Re: How to get a server listed in the IMAP Test wiki?

2023-02-24 Thread justina colmena ~biz



On February 24, 2023 10:19:54 AM EST, Timo Sirainen  wrote:
> If you want, you can post them publicly here in case someone else wants to 
> verify.

Who are you doxxing? What other crimes are you confessing to publicly?

-- 
https://justina.abeja.colmena.biz/


Re: How to get a server listed in the IMAP Test wiki?

2023-02-24 Thread justina colmena ~biz
Something I can't quite place a finger on here. Altogether too much Mafia, in the 
bulk email business generally, and I know Switzerland borders on Italy ...

This sounds, (albeit vaguely,) altogether too much like the thieves I seem to 
have fallen amongst lately. Two stolen trucks, three stolen laptops, another 
one wrecked, three or four stolen cell phones, passwords GPG keys, city hall 
hookers and towers and parking masters took everything the first moment I 
turned my back on it. Smashed the windows, hot wired the ignition at 4am 
assaulted me, mugged me in the street after I made a police complaint. I barely 
made it away alive. Another cop trying to arrest me without a warrant as I 
hopped a plane took a flight away from the city hall lynch mob. And the corrupt 
corporate-paid cops who previously stole my car, cell phone, digital camera, 
photos and laptop in another state, too.

And that's only the latest such violent attack. In real life. People planning 
crimes and getting away with crimes in real life. Bragging about it online is 
always what gets them caught in the end.

And so far the thieves and robbers and assailants are apparently not being 
prosecuted at all for the violent crimes they are committing but they were 
forced to let me go since there were no charges they could file against the 
victim of their horrible crimes and atrocities under color of law. And City 
Hall is still in the bedroom & bathroom business to boot.

On February 24, 2023 2:29:41 AM EST, Leander Beernaert 
 wrote:
>Hey Timo,
>
>Thanks for the quick turnaround, once we have the test results I'll contact 
>you again.
>
>Should I also include instructions on how to run the a self contained server 
>with a dummy backend so you can independently verify our results?
>
>Leander Beernaert
>Proton AG
>
>--- Original Message ---
>On Thursday, February 23rd, 2023 at 8:59 PM, Timo Sirainen  
>wrote:
>
>> On 23. Feb 2023, at 16.13, Leander Beernaert  
>> wrote:
>>
>>> Hey,
>>>
>>> We recently announced Gluon (https://github.com/ProtonMail/gluon/) our IMAP 
>>> server library we are using in Proton 
>>> Bridge(https://github.com/ProtonMail/proton-bridge). We would love to have 
>>> it have it listed in the IMAP Server Compliancy Status wiki page 
>>> (https://imapwiki.org/ImapTest/ServerStatus). What do we need to do or whom 
>>> do we need to contact to make this happen?
>>
>> There was so much spam that we disabled all outside access to the wiki. 
>> Maybe we should move it to github/sphinx similarly to doc.dovecot.org so we 
>> could get pull requests instead. For now just email me what you want there 
>> and I can add it.
>>
>>> Additionally, We have been using running imaptest 
>>> (https://github.com/dovecot/imaptest) against our server library, but due 
>>> to variety of configuration parameters, we would really appreciate it (if 
>>> possible) if someone could point out to us the test setup used to validate 
>>> each of those servers.
>>
>> I updated the page to specify how the different columns can be tested. It's 
>> the same for all servers.
-- 
https://justina.abeja.colmena.biz/

Re: replicator: Panic: data stack: Out of memory when allocating 268435496 bytes

2023-01-06 Thread justina colmena ~biz
On Thursday, January 5, 2023 10:53:13 PM AKST Aki Tuomi wrote:
> On January 6, 2023 3:56:39 AM GMT+02:00, Gerben Wierda 
 wrote:
> >Jan 06 00:50:31 replicator: Panic: data stack: Out of memory when
> >allocating 268435496 bytes Jan 06 00:50:32 replicator: Fatal: master:
>  ...
> service replicator {
>   vsz_limit = 2G
> }
> 
> because replicator might have to use more memory, especially for larger
> indexes.
> 
> Aki
That's probably as good a short-term fix as any, but a longer term fix will 
probably require effectively "going on a diet," losing weight, cracking down on 
memory leaks, matching up every malloc() and free() and getting leaner and 
meaner with the memory allocation and Big-O time & space complexity of 
algorithms.
-- 
https://justina.abeja.colmena.biz/



Re: Permissions for dovecot logging

2022-12-30 Thread justina colmena ~biz
On Thursday, December 29, 2022 10:17:08 PM AKST Aki Tuomi wrote:
> > On 30/12/2022 05:25 EET James Moe  wrote:
> >   Permission is still denied.
> >   Where do I find information about "status=80/n/a"?
> > 
> >   I did not include all two of the syslog entries in the previous message:
> > 2022-12-29T20:17:56-0700 sma-server3 dovecot[12102]: Can't open log file
> > /data01/var/log/dovecot.log: Permission denied
> > 2022-12-29T20:17:56-0700 sma-server3 systemd[1]: dovecot.service: Main
> > process exited, code=exited, status=80/n/a
> 
> Maybe you have selinux or apparmor involved? On rhel based systems, selinux
> logs into /var/log/audit/audit.log, dmesg -T is another good thing to
> check.
> 
Status=80 I assume is the exit code dovecot threw when it couldn't open the 
log file. Whatever "int main()" is programmed to return.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
>  Dovecot fails to start with the error:
> Can't open log file /data01/var/log/dovecot.log: Permission denied
That error message is typical of a simple unix permission issue, nothing to do 
with selinux etc.

On Tuesday, December 27, 2022 2:19:39 PM AKST James Moe wrote:
>   Permissions:
> drwxrwxr-x 1 root   users 104 Feb 25  2018 /data01/
> drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
> drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
> drwxrwxr-x 1 dovecot    users  22 Dec 27 15:47 /data01/var/log/dovecot/
> 
>   "dovecot" is a member of "users".
> 
>   What "permission" am I missing?

If the process isn't running with an effective group id of "users", then it 
cannot access that directory simply by virtue of being a member of that group. 
The main program has to call setegid() with the proper group id before 
attempting to access those files.

On Tuesday, December 27, 2022 10:27:31 PM AKST Aki Tuomi wrote:
> If you want to run log as `dovecot`, you can do so with
> 
> service log {
>   user = dovecot
> }

Maybe try something like this:

service log {
  user = dovecot
  group = users
}

Otherwise you might not have the process running with the right effective group 
id to access the log file location by unix group permissions.
-- 
https://justina.abeja.colmena.biz/
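The point argued in this post is that group membership on paper is not what the kernel checks: it looks at the process's effective gid and its supplementary group list, and it checks every directory on the path, not just the last one. The following is an added example, not code from the thread or from Dovecot, that emulates that classic Unix (DAC-only) check over the directory listing James posted. The numeric uids and gids, and the three process identities, are constructed assumptions; SELinux or AppArmor, which Aki mentions, sit on top of this check and are not modelled.

```python
from dataclasses import dataclass

# Constructed name -> id maps (assumption: the real ids are not on the page).
UIDS = {"root": 0, "sma-user3x": 1000, "dovecot": 97}
GIDS = {"root": 0, "users": 100, "dovecot": 97}

# Directory listing as posted in the thread; the log file is created in the last one.
LISTING = """\
drwxrwxr-x 1 root       users 104 Feb 25  2018 /data01/
drwxrwxr-x 1 sma-user3x users 102 Dec 17 14:50 /data01/var/
drwxrwxr-x 1 sma-user3x users 146 Dec 27 15:37 /data01/var/log/
"""


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int                                 # effective group id
    groups: frozenset = frozenset()          # supplementary groups (initgroups/setgroups)


def parse_mode(symbolic):
    """'drwxrwxr-x' -> 0o775. 's'/'t' count as the underlying x bit set, 'S'/'T' as clear."""
    bits = 0
    for i, ch in enumerate(symbolic[1:10]):
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits


def parse_listing(text):
    """Return [(path, mode, owner_uid, owner_gid)] from `ls -l`-style lines."""
    dirs = []
    for line in text.splitlines():
        f = line.split()
        dirs.append((f[-1], parse_mode(f[0]), UIDS[f[2]], GIDS[f[3]]))
    return dirs


def permitted(ident, mode, owner_uid, owner_gid, want):
    """Traditional DAC rule: exactly one class (owner, group, other) applies,
    chosen by uid first, then by effective or supplementary gid. Root bypasses."""
    if ident.uid == 0:
        return True  # CAP_DAC_OVERRIDE
    if ident.uid == owner_uid:
        cls = (mode >> 6) & 7
    elif owner_gid == ident.gid or owner_gid in ident.groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return cls & need == need


def can_create_file(ident, dirs):
    """Every directory on the way needs search (x); the last one, where the file
    is created, also needs write (w). Returns (ok, explanation)."""
    for i, (path, mode, uid, gid) in enumerate(dirs):
        want = "wx" if i == len(dirs) - 1 else "x"
        if not permitted(ident, mode, uid, gid, want):
            return False, f"need '{want}' on {path} (mode {oct(mode)}, owner {uid}:{gid})"
    return True, "ok"


DIRS = parse_listing(LISTING)
# "service log { user = dovecot }" with the group list initialised from /etc/group
DOVECOT_WITH_USERS = Identity(uid=97, gid=97, groups=frozenset({100}))
# same uid but no supplementary groups: being listed in "users" does not help
DOVECOT_BARE = Identity(uid=97, gid=97)
# "service log { user = dovecot  group = users }": effective gid is users
DOVECOT_GID_USERS = Identity(uid=97, gid=100)

if __name__ == "__main__":
    for label, ident in (("with supplementary users", DOVECOT_WITH_USERS),
                         ("bare dovecot", DOVECOT_BARE),
                         ("gid users", DOVECOT_GID_USERS)):
        print(f"{label}: {can_create_file(ident, DIRS)}")
```

The bare identity is refused at /data01/var/log/, the last directory, because the "other" class there is r-x: the two earlier directories were traversable, which is why the error mentions only the log file. Either setting the effective gid or populating the supplementary list makes the group class apply.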




Re: sasl service for other app

2022-12-12 Thread justina colmena ~biz
Okay. Let's try this. With the snippet you posted from 
"/etc/dovecot/conf.d/10-master.conf" 
inside the "service auth {...}" section.

This is from my "/etc/postfix/master.cf"

> submission inet n   -   n   -   -   smtpd
> #  -o syslog_name=postfix/submission
> 
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous



On Thursday, December 8, 2022 4:49:06 AM AKST Shawn Heisey wrote:
> On 12/7/22 21:53, Henry R wrote:
> > can dovecot run as a general sasl service for other apps? such as webdav.
> 
> I am using dovecot to provide authentication for postfix submission. 
> This is the config in postfix:
> 
> smtpd_sasl_type = dovecot
> # Referring to /var/spool/postfix/private/auth
> smtpd_sasl_path = private/auth
> 
> In /etc/dovecot/conf.d/10-master.conf I have this:
> 
>unix_listener /var/spool/postfix/private/auth {
>  mode = 0666
>  user = postfix
>  group = postfix
>}
> 
> If the application supports using a socket for sasl, then I would
> imagine that Dovecot should work.
> 
> Postfix is using the same postfixadmin database for email addresses that
> Dovecot is, but for authentication, it's all Dovecot.
> 
> I should probably look into Dovecot's submission support so I don't need
> to have postfix using that auth socket, just haven't found the time.
> 
> Thanks,
> Shawn


-- 
https://justina.abeja.colmena.biz/




Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
So this should allow postfix to piggyback on top of whatever dovecot auth 
is being used.


On Thursday, December 8, 2022 4:49:06 AM AKST, Shawn Heisey wrote:

On 12/7/22 21:53, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.


I am using dovecot to provide authentication for postfix 
submission.  This is the config in postfix:


smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth

In /etc/dovecot/conf.d/10-master.conf I have this:

  unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
  }

If the application supports using a socket for sasl, then I 
would imagine that Dovecot should work.


Postfix is using the same postfixadmin database for email 
addresses that Dovecot is, but for authentication, it's all 
Dovecot.


I should probably look into Dovecot's submission support so I 
don't need to have postfix using that auth socket, just haven't 
found the time.


Thanks,
Shawn





--
https://justina.abeja.colmena.biz/


Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz

https://doc.dovecot.org/configuration_manual/authentication/sql/#password-verification-by-sql-server

Perfect. However on Postfix it is more finicky.

https://www.postfix.org/SASL_README.html#auxprop_sql

Tip
If you must store encrypted passwords, you cannot use the sql auxprop plugin. Instead, 
see section "Using saslauthd with PAM", and configure PAM to look up the 
encrypted passwords with, for example, the pam_mysql module. You will not be able to use 
any of the methods that require access to plaintext passwords, such as the shared-secret 
methods CRAM-MD5 and DIGEST-MD5.


On Thursday, December 8, 2022 10:17:11 AM AKST, Alessio Cecchi wrote:

Yes,

we are using dovecot, also, for SASL only as authentication provider.

Here some relevants parts of the configuration:

# probably not necessary but dovecot requires it so i set it to /tmp/

mail_location = maildir:/tmp/%u/Maildir:INDEX=memory

# setup a mysql database with your users and password
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

# here is the most important part, with this you can query SASL 
via port "12345" or via socket

service auth {
  inet_listener {
port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
  }
}

# SASL don't support SSL
ssl = no

Ciao

Il 08/12/22 05:53, Henry R ha scritto:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.
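The two `service auth` snippets in this thread differ in exactly the settings a reviewer would look at: Shawn's socket uses mode = 0666, Alessio's uses 0660 but adds an inet_listener on port 12345. The following is an added example, not the project's or either poster's code, that parses such a fragment and reports those two things. The config strings are constructed from the posted snippets; the assumption that an unconfigured unix_listener defaults to mode 0600 is marked in the code.

```python
# Constructed fragments modelled on the two `service auth` snippets in the thread.
PERMISSIVE = """\
service auth {
  inet_listener {
    port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
"""

HARDENED = """\
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
"""


def parse(text):
    """Minimal parser for Dovecot-style config: 'key = value' lines and
    'type [name] { ... }' blocks, with '#' comments. Each block becomes a dict
    holding '_type', '_name', '_blocks' and its own key/value settings."""
    root = {"_type": "root", "_name": "", "_blocks": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            words = line[:-1].split()
            block = {"_type": words[0], "_name": " ".join(words[1:]), "_blocks": []}
            stack[-1]["_blocks"].append(block)
            stack.append(block)
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def audit_auth_listeners(text):
    """Findings for the listeners of `service auth`. A socket mode with any
    'other' bit is reachable by every local account, and an inet_listener
    makes the auth service reachable over TCP. Returns a list of strings."""
    findings = []
    for svc in parse(text)["_blocks"]:
        if svc["_type"] != "service" or svc["_name"] != "auth":
            continue
        for lst in svc["_blocks"]:
            if lst["_type"] == "unix_listener":
                mode = int(lst.get("mode", "0600"), 8)  # assumption: 0600 when unset
                if mode & 0o007:
                    findings.append(
                        f"{lst['_name']}: mode {lst['mode']} grants access to all local "
                        f"users; 0660 with user/group set to the consumer (postfix) suffices")
            elif lst["_type"] == "inet_listener":
                findings.append(
                    f"inet_listener port {lst.get('port', '?')}: auth service reachable "
                    f"over TCP; bind it to a trusted address and firewall it, or use the socket")
    return findings


if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, audit_auth_listeners(cfg) or ["no findings"])
```

Postfix's smtpd runs as the postfix user, so user = postfix, group = postfix and mode = 0660 give it everything it needs; the extra "other" bits in 0666 buy nothing for Postfix and only widen who can talk to the socket.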






Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
I suppose. Essentially create a database table and supply a custom SQL 
query for authentication. Program a PHP web form with a token to reset user 
password with a recovery email, etc. Postgres/nginx should be just as easy 
as mysql/apache.

-- 


On Wednesday, December 7, 2022 10:48:27 PM AKST, Robert Schetterer wrote:

Am 08.12.22 um 06:14 schrieb justina colmena ~biz:

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get 
it to work with dovecot. Ideas? Pointers to docs online?


usually it's easier to configure dovecot/postfix with a 
database like mysql; mysql auth with e.g. apache should be easy 
then






Re: sasl service for other app

2022-12-07 Thread justina colmena ~biz

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

can dovecot run as a general sasl service for other apps? such as webdav.

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get it to work 
with dovecot. Ideas? Pointers to docs online?


Re: Doveadm Move Query

2022-12-01 Thread justina colmena ~biz
Sounds like a boss at work. An "admin" doing off-beat SQL-like stuff on 
people's email. I'm a little disconcerted. I don't really use these 
commands myself or see a good use case for them, or the whole 
infrastructure built up on "doveadm" commands.


These are general purpose mailbox utilities. Something that would be much 
less confusing to fork off into a totally separate project independent of 
Dovecot. There is sifting and sorting for spam and porn and scams, but that 
isn't really a "dove(cot) admin" job.


https://wiki.dovecot.org/Tools/Doveadm
https://wiki.dovecot.org/Tools/Doveadm/Move
https://wiki.dovecot.org/Tools/Doveadm/SearchQuery

I have several virtual mailboxes but dovecot knows nothing about them. 
Postfix is configured to deliver mail for my virtual mailboxes, and my 
desktop & mobile email clients are configured with "identities" to respond 
to them.



On Thursday, December 1, 2022 12:25:52 AM AKST, Simon B wrote:

On Tue, 2 Aug 2022 at 12:58, Paul Kudla (SCOM.CA Internet Services
Inc.)  wrote:

ok u...@domain.com needs to exist before any operations can be done on it.

I discovered that dovecot does not consider a virtual mailbox active
until it is returned in the user database

see : doveadm user '*'

both accounts MUST be returned in the list (user@.net & user@.com) ...


Thanks Paul.

I finally got around to looking at this again, and for my own benefit,
and perhaps anyone else in the future, the format that eventually
worked was:

doveadm -Dv move -u u...@destination.com INBOX  user user @source.net
MAILBOX INBOX ALL

However...

the -v option does NOT as the man page indicates produce any kind of
progress counter.

 -v Enables verbosity, including progress counter.

On a medium mailbox (~1000 messages) it took about 3 minutes, with no
indication anything was being done until the prompt returned.  Maybe I
need -D -v and not -Dv?

AND,

it moved all the mails from
/var/spool/mail/virtual/source.net/user/cur but none of the emails
from  /var/spool/mail/virtual/source.net/user/new

And I have not been able to figure how to move those...

Simon






Re: moving messages between namespaces go into purge

2022-11-30 Thread justina colmena ~biz
That particular feature seems to work for me as documented. People have to 
play first-name games with mass-marketed emails, and clients crash for 
various reasons.


On Wednesday, November 30, 2022 9:23:44 AM AKST, Aki Tuomi wrote:
The reason is that MOVING a mail is same COPYING and EXPUNGING 
a mail. mdbox format retains deleted messages, even if they 
result from moving. It's not a queue as such.


With mdbox format you are supposed to run purge periodically in any case.

I am not sure what justina is again rambling about...

Aki


On 30/11/2022 19:34 EET justina colmena ~biz  wrote:

 
Mails stored as individual files in a "Maildir/" can 
conceivably be "moved" 
within the O/S file system rather than copied, but the default flatfile 
Mailbox format does require a copy-and-purge, as far as I know. ...







Re: moving messages between namespaces go into purge

2022-11-30 Thread justina colmena ~biz
Mails stored as individual files in a "Maildir/" can conceivably be "moved" 
within the O/S file system rather than copied, but the default flatfile 
Mailbox format does require a copy-and-purge, as far as I know.


/etc/postfix/main.cf:
   # DELIVERY TO MAILBOX
   #
   # The home_mailbox parameter specifies the optional pathname of a
   # mailbox file relative to a user's home directory. The default
   # mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
   # "Maildir/" for qmail-style delivery (the / is required).
   #
   #home_mailbox = Mailbox
   home_mailbox = Maildir/


On Wednesday, November 30, 2022 8:24:40 AM AKST, Marc wrote:
I think it would be nice to have an option where the moving of 
messages between namespaces (by automated server scripts) would 
not result in messages ending up in the 'purge' queue.


Currently when you move these copied messages, they end up in 
the purge queue combined with messages that users deleted. I am 
more or less forced to purge the mailbox after moving GB's while 
I prefer not to do this, because I would like to keep the 
opportunity to recover from the purge queue.


Maybe there is a way to 'deduplicate' this purge queue?
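The claim in this post is that a Maildir message can be moved by renaming the file rather than copying it, while a flat mailbox needs a copy followed by a purge. The following is an added example, not code from the thread or from Dovecot or Postfix, that performs a spec-style Maildir delivery (tmp, then rename into new) and then moves the message into another folder with a single rename, checking that the inode survives. The message content and folder names are constructed.

```python
import os
import socket
import tempfile
import time

_seq = 0


def make_maildir(path):
    """Create the three Maildir subdirectories; returns the Maildir path."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(path, sub), exist_ok=True)
    return path


def unique_name():
    """Maildir-style unique file name: time.PpidQseq.host ('/' and ':' in the
    host name are escaped as the Maildir convention requires)."""
    global _seq
    _seq += 1
    host = socket.gethostname().replace("/", "\\057").replace(":", "\\072")
    return f"{int(time.time())}.P{os.getpid()}Q{_seq}.{host}"


def deliver(maildir, content):
    """Deliver a message the Maildir way: write to tmp/, fsync, rename into new/.
    rename(2) is atomic, so a reader of new/ never sees a half-written file."""
    name = unique_name()
    tmp_path = os.path.join(maildir, "tmp", name)
    with open(tmp_path, "wb") as f:
        f.write(content)
        f.flush()
        os.fsync(f.fileno())
    new_path = os.path.join(maildir, "new", name)
    os.rename(tmp_path, new_path)
    return new_path


def move(message_path, dst_maildir, flags=""):
    """Move a message to another folder on the same filesystem by renaming it into
    dst/cur with the ':2,<flags>' info suffix. No copy is made: the inode keeps
    its number and data blocks. Across filesystems rename(2) fails with EXDEV and
    copy-then-unlink (the "copy and purge" of a flat mailbox) becomes unavoidable."""
    base = os.path.basename(message_path).split(":", 1)[0]
    dst_path = os.path.join(dst_maildir, "cur", f"{base}:2,{flags}")
    os.rename(message_path, dst_path)
    return dst_path


def demo(root=None):
    """Deliver one constructed message to the inbox and move it to .Archive;
    report whether the inode survived and what is left behind in new/."""
    root = root or tempfile.mkdtemp(prefix="maildir-demo-")
    inbox = make_maildir(os.path.join(root, "Maildir"))
    archive = make_maildir(os.path.join(inbox, ".Archive"))
    delivered = deliver(inbox, b"Subject: constructed test\r\n\r\nhello\r\n")
    ino = os.stat(delivered).st_ino
    moved = move(delivered, archive, flags="S")
    return {
        "delivered": delivered,
        "moved": moved,
        "same_inode": os.stat(moved).st_ino == ino,
        "inbox_new": os.listdir(os.path.join(inbox, "new")),
        "archive_cur": os.listdir(os.path.join(archive, "cur")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because nothing was copied, there is also nothing left over to purge: the only record of the move is the directory entry that disappeared from new/ and the one that appeared in cur/.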






Re: Can't figure out why managesieve (pigeonhole) can't connect

2022-11-22 Thread justina colmena ~biz

On Tuesday, November 22, 2022 8:25:19 AM AKST, PGNet Dev wrote:
first, confirm that you can connect/authenticate to Dovecot's 
managesieve server without Roundcube in the picture.


e.g., show the output of a successful 'openssl s_client ...' 
sieve authentication session


Subject line says it all?  I am using Roundcube, and every 


I don't like the sounds of this discussion at all, and it's not because I 
don't want it to take place or because I don't want to be aware of it. 
"Security first" is and ought to be the absolute rule, but there's a 
pernicious kid sister attitude of «fausse naïveté» showing up everywhere 
with everything email-related.


Filtering and sieving are absolute necessities, too, for obvious reasons, 
but these authentication issues with half-baked development and 
here-be-dragons code showing up in official releases are very alarming.


We need to build much stronger defenses for our email online against 
nation-state political spammers as well as aggressive drug cartels 
promoting and compelling unethical & illegal "products" and "services" 
online.


Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-21 Thread justina colmena ~biz

Trojitá, a fast Qt IMAP e-mail client
http://www.trojita.flaska.net/

I also use

http://opendkim.org/ 
http://www.trusteddomain.org/opendmarc/


as milters on Postfix

Active development, I'm sure they could all use some help, or forks for 
alternatives, I don't know, I'm not involved in development per se, just a 
user, and I have to get off the property of any of these places with my 
code before anything happens. All that Finnish osalliyhdistys and by the 
time a Swede gets online all hell breaks loose.


On Friday, October 21, 2022 1:50:43 PM AKDT, hi@zakaria.website wrote:

On 2022-10-11 14:05, Benny Pedersen wrote:

hi@zakaria.website skrev den 2022-10-11 13:42: ...


Indeed, it's because you set the following headers in dkim signing headers:-

from : subject :
date : to : message-id

Although not sure why you've added some space, as per standards 
I think only colon separated list its the compliant format like 
the following:-


from:subject:date:to:message-id

Anyhow this is my final update, the previous headers set which 
I included wasn't perfect as cc header was causing a trouble, 
given it can fail at some point e.g. when replying more than one 
time to the same recipient through a mailing list, and mind me 
OX and iRedMail, I had to check your signing headers set, 
hopefully you are ok for me to present it here as the optimal 
one to avoid DKIM failures:-


OX:-
Date:From:To:In-Reply-To:References:Subject:From

IRM:-
x-mailer:message-id:in-reply-to:to:references:date:subject
:mime-version:content-transfer-encoding:content-type:from

iRedMail seems to be the best headers set given it includes 
X-Mailer header, which enhances signature validity, when client 
uses specific mail client app, although it can be faked yet one 
must know which client app the sender would use and if was able 
to have information to this length I guess signature validity 
would be an easy task to break it further.


Also, I was advised by a friend to duplicate the signing 
headers in order to disallow spoofing signature further, while I 
couldn't see how nor populate a proof of concept, I removed it 
but if someone understand it, I would appreciate their 
elaboration, surely with thanks :)


Good luck.

Zakaria.
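Zakaria asks what duplicating a header name in the signing set achieves, and the OX list he quotes (From listed twice) is an instance of it. The following is an added example, not code from the thread, OX or iRedMail, that implements only the h= selection rule of RFC 6376 section 5.4.2 and a stand-in hash over the selected fields, enough to show why the duplicate matters: the signer resolves each h= name to the nearest unused header counting from the bottom, so a name listed once more than it occurs is hashed as the null string, and any instance of that header added later changes the hash. The message headers are constructed; the real signature over the hash is omitted.

```python
import hashlib

# Constructed header block (not from the thread). Order is message order; both
# signer and verifier scan it from the bottom up when resolving h=.
SIGNED_MESSAGE = [
    ("From", "alice@example.org"),
    ("To", "bob@example.net"),
    ("Subject", "status update"),
    ("Date", "Fri, 21 Oct 2022 13:50:43 -0800"),
]

# The two styles seen in the thread: each name once, and the "oversigned"
# style where From appears a second time (as in the quoted OX list).
H_ONCE = ["from", "to", "subject", "date"]
H_OVERSIGNED = ["from", "to", "subject", "date", "from"]


def select_headers(headers, h_list):
    """RFC 6376 5.4.2 selection: for every name in h= (case-insensitive) take the
    nearest instance from the bottom of the header block that has not been
    consumed yet; if none is left the name maps to None (the null string)."""
    used = set()
    selected = []
    for name in h_list:
        hit = None
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == name.lower():
                hit = idx
                break
        if hit is not None:
            used.add(hit)
        selected.append((name.lower(), None if hit is None else headers[hit][1]))
    return selected


def header_hash(headers, h_list):
    """Stand-in for the signed header hash: SHA-256 over the selected fields in a
    simple 'name:value' form. A null field contributes nothing, as a nonexistent
    field does under RFC 6376. The public-key signature over this hash is omitted
    because only the selection rule is being demonstrated."""
    h = hashlib.sha256()
    for name, value in select_headers(headers, h_list):
        if value is not None:
            h.update(f"{name}:{value}\r\n".encode())
    return h.hexdigest()


def verifies(signed_hash, received_headers, h_list):
    """Does the header hash recomputed at the verifier match what was signed?"""
    return header_hash(received_headers, h_list) == signed_hash


def prepend_header(headers, name, value):
    """Model a header added in transit above the existing ones, which is the
    instance a naive client displays first."""
    return [(name, value)] + list(headers)


if __name__ == "__main__":
    altered = prepend_header(SIGNED_MESSAGE, "From", "mallory@example.com")
    for label, h in (("h= once", H_ONCE), ("h= oversigned", H_OVERSIGNED)):
        sig = header_hash(SIGNED_MESSAGE, h)
        print(f"{label}: original verifies={verifies(sig, SIGNED_MESSAGE, h)}, "
              f"with added From verifies={verifies(sig, altered, h)}")
```

With From listed once, the verifier still resolves it to the original bottom-most instance, so the signature stays valid even though a second From now sits above it; with From listed twice, the second slot that was null at signing time now resolves to the added header and verification fails. That is the whole effect of "duplicating the signing headers": it pins the count of each header, not just its content.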






Re: The end of Dovecot Director?

2022-10-21 Thread justina colmena ~biz
Nginx is an excellent suggestion for the purpose. However I do not like 
German client certificates. That is far too much "proof" of identification 
18/21++ on a public network with nowhere to hide and those of us who are 
not German citizens and do not have the advantage of a friendly local 
police jurisdiction with massive international clout and an assumed 
legitimacy for all the online surveillance, policing, and copping with 
unfounded sex charges etc. being pressed online.


Not that I care much for alcohol, but the analogy that comes to mind with 
such "proof" of identity presented across the internet as a public 
certificate is that of "public drunkenness," versus, say, "drinking 
privately in one's quarters," i.e., making an encrypted connection, and 
only then within the encrypted channel establishing identity and 
authorization with a username and password or other means of 
authentication.


On Friday, October 21, 2022 3:29:36 AM AKDT, spi wrote:

Am 21.10.22 um 13:14 schrieb Amol Kulkarni:

Nginx has an mail proxy for pop, imap, smtp.
Can it be used instead of director ?



Nginx can authenticate imap/smtp (and probably pop3) users. If you do that,
you can define a backend server the session is routed to. Currently I
use that approach to authenticate users by client certificates and route
them to the appropriate backend (well, I only have one ;-).

--
Cheers
spi






Re: The end of Dovecot Director?

2022-10-21 Thread justina colmena ~biz
You still need in some sense one coherent file system to store and retrieve 
the mail messages. Although a load-balance cluster would still be quite 
useful for rejecting the bulk of unauthorized connections.


I am sure in many cases a small/medium server can in fact sit and function 
quite adequately behind a large enterprise load balancing firewall and 
proxy, given the typical quantities of spam "out there" and the large 
number of bad connections typically attempted on any given system.


On Thursday, October 20, 2022 9:19:59 PM AKDT, Zhang Huangbin wrote:



On Oct 21, 2022, at 4:19 AM, Antonio Leding  wrote:

My understanding is that Director is targeted toward large 
enterprise mail installations that will incorporate several 
servers for a given function. In such an environment, Director 
would be the fore-person\traffic-cop keeping things organized & 
squared-away.


Director is used when you setup frontend servers in a 
load-balance cluster, proxy imap/pop3/lmtp/managesieve requests 
to backend Dovecot servers.


I set up a load-balance cluster for clients with HAProxy + 
KeepAlived + Dovecot Director running in frontend servers, so 
sad we have to find an alternative to replace Director in such 
case.


It's not about "small/medium" servers, but the demand of 
imap/pop3/lmtp proxy service, especially in load-balance 
cluster.



Zhang Huangbin, founder of:
- iRedMail: Open source email server solution: https://www.iredmail.org/
- Spider: Lightweight, on-premises Email Archiving Software: 
https://spiderd.io








Re: Multidomain ssl config ?

2022-10-15 Thread justina colmena ~biz
Yeah. You get a better spam score and a better rep for your server if the 
hostname you use as an MX record matches the reverse DNS for its IP 
address(es) as well and everything is correct as recommended by rfc docs. 
If there's outgoing mail it's all going to use the same hostname as the 
"ehlo" I.D. anyways, isn't it?


The big bosses and professionals are cracking down on servers etc., aren't 
they? I just recently tried to set up an alternate/backup server from a 
different provider in a very authoritarian country in northwestern/central 
Europe, but they borked my billing information terminated service and 
screwed up my domain renewal and caused a lot of other grief elsewhere in 
addition. Barely managed to save myself and stay online.


So we're going to see more small and medium sites kicked off the internet, 
and even having had one's own website and email means we're not welcome on 
FB, TWTR, and friends. Just squash the competition for interstate commerce, 
because the cartels are taking over.


On Wednesday, June 29, 2022 1:25:18 PM AKDT, Paul Kudla (SCOM.CA Internet 
Services Inc.) wrote:

John please send me a direct email address


I understand what you need and my customers are all separate 
certs per domain on both sides



I spent over three months setting stuff up


I will send complete instructions for both postfix & dovecot


Plus auto scripts etc


You will need to be running a postgresql database for my stuff 
to work without mods



And running python 2.xx


  
thanks - paul

Paul Kudla
SCOM.CA Internet Services Inc.
004-1009 Byron Street South
Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266

On Jun 29, 2022 at 16:39:29 EDT, John Stoffel 
 wrote:



"Maurizio" == Maurizio Caloro  writes:


Maurizio> on postfix now this seems to run, and with dovecot i need
Maurizio> also handle these two domains, but appearing this error
Maurizio> messages. like:

Why aren't you just using a single domain as the MX record for all the
domains? Then you only need one SSL cert pair for all of this, and if
you publish the right SPF records, each domain can send from the same
MX host as well.




Maurizio> Jun 29 20:49:28 Dovecot/imap-login: Info: 
Disconnected (no auth attempts in 0 secs): user=<>,
Maurizio> rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: 
SSL_accept() failed: error:14094416:SSL routines:
Maurizio> ssl3_read_bytes:sslv3 alert certificate unknown: SSL 
alert number 46, session=


Maurizio> Running with Debian Buster

Maurizio> # dovecot --version
Maurizio> 2.3.4.1 (f79e8e7e4)

Maurizio> # nmail.caloro.ch
Maurizio> local_name nmail.caloro.ch {
Maurizio>  ssl_cert =   ssl_key =   }
Maurizio> # nmail.calm-ness.ch
Maurizio> local_name nmail.calm-ness.ch {
Maurizio>  ssl_cert =   ssl_key =   }

Maurizio> thanks for possible help








Re: One-off backup

2022-10-11 Thread justina colmena ~biz
Is that a divorce? Or else a little bit better spelling and respect for the 
lady is called for? And I don't like criminals serving bogus law papers and 
hacking into my mail any more than anyone else does.

On October 10, 2022 6:57:39 AM AKDT, Ian Evans  wrote:
>I run a small email server for me and the missus. Six dovecot users.
>
>Our host is migrating our server instance. They usually (99.% lol) go
>off without a hitch.
>
>As we don't have dovecot running elsewhere, I'm assuming doveadm is the
>wrong tool.
>
>If we want to make a one-off backup prior to the migration, is shutting
>down postfix and running
>tar czf mailstorage.tgz /path/to/mail okay?
>
>Thanks.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Re[4]: Pigeonhole redirect is adding a message-id header when it already exists

2022-10-01 Thread justina colmena ~biz
These are real people with bank accounts? Get paid? Have money for breakfast 
lunch dinner and a roof over their heads?

Just asking because my own bank account stupidly enough requires a phone number 
to log in online whether or not I even have an email address.

And the POTS (Plain Old Telephone Service) system, including cell phone 
service, unlike the internet at large which is based on open standards, is a 
highly proprietary closed-source-only multinational corporate fee-for-service 
system based on billing and debt collections for long distance calls, mostly 
owned by fraudsters, blackmailers, thieves, extortioners and hackers, and 
subject to strict intellectual property restrictions and intelligence 
surveillance by various governments and nation-states as well as court orders 
relating to domestic violence restraining orders, no-contact orders and various 
other "established" service of process in local small town court systems to 
obstruct or deny access.

AT and friends have been around since the early railroad days, and there are 
people who need to be SERVED here like no one has ever been served in over 150 
years in the United States.

On October 1, 2022 3:52:43 AM AKDT, Marc  wrote:
>> >Oct  1 13:31:46  sendmail[30321]: 291BVjjx030318:
>> to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp,
>> pri=122536, relay=gmail-smtp-in.l.google.com. [142.250.102.27],
>> dsn=2.0.0, stat=Sent (OK  1664623906 gs19-
>> 20020a1709072d1300b00777a40d515dsi4096082ejc.456 - gsmtp)
>> >
>> >I just tested for you, enabled the sieve forward, send test mail and
>> the forward is being accepted by google.
>> >
>> >
>> 
>> Thanks for the test. However, does your test mail had a "bogus"
>> Message-ID header in it like I tried to explain ?
>> 
>
>You wrote in the original email the message was rejected. Sorry I don't have 
>login access to my gmail test account anymore since the google @#$%@#$% wanted 
>to have me add a phone number. 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: convert mdbox to maildir

2022-08-14 Thread justina colmena ~biz




On August 14, 2022 9:46:54 AM AKDT, lutz.niede...@gmx.net wrote:
>Yes, you are right.  The problems are not of technical nature.
>...
>We do what the customer wants us to do.  And yes, they pay pretty well for 
>working on weekends.
>...
I'm sure there are more than enough professional mental health services 
available in any given district or locality, but I'm not sure why they are 
being discussed on a technical mailing list.

If your job is technical in nature, and that's what your customers are paying 
you for, then those problems of a technical nature are precisely what you'd 
better be focusing on.

Mostly I am a semi-technical do-it-yourselfer on the principle that I just 
can't tolerate the p*rn-surfing techie crowd from Silicon Valley, CA, and I 
find that most of the time if you want the job done right, you'd better do it 
yourself, especially if it's something very specific or technical.

Which is what many people have done and consequently why so much free and open 
source software exists in the first place.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


RE: convert mdbox to maildir

2022-08-13 Thread justina colmena ~biz
*My* inbox gets filled with thousands of emails, more or less commercial 
content and trivial notifications from shopping online, and postfix crashes and 
will not accept new messages if the file "/var/mail/justina" becomes too large.

Configuring postfix to deliver the mail to "~/Maildir" solved that problem.

I still need to configure a sieve or a filter or some nicer mechanism to clear 
out messages that are either outright spam or too old or no longer of interest 
to me.

On August 13, 2022 10:00:36 AM AKDT, Marc  wrote:
>> 
>> We need to move all users from one (pretty old) installation of dovecot
>> to a new one.
>> The old one uses mdbox for users' mailboxes and maildir for
>> shared/public mailboxes.
>> The new one must be maildir only.
>
>why did you decide to move to maildir?
>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: RHEL9 Repository

2022-08-05 Thread justina colmena ~biz


On August 5, 2022 3:30:57 PM AKDT, Peter  wrote:
>The main site doesn't currently support https but the repositories do, also 
>all packages are cryptographically signed and the signing keys are served off 
>of a secure server.
>
>The info on the site is public information that doesn't really need to be 
>secure.
>
In which case any actual content on the said site becomes injected with 
ultra-persistent linux-targeted adware, spyware, and pop-ups by any given third 
party in transit, which craps up my phone and slows down my desktop browser to 
a crawl, and then I have to update my adblocker, re-up all my security settings 
and fix all the other things that break due to spam malicious advertising on 
the internet. Plain old http is simply maddening these days. Leave the front 
door wide open for online hustlers and thieves, yeah, some people have bank 
accounts or manage actual money on their computers.

I would highly encourage a use of basic https all around: certbot/letsencrypt 
is currently free and there are many other low-cost options for https in 
conjunction with any given hosting service or platform.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: RHEL9 Repository

2022-08-05 Thread justina colmena ~biz
/_!_\

The connection to ghettoforge.org is not secure

You are seeing this warning because this site does not support HTTPS. _Learn 
more_

[Go back]
[Continue to site]

On August 5, 2022 4:06:46 AM AKDT, Peter  wrote:
>For those who have been asking, GhettoForge 9 is now released with dovecot23 
>packages for all EL9 distributions in the gf-plus repository. These are built 
>against Rocky Linux 9 and should install and run on any EL9 distro including, 
>but not limited to:
>
>* Rocky Linux 9
>* Red Hat Enterprise Linux 9
>* Oracle Linux 9
>* Alma Linux 9
>* Scientific Linux 9
>...and more
>
>This provides the latest stable version of dovecot-2.3.19.1
>
>Please see the instructions at the following link for how to install and run 
>packages from the gf-plus repository:
>http://ghettoforge.org/index.php/Usage
>
>...and let me know if you have any difficulties or questions with these 
>packages.
>
>
>Peter Ajamian
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Tracing Sieve actions

2022-07-20 Thread justina colmena ~biz
Thank you. I will have to look at "basic configuration" for sieving although I 
don't want things crashing on production.

I get too much mail at a publicly available address -- and while SPF+DKIM+DMARC 
does cut down on the bulk of obvious spam -- the spam that does get through is 
a little bit too "legitimate" to eliminate without special sieving rules.

This stuff really needs to be configurable per user without abusing root 
privileges and without futzing at the command line, or else it just isn't 
useful to the end user on the desktop or mobile device. Sieving needs to be 
either an email client thing, or else a standard interface for rules that can 
be configured and uploaded to Dovecot from the email client / reader software.

https://doc.dovecot.org/configuration_manual/sieve/configuration/#basic-configuration

On July 19, 2022 10:35:40 PM AKDT, Aki Tuomi  wrote:
>
>> On 20/07/2022 09:34 EEST Doug Hardie  wrote:
>> 
>>  
>> I encountered an interesting problem that one originator was being dumped 
>> into the Deleted file directly by my sieve.  The sieve file was quite large 
>> and it was not obvious which entry was causing the issue.  I recall there 
>> was a way to get sieve-test to show what is going on and which lines it 
>> used, but I could not replicate it tonight for anything.  I ended up having 
>> to change all the deliver to the Deleted files to something else and test 
>> one at a time to find the offending entry.  It took a long time.  How do you 
>> get sieve-test to show the actual path it took through the file?
>> 
>> -- Doug
>
>Hi Doug, take a look at 
>https://doc.dovecot.org/configuration_manual/sieve/configuration/#trace-debugging
>
>It might help.
>
>Kind regards,
>Aki

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [Dovecot-news] CVE-2022-30550: Privilege escalation possible in dovecot when similar master and non-master passdbs are used

2022-07-08 Thread justina colmena ~biz
What? No user serviceable parts inside your car? It's a federal felony to raise 
the hood for any reason. You've got to see an authorized dealer or a 
professional mechanic for every little thing on a used car because cars are 
closed source proprietary and it's illegal to circumvent anything etc. Elon 
Musk is hard at work.

On July 7, 2022 12:59:13 PM AKDT, Noel Butler  wrote:
>On 07/07/2022 07:24, Aki Tuomi wrote:
>
>>> On 06/07/2022 16:54 EEST Aki Tuomi via Dovecot-news 
>>>  wrote:
>>> 
>>> Affected product: Dovecot IMAP Server
>>> Internal reference: DOV-5320
>>> Vulnerability type: Improper Access Control (CWE-284)
>>> Vulnerable version: 2.2
>>> Vulnerable component: submission
>>> Report confidence: Confirmed
>>> Solution status: Fixed in main
>>> Researcher credits: Julian Brook (julezman)
>>> Vendor notification: 2022-05-06
>>> CVE reference: CVE-2022-30550
>>> CVSS: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
>>> 
>>> Vulnerability Details:
>>> When two passdb configuration entries exist in Dovecot configuration, which 
>>> have the same driver and args settings, the incorrect username_filter and 
>>> mechanism settings can be applied to passdb definitions. These incorrectly 
>>> applied settings can lead to an unintended security configuration and can 
>>> permit privilege escalation with certain configurations involving master 
>>> user authentication.
>>> 
>>> Dovecot documentation does not advise against the use of passdb definitions 
>>> which have the same driver and args settings. One such configuration would 
>>> be where an administrator wishes to use the same pam configuration or 
>>> passwd file for both normal and master users but use the username_filter 
>>> setting to restrict which of the users is able to be a master user.
>>> 
>>> Risk:
>>> If the same passwd file or PAM is used for both normal and master users, it is 
>>> possible for an attacker to become a master user.
>>> 
>>> Workaround:
>>> Always authenticate master users from a different source than regular users, 
>>> e.g. using a separate passwd file. Alternatively, you can use global ACLs 
>>> to ensure that only legitimate master users have privileged access.
>>> 
>>> Fix:
>>> This has been fixed in main branch. See 
>>> https://github.com/dovecot/core/compare/7bad6a24%5E..a1022072.patch
>> 
>> Two small corrections to this CVE notice... The service impacted is of 
>> course 'auth' not 'submission', and the version impacted is from 2.2 to 
>> 2.3.19.1.
>> 
>> Aki
>
>I wouldn't exactly call them "small" corrections
>
>it's like saying the left window on your 2020 car can be pushed down easily to 
>saying oh wait, it's every window and you don't need a key to start the engine, 
>and btw it's all cars from 2010 to 2022
>
>And if it's that serious, where is the release? That's how dealing with CVEs 
>works, Aki, not a CVE statement saying go to GitHub.
>
>That said, I'd assume everyone uses a separate db for support teams anyway, or 
>I'd hope so.
>
>-- 
>Regards,
>Noel Butler
>
>This Email, including attachments, may contain legally privileged information, 
>therefore at all times remains confidential and subject to copyright protected 
>under international law. You may not disseminate this message without the 
>authors express written authority to do so.   If you are not the intended 
>recipient, please notify the sender then delete all copies of this message 
>including attachments immediately. Confidentiality, copyright, and legal 
>privilege are not waived or lost by reason of the mistaken delivery of this 
>message.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
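
The misconfiguration the advisory above describes, beside the separate-source layout it recommends, as an added Dovecot configuration example (not from the advisory or the Dovecot project; the file paths and the username filter pattern are constructed placeholders):

```conf
# VULNERABLE PATTERN (CVE-2022-30550): two passdb entries with the same
# driver and args. On affected versions (2.2 through 2.3.19.1) the
# username_filter and master settings can be applied to the wrong entry,
# so the filter that was supposed to restrict who may act as master user
# is not reliably enforced.
passdb {
  driver = passwd-file
  args = /etc/dovecot/users            # constructed path
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users            # same driver + args as above
  master = yes
  username_filter = admin@*            # constructed pattern, meant to limit master users
}

# RECOMMENDED LAYOUT (the advisory's workaround): master users come from
# their own source, so no two passdb blocks share driver and args and the
# master flag cannot leak onto the regular-user passdb.
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users     # constructed path: master credentials only
  master = yes
  result_success = continue            # keep checking that the target user exists
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users            # constructed path: regular users only
}
```

Check the effective configuration with `doveconf -n` and confirm that exactly one passdb block carries `master = yes` and that its `args` differs from every other passdb.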

Re: Is multi factor authentication practical/feasible?

2022-07-02 Thread justina colmena ~biz
Guns are banned and there's a night guard with a Big Mag flashlight or a 
billy club walking the beat around the bank, kicking a homeless man who 
fell asleep on the sidewalk to tell him to wake up or your pocket's going to be 
picked clean by morning, because you've got too much money in your name for 
your own good anyways, if you've got any teeth left in your mouth or can 
afford the dentist's bill for that.


On Saturday, July 2, 2022 12:15:09 AM AKDT, Marc wrote:

I have a small client whose insurance company insists they
have MFA for their email to be covered under some kind of data
protection policy. Currently I have the client set up on a Debian box
for the email server coupled with roundcube for webmail. Most of the users
just use roundcube but some also use their mobile devices to check ...


The two factor became necessary for the big 'moron' companies 
who decided to start using email addresses as logins so it was 
easier to track people, because in that situation you only have 
to try commonly used passwords or passwords used at a different 
application.
If you stay with a username that is not published publicly, 
the commonly known password is still useless, since you do not 
have the username.
I think for a small organization you can push this 
implementation at the insurance company. Unless of course they 
do not think ios and windows are not secure enough to store your 
username ;)
Re: Is multi factor authentication practical/feasible?

2022-06-27 Thread justina colmena ~biz

I don't see why not.

Dovecot and Postfix are entirely configurable to connect to and use any 
desired authentication mechanism through certain basic interfaces.


The main problem I have experienced with MFA is a continual battle with 
extortion, "long cons," and thievery in law -- that the thieves are able to 
obtain one of the necessary factors for authentication -- a dongle or cell 
phone app or access to a cell phone number, or surveillance intelligence on 
calls or texts, whatnot -- whether by force or deception -- and then deny 
the targeted individual access to his or her own account.


Later on, after the victim has given up, the thieves are able to obtain the 
other factors for authentication, and then proceed to social-engineer a 
false account recovery using the victim's stolen I.D. -- and then they 
often as not falsely report the victim to gullible or complicit police 
forces as the thief.


If the victim cannot be successfully accused of theft in court, the 
"thieves in law" at work with inside help in government and law enforcement 
communities are able to cast identity theft as a mental illness akin to 
dissociative identity disorder -- to which the government offers nothing 
but a mental health "recovery" plan which does not include any actual 
recovery of the stolen assets in a person's name.


* https://www.identitytheft.gov/
* https://www.robodeidentidad.gov/

Casting identity theft as a mental health issue further enables thieves to 
take control of a victim's finances by possibly being appointed as 
guardians or payees in court. For the same reasons of legalized theft, 
extortion, and wrongful appropriation through state, local, military and 
federal court systems, individuals with similar names to known criminals 
are not allowed to hold significant assets in their names or possess 
firearms or obtain employment in sensitive positions in the United States.


* https://en.wikipedia.org/wiki/Thief_in_law

On Sunday, June 26, 2022 2:52:05 PM AKDT, Steve Dondley wrote:
I have a small client whose insurance company insists they have 
MFA for their email to be covered under some kind of data 
protection policy. Currently I have the client set up on a 
Debian box for the email server coupled with roundcube for 
webmail. Most of the users just use roundcube but some also use 
their mobile devices to check email. Maybe one person uses 
outlook. There’s about 5 to 10 users total. 

I know roundcube offers a MFA plugin. But I don’t have the 
foggiest idea how an iPhone, Android device, or Outlook could 
all be set up to work with MFA with a standard dovecot/postfix 
setup. Are there any practical solutions for easily implementing 
MFA that could work across multiple devices?
Re: [EXT] Re: Dovecot v2.3.19 released

2022-05-11 Thread justina colmena ~biz
So there's an "honest abe" -- with a "dv" attached to the name -- and it's time to 
change the locks on the doors -- because apparently a couple of girls at the 
bank are working overtime doing loans and repossessions online and something is 
being served at a local bar or pub and a SWAT team is being called out Friday 
night or very early Saturday with fabricated criminal charges on any "hackers" 
who happen to be posting here.

On May 11, 2022 1:43:39 PM AKDT, "A. Schulze"  wrote:
>
>
>Am 11.05.22 um 07:26 schrieb Michael Tokarev:
>>> You are using something like `libssl-dv` instead of libssl, hence me 
>>> asking. It does not appear to be using the stock libssl.
>
>Hello Aki & Michael
>
>I reviewed my build and indeed found a glitch. So: sorry for the noise.
>dovecot-2.3.19 can be built with Debian/11 + Debian/openssl-1.1.1n
>
>I'm also able to build with my own openssl-1.1.1 version.
>The error occurred because I tried to build with my own openssl-3.0.2 which 
>worked with dovecot-2.3.18
>But maybe this was unsupported anyway.
>
>Andreas
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: disabling namespace in special-userdb on dovecot 2.2

2022-04-21 Thread justina colmena ~biz
I have no idea what that's all about!

But my dovecot system keeps bogging down & a lot of my emails are disappearing 
and being eaten alive before I can read them ...

On April 20, 2022 4:01:38 AM AKDT, Marc  wrote:
>> 
>> Currently I have such special-userdb file
>> 
>> test:x:1:2:testaccount_descr:/home/users/testaccount:/bin/false:userdb_
>> mail=mbox:~/mbox:INBOX=/home/users/testaccount/inbox:INDEX=/home/users/testacco
>> unt/index
>> 
>> However I am still getting errors of a default configured namespace that 
>> still
>> seems to be active. Is there a way to disable this namespace or reconfigure
>> this in the userdb file? (When I was testing this on a dovecot 2.3 I did not
>> run into this)
>> 
>
>userdb_mail_debug=yes userdb_namespace/archives/disabled=yes

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: temporary block incoming messages to specific user

2022-04-20 Thread justina colmena ~biz
So the file "/var/mail/username" is a "system inbox" for the user, typically a 
flat file that will accept new mail no matter what as long as it isn't too 
large, which would indicate that the user's mailbox is full.

Some of the early text clients, mutt etc. would move any mail in the 
"/var/mail/username" inbox to a local inbox in "/home/username/Maildir" or 
"/home/username/mbox" as soon as it is seen or read from the system inbox.

Are you blocking the user from logging in, or do you just want incoming mail 
for that user to sit in the general queue until you have that person's account 
set up?

IMHO dovecot or other clients should ideally pick up any mail in the system 
inbox "/var/mail/username" and move it to a local maildir inbox in the user's 
home folder as expeditiously as possible for any further reading or sorting.

On April 20, 2022 4:39:24 AM AKDT, Marc  wrote:
>Is it possible to block incoming messages from being delivered to a specific 
>user in such a way that the MTA will try again later. I do not want these 
>messages to bounce. (eg while doing some manual maintenance on the user)?
>
>
>
>
>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [EXT] AW: AW: AW: invalid lz4 chunk size??

2022-03-16 Thread justina colmena ~biz
What's with the "AW: AW: AW:" business? It sounds for all the world like a guy 
outbid at the Sotheby's auction or something like that. There's got to be a lot 
of artwork online with that fancy lz4 compression algorithm.

On March 16, 2022 2:32:32 AM AKDT, Joachim Lindenberg  wrote:
>What might go wrong? Or should I copy the directory myself from remote? What 
>can go wrong with that?
>Thanks, Joachim
>
>-Ursprüngliche Nachricht-
>Von: Aki Tuomi  
>Gesendet: Wednesday, 16 March 2022 11:31
>An: Joachim Lindenberg 
>Betreff: Re: [EXT] AW: AW: AW: invalid lz4 chunk size??
>
>It might, I can't promise it =)
>
>Aki
>
>> On 16/03/2022 12:29 Joachim Lindenberg  wrote:
>> 
>>  
>> With remote I am referring to the second instance of mailcow including 
>> dovecot I am running, which has dovecot replication active. I am observing 
>> the issue on just one box. Thus I am hoping  that when I remove the user 
>> mail directory on one host, replication will restore it from remote. 
>> Thanks, Joachim
>> 
>> -Ursprüngliche Nachricht-
>> Von: Aki Tuomi 
>> Gesendet: Wednesday, 16 March 2022 11:17
>> An: Joachim Lindenberg ; dovecot@dovecot.org
>> Betreff: Re: AW: AW: invalid lz4 chunk size??
>> 
>> Not sure what "remote" you are talking about. You can remove the file, and 
>> dovecot will notice its absence and update its indexes if this is 
>> maildir++ format.
>> 
>> If this is sdbox, you need to run `doveadm force-resync -u user FolderName`.
>> 
>> Aki
>> 
>> > On 16/03/2022 12:08 Joachim Lindenberg  wrote:
>> > 
>> >  
>> > Hi Aki,
>> > sure I can delete (or rename) the file(s) in the mail directory. 
>> > Will sync then restore it from remote or should I do this manually? Should 
>> > I stop dovecot during the process?` I am not very familiar with dovecot 
>> > yet, as most of the complexity is hidden by mailcow.
>> > Thanks, Joachim
>> > 
>> > -Ursprüngliche Nachricht-
>> > Von: Aki Tuomi 
>> > Gesendet: Wednesday, 16 March 2022 08:38
>> > An: Joachim Lindenberg ; dovecot@dovecot.org
>> > Betreff: Re: AW: invalid lz4 chunk size??
>> > 
>> > Hi,
>> > 
>> > looks a lot like your mail file is corrupted. Not much you can do about it 
>> > other than maybe delete the file? You can try recover it with `doveadm 
>> > fetch -u someone text uid 1553 mailbox Sent` and then using `doveadm save 
>> > -u someone -m Sent` to store it back.
>> > 
>> > Aki
>> > 
>> > > On 16/03/2022 09:35 Joachim Lindenberg  wrote:
>> > > 
>> > >  
>> > > Nobody that can help?
>> > > Thanks,
>> > > Joachim
>> > > 
>> > > --
>> > > 
>> > > I am still experiencing the issue. Any suggestion?
>> > > As I do have replication between two nodes and only one is showing the 
>> > > issue - can I rename the mailbox easily on one side and rely on 
>> > > replication to get the copy replaced? If that makes sense, which 
>> > > commands do you recommend?
>> > > Thanks,
>> > > Joachim
>> > > 
>> > > -Ursprüngliche Nachricht-
>> > > Von: Joachim Lindenberg 
>> > > Gesendet: Thursday, 3 March 2022 12:06
>> > > An: 'Aki Tuomi' ; dovecot@dovecot.org
>> > > Betreff: AW: invalid lz4 chunk size??
>> > > 
>> > > dovecot --version reports 2.3.17.1 (476cd46418) Joachim
>> > > 
>> > > -Ursprüngliche Nachricht-
>> > > Von: Aki Tuomi 
>> > > Gesendet: Thursday, 3 March 2022 11:56
>> > > An: Joachim Lindenberg ; 
>> > > dovecot@dovecot.org
>> > > Betreff: Re: invalid lz4 chunk size??
>> > > 
>> > > 
>> > > > On 03/03/2022 12:24 Joachim Lindenberg  wrote:
>> > > > 
>> > > >  
>> > > > Hello,
>> > > > when accessing one mailbox via ActiveSync / SoGo / Dovecot I get the 
>> > > > following error repeatedly in dovecot log:
>> > > > imap(somemail...@example.org)<1579><***>: Error: Mailbox Sent: 
>> > > > UID=1553: read(compress()) failed: read() failed: lz4.read(): invalid 
>> > > > lz4 chunk size: 1601505441 at 16842752 (read reason=) I can still 
>> > > > access the mailbox via IMAP though.
>> > > > What can I do to resolve the issue?
>> > > > Thanks,
>> > > > Joachim
>> > > 
>> > > Which version of Dovecot?
>> > > 
>> > > Aki
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Build with MySQL -> libmysqlclient not found

2022-02-26 Thread justina colmena ~biz



On February 26, 2022 9:07:12 AM AKST, John Stoffel  wrote:
>Dimitri> My Dovecot version: 2.3.18
>Dimitri> My Mariadb version: 10.6.5
>Dimitri> My OS: Ubuntu 20.04
>
>Why aren't you just using the Ubuntu 20.04 packaged version instead?

That's the beauty of free and open source software. We want to know how it's 
compiled and exactly what it depends on. And if we can't do it ourselves, then 
a lot of us amateurs feel like it's getting a little bit too closed-source and 
corporate for our purposes, or somehow more complicated than it needs to be. In 
which case we're looking for an alternative or a fork of the project with a 
legal license.

>Also, did you install the headers for libmysqlclient properly as
>well?
>
>What does /test/core/mariadb/includes/ or
>/test/core/includes/... show?

These are probably very good questions or problem-solving suggestions for 
"Dimitri."

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Nasty Bug: Re: Index Corruption Problem with new VM Host - But Only With Replication Enabled

2022-02-20 Thread justina colmena ~biz
Something about this a little bit ominous.

There's a new type of "architecture" unrolling with a certain flavor, and it is 
becoming, by and by, irremediably complex. I'm not really sure where the 
stopping or turning point is, or perhaps there are other "tools" for memory 
leak detection and static code analysis that could in theory help find bugs 
like this.

Assuming the bug is in Dovecot and not in the Linux kernel or the underlying 
KVM virtualization container.

I was using a KVM that got hacked, and I'm having better luck with CentOS on 
OpenVZ at the provider on a very small scale system, but certain critical 
security bits and pieces are going missing in action.

On February 20, 2022 8:39:13 PM AKST, Reuben Farrelly  wrote:
>Following up to my original mail:
>
>On 18/02/2022 3:59 pm, Reuben Farrelly wrote:
>> Hi,
>>
>> I've recently migrated my two VMs across from Linode (who use KVM) 
>> onto a local VPS service (which also uses KVM).  Since doing so I have 
>> started to see some strange problems with Dovecot relating to indexes 
>> and replication.
>>
>> I have copied the configuration files across from old host to new 
>> host. The kernel is the same - as this is Gentoo everything was 
>> rebuilt and installed from fresh, but with the same options (use 
>> flags).  Even the Linux kernel is the same version with the exact same 
>> options (as is Dovecot).  The filesystem is the same EXT4 with the 
>> same options too.
>>
>No one responded from here (is anyone helping on this list anymore?) but 
>after many hours I found out the problem was to do with replication on 
>the far end host, and not anything to do with either the new VPS or the 
>existing dovecot or linux config.
>
>It turns out that if there is an existing Maildir/ in the user's 
>directory on the remote replica, the initial sync from the master 
>fails.  It may fail early on in the sync, or at the end of the initial 
>replication but either way it fails and the user ends up with a mailbox 
>in a half sync'd state.  Even if the remote Maildir is completely empty 
>as mine were, it fails - it is the mere presence of the Maildir/ 
>directory on the remote that breaks the sync. Typically new users have a new 
>and empty Maildir (copied from /etc/skel) so it fails for them by default.
>
>Once I deleted the Maildir/ from the remote user's home directory and 
>the entire contents of a half replica, then dovecot created a new 
>Maildir and everything was able to sync through on all users to completion.
>
>To reproduce this: create a new user with an empty (Maildir/new 
>Maildir/cur and Maildir/tmp)  and then trigger the sync with debug 
>manually:       doveadm -v -D sync -u username -f tcp:imap2.reub.net:4814
>
>Here - with a completely empty and brand new Maildir/ on both master and 
>remote replica we can see it already fails:
>
>tornado ~ # doveadm -v -D sync -u testuser -f tcp:imap2.reub.net:4814
>Debug: Loading modules from directory: /usr/lib64/dovecot/doveadm
>Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so: undefined 
>symbol: acl_user_module (this is usually intentional, so just ignore 
>this message)
>Debug: Skipping module doveadm_quota_plugin, because dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so: undefined 
>symbol: quota_user_module (this is usually intentional, so just ignore 
>this message)
>Debug: Module loaded: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_sieve_plugin.so
>Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so: undefined 
>symbol: fts_user_get_language_list (this is usually intentional, so just 
>ignore this message)
>Debug: Skipping module doveadm_mail_crypt_plugin, because dlopen() 
>failed: /usr/lib64/dovecot/doveadm/libdoveadm_mail_crypt_plugin.so: 
>undefined symbol: mail_crypt_box_get_pvt_digests (this is usually 
>intentional, so just ignore this message)
>Feb 21 16:31:51 Debug: Loading modules from directory: /usr/lib64/dovecot
>Feb 21 16:31:51 Debug: Module loaded: 
>/usr/lib64/dovecot/lib15_notify_plugin.so
>Feb 21 16:31:51 Debug: Module loaded: 
>/usr/lib64/dovecot/lib20_replication_plugin.so
>Feb 21 16:31:51 Debug: Loading modules from directory: 
>/usr/lib64/dovecot/doveadm
>Feb 21 16:31:51 Debug: Skipping module doveadm_acl_plugin, because 
>dlopen() failed: /usr/lib64/dovecot/doveadm/lib10_doveadm_acl_plugin.so: 
>undefined symbol: acl_user_module (this is usually intentional, so just 
>ignore this message)
>Feb 21 16:31:51 Debug: Skipping module doveadm_quota_plugin, because 
>dlopen() failed: 
>/usr/lib64/dovecot/doveadm/lib10_doveadm_quota_plugin.so: undefined 
>symbol: quota_user_module (this is usually intentional, so just ignore 
>this message)
>Feb 21 16:31:51 Debug: Skipping module doveadm_fts_plugin, because 
>dlopen() failed: /usr/lib64/dovecot/doveadm/lib20_doveadm_fts_plugin.so: 
>undefined symbol: 

Re: Unable to connect from macOS mail client

2022-02-19 Thread justina colmena ~biz
So presumably the entire contents of the ssl public and/or private key could be 
included verbatim in the configuration file without the "<" input pipeline 
redirection symbol.

On February 19, 2022 5:25:15 AM AKST, Bernardo Reino  wrote:
>On Sat, 19 Feb 2022, necktwi wrote:
>
>> After adding “<“ before ssl_ca file path, macOS mail client complained no 
>> more. Why do we need “<“ before file paths? — Necktwi
>
>Because the manual says so? :)
>
>"The < is mandatory. It indicates that the variable should contain contents of 
>the file, instead of the file name. Not using it will cause an error."
>(https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/)
>
>Or is it a rhetorical question?
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread justina colmena ~biz
Google's corporate web page, Alphabet, Inc., is on the ".xyz" top level domain.

* https://abc.xyz/

I suppose Sergey Brin is Russian as well, so what have you there?

Perhaps you have inadvertently confused ".xyz" with the ".xxx" TLD. The popular 
grade school acronym for "eXamine Your Zipper" is obviously not commercially 
desirable for the same purposes, although I cannot vouch for particular 
instances.


On February 12, 2022 5:51:12 AM AKST, Marc  wrote:
>
>
>> 
>>   (sorry for posting to list this, but I don't have any ways to contact
>> Marc off-list now)
>> 
>> >>
>> >>Problem is, I need to unpack each of them to be sure, that these are
>> >> false positives and I'm afraid, that it could lower reputation of my
>> mail
>> >> server IP address with major providers (like Google Mail).
>> >>
>> >
>> > How can you get a lower reputation? Afaik dmarc is just signing your
>> outgoing messages.
>>   Marc, my domain already has problems sending mail to you, for example:
>> 
>> : host spam1.roosit.eu[212.26.193.45] said: 553
>> 5.3.0
>>  550We have blocked this toplevel because of spam. Use another
>> toplevel
>>  until the maintainer has resolved these issues (in reply to MAIL FROM
>>  command)
>> 
>> --
>
>.ru is not blocked. The connect is originating from a .xyz host.
>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread justina colmena ~biz
The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious 
and honest for what it is, unless that's part of Biden's sanctions, the others 
you mention look like vice domains, but looking at GitHub:

* https://github.com/dovecot

There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not 
heard of recent hostility between Finland and Russia, notwithstanding the 
Ukraine situation. Your mail client is all configured in Swedish, but Sweden & 
Finland are not officially part of NATO, AFAIK, and Sweden has its own currency 
whereas Finland did give up the markka in exchange for the Euro some 20-odd 
years ago I don't recall.


On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen  wrote:
>That's a TLD ban. Meaning *.ru is banned.
>
>same applies for my domain for example, I ban *.xyz, *.date and a few others.
>
>-Ursprungligt meddelande-
>Från: dovecot-boun...@dovecot.org  För Lev 
>Serebryakov
>Skickat: den 12 februari 2022 12:08
>Till: dovecot@dovecot.org
>Ämne: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
>
>On 11.02.2022 16:31, Marc wrote:
>
>  (sorry for posting to list this, but I don't have any ways to contact Marc 
> off-list now)
>
>>>
>>>Problem is, I need to unpack each of them to be sure, that these 
>>> are false positives and I'm afraid, that it could lower reputation of 
>>> my mail server IP address with major providers (like Google Mail).
>>>
>> 
>> How can you get a lower reputation? Afaik dmarc is just signing your 
>> outgoing messages.
>  Marc, my domain already has problems sending mail to you, for example:
>
>: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
> 550We have blocked this toplevel because of spam. Use another toplevel
> until the maintainer has resolved these issues (in reply to MAIL FROM
> command)
>
>--
>// Black Lion AKA Lev Serebryakov
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread justina colmena ~biz
Google, Yahoo and Microsoft, the big providers all use ARC, and have used it 
for years. But Wikipedia doesn't have much nice to say about it.

--> allows a receiving service to validate an email when the email's SPF and 
DKIM records are rendered invalid by an intermediate server's processing. ARC 
is defined in RFC 8617, published in July 2019, as "Experimental".

It sounds like a Microsoft/Google/corporate standard, not IETF. I do seem to 
have trouble communicating with insurance companies' email systems in 
particular when I'm not using ARC on my email system, but outside the insurance 
industry -- and I'm making an educated guess that they are the main sticklers 
-- it doesn't seem to be a problem if SPF, DKIM, and DMARC are all working.


On February 9, 2022 6:16:19 AM AKST, Benny Pedersen  wrote:
>On 2022-02-09 14:33, Aki Tuomi wrote:
>> We did that replacement for a while, but people complained. We have
>> ARC signing there, unfortunately it only works if you trust it.
>
>ARC-Authentication-Results: i=1; talvi.dovecot.org;
>  dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq;
>  dmarc=pass (policy=reject) header.from=open-xchange.com;
>  spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com 
>designates
>  87.191.57.183 as permitted sender) 
>smtp.mailfrom=aki.tu...@open-xchange.com
>
>X-Spam-Status: No, score=-6.4 required=5.0 
>tests=AWL,DKIM_INVALID,DKIM_SIGNED,
>   HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL,
>   MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W,
>   RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
>   T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
>
>seems it breaks :/

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread justina colmena ~biz



On February 4, 2022 11:56:53 AM AKST, Lev Serebryakov  
wrote:
>  After that I've got several DMARC reports about "spam" from my domain. All 
> these reports are about my mailing list post.
>
Interesting. That's exactly how DMARC is supposed to work with reporting 
enabled. So you've got that set up correctly at any rate!

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


RE: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
You shouldn't need a root in the full chain, because the client already has to 
have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak  wrote:
>Justina,
>
> 
>
>The vendor I have, which is having the difficulty is still saying he gets a 
>self-signed cert… but as I showed in my last email after I added Intermediate 
>to the certificate, everything was ok.
>
> 
>
>So ServerCert, Intermediate, Root in same file should solve this?
>
> 
>
>Wayne
>
>From: dovecot  On Behalf Of justina colmena ~biz
>Sent: Tuesday, February 8, 2022 2:44 PM
>To: dovecot@dovecot.org
>Subject: Re: Certificate and showing a sign-cert not there
>
> 
>
>In general:
>
>Lots of mail servers out in the wild do not require TLS or even bother 
>verifying TLS certificates when connecting to a remote server on port 25.
>
>However, desktop and mobile email *clients* tend to be much stricter about 
>verifying server certificates when connecting via SSL or TLS, mainly to 
>protect user passwords.
>
>Sometimes the server certificate needs to be presented with a "full chain" 
>appended to it for verification. That has been an issue before when I've used 
>some certs, particularly StartSSL before Letsencrypt started offering free 
>certs.
>
>On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:
>
>Hi –
>
> 
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> 
>
>I have a multi-signed cert from Entrust.
>
> 
>
>The cert works fine on port 25.
>
> 
>
>However, on Port 587 I get an error: c
>
> 
>
>[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername 
>mcq.sbanetweb.com
>
>CONNECTED(0003)
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify error:num=20:unable to get local issuer certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify error:num=21:unable to verify the first certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>verify return:1
>
>---
>
>Certificate chain
>
>0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = 
>mcq.sbanetweb.com
>
>   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms 
>   , OU = "(c) 2012 Entrust, Inc. - for 
>   authorized use only", CN = Entrust Certification Authority - L1K
>
> 
>
> 
>
>[root@mcq wbs]# dovecot -n
>
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
>
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
>
># Hostname: mcq.sbanetweb.com
>
>auth_mechanisms = plain login
>
>disable_plaintext_auth = no
>
>mbox_write_locks = fcntl
>
>namespace inbox {
>
>  inbox = yes
>
>  location =
>
>  mailbox Drafts {
>
>special_use = \Drafts
>
>  }
>
>  mailbox Junk {
>
>special_use = \Junk
>
>  }
>
>  mailbox Sent {
>
>special_use = \Sent
>
>  }
>
>  mailbox "Sent Messages" {
>
>special_use = \Sent
>
>  }
>
>  mailbox Trash {
>
>special_use = \Trash
>
>  }
>
>  prefix =
>
>}
>
>passdb {
>
>  driver = pam
>
>}
>
>protocols = imap
>
>service auth {
>
>  unix_listener /var/spool/postfix/private/auth {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>  unix_listener auth-userdb {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>}
>
>service imap-login {
>
>  inet_listener imap {
>
>port = 143
>
>  }
>
>  inet_listener imaps {
>
>port = 993
>
>ssl = yes
>
>  }
>
>}
>
>service submission-login {
>
>  inet_listener submission {
>
>port = 587
>
>  }
>
>}
>
>ssl = required
>
>ssl_cert = 
>ssl_cipher_list = 
>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-S

Re: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
In general:

Lots of mail servers out in the wild do not require TLS or even bother 
verifying TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about 
verifying server certificates when connecting via SSL or TLS, mainly to protect 
user passwords.

Sometimes the server certificate needs to be presented with a "full chain" 
appended to it for verification. That has been an issue before when I've used 
some certs, particularly StartSSL before Letsencrypt started offering free 
certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak  wrote:
>Hi -
>
> 
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> 
>
>I have a multi-signed cert from Entrust.
>
> 
>
>The cert works fine on port 25.
>
> 
>
>However, on Port 587 I get an error: c
>
> 
>
>[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername
>mcq.sbanetweb.com
>
>CONNECTED(0003)
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify error:num=20:unable to get local issuer certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify error:num=21:unable to verify the first certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>verify return:1
>
>---
>
>Certificate chain
>
>0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
>mcq.sbanetweb.com
>
>   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms
> , OU = "(c) 2012 Entrust, Inc. - for
>authorized use only", CN = Entrust Certification Authority - L1K
>
> 
>
> 
>
>[root@mcq wbs]# dovecot -n
>
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
>
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
>
># Hostname: mcq.sbanetweb.com
>
>auth_mechanisms = plain login
>
>disable_plaintext_auth = no
>
>mbox_write_locks = fcntl
>
>namespace inbox {
>
>  inbox = yes
>
>  location =
>
>  mailbox Drafts {
>
>special_use = \Drafts
>
>  }
>
>  mailbox Junk {
>
>special_use = \Junk
>
>  }
>
>  mailbox Sent {
>
>special_use = \Sent
>
>  }
>
>  mailbox "Sent Messages" {
>
>special_use = \Sent
>
>  }
>
>  mailbox Trash {
>
>special_use = \Trash
>
>  }
>
>  prefix =
>
>}
>
>passdb {
>
>  driver = pam
>
>}
>
>protocols = imap
>
>service auth {
>
>  unix_listener /var/spool/postfix/private/auth {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>  unix_listener auth-userdb {
>
>group = postfix
>
>mode = 0666
>
>user = postfix
>
>  }
>
>}
>
>service imap-login {
>
>  inet_listener imap {
>
>port = 143
>
>  }
>
>  inet_listener imaps {
>
>port = 993
>
>ssl = yes
>
>  }
>
>}
>
>service submission-login {
>
>  inet_listener submission {
>
>port = 587
>
>  }
>
>}
>
>ssl = required
>
>ssl_cert = 
>ssl_cipher_list =
>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-G
>CM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AE
>S128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA25
>6:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-
>ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES1
>28-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE
>-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES12
>8-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNUL
>L:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-D
>ES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>ssl_client_ca_dir = /etc/postfix/tls/
>
>ssl_client_ca_file = ChainBundle.pem
>
>ssl_dh = # hidden, use -P to show it
>
>ssl_key = # hidden, use -P to show it
>
>ssl_prefer_server_ciphers = yes
>
>userdb {
>
>  driver = passwd
>
>}
>
>protocol imap {
>
>  mail_max_userip_connections = 15
>
>}
>
> 
>
>Any ideas?
>
> 
>
>Wayne Spivak
>
>SBANETWEB.com
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Password Mismatch when connecting from Email Client

2022-02-04 Thread justina colmena ~biz
That is a test user on a private network. Not publicly accessible at all.

Anyways, I have had the best luck on dovecot and postfix with the unix/linux 
utility "pass" to generate fairly long alphanumeric-only passwords as I have 
found that any special characters in passwords are ending up garbled or 
misinterpreted when I attempt to log in to dovecot on IMAP or POP.

On February 4, 2022 7:37:54 AM AKST, Benny Pedersen  wrote:
>On 2022-02-04 17:17, Dr Francis Greaves wrote:
>
>> Any help much appreciated.
>
>what is stored in mysql on the password field ?
>
>you dont need to expose passwords in maillists 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: silly quesiton [ot]

2022-01-31 Thread justina colmena ~biz
I see. People make money outsourcing, consulting, and hooking up companies with 
the best solutions for email, office collaboration, CRM, etc., etc., which is 
great, but I didn't quite realize that it looks like a paid offering on the table 
and this isn't the right list to discuss potential free market competition...

On January 31, 2022 12:45:48 AM AKST, Aki Tuomi  
wrote:
>
>> On 31/01/2022 10:36 Marc  wrote:
>> 
>>  
>> > 
>> > Just ideas.
>> 
>> Maybe an idea to participate on a Microsoft forum? They like to use db's for 
>> email, and they are removing everything what is nice in order to push people 
>> into their cloud. So lots to change for the better there. 
>> 
>> It's so crappy that I recently wrote Bill Gates that he should not whine so 
>> much about the environment, because if he used only half of his profits to 
>> optimize code/designs in ms products, this would result in a significant 
>> reduction in energy use. Think of what global effect that has.
>> 
>> FYI T-mobile (and the commercial version of dovecot?) is working on storing 
>> emails in object storage, that is the future.
>
>Commercial Dovecot has had the ability to store mails & indexes in Object 
>Storage for years now, we are not "working on it" anymore.
>
>Aki

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: silly quesiton [ot]

2022-01-30 Thread justina colmena ~biz
Just ideas.

Removing or deleting a single message from near the beginning of a large flat 
file takes an inordinate amount of time because the remainder of the flat file 
has to be rewritten all the way from the point of the deleted message to the 
end of the file and then truncated.

On January 30, 2022 6:30:44 PM AKST, Sam Kuper  wrote:
>On Sun, Jan 30, 2022 at 06:17:49PM -0900, justina colmena ~biz wrote:
>> On January 30, 2022 5:46:53 PM AKST, dove...@ptld.com wrote:
>>> Storing mail in a db... at the end of the day isn't it still just a
>>> file (.db file) on the drive?
>>>
>>> Aren't you just adding bloat and complexity vs just storing the mail
>>> directly (maildir format) to a file on the drive? [...]
>>
>> You'll get better indexing and fast full text search by storing your
>> emails in a database rather than a flat file, hopefully after decoding
>> any attachments. Especially for spam scoring, analysis, and
>> classification. Much better performance deleting or moving specific
>> messages, too.
>
>Do you have evidence to back up these claims, specifically re: mail
>servers?
>
>Like-for-like benchmarks, for instance?
>
>Thanks,
>
>Sam
>
>-- 
>A: When it messes up the order in which people normally read text.
>Q: When is top-posting a bad thing?
>
>()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
>/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: silly quesiton [ot]

2022-01-30 Thread justina colmena ~biz
You'll get better indexing and fast full text search by storing your emails in 
a database rather than a flat file, hopefully after decoding any attachments. 
Especially for spam scoring, analysis, and classification. Much better 
performance deleting or moving specific messages, too.

On January 30, 2022 5:46:53 PM AKST, dove...@ptld.com wrote:
>Storing mail in a db... at the end of the day isn't it still just a file (.db 
>file) on the drive?
>Aren't you just adding bloat and complexity vs just storing the mail directly 
>(maildir format) to a file on the drive?
>
>What do you think you are saving? Security?
>If someone can read files on your server, they can equally read a maildir or a 
>.db file.
>K.I.S.S.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Non-unique Message ID in mail messages

2022-01-28 Thread justina colmena ~biz



On January 27, 2022 6:17:05 AM AKST, "Daniel Ryšlink" 
 wrote:
>
>RFC 5322 clearly states that mail messages SHOULD contain a Message ID 
>identifier, but if they do contain it, it MUST be globally unique.
>
That's nice polite behavior, all right, but the enforcement of it is another 
matter entirely. Slap a tracking label with a barcode on a piece of mail, and 
the mail truck is taking off from the loading dock at the post office with the 
door wide open being rear-ended by the cop car with a federal warrant and a 
razor-sharp military letter opener in his hand. Oh yeah, I almost forgot I've 
got a flat tire and I discovered my brake hose was apparently slit wide open, 
and my att0rney says I'm facing additional charges since they had a lawful 
warrant to take all that action against me on my account. /sarcasm

>Despite this requirement, I have encountered senders (namely Spamcop) 
>that sends obviously different (albeit related) messages called "Alert" 
>and "Summary" (they are always related to the same incident and have the 
>same Message ID). This creates all sorts of problems when processing 
>these mails, namely with users that have local forwards from one domain 
>to another (our mailserver hosts multiple domains), because for example 
>Dovecot refuses to forward the second message, flagging it as a duplicate.
>
>My question to you is - did you also encounter similar incorrect 
>(according to RFC standards) problem, and if so, is there a way to 
>persuade dovecot to perhaps determine the uniqueness of a message by 
>other means than just checking the message ID (i.e. look at other 
>identifiers, Subject, perhaps)? Because according to the log records, 
>Spamcop does not seem to be the only offender.
>
Thank you, that's a years-old bug, pet peeve and aggravation in several mailing 
systems not just Dovecot and you get my upvote for the question and complaint. 
We need to be nice, and deal respectfully but set our limits with people who 
aren't being so nice when they send emails.

>Thanks in advance for any reactions, and if I did something wrong by 
>writing this message, I apologize again in advance.
>
>If required, I can provide samples of the Spamcop messages.
>
I am hoping there are more and better solutions to this problem forthcoming.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: silly quesiton

2022-01-25 Thread justina colmena ~biz



On January 24, 2022 1:33:46 PM AKST, John Stoffel  wrote:
>steph> 1) How can I says sendmail to use the same passwd file ( with MD5) than 
>dovecot ?
>
>Ah... just saw this.  And I don't know how to configure sendmail for
>this.  I would suggest you look on the sendmail.org site for help.  

Too many professional bulk mailers on all those lists. I for one don't like the 
documentation runaround. There's a lot of stuff that's getting more complicated 
than it needs to be. I need SPF+DKIM+DMARC for basic spam control.

>steph> 2) Ideally, I would like to create virtual users for the same
>steph> mailbox  Is that possible ?

I have a setup like that myself. Nothing to do with Dovecot. It's entirely up 
to postfix which mailbox to deliver incoming messages to, and the user's client 
to address outgoing mail with a proper ID.

>steph> like 2 files Users and PAsswrds pointing out the mailbox :
>steph> maildir :/home/mailbox/user1 ex : us...@foo.com  passwrd1 
>steph> /home/mailbox/generic_mails and user2 passwrd2 
>steph> home/mailbox/generic_mails
>
>I do this myself using postfix and dovecot and it works well.  I have
>my users defined in an sqlite3 DB, though for a small number of users
>I think a flat file is simpler.

The performance of flat files really bogs down my system and causes me to lose 
mails if too many arrive or if the file grows too large.

>The trick is to have the dovecot and postfix/sendmail using the same
>files for the virtual users and their passwords.  There are a number
>of tutorials out there for doing this.
>
>John

Without a doubt there are many useful tricks and tutorials out there. I have 
found several very helpful.

Maybe a future programming project idea: I want a system that will store all 
mail messages and user account info in, say, a postgresql transactional 
database, a little more manageable and reliable than ad hoc databasing with 
those flat files all over the place cluttering up the system.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Why would dovecot not be answering

2022-01-22 Thread justina colmena ~biz
Good question. This looks like a unix socket set up for dovecot to provide 
authentication services to postfix and anyways postfix would be listening on 
TCP port 587 for authenticated mail submission. Normally you do not want to 
offer any user authentication or login on port 25, but that is all set up and 
specified explicitly in /etc/postfix/main.cf and /etc/postfix/master.cf.

Of course you do need user authentication for dovecot itself to offer IMAP 
and/or POP services for users to fetch or read their email.

I can't really get on the postfix mailing list myself, or sort through all 
that volume. There's an unsolicited bulk email industry in control of 
everything.

On January 22, 2022 7:05:04 PM AKST, Ruben Safir  wrote:
>I am really lost as to why dovecot is not authenticating
>
>I have 
>
>smtpd_sasl_type = dovecot
>
>in main.cf
>
>and 
>
># Postfix smtp-auth
>unix_listener /var/spool/postfix/private/auth {
> mode = 0666
> user = postfix
> group = postfix
>}
>in /etc/dovecot/conf.d/10-master.conf
>
>
>I want it to authenticate on submission only
>
>Everything I read says this should do it, but I am up against a wall.  I
>have no debugging information or log at all to confirm what postfix is
>doing.
>
>
>-- 
>So many immigrant groups have swept through our town
>that Brooklyn, like Atlantis, reaches mythological
>proportions in the mind of the world - RI Safir 1998
>http://www.mrbrklyn.com 
>
>DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
>http://www.nylxs.com - Leadership Development in Free Software
>http://www2.mrbrklyn.com/resources - Unpublished Archive 
>http://www.coinhangout.com - coins!
>http://www.brooklyn-living.com 
>
>Being so tracked is for FARM ANIMALS and extermination camps, 
>but incompatible with living as a free human being. -RI Safir 2013
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Is Diffie-Hellman needed?

2022-01-13 Thread justina colmena ~biz



On January 12, 2022 4:22:00 PM AKST, Joseph Tam  wrote:
>
>   - perfect forward secrecy: the disclosure of a private
>   key will not compromise past traffic.  This is probably the
>   more compelling reason.
>
As to ECC vs. the "old fashioned" RSA paradigm based on the difficulty of 
factoring very large natural numbers --- that's a totally separate issue, 
irrelevant to that of choosing protocols that offer PFS over those that do not.

I'm "convinced" on no special considerations beyond elementary math that the 
product of two large randomly chosen prime numbers is darn near impossible to 
factor on modern computers. Scientists have tried and failed and assiduously 
documented their vain attempts at cracking the RSA challenge up to commonly 
used key size parameters.

The ECC business involves too many secret codes and ciphers coming out of a 
college fraternity or university dormitory, and it's not clear to me as an 
outsider what it offers beyond smoke-and-mirrors obfuscation and security by 
obscurity of the algorithm. The magic numbers and specially chosen curve 
parameters like "25519" offered as is without explanation are alarming to me as 
if someone is trying to pull the wool over my eyes with the fancy maths.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Is Diffie-Hellman needed?

2022-01-10 Thread justina colmena ~biz
I want better explanations of the maths.

If RSA and DSA algorithms based on standard arithmetic exponentiation modulo 
the product of two large primes are "deprecated" -- that means that there have 
been or are expected to be major mathematical and algorithmic advances in 
factoring large integers. The maths are easy for those algorithms, whereas the 
ECC algorithms are based on very advanced maths which aren't being explained 
satisfactorily to the general public, with $1,000,000 USD prizes still out for 
the so-called Birch and Swinnerton-Dyer conjecture and the Riemann Hypothesis, 
which might be more applicable to factoring the "semi-primes" of RSA/DSA/DH 
type algorithms.

On January 10, 2022 7:12:40 AM AKST, dove...@ptld.com wrote:
>And follow up question;
>
>The docs say you are encouraged to disable non-ECC DH algorithms completely.
>However i didn't see anything on that same page explaining how to go about 
>doing that.
>
>Can someone point me to something explaining what that means and how to go 
>about doing it?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Memory leaks in dovecot

2021-11-04 Thread justina colmena ~biz
Random bit-flipping due to aurora borealis from recent X1 class solar flares. 
Do expect soft errors, hard errors, some temporary and some permanent damage to 
computer hardware.

On November 4, 2021 6:41:36 AM AKDT, Joan Moreau  wrote:
>
>
>Hi
>
>Anyone can help on those memory leaks since 2.3.17 ?
>
>These came after adding the fts_mail_user_init(user, FALSE, ) and 
>fts_mail_user_deinit(user) function calls to avoid breaking due to 
>change in the API
>
>Thank you for help
>
>doveadm: Warning: Event 0x5563f3f2b740 leaked (parent=0x5563f3f2b330): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f2b330 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f4009ef0 leaked (parent=0x5563f3f4cf80): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f40096c0 leaked (parent=0x5563f3f4cf80): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f40092b0 leaked (parent=0x5563f3f4cf80): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3f4cf80 leaked (parent=0x5563f3f21f00): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f21f00 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3f2d080 leaked (parent=0x5563f3f234f0): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f3f2c820 leaked (parent=0x5563f3f234f0): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f3f2c300 leaked (parent=0x5563f3f234f0): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3f234f0 leaked (parent=0x5563f3f4e1d0): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f4e1d0 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3f24d20 leaked (parent=0x5563f3fd58b0): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f3f24620 leaked (parent=0x5563f3fd58b0): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f3f23e30 leaked (parent=0x5563f3fd58b0): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3fd58b0 leaked (parent=0x5563f3fd54a0): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3fd54a0 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3fd6df0 leaked (parent=0x5563f3fcc8a0): 
>mail-index.c:67
>doveadm: Warning: Event 0x5563f3fd65c0 leaked (parent=0x5563f3fcc8a0): 
>fs-api.c:32
>doveadm: Warning: Event 0x5563f3fd5dd0 leaked (parent=0x5563f3fcc8a0): 
>mail-storage.c:430
>doveadm: Warning: Event 0x5563f3fcc8a0 leaked (parent=0x5563f3f1c990): 
>mail-user.c:78
>doveadm: Warning: Event 0x5563f3f1c990 leaked (parent=(nil)): 
>mail-storage-service.c:1359
>doveadm: Warning: Event 0x5563f3f16a20 leaked (parent=0x5563f3fbb710): 
>mail-index.c:67
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Design Check

2021-10-27 Thread justina colmena ~biz
Interesting. Have you looked at this?

https://serverfault.com/questions/133190/host-wildcard-subdomains-using-postfix

[People have too much "flair" and rep points and I can't participate in those 
stackexchange discussions or ask or answer like I used to.]

On October 27, 2021 3:15:01 PM AKDT, dove...@ptld.com wrote:
>> I think your approach would work, however, if I set
>> up aliases similar to:
>> 
>> @barbaz.mydomain.com -> bar...@mydomain.com.
>> 
>> I believe I can do that in postfix with some regex magic.
>
>Yes, that would work perfectly without any regex.
>You just point the catchall alias to the "user".
>@barbaz.mydomain.com -> bar...@mydomain.com
>
>
>
>> one stumbling block could be that we don't
>> know the various subdomains ahead of time.
>> 
>> The subdomain can be any value that the user
>> wants, and we don't want them to have to
>> precreate them before they can use an address
>
>Best to my knowledge this is not possible with postfix. But ask the 
>postfix mailing list to get a definitive answer. In postfix you have to 
>tell it the domains it accepts mail for, anything else it considers 
>relaying. Otherwise how does postfix know that email is meant to be 
>saved here or it is just passing through and you want postfix to query 
>DNS to find out where it goes (if relaying is even allowed).
>
>
>
>> The purpose of the system is that users can create disposable/temporary 
>> email addresses for various testing jobs.
>
>Are you aware of postfix recipient_delimiter? It allows for disposable / 
>wild card addresses. If enabled in postfix, you setup a mailbox user 
>like bar...@mydomain.com and any address with that user and the 
>delimiter would still get delivered to that user.
>
>bar...@mydomain.com -> bar...@mydomain.com
>barbaz+randomt...@mydomain.com -> bar...@mydomain.com
>barbaz+te...@mydomain.com -> bar...@mydomain.com
>
>You can change the + to any symbol you want postfix to look out for.
>
>
>
>> I think my "creating users" was me wanting to make sure that when 
>> postfix
>> passes an email for "bar...@mydomain.com" to Dovecot, then Dovecot will 
>> store it and wait for
>> someone to come along and impersonate barbaz. i.e. "barbaz" doesn't 
>> have to exist as a user
>> already before Dovecot will store the mail.
>
>If you are using LMTP dovecot will only accept emails from postfix that 
>it can lookup the /directory/path to from one of the userdb{} or 
>passdb{} sections. If dovecot can not find a match in any of the 
>userdb{} or passdb{} it will reject the email as user unknown causing 
>postfix to send a undeliverable notice email back to the envelope sender 
>address, also known as back-scatter. I am not aware of a way to use 
>wildcard addresses in dovecot userdb{}, i don't think its possible but i 
>don't know what i don't know.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Disable authentication for submission service

2021-07-28 Thread justina colmena ~biz
Thank you for the pointers. People say RTFM, as if that's rude, but it's good 
to know, especially if there is documentation of ongoing development or a "road 
map" for future work.

On July 28, 2021 10:51:50 AM AKDT, Antonio Leding  wrote:
>Making no assertions\judgements as to the goal or intended path to get 
>there…just helping with the original question…
>
>Based on the submission server link below, it appears you will need to 
>use the same auth mechanisms for submission as you do for imap\pop.  So

Good enough reason to integrate MSA (Mail Submission Agent) capabilities into 
the MUA (Mail User Agent).

Suggestion box: This should be able (in the future) to handle "tricks" like 
archiving sent messages alongside received messages or simply copying sent 
messages into an IMAP sent folder on the server. 

>https://doc.dovecot.org/admin_manual/submission_server/
>https://doc.dovecot.org/configuration_manual/authentication/
>

This is all quite new then and under active development.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Disable authentication for submission service

2021-07-28 Thread justina colmena ~biz
I am quite curious about the circumstances of this question. I was not aware 
that Dovecot actually offered mail submission service. If Dovecot does offer 
such a service, then it will have to relay the submitted mail to the real MTA, 
which is very likely not Dovecot. At the moment I have Postfix set up as MTA 
for that purpose —

Relaying on port 25 is usually quick and easy to whitelist for certain 
permitted hosts, but otherwise port 587, optionally with STARTTLS, and/or port 
465 with SSL/TLS is generally set up for user authenticated mail submissions.

See also:
https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/



On July 28, 2021 6:10:28 AM AKDT, Dan Conway  wrote:
>Hello,
>
>Is it possible to disable the requirement for authentication on the 
>submission service? I'm trying to require authentication for all,
>except 
>for a handful of IP addresses.
>
>Thank you.
>
>
>ehlo test.com
>250-aaa
>250-AUTH PLAIN LOGIN
>250-BURL imap
>250-CHUNKING
>250-DSN
>250-ENHANCEDSTATUSCODES
>250-SIZE
>250 PIPELINING
>MAIL FROM:
>530 5.7.0 Authentication required.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: 2FA/MFA with IMAP & postfix/submission

2021-07-15 Thread justina colmena ~biz
I think it's only 12 steps. There are people who need to sober up

On July 15, 2021 8:54:16 AM AKDT, Sebastian  wrote:
>The thing is, that people must stop expecting "being able to access
>mail whenever you are" without extra steps.
>
>Best solution is to offer a webmail with TOTP or SQRL or similar
>secure auth method.
>
>Then have that webmail adds IP or country into trusted list, so if you
>want to access IMAP mail or SMTP mail from hotel wifi, you have to
>simply do one single login to webmail, and then your IMAP/SMTP will
>work as usual.
>
>The problem with certificates, is as I said, not many clients support
>them. Outlook support them natively, I don't know if Windows Mail
>support them, and I don't know if Samsung Mail do support them (maybe
>they do support client certificates in Enterprise mode, but then you
>need a license for that), K9 mail I know support them, other built-in
>email clients I don't know if they support client certificates.
>
>The solution I have on my email is a OpenVPN connection to my server,
>which is protected. My phone has a 24/7 connection to that VPN server,
>and thus im able to lock out all logins outside from VPN.
>
>-Ursprungligt meddelande-
>Från: dovecot-boun...@dovecot.org  För
>@lbutlr
>Skickat: den 15 juli 2021 18:37
>Till: dovecot mailing list 
>Ämne: Re: 2FA/MFA with IMAP & postfix/submission
>
>On 2021 Jul 15, at 08:52, Alex  wrote:
>> Client certs appears to be a good solution.
>
>A solution, certainly. A GOOD solution? Not really.
>
>> What's the process for managing them with more than a hundred client
>accounts?
>
>And that's the first issue.
>
>The second issue is "my primary device is not available, I need to
>login from this other computer or use my phone which is unsuitable for
>this task. Too bad I have no choice but to use the phone because this
>computer doesn’t have the cert."
>
>And then you have the "now that I've installed this cert, this
>computer is considered trusted" which is another issue.
>
>2FA is a lot more flexible and robust.
>
>OATH works well. SQRL looks promising though it requires a web UI to
>do the authentication (and SQRL does away with passwords as well).
>
>> I believe the problem they are trying to solve is hacked accounts
>from
>> compromised passwords. Does client certs solve that problem?
>
>Maybe. Depends on if the hacker can get access to the user's machine or
>not.
>
>> Perhaps there are dovecot (and postfix submission) options to at
>least
>> restrict access by IP?
>
>It is certainly possible in Postfix, but that opens up its own issues.
>It may be acceptable in some corporate environs, but in most situations
>being able to access your email wherever you are is a requirement.
>
>-- 
>The wages of sin is death, but so is the salary of virtue, and at
>   least the evil get to go home early on Fridays. --Witches Abroad

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: TLS Security

2021-07-14 Thread justina colmena ~biz
Interesting.

Assuming your "Kali" tools are in fact up to date to test with newer protocols 
TLS1.2+, is Dovecot compiled against a recent version of the OpenSSL or GnuTLS 
library or whatever it uses to support the newer TLS protocols?

Definitely an outdated cipher issue, on Postfix as well as Dovecot.


On July 14, 2021 6:55:19 AM AKDT, Stefan Schumacher 
 wrote:
>Hi,
>
>
>I wish to build a new secure email server. It seems I am on the right
>way – at least I get no more error messages for Postfix – but Dovecot
>is still making trouble.
>
>
>I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to
>do the rough configuring and nano and what's left of my brain to do the
>finer details. Let's start with what I added to conf.d/10-ssl.conf
>
>
>ssl_cert = 
>ssl_key = 
>
>ssl_cipher_list =
>EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$
>
>ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>
>ssl_min_protocol = TLSv1.2
>
>
>As you can see, I clearly do not want to use TLS before v1.2. I think
>this is not unreasonable in the year 2021.
>
>
>Now, after the changes I ran Kali (I use it to verify the results of my
>experiments)
>
>and - this is a mailing list, so no screenshots:
>
>It says:
>
>
>SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the
>ports 143, 110, 993 and 995.
>
>
>I thought I had done everything one could to disable old TLS versions.
>What am I doing wrong?
>
>
>Yours sincerely
>
>Stefan Schumacher

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Major upgrade of mail server

2021-07-08 Thread justina colmena ~biz
It's generally a good thing to be reminded to upgrade. Regardless of whether or 
not a certain release is considered Long Term Service — if there are major 
unresolved problems with the platform or supported software that are not fixed 
— then it will be necessary and appropriate to upgrade as soon as the "nag" 
issue is fixed in the next release assuming other problems are not being 
introduced at the same time.

Otherwise if everything "works" and there are no major security issues, then 
it's not such a hurry, but plans should be made to upgrade in any case.

On July 8, 2021 5:46:25 AM AKDT, Oscar del Rio  wrote:
>On 2021-07-08 1:29 a.m., Plutocrat wrote:
>> First thing to note is that Ubuntu 18.04 is a Long Term Service 
>> release, and will be supported until 2023. So no matter how naggy 
>> Ubuntu is, you don't actually HAVE to upgrade at this point.



-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: disable pop3 ports?

2021-05-04 Thread justina colmena ~biz
On Tuesday, May 4, 2021 11:27:28 AM AKDT Dan Egli wrote:
> Aki, That's what I'm saying. The only place pop3 IS listed is in
> doveconf protocols. I'm going to try setting the ports to 0 and see if
> that does the trick.
> 
> And for those who keep mentioning the firewall, understand that I'm
> beyond security paranoid. Simply blocking at the firewall is not enough.
> I want to ensure that NO ONE is listening on that port, even if it's
> just localhost.

What in the world is going on here with POP3 on dovecot? I used to use POP3 on 
my desktop, and configure my desktop POP3 client to leave maybe 30 days' worth 
of email on the server accessible via IMAP to my mobile phone.

After that I could archive or delete / discard old email on my desktop at my 
leisure. Except since the last couple of upgrades to dovecot software, that is 
no longer possible, and the system crashes and I lose all my email whenever I 
try to use POP3 for anything.

I completely understand the tinfoil hat attitude with commercial spammers 
trying every trick in the book to take over private email servers and German 
Nazi cops doing the same to make criminal busts beating in doors with a 
battering ram, letting off flash-bang grenades, handcuffing suspects and 
"disappearing" them to top-secret detention centers -- (Does anyone remember 
Buchenwald, Auschwitz, Dachau?) -- without even so much as a case on the court 
docket, it's all for the safety and well-being of the children in the 
community, and no one in his right mind would even doubt that all the cops are 
on the right side of the law doing good works for humanity.

I don't want to say "compromise" -- no, there's got to be a very basic, simple 
"right way" to do it, and POP3 has to be made to work properly "by the book" 
somehow like it used to, and I don't have any better answers than anybody else 
either, because it's broke on my system, too.

signature.asc
Description: This is a digitally signed message part.


Re: Installation Question: Is a web server required ?

2021-04-29 Thread justina colmena ~biz
On Wednesday, April 28, 2021 9:41:17 PM AKDT @lbutlr wrote:
> On 28 Apr 2021, at 11:28, White, Daniel E. (GSFC-770.0)[NICS] 
 wrote:
> > only be accessed by POP3(s)/IMAP(s
> 
> There is no reason to support POP3 on a new mail service. IMAP is superior
> in every way, both for the user and for the server.
> 
> (There is nothing that POP3 can do that IMAP cannot duplicate, and many many
> MANY things that IMAP can do that POP3 cannot).

The astronaut guy says the POP3/IMAP setup should "just work," and as pissed 
off as I am at U.S. government bureaucracy and maybe I confuse NASA with 
another government agency NSA and government spooks demanding back door access 
to read my email over my shoulder, I happen to agree with the general 
sentiment.

POP3 is the better and more efficient protocol for clients who simply want to 
download email messages to their desktop once and for all so they don't need 
to keep accessing the server over and over again to read the same old 
messages.

IMAP is better for clients with multiple devices etc.

Professionals of any line of work who use email at work on the job and 
especially people on this list know that already.

signature.asc
Description: This is a digitally signed message part.


Re: CA certs for Dovecot-as-client (proxy)

2021-04-21 Thread justina colmena ~biz
On Wednesday, April 21, 2021 2:13:01 AM AKDT Aki Tuomi wrote:
> Hi!
> 
> This is unfortunately a bug, see note in
> https://doc.dovecot.org/configuration_manual/authentication/proxies/
> 
> "ssl_client_ca_dir or ssl_client_ca_file aren’t currently used for verifying
> the remote certificate, although ideally they will be in a future Dovecot
> version. For now you need to add the trusted remote certificates to
> ssl_ca."
> 
> Aki
FWIW, I always thought Aki was a man's name, but they're calling it a baby 
girl's name if you look it up on Google. You couldn't make this stuff up if 
you tried.
 * https://www.thebump.com/b/aki-baby-name
I don't like the Microsoft-dominated scene here any more than anyone else 
does. If a guy has to clear his throat in a court of law or something like 
that over every little bug or issue to have it fixed, then there's quite a mob 
of organized criminal spammers on the mailing list, and of course the law 
enforcement community is always on their side when they spam vice pills down 
our throats via e-mail.

signature.asc
Description: This is a digitally signed message part.


Re: How to prevent, or change priority, of dovecot's FAILed relay-submission to relay's IPv6 address, and submit ONLY/first to IPv4?

2021-04-09 Thread justina colmena ~biz
On Friday, April 9, 2021 5:19:20 AM AKDT PGNet Dev wrote:
> And it's a bad assumption that since the host is dual-stack that all
> services on it will be.

That's right. Email stuff that's supposed to work has to be crippled and 
disabled somehow so that it does not actually work as it is supposed to.

There's a knob to tweak to break someone's mailbox for a party prank, cut off 
a service if it isn't immediately obvious how it's affecting someone else's 
work, or screw something else up so it can't or doesn't work reliably, either.

signature.asc
Description: This is a digitally signed message part.


Re: Mass Stripping Attachments by Directory, Age, Size

2021-04-01 Thread justina colmena ~biz
Well ain't that rich? To use an allegory of sorts, we're going to have to start 
using staples rather than paperclips with our email attachments, and one 
unified digital signature on the whole message as sent rather than a separate 
signature for each enclosure as commonly "done" with PGP, GnuPG, etc.

On March 30, 2021 7:39:02 PM AKDT, Plutocrat  wrote:
>Still can't find the magic solution to this.
>
>- My PERL isn't good enough to re-purpose strip-attachments.pl so it
>works on individual emails.
>- ripmime works to extract attachments only
>- altermime looked good and would delete all attachments from a
>directory of emails. However it messed up the structure somehow so they
>wouldn't display in an email client (Thunderbird, Roundcube).
>- mimeDEFANG looked possible, but couldn't figure out how to use that
>as a standalone script.
>- PHP solutions including the promising
>https://github.com/php-mime-mail-parser/php-mime-mail-parser seem only
>to be able to save attachments from the email, not delete them.
>
>I'll keep going I guess. I can't believe I'm the only person in the
>world to want to do this though ...
>
>P.
>
>On 19/03/2021 07.31, Joseph Tam wrote:
>> On Thu, 18 Mar 2021, Plutocrat wrote:
>> 
>>> I've been looking around for a solution to this problem. I want to
>>> prune down the attachments on a server before a migration. Some of the
>>> emails are 7 years old and have 40Mb attachments, so this seems like a
>>> good opportunity to rationalize things. So perhaps I'd like to "Remove
>>> all attachments from emails older than 2 years, in the .Sent
>>> directory", or "Attachments over 10Mb anywhere in the mail tree"
>>>
>>> I've found the strip_attachments.pl script here
>>>
>>> which works fine on mbox (as tested on my local Thunderbird mboxes),
>>> but not on maildir which is on the dovecot server. My Perl isn't strong
>>> enough to re-purpose it.
>> 
>> If you have anything that works on mbox, it will probably work on
>> Maildir as each file can be considered a single message mbox.  You can
>> combine the script with
>> 
>>  find ~user/MailDir -type f ... -exec /path/to/mbox-strip {} \;
>> 
>> The ... can be replaced with more file tests (like minimum size or age
>> or only within */cur/) to cut down on processing.
>> 
>> I wrote a gawk script to slim down a multi-Gb Outlook mbox
>> for a user, but it wasn't really complicated, just matching for
>> /^Content-Transfer-Encoding:.*base64/i header (virtually all bulky data
>> will be encoded this way), buffering the base64 data part, then
>> outputting it if it was small, or deleting/replacing/extracting it
>> otherwise.
>> 
>> It was a one-off discarded tool but I can hunt for it if you're hard
>> up.
>> 
>>> I've looked at ripmime and mpack/munpack, and although they seem
>>> like useful tools to do the job of deconstructing the mail into its
>>> constituent parts, it doesn't seem to help in re-building the email. I
>>> think they could be used with a bit of study into mail MIME structure,
>>> and used with a helper script.
>>>
>>> So before I take a deep dive into scripting my own solution, I just
>>> wanted to check if anyone else on the list has been through this and
>>> has some resources or pointers they can share, or maybe even someone to
>>> tell me "Duh, you can do it with doveadm of course".
>> 
>> MIMEDefang may help.
>> 
>> Joseph Tam 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Question about doveadm altmove

2021-03-21 Thread justina colmena ~biz
On Sunday, March 21, 2021 12:16:28 PM AKDT María Arrea wrote:
> Hello.
>  
> We are running dovecot 2.3.13. Full doveconf -n output below
>  
> In 2.3.14 Changelog I found this:
>  
> * Remove XZ/LZMA write support. Read support will be removed in future
> release. 
> We are using mdbox + XZ/LZMA for alternate storage (messages older than 2
> weeks are moved to ALT storage via cron job), so we must convert from XZ to
> another thing (maybe zstd or bz2). 

Why can't you just pipe the output of "doveadm altmove" command through an 
external command to do the XZ/LZMA compression if dovecot no longer supports 
it internally?

From doveadm-altmove (1):
> This command can be used with sdbox or mdbox storage to move mails to
> alternative storage path when :ALT= is specified for the mail location.

And that's set in stone.

https://en.wikipedia.org/wiki/XZ_Utils

So what are the issues with xz? Security? Crashes or viruses on expanding 
invalid archives?

signature.asc
Description: This is a digitally signed message part.


Re: FW: imapsieve rules not matching at all?

2021-03-20 Thread Justina Colmena ~biz
I have not yet enabled imapsieve -- so far I have had fairly good luck avoiding 
spam simply by using SPF+DKIM+DMARC and enabling basic verification of incoming 
mail with opendkim and opendmarc.

Lately I have been reading some books on "fuzzy logic" and "fuzzy sets" with 
quite serious applications to artificial intelligence and neural networks that 
might be useful to classify "ham versus spam" based on actual content and 
context.

Spam versus ham is not the only sort of classification I would want to do on 
large volumes of email -- I might want to have separate folders to 
automatically classify incoming messages into separate categories for, say, 
friends-and-family, legal-related email, specific business interests, 
open-source-software or technical related email, mathematics, arts or crafts or 
literature or hobbies, etc.

This kind of stuff must be easily configurable -- per user -- by individual end 
users who are not experts in editing configuration files.

On March 19, 2021 11:38:19 PM AKDT, Aki Tuomi  
wrote:
>
>> On 20/03/2021 05:55 Gedalya  wrote:
>> 
>> 
>> On 3/20/21 7:37 AM, dove...@steve.wattlink.net wrote:
>> 
>> > plugin {
>> > imapsieve_mailbox1_before = file:/usr/local/etc/dovecot/sieve/report-spam.sieve
>> > imapsieve_mailbox1_causes = COPY APPEND
>> > imapsieve_mailbox1_name = Spam
>> > imapsieve_mailbox2_before = file:/usr/local/etc/dovecot/sieve/report-ham.sieve
>> > imapsieve_mailbox2_causes = COPY
>> > imapsieve_mailbox2_from = Spam
>> > imapsieve_mailbox2_name = *
>> > }
>> > - - - ->8 - - - -
>> > 
>> > I see that the static rule ought to have matched,
>> no!
>> 
>> > 
>> > 
>> > - - - - 8<- - - -
>> > Mar 19 16:21:48 mhv3 dovecot[47532]: imap(steve)<47541>: Debug: imapsieve: mailbox INBOX: APPEND event
>> > - - - ->8 - - - -
>> For INBOX (or * in your case) you only have COPY from Spam configured,
>> not APPEND.
>> APPENDing to Spam should trigger the relevant script though.
>> If you want to enable ham training by uploading a message to INBOX you
>> could add a third rule mentioning INBOX by name with APPEND as cause.
>> 
>>
>
>We provide this handy guide for teaching spam filters, see
>https://doc.dovecot.org/configuration_manual/howto/antispam_with_sieve/
>
>Aki

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Panic: file mdbox-map.c: line 1494 (mdbox_map_get_uid_validity): assertion failed: (map->view != NULL)

2021-03-11 Thread Justina Colmena ~biz
Is this a new zero-day denial-of-service attack or a new CVE being exploited? 
Dovecot suddenly started acting really strangely on my system lately. PAM 
authentication started failing randomly, so I reconfigured for shadow 
authentication instead, which works now, but messages I have received from 
other domains since about 11:00 am AKST today are "invisible" and not being 
synced in my inbox for some reason.

Something really, really bad is going on.

On March 11, 2021 10:22:18 AM AKST, Marc  wrote:
> 
> 
>Does this mean I have some problems with filesystem uid's? Currently I
>have only u=rwx, go is nothing.
> 
> 
> 
> dovecot-2.2.36-6.el7_8.1.x86_64

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Virtual users @ virtual domains / better documentation?

2021-03-09 Thread justina colmena ~biz
I have configured postfix so it will deliver mail to virtual mailboxes. For 
some reason, the mail is not delivered to the virtual mailboxes unless both 
$virtual_alias_domains and $virtual_alias_maps are left undefined: these 
directives are apparently for aliasing virtual users "@" virtual domains to 
"real" unix users on the local system.

--%%==
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
virtual_mailbox_domains = domain1.example.org domain2.example.com
virtual_transport = virtual
#virtual_alias_domains = domain1.example.org domain2.example.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
#virtual_alias_maps = hash:/etc/postfix/virtual
==%--

If the $virtual_alias_maps directive invalidates virtual mailboxes, then "the 
usual" aliases (postmaster@, etc.) for the virtual domains would have to be 
listed in /etc/aliases along with the non-virtual aliases, but this does not 
work either, and generates a warning when "newaliases" is run.

postalias: warning: /etc/aliases, line 99: name must be local

So as far as I can tell, no aliasing at all is available for 
"virtual_mailbox_domains" in postfix.

I am still unsure how to authenticate the virtual users on postfix. PAM 
authentication works fine for non-virtual users. The following command 
gives two options for authentication: cyrus-sasl and dovecot-sasl.

# postconf -a
cyrus
dovecot

Postfix also works with cyrus-sasl if the passwords are set in "/etc/sasldb2"
via the "saslpasswd2" command, but dovecot doesn't seem to work with
cyrus-sasl, and has its own type of sasl authentication.

I realize this is not a postfix list, so my real question here is, What do I 
need in order for dovecot to authenticate the virtual users and allow them to 
read their mail and obtain authorization to send mail via postfix on the same 
system?

signature.asc
Description: This is a digitally signed message part.


Re: Urgent Help required

2020-07-08 Thread Justina Colmena ~biz



On July 8, 2020 11:01:20 AM AKDT, Alexander Dalloz  wrote:
>Am 08.07.2020 um 20:28 schrieb Kishore Potnuru:
>> Thank you for the reply.
>> 
>> As per our current infrastructure, I can go maximum of the redhat 7.7
>> version. Not more than that. Am I able to install or upgrade to
>dovecot 2.3
>> version in redhat 7.7?

I am running Dovecot 2.2 "u" on CentOS from https://ius.io/. If there is a 
package there for 2.3, it should be possible to upgrade on either CentOS or 
RHEL.

I am still a little bit confused or concerned why mainstream packages seem to 
be lagging so far behind on CentOS and RHEL since the sudden acquisition or 
hostile corporate takeover of Red Hat by IBM.

Possibly a corporate labor-union work slowdown.  IBM is too big, too blue, and 
too politically correct. Something is a little bit off. Too many echoes in the 
hallways.

/Sorry for the rant.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


POP3Deleted flag issues

2020-06-29 Thread Justina Colmena ~biz
Hello,

I have been running my own mail server with Dovecot, Postfix, and Cyrus-SASL 
for authentication.

= dovecot22u.x86_64 1:2.2.36.4-1.el7.ius @ius

I am basically trying to tune the system for better performance. The flat files 
"/var/mail/justina" etc exhibit locking issues and conflicts when fetching mail 
at the same time new mail is being delivered by Postfix. Other mail is stored 
in "Maildir" type folders accessible via IMAP. These exhibit better performance 
with finer grained locking.

There's an "idea" that was posted to the list 7 years ago; it shows up top rank 
on Google.

https://dovecot.org/pipermail/dovecot/2013-May/090114.html

I fear either an incomplete implementation of the feature or "here-be-dragons" 
code that may or may not be completely documented.

I would like all the "$POP3Deleted" mail to be moved to an "Archive" Maildir 
folder accessible via IMAP. How do I accomplish this?
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.