-MD5 password
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in
>> passdb
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in
>> passdb
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> sql(Teacher1,127.0.0.1): CRYPT(Teacher1) !=
>> '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
>> Mar 11 16:17:56 SSiS dovecot: auth(default): client out:
>> FAIL#0111#011user=Teacher1
>> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid
>> commands (auth failed, 1 attempts): user=, method=PLAIN,
>> rip=127.0.0.1, lip=127.0.0.1, secured
>> Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection:
>> pid=9075
>> Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid
>> commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
>> root@SSiS:/etc/postfix#
>>
>>
> As far as I understand Drupal uses salted passwords, so
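
As an added illustration (not code from this thread, from Drupal or from Dovecot): a Python verifier for Drupal 7 `$S$` hashes, using the loop quoted above with SHA-512 in place of MD5. The 8-character salt, the truncation to 55 characters and the log2 bounds of 7 to 30 are assumptions taken from how Drupal 7's scheme is generally documented; confirm them against your own installation.

```python
import hashlib
import hmac

# crypt-style base64 alphabet named in the thread: [./0-9A-Za-z]
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # assumption: stored hashes are cut to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # assumption: accepted range of the count char
MAX_PASSWORD_BYTES = 512    # assumption: longer inputs are refused


def _phpass_b64(data: bytes) -> str:
    """phpass-style base64: little-endian groups of 3 bytes, 6 bits a char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        # n input bytes yield n + 1 output characters
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def drupal7_iterations(stored: str) -> int:
    """Loop count encoded by the character after '$S$' (2 ** index)."""
    if len(stored) < 12 or not stored.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration character out of range")
    return 1 << log2


def drupal7_hash(password: str, setting: str) -> str:
    """Hash `password` with the count and salt taken from `setting`.

    `setting` is '$S$' + count char + 8-char salt; a full stored hash
    may be passed, only its first 12 characters are used.
    """
    count = drupal7_iterations(setting)
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    salt = setting[4:12].encode("utf-8")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(count):          # the do/while loop quoted in the thread
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _phpass_b64(digest))[:HASH_LENGTH]


def drupal7_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    try:
        computed = drupal7_hash(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    # Hash and password as posted in the thread.
    posted = "$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU"
    print("iterations:", drupal7_iterations(posted))
    print("verifies:", drupal7_verify("Teacher1", posted))
```

A verifier like this can sit behind an external password check such as Dovecot's checkpassword passdb, so the Drupal `users` table stays the single source of credentials.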

Re: [Dovecot] Integrating with Drupal SQL db

2013-03-11 Thread info
Hi!

I don't know if that's related. The specific error message in the log is that
the hash is not a valid one.

Regards
Tobias

On Mon, 11 Mar 2013 20:38:39 +0100, Andreas Meyer  wrote:
> Hello!
> 
> I took the thread back to the list.
> 
> Tobias Rådenholt   wrote:
> 
>> I think it is ssha512 hashing.  It's not stos.se that's affected. It's 
>> swedishschoolinsydney.org.au 
> 
> Just found this:
> capabilities are 'IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>  STARTTLS LOGINDISABLED' meaning you can log in via STARTTLS but not via
> plaintext authentication.
> 
> Does it have something to do with your problem?
> 
>> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid
>> commands (auth failed, 1 attempts): user=, method=PLAIN,
>> rip=127.0.0.1, lip=127.0.0.1, secured
> 
>> Thanks! 
>> /Tobias 
> 
>   Andreas
> 
> 
>>  wrote:
>> 
>> > Hi
>> > 
>> > I'm trying to get Dovecot to use Drupal users password for
>> > authenticating
>> > IMAP users. But I just cant figure out how to make Dovecot understand
>> > the
>> > password hash type that Drupal 7 is using.
>> > 
>> > My example user with password Teacher1 looks like this in Drupal
>> > database:
>> > $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
>> 
>> This is not CRAM-MD5, is it?
>> 
>> > Dovecot retrieves this hash but complains that its not a recognized
>> > hash
>> > type, or that the hash is wrong, depending on if I change the default
>> > hash
>> > type in Dovecot config.
>> > 
>> > Any help appreciated.
>> 
>> This is what I get connecting to your server:
>> Connected to stos.se.
>> Escape character is '^]'.
>> * OK [CAPABILITY IMAP4REV1 NAMESPACE ID AUTH=PLAIN AUTH=LOGIN UIDPLUS
>> STARTTLS ACL METADATA] Debian-60-squeeze-64-minimal IMAP4rev1 Citadel
>> 7.83 ready
>> 
>> This is what I get connecting to mine:
>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
>> IDLE STARTTLS AUTH=PLAIN AUTH=CRAM-MD5] Dovecot ready.
>> 
>> I see no AUTH=CRAM-MD5 in capabilites of your server.
>> 
>>   Andreas


Re: [Dovecot] Integrating with Drupal SQL db

2013-03-11 Thread info
Do you have any clue on how to rewrite Dovecot to support Drupal 7 hashes?
I have a feeling this is going to be over my head.

Regards
Tobias

On Mon, 11 Mar 2013 20:40:16 -0400, Patrick Domack wrote:
> The issue is, drupal uses a custom password format.
> 
> You could rewrite the password hashes that drupal uses, into a normal
> crypt ssha256 version, that dovecot will understand, but it will
> probably be much easier, to just program it into dovecot to
> support it.
> 
> http://joncave.co.uk/2011/01/password-storage-in-drupal-and-wordpress/
> 
> 
> Quoting i...@stos.se:
> 
>> Hi
>>
>> I'm trying to get Dovecot to use Drupal users password for
>> authenticating IMAP users. But I just can't figure out how to make
>> Dovecot understand the password hash type that Drupal 7 is using.
>>
>> My example user with password Teacher1 looks like this in Drupal
>> database:
>> $S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU
>>
>> Dovecot retrieves this hash but complains that it's not a recognized
>> hash type, or that the hash is wrong, depending on if I change the
>> default hash type in Dovecot config.
>>
>> Any help appreciated.
>>
>>
>> root@SSiS:/etc/postfix# dovecot --version
>> 1.2.15
>> root@SSiS:/etc/postfix# dovecot -n
>> # 1.2.15: /etc/dovecot/dovecot.conf
>> # OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
>> log_timestamp: %Y-%m-%d %H:%M:%S
>> login_dir: /var/run/dovecot/login
>> login_executable: /usr/lib/dovecot/imap-login
>> mail_privileged_group: mail
>> mail_location: maildir:/home/vmail/
>> mbox_write_locks: fcntl dotlock
>> auth default:
>>   verbose: yes
>>   debug: yes
>>   debug_passwords: yes
>>   passdb:
>> driver: pam
>>   passdb:
>> driver: sql
>> args: /etc/dovecot/dovecot-sql.conf
>>   userdb:
>> driver: passwd
>> root@SSiS:/etc/postfix#
>> root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$'
>> /etc/dovecot/dovecot-sql.conf
>> driver = mysql
>> connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
>> default_pass_scheme = CRYPT
>> password_query = SELECT name AS user, pass AS password FROM users WHERE
>> name='%n'
>> user_query = SELECT
>> CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/')
>> AS
>> mail FROM users WHERE name='%n'
>> root@SSiS:/etc/postfix# tail /var/log/mail.log
>> Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection:
>> pid=8593
>> Mar 11 16:17:51 SSiS dovecot: auth(default): client in:
>>
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
>> Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
>> pam(Teacher1,127.0.0.1): lookup service=dovecot
>> Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
>> pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication
>> failure
>> (password mismatch?) (given password: Teacher1)
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password
>> FROM
>> users WHERE name='Teacher1'
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> sql(Teacher1,127.0.0.1): Password mismatch
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
md5_verify(Teacher1):
>> Not a valid MD5-CRYPT or PLAIN-MD5 password
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in
>> passdb
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in
>> passdb
>> Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
>> sql(Teacher1,127.0.0.1): CRYPT(Teacher1) !=
>> '$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
>> Mar 11 16:17:56 SSiS dovecot: auth(default): client out:
>> FAIL#0111#011user=Teacher1
>> Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid
>> commands (auth failed, 1 attempts): user=, method=PLAIN,
>> rip=127.0.0.1, lip=127.0.0.1, secured
>> Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection:
>> pid=9075
>> Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid
>> commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
>> root@SSiS:/etc/postfix#


[Dovecot] Integrating with Drupal SQL db

2013-03-11 Thread info
Hi

I'm trying to get Dovecot to use Drupal users password for authenticating
IMAP users. But I just can't figure out how to make Dovecot understand the
password hash type that Drupal 7 is using.

My example user with password Teacher1 looks like this in Drupal database:
$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU

Dovecot retrieves this hash but complains that it's not a recognized hash
type, or that the hash is wrong, depending on if I change the default hash
type in Dovecot config.

Any help appreciated.


root@SSiS:/etc/postfix# dovecot --version
1.2.15
root@SSiS:/etc/postfix# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-12-pve i686 Debian 6.0.7 simfs
log_timestamp: %Y-%m-%d %H:%M:%S
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:/home/vmail/
mbox_write_locks: fcntl dotlock
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: pam
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-sql.conf
  userdb:
    driver: passwd
root@SSiS:/etc/postfix#
root@SSiS:/etc/postfix# grep -v '^ *\(#.*\)\?$'
/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=127.0.0.1 dbname=Drupal user=Dru_Adm password=localu
default_pass_scheme = CRYPT
password_query = SELECT name AS user, pass AS password FROM users WHERE
name='%n'
user_query = SELECT
CONCAT(SUBSTRING_INDEX(mail,'@',-1),'/',SUBSTRING_INDEX(mail,'@',1),'/') AS
mail FROM users WHERE name='%n'
root@SSiS:/etc/postfix# tail /var/log/mail.log
Mar 11 16:17:42 SSiS dovecot: auth(default): new auth connection: pid=8593
Mar 11 16:17:51 SSiS dovecot: auth(default): client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=52316#011resp=AFRlYWNoZXIxAFRlYWNoZXIx
Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
pam(Teacher1,127.0.0.1): lookup service=dovecot
Mar 11 16:17:51 SSiS dovecot: auth-worker(default):
pam(Teacher1,127.0.0.1): #1/1 style=1 msg=Password:
Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
pam(Teacher1,127.0.0.1): pam_authenticate() failed: Authentication failure
(password mismatch?) (given password: Teacher1)
Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
sql(Teacher1,127.0.0.1): query: SELECT name AS user, pass AS password FROM
users WHERE name='Teacher1'
Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
sql(Teacher1,127.0.0.1): Password mismatch
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): md5_verify(Teacher1):
Not a valid MD5-CRYPT or PLAIN-MD5 password
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in
passdb
Mar 11 16:17:54 SSiS dovecot: auth-worker(default): Invalid OTP data in
passdb
Mar 11 16:17:54 SSiS dovecot: auth-worker(default):
sql(Teacher1,127.0.0.1): CRYPT(Teacher1) !=
'$S$DZwJa.U8HXT2PvTmwCK13rGEYEvnx5DB6/hlqnfCBum4s4U7MVWU'
Mar 11 16:17:56 SSiS dovecot: auth(default): client out:
FAIL#0111#011user=Teacher1
Mar 11 16:18:01 SSiS dovecot: imap-login: Disconnected: Too many invalid
commands (auth failed, 1 attempts): user=, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, secured
Mar 11 16:32:36 SSiS dovecot: auth(default): new auth connection: pid=9075
Mar 11 16:32:41 SSiS dovecot: imap-login: Disconnected: Too many invalid
commands (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
root@SSiS:/etc/postfix#



Re: [Dovecot] sieve multi-line parser bug

2008-10-10 Thread info


I'm sorry it is my mistake

I forgot to add a "stop". There was another rule at the bottom of my script:

if allof (header :contains "X-Spam-Flag" "YES") {
 fileinto "Junk";
}

which overruled the first

I apologize for taking your time.

Sincerely,
Dennis




-


"Cotiatododia" (with upper case C) is in the first line but
"cotiatododia" (lower case) is only on the second one.

My rule is case sensitive (as far as I know):

if anyof (header :contains ["From", "Reply-To", "To", "Cc"]
["cotiatododia", "ganhedinheiro.com", "1000deaths.com", "ione.correia",
"nsbezerra", "estudenoexterior.com", "[EMAIL PROTECTED]",
"[EMAIL PROTECTED]", "[EMAIL PROTECTED]",
"[EMAIL PROTECTED]", "[EMAIL PROTECTED]"], header :contains
"Subject" "E ai!, Essa voce Tem que Ver!") {
discard;
}

I'm using version 1.1.3

Best Regards,
Dennis



Timo Sirainen wrote:

On Wed, 2008-10-08 at 07:29 -0300, info wrote:
  

Hello Timo,

Thanks for the reply

It was accidentally split when sending the mail. The actual lines are  
only 2:


1) From: 
"=?iso-8859-1?Q?Cotiatododia=20-=20O=20Jornal=20de=20Not=EDcias=20a=20Se?=



OK, Cotiatododia is already in the first line, so the problem isn't
about reading multi-line. What Dovecot version do you use?

  





Re: [Dovecot] sieve multi-line parser bug

2008-10-10 Thread info


"Cotiatododia" (with upper case C) is in the first line but 
"cotiatododia" (lower case) is only on the second one.


My rule is case sensitive (as far as I know):

if anyof (header :contains ["From", "Reply-To", "To", "Cc"]
["cotiatododia", "ganhedinheiro.com", "1000deaths.com", "ione.correia",
"nsbezerra", "estudenoexterior.com", "[EMAIL PROTECTED]",
"[EMAIL PROTECTED]", "[EMAIL PROTECTED]",
"[EMAIL PROTECTED]", "[EMAIL PROTECTED]"], header :contains
"Subject" "E ai!, Essa voce Tem que Ver!") {
   discard;
}

I'm using version 1.1.3

Best Regards,
Dennis



Timo Sirainen wrote:

On Wed, 2008-10-08 at 07:29 -0300, info wrote:
  

Hello Timo,

Thanks for the reply

It was accidentally split when sending the mail. The actual lines are  
only 2:


1) From: 
"=?iso-8859-1?Q?Cotiatododia=20-=20O=20Jornal=20de=20Not=EDcias=20a=20Se?=



OK, Cotiatododia is already in the first line, so the problem isn't
about reading multi-line. What Dovecot version do you use?

  




Re: [Dovecot] sieve multi-line parser bug

2008-10-08 Thread info

Hello Timo,

Thanks for the reply

It was accidentally split when sending the mail. The actual lines are  
only 2:


1) From: 
"=?iso-8859-1?Q?Cotiatododia=20-=20O=20Jornal=20de=20Not=EDcias=20a=20Se?=
2)=?iso-8859-1?Q?rvi=E7o=20de=20Cotia=20e=20Regi=E3o=2E?=" 
<[EMAIL PROTECTED]>


(also attached)


Timo Sirainen wrote:

On Tue, 2008-10-07 at 14:38 -0300, info wrote:

  

When a message header is split along several lines, it seems only the
first one is parsed by sieve.

The following header:

From:
"=?iso-8859-1?Q?Cotiatododia=20-=20O=20Jornal=20de=20Not=EDcias=20a=20Se?=
=?iso-8859-1?Q?rvi=E7o=20de=20Cotia=20e=20Regi=E3o=2E?="
<[EMAIL PROTECTED]>



Is that really correct? Was there no space or tab before the "=?iso.. ?
Or was the line just accidentally split when sending the mail? If the
above really is correct, then the header is broken and Dovecot is doing
the right thing..

  


From: "=?iso-8859-1?Q?Cotiatododia=20-=20O=20Jornal=20de=20Not=EDcias=20a=20Se?=
=?iso-8859-1?Q?rvi=E7o=20de=20Cotia=20e=20Regi=E3o=2E?=" <[EMAIL PROTECTED]>


[Dovecot] sieve multi-line parser bug

2008-10-07 Thread info


Dear sirs

Thank you and congratulations for creating Dovecot.

When a message header is split along several lines, it seems only the
first one is parsed by sieve.

The following header:

From:
"=?iso-8859-1?Q?Cotiatododia=20-=20O=20Jornal=20de=20Not=EDcias=20a=20Se?=
   =?iso-8859-1?Q?rvi=E7o=20de=20Cotia=20e=20Regi=E3o=2E?="
<[EMAIL PROTECTED]>

was not discarded by the following rule (when it should have been due to
"cotiatododia"):

if anyof (header :contains ["From", "Reply-To", "To", "Cc"]
["cotiatododia", "ganhedinheiro.com", "1000deaths.com", "ione.correia",
"nsbezerra", "estudenoexterior.com", "[EMAIL PROTECTED]",
"[EMAIL PROTECTED]", "[EMAIL PROTECTED]",
"[EMAIL PROTECTED]", "[EMAIL PROTECTED]"], header :contains
"Subject" "E ai!, Essa voce Tem que Ver!") {
discard;
}


Thank you,
Dennis
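
As an added illustration (not from this thread and not Dovecot's Sieve code): a Python example of the steps that precede a `header :contains` test on a header like the one above, namely unfolding continuation lines, decoding the RFC 2047 encoded-words and comparing with `i;ascii-casemap`, the default Sieve comparator in RFC 5228. Python's `email.header` stands in for the decoder, the sample headers are constructed from the one quoted here, and the sender address is a placeholder.

```python
import re
from email.header import decode_header, make_header

# Constructed samples modelled on the From header quoted in the thread.
# FOLDED has a tab before the continuation line; BROKEN starts it in
# column 0, which is the case asked about in the reply.
_LINE1 = ('From: "=?iso-8859-1?Q?Cotiatododia=20-=20O=20Jornal=20de=20'
          'Not=EDcias=20a=20Se?=\r\n')
_LINE2 = ('=?iso-8859-1?Q?rvi=E7o=20de=20Cotia=20e=20Regi=E3o=2E?=" '
          '<sender@example.invalid>\r\n')
FOLDED = _LINE1 + "\t" + _LINE2 + "Subject: test\r\n\r\n"
BROKEN = _LINE1 + _LINE2 + "Subject: test\r\n\r\n"

# RFC 5322 field name: printable ASCII except ':' followed by a colon.
_FIELD = re.compile(r"^([\x21-\x39\x3b-\x7e]+)[ \t]*:(.*)$")
_UPPER = str.maketrans("abcdefghijklmnopqrstuvwxyz",
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def unfold_headers(raw):
    """Return ([(name, unfolded value)], [(line number, bad line)])."""
    headers, defects = [], []
    for number, line in enumerate(raw.split("\r\n"), 1):
        if line == "":
            break                          # blank line ends the header block
        if line[0] in " \t":
            if headers:
                headers[-1][1] += line     # unfolding drops only the CRLF
            else:
                defects.append((number, line))
            continue
        match = _FIELD.match(line)
        if match:
            headers.append([match.group(1), match.group(2)])
        else:
            defects.append((number, line))  # neither a field nor a fold
    return [(name, value) for name, value in headers], defects


def decode_value(value):
    """Decode RFC 2047 encoded-words into a Unicode string."""
    return str(make_header(decode_header(value.strip())))


def casemap_contains(value, key):
    """Substring match under i;ascii-casemap (only a-z are case-folded)."""
    return key.translate(_UPPER) in value.translate(_UPPER)


def header_contains(raw, names, key):
    """Return (matched, defects) for a :contains test on the named headers."""
    headers, defects = unfold_headers(raw)
    wanted = {name.lower() for name in names}
    matched = any(casemap_contains(decode_value(value), key)
                  for name, value in headers if name.lower() in wanted)
    return matched, defects


if __name__ == "__main__":
    for label, raw in (("folded", FOLDED), ("broken", BROKEN)):
        print(label, header_contains(raw, ["From", "Reply-To"], "cotiatododia"))
```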