Re: log failed plaintext password for specific user only
Hi, Thank you both for the additional suggestions! MJ
Re: log failed plaintext password for specific user only
On 23-03-2022 at 12:29 Aki Tuomi wrote:
1. Try hashing possible password candidates and compare.
2. Temporarily log everyone's passwords and then sanitize logs after you're done.
No way to enable that option for a single user.

Thank you! I will follow your advice.
Re: log failed plaintext password for specific user only
On 23-03-2022 at 11:11 Aki Tuomi wrote:
Well, is the sha1 value the same every time? If it is, then they are trying the same password each time.
Aki

Yes, understood. :-) The SHA1 changes, but each SHA1 is tried multiple times. The question is: can we find out, just for this specific user, WHAT the attempted passwords are?
log failed plaintext password for specific user only
Hi, We are logging failed authentication attempts, with the attempted password, as auth_verbose_passwords=sha1. The question: is it possible to configure auth_verbose_passwords=plain for a specific user only? Turning it on globally would be too much sensitive information for the purpose. Reason: We are currently observing a high number of failed authentications for a specific user, coming from *many* different IPs across the globe, with most IPs only trying once or twice, making this difficult to block. The number of failed authentications causes this account to regularly become blocked in AD. We would like to know if they are trying older actual passwords from the user, or if it's just a dictionary attack. Thanks!
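As an added example (not part of the thread, and not Dovecot's own code): a small Python script that carries out Aki Tuomi's first suggestion offline. It parses password-mismatch lines of the form Dovecot writes with auth_verbose_passwords=sha1 (an unsalted, hex-encoded SHA1 of the attempted password), keeps only the target user, counts how often each hash was tried and from how many IPs, and compares each hash against the SHA1 of candidate passwords such as the user's known previous passwords. The log lines, the user name jdoe and the candidate list are constructed for the example. Because the logged value is an unsalted SHA1, anyone with read access to the log can run the same comparison against a wordlist, so these logs deserve the same handling as the passwords themselves.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample log lines, not taken from the original post. The
# "(given password: <hex>)" part is what Dovecot logs for a password
# mismatch with auth_verbose_passwords=sha1 (unsalted SHA1, hex encoded).
SAMPLE_LOG = """\
Mar 23 10:01:02 mail dovecot: auth: ldap(jdoe,203.0.113.5,<s1>): Password mismatch (given password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)
Mar 23 10:01:09 mail dovecot: auth: ldap(jdoe,198.51.100.7,<s2>): Password mismatch (given password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)
Mar 23 10:02:31 mail dovecot: auth: ldap(jdoe,192.0.2.44,<s3>): Password mismatch (given password: 7c4a8d09ca3762af61e59520943dc26494f8941b)
Mar 23 10:03:00 mail dovecot: auth: ldap(other,192.0.2.9,<s4>): Password mismatch (given password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)
"""

# passdb(user,ip,...): Password mismatch (given password: <hex>)
MISMATCH_RE = re.compile(
    r"(?P<passdb>[\w-]+)\((?P<user>[^,]*),(?P<ip>[^,)]*)[^)]*\): "
    r"Password mismatch \(given password: (?P<hash>[0-9a-f]+)\)"
)


def parse_failed_logins(log_text):
    """Yield (user, ip, logged_hash) for each password-mismatch line."""
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("hash")


def hash_candidates(candidates):
    """Map each candidate password to its full SHA1 hex digest."""
    return {c: hashlib.sha1(c.encode("utf-8")).hexdigest() for c in candidates}


def match_logged_hash(logged_hash, candidate_digests):
    """Return the candidate whose digest matches the logged value, or None.

    auth_verbose_passwords=sha1:<n> truncates the logged hash to n hex
    characters, so the comparison is on prefix rather than equality."""
    if not logged_hash:
        return None
    for candidate, digest in candidate_digests.items():
        if digest.startswith(logged_hash):
            return candidate
    return None


def analyse_user(log_text, user, candidates):
    """For each hash logged for `user`: attempt count, distinct source IPs
    and the matching candidate password (None if no candidate matches)."""
    digests = hash_candidates(candidates)
    attempts = defaultdict(lambda: {"count": 0, "ips": set()})
    for u, ip, h in parse_failed_logins(log_text):
        if u != user:
            continue
        attempts[h]["count"] += 1
        attempts[h]["ips"].add(ip)
    return {
        h: {
            "count": info["count"],
            "ips": sorted(info["ips"]),
            "candidate": match_logged_hash(h, digests),
        }
        for h, info in attempts.items()
    }


if __name__ == "__main__":
    # "password" and "Winter2021!" stand in for the user's known old passwords.
    report = analyse_user(SAMPLE_LOG, "jdoe", ["password", "Winter2021!"])
    for h, info in report.items():
        print(h[:12], info["count"], len(info["ips"]), info["candidate"])
```

With a truncated hash (sha1:<n>) a short prefix can match more than one candidate, so treat a prefix hit as a lead rather than proof; with the full 40-character hash a match is conclusive for that candidate.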
Re: quota warnings not sent out anymore
Hi Christian, Thanks for replying! It seems that your comments (or perhaps some of my recent config tinkering) helped, because when I tried just now to make it go from 89% to 91%, I did receive the quota warning! Thanks! MJ

On 15-12-2021 at 15:23 Christian Mack wrote:
Hello, Just to clarify. You will only get an over-quota warning once you step over one or multiple of those quota warning limits while storing an email. Therefore you will not get any warning just because you are over that 85% limit. If you receive another email in that account and go at least over 90%, then dovecot will call your script once. If you also go over 100% with that same mail, you will not get one for 90% or 95%, but only one for 100%. You also should check if you have any environment variables set which are not present when your script is run by dovecot. Do you have any logging in it? Kind regards, Christian Mack

On 15.12.21 at 14:06 mj wrote:
Hi, I am still struggling with this, and would appreciate any help anyone can give. Let me try to explain step by step.
I created a test account t...@company.com:

root@dovecot:/# doveadm quota get -u test
Quota name Type    Value Limit %
           STORAGE 1209  1368  88
           MESSAGE 35    -     0

As you can see, the test mailbox is 88% full, so it should receive warnings, because in dovecot.conf I have set:

plugin {
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
}

We use a script to send out the email warnings, configured like this:

service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
    mode = 0666
  }
  user = vmail
}

When running this script manually as vmail, the warning is delivered to the test user:

sudo -H -u vmail bash -c '/usr/local/bin/quota-warning.sh 90 test'

However, in practice: dovecot never sends out any quota-warnings. It just starts generating delivery failures when the mailbox is over 100%.
We define the per-user quota in the first line of each user's maildirsize file, for the test user: /var/vmail/test/Maildir/maildirsize

Here is a debug=yes log of an incoming mailbox delivery with the mailbox 88% full:

Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_lazy_expunge_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib90_sieve_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: auth USER input: test uid=5000 gid=5000 home=/var/vmail/test
Dec 15 13:56:07 mail dovecot: auth: Debug: master in: USER#0111#011t...@company.com#011service=lda
Dec 15 13:56:07 mail dovecot: auth: Debug: userdb out: USER#0111#011test#011uid=5000#011gid=5000#011home=/var/vmail/test
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: changed username to test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Effective uid=5000, gid=5000, home=/var/vmail/test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: lazy_expunge: No lazy_expunge setting - plugin disabled
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota root: name= backend=maildir args=
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota rule: root= mailbox=? bytes=5368709120 messages=0
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota rule: root= mailbox=Trash bytes=+104857600 messages=0
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota warning: bytes=5207647846 (97%) messages=0 reverse=no command=quota-warning 97 test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota warning: bytes=5100273664 (95%) messages=0 r
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: sieve: Loading script /var/lib/dovecot/default.sieve
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: sieve: Script binary /var/lib/dovecot/default.svbin successfully loaded
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: sieve: binary save: not saving binary /var/lib/dovecot/default.svbin, because it is already stored
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: sieve: Executing script from `/var/lib/dovecot/default.svbin'
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Mailbox INBOX: Mailbox opened because: lib-lda delivery
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota root : Recalculated relative rules with bytes=140 count=0. Now grace=14
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Mailbox INBOX: saving UID 0: Opened mail because: mail stream
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: save: box=INBOX, uid=20, msgid=<46e7b334-80a0-3a99-4494-bc6fd07aa...@external.com>, from=user name , subject=test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: sieve: u...@external.com | test | msgid=<46e7b334-80a0-3a99-4494-bc6fd07aa...@external.com>: stored mail into mailbox 'INBOX'
Dec 15 13:56:07 mail postfix/pipe[20088]: 76722819170D6: to=, relay=dovecot, delay=0.24, delays=0.2/0.02/0/0.03, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 15 13:56:07 mail postfix/qmgr[19577]: 76722819170D6: removed

I would appreciate any help. :-)

Finally, our doveconf -n running config:

root@dovecot:# dovecot -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.11 xfs
# Hostname: mail.company.com
auth_debug = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = sha1
default_vsz_limit = 512 M
deliver_log_format = %f | %s | msgid=%m: %$
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/deny.imap
  deny = yes
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = vmail
  }
  user = vmail
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0666
    user = vmail
  }
}
shutdown_clients = no
ssl = required
ssl_cert =

Thanks very much for your help! MJ
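To make the threshold rule Christian describes concrete, here is an added Python model (example code, not Dovecot's implementation) of how the posted quota_warning lines are evaluated on a single save: each rule's byte threshold is derived from the 5G limit in the way the "Debug: Quota warning: bytes=..." log lines above show, rules are checked in the order they are configured, a normal rule fires only when the mailbox size moves from below its threshold to at or above it, the -storage= form fires on the way back down, and at most one command runs per save. The limit and the six rules are taken from the posted configuration; the before/after sizes are constructed.

```python
from dataclasses import dataclass

# From the posted configuration: quota_rule = ?:storage=5G and the six
# quota_warning lines. Thresholds are limit * percent // 100, which gives
# the bytes= figures seen in the "Debug: Quota warning" log lines.
LIMIT_BYTES = 5 * 1024 ** 3  # 5368709120

POSTED_WARNINGS = [
    "storage=97%% quota-warning 97 %u",
    "storage=95%% quota-warning 95 %u",
    "storage=90%% quota-warning 90 %u",
    "storage=85%% quota-warning 85 %u",
    "storage=80%% quota-warning 80 %u",
    "-storage=100%% quota-warning below %u",
]


@dataclass(frozen=True)
class QuotaWarning:
    percent: int
    command: str
    reverse: bool  # True for the "-storage=" form: fires when dropping below


def parse_quota_warning(value):
    """Parse one quota_warning value; %% is the config-file escape for %."""
    rule, command = value.split(" ", 1)
    reverse = rule.startswith("-")
    kind, pct_text = rule.lstrip("-").split("=", 1)
    if kind != "storage" or not pct_text.endswith("%%"):
        raise ValueError(f"only storage=<n>%% rules are modelled: {value!r}")
    return QuotaWarning(int(pct_text[:-2]), command, reverse)


def threshold_bytes(limit, percent):
    """Byte threshold for a percentage rule against an absolute limit."""
    return limit * percent // 100


def warning_for_save(before, after, warnings, limit=LIMIT_BYTES):
    """Return the command of the first configured rule whose threshold this
    save crosses, or None. Rules are tested in configured order and only
    one fires, so the highest threshold has to be listed first."""
    for w in warnings:
        t = threshold_bytes(limit, w.percent)
        if not w.reverse and before < t <= after:
            return w.command
        if w.reverse and after < t <= before:
            return w.command
    return None


WARNINGS = [parse_quota_warning(v) for v in POSTED_WARNINGS]


def pct(p, limit=LIMIT_BYTES):
    """Mailbox size in bytes at p percent of the limit (constructed input)."""
    return limit * p // 100


if __name__ == "__main__":
    scenarios = [
        ("89% -> 91%", pct(89), pct(91)),           # crosses 90: one warning
        ("88% -> 88% + 140 bytes", pct(88), pct(88) + 140),  # no threshold crossed
        ("79% -> 98%", pct(79), pct(98)),           # crosses 80..97: only 97 fires
        ("101% -> 99%", pct(101), pct(99)),         # drops below 100: "below" fires
    ]
    for label, b, a in scenarios:
        print(f"{label}: {warning_for_save(b, a, WARNINGS)}")
```

The second scenario is the situation from the original post: a mailbox that is already at 88% receives a small message, no threshold lies between the old and new size, and so nothing is executed even though the mailbox is "over 85%".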
Re: quota warnings not sent out anymore
Hi, I set mail_debug=yes, and sent a test email to a 90% full mailbox: I would expect a warning about it. These lines are logged:

Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: fs: root=/var/vmail/username/Maildir, index=, indexpvt=, control=, inbox=, alt=
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl: initializing backend with data: vfile
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl: acl username = username
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl: owner = 1
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl vfile: Global ACLs disabled
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: quota: quota_over_flag check: quota_over_script unset - skipping
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota root: name= backend=maildir args=
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota rule: root= mailbox=? bytes=5368709120 messages=0
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota rule: root= mailbox=Trash bytes=+104857600 messages=0
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=5207647846 (97%) messages=0 reverse=no command=quota-warning 97 raw mail user
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=5100273664 (95%) messages=0 reverse=no command=quota-warning 95 raw mail user
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=4831838208 (90%) messages=0 reverse=no command=quota-warning 90 raw mail user
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=4563402752 (85%) messages=0 reverse=no command=quota-warning 85 raw mail user
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=4294967296 (80%) messages=0 reverse=no command=quota-warning 80 raw mail user
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=5368709120 (100%) messages=0 reverse=yes command=quota-warning below raw mail user
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota grace: root= bytes=536870912 (10%)
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: quota: quota_over_flag check: quota_over_script unset - skipping
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Destination address: (source: -a parameter)
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Mailbox INBOX: Mailbox opened because: lib-lda delivery
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota root : Recalculated relative rules with bytes=15737418240 count=0. Now grace=1573741824
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Mailbox INBOX: saving UID 0: Opened mail because: mail stream
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: save: box=INBOX, uid=86077, msgid=, from=, subject=test
Dec 8 11:31:57 mail dovecot: lda(username)<14734>: sieve: usern...@gmail.com | test | msgid=: stored mail into mailbox 'INBOX'

Does "quota: quota_over_flag check: quota_over_script unset - skipping" mean I forgot to set some specific flag in order to make our script run? MJ
app-specific passwords for dovecot
Hi all, I have read these documents on the subject of app-specific passwords:
https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot
and
https://www.happyassassin.net/posts/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
But since both articles are rather old, I'd like to ask if there are other/new ways of implementing app-specific passwords for dovecot/imap and postfix/smtp. Also perhaps (web?) GUIs exist, to make it possible for the users themselves to generate/edit those passwords..? Thanks for your suggestions! MJ
Re: quota warnings not sent out anymore
Additional info: there seems to be a permission-related issue anyway, as we also see messages like these in our logs:

2021-12-03T19:06:15.032873+01:00 hostname dovecot - - - quota-warning: Error: lda(username,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

But are permissions of stats-writer related to not sending out quota notifications? MJ

On 06-12-2021 at 12:10 mj wrote:
Hi, We suddenly realised that our maildir quota warnings are no longer sent out. We don't understand why not. This is dovecot 2.3.4.1 on debian 10.11. We use a script to send out the notification, adapted from the dovecot wiki here: (https://doc.dovecot.org/configuration_manual/quota/) Our quota notification script is:

#!/bin/sh
PERCENT=$1
USER=$2
cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir::noenforcing"
From: nore...@domain.com
Subject: quota warning

Your mailbox is now $PERCENT% full.
Please delete or archive items to decrease your mailbox size.
EOF

Our complete doveconf -n output is at the end of this email. When calling the script manually as user root, it works perfectly. But as user vmail or dovecot, no notifications are sent at all.

I guess this is relevant:

root@dovecot:/etc/dovecot# ls -l /var/run/dovecot/
total 8
srw------- 1 root root 0 Dec 6 00:00 anvil
srw------- 1 root root 0 Dec 6 00:00 anvil-auth-penalty
srw------- 1 dovecot root 0 Dec 6 11:34 auth-client
srw------- 1 dovecot root 0 Dec 6 11:34 auth-login
srw------- 1 root root 0 Dec 6 11:34 auth-master
-rw------- 1 root root 32 Jul 19 17:39 auth-token-secret.dat
srw-rw-rw- 1 vmail vmail 0 Dec 6 11:34 auth-userdb
srw------- 1 dovecot root 0 Dec 6 11:34 auth-worker
srw------- 1 root root 0 Dec 6 11:34 config
srw-rw---- 1 root dovecot 0 Dec 6 11:34 dict
srw-rw---- 1 root dovecot 0 Dec 6 11:34 dict-async
srw------- 1 root root 0 Dec 6 11:34 director-admin
srw-rw-rw- 1 root root 0 Dec 6 11:34 dns-client
srw------- 1 root root 0 Dec 6 11:34 doveadm-server
lrwxrwxrwx 1 root root 25 Dec 6 00:00 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-xr-x 2 root root 40 Jul 19 17:39 empty
srw-rw---- 1 root dovecot 0 Dec 6 11:34 imap-hibernate
srw------- 1 root root 0 Dec 6 11:34 imap-master
srw-rw-rw- 1 root root 0 Dec 6 11:34 imap-urlauth
srw------- 1 dovecot root 0 Dec 6 11:34 imap-urlauth-worker
srw-rw-rw- 1 root root 0 Dec 6 11:34 indexer
srw------- 1 dovecot root 0 Dec 6 11:34 indexer-worker
srw------- 1 dovecot root 0 Dec 6 11:34 ipc
srw-rw-rw- 1 root root 0 Dec 6 11:34 lmtp
srw------- 1 root root 0 Dec 6 11:34 log-errors
drwxr-x--- 2 root nogroup 120 Dec 6 11:34 login
srw------- 1 root root 0 Dec 6 11:34 master
-rw------- 1 root root 6 Dec 6 00:00 master.pid
srw------- 1 root root 0 Dec 6 11:34 old-stats
prw------- 1 root root 0 Dec 6 11:34 old-stats-mail
prw------- 1 root root 0 Dec 6 11:34 old-stats-user
srw------- 1 vmail root 0 Dec 6 11:34 quota-warning
srw------- 1 root root 0 Dec 6 11:34 replication-notify
prw------- 1 root root 0 Dec 6 11:34 replication-notify-fifo
srw------- 1 dovecot root 0 Dec 6 11:34 replicator
srw-rw---- 1 vmail vmail 0 Dec 6 11:34 stats-reader
srw-rw---- 1 vmail vmail 0 Dec 6 11:34 stats-writer
drwxr-x--- 2 root nogroup 80 Dec 6 11:34 token-login

Can anyone help, and explain what is going on here?

Thank you very much in advance for a reply! MJ

The doveconf -n output:

root@imap:/etc/dovecot# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.11 xfs
# Hostname: mail.company.com
auth_debug = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = sha1
default_vsz_limit = 512 M
deliver_log_format = %f | %s | msgid=%m: %$
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type =
quota warnings not sent out anymore
Hi, We suddenly realised that our maildir quota warnings are no longer sent out. We don't understand why not. This is dovecot 2.3.4.1 on debian 10.11. We use a script to send out the notification, adapted from the dovecot wiki here: (https://doc.dovecot.org/configuration_manual/quota/) Our quota notification script is:

#!/bin/sh
PERCENT=$1
USER=$2
cat << EOF | /usr/lib/dovecot/dovecot-lda -d $USER -o "plugin/quota=maildir::noenforcing"
From: nore...@domain.com
Subject: quota warning

Your mailbox is now $PERCENT% full.
Please delete or archive items to decrease your mailbox size.
EOF

Our complete doveconf -n output is at the end of this email. When calling the script manually as user root, it works perfectly. But as user vmail or dovecot, no notifications are sent at all.

I guess this is relevant:

root@dovecot:/etc/dovecot# ls -l /var/run/dovecot/
total 8
srw------- 1 root root 0 Dec 6 00:00 anvil
srw------- 1 root root 0 Dec 6 00:00 anvil-auth-penalty
srw------- 1 dovecot root 0 Dec 6 11:34 auth-client
srw------- 1 dovecot root 0 Dec 6 11:34 auth-login
srw------- 1 root root 0 Dec 6 11:34 auth-master
-rw------- 1 root root 32 Jul 19 17:39 auth-token-secret.dat
srw-rw-rw- 1 vmail vmail 0 Dec 6 11:34 auth-userdb
srw------- 1 dovecot root 0 Dec 6 11:34 auth-worker
srw------- 1 root root 0 Dec 6 11:34 config
srw-rw---- 1 root dovecot 0 Dec 6 11:34 dict
srw-rw---- 1 root dovecot 0 Dec 6 11:34 dict-async
srw------- 1 root root 0 Dec 6 11:34 director-admin
srw-rw-rw- 1 root root 0 Dec 6 11:34 dns-client
srw------- 1 root root 0 Dec 6 11:34 doveadm-server
lrwxrwxrwx 1 root root 25 Dec 6 00:00 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-xr-x 2 root root 40 Jul 19 17:39 empty
srw-rw---- 1 root dovecot 0 Dec 6 11:34 imap-hibernate
srw------- 1 root root 0 Dec 6 11:34 imap-master
srw-rw-rw- 1 root root 0 Dec 6 11:34 imap-urlauth
srw------- 1 dovecot root 0 Dec 6 11:34 imap-urlauth-worker
srw-rw-rw- 1 root root 0 Dec 6 11:34 indexer
srw------- 1 dovecot root 0 Dec 6 11:34 indexer-worker
srw------- 1 dovecot root 0 Dec 6 11:34 ipc
srw-rw-rw- 1 root root 0 Dec 6 11:34 lmtp
srw------- 1 root root 0 Dec 6 11:34 log-errors
drwxr-x--- 2 root nogroup 120 Dec 6 11:34 login
srw------- 1 root root 0 Dec 6 11:34 master
-rw------- 1 root root 6 Dec 6 00:00 master.pid
srw------- 1 root root 0 Dec 6 11:34 old-stats
prw------- 1 root root 0 Dec 6 11:34 old-stats-mail
prw------- 1 root root 0 Dec 6 11:34 old-stats-user
srw------- 1 vmail root 0 Dec 6 11:34 quota-warning
srw------- 1 root root 0 Dec 6 11:34 replication-notify
prw------- 1 root root 0 Dec 6 11:34 replication-notify-fifo
srw------- 1 dovecot root 0 Dec 6 11:34 replicator
srw-rw---- 1 vmail vmail 0 Dec 6 11:34 stats-reader
srw-rw---- 1 vmail vmail 0 Dec 6 11:34 stats-writer
drwxr-x--- 2 root nogroup 80 Dec 6 11:34 token-login

Can anyone help, and explain what is going on here? Thank you very much in advance for a reply! MJ

The doveconf -n output:

root@imap:/etc/dovecot# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.11 xfs
# Hostname: mail.company.com
auth_debug = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = sha1
default_vsz_limit = 512 M
deliver_log_format = %f | %s | msgid=%m: %$
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix =
  sepa
prevent INBOX rename
Hi, One of our users managed to rename her INBOX folder to ' ' (space). This caused a new INBOX directory to be created, and all older emails to become 'invisible' to her. My question: Is there a (dovecot config) way to prevent this from happening? We cannot imagine any scenario where we would like a user to be able to rename INBOX.

imap(username)<12135>: Mailbox renamed: INBOX ->

Debian buster, dovecot 2.3.4.1. Thanks!
Re: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
Hi, Nobody? It happens so rarely, and the system appears to be running fine otherwise, should I just ignore it? Still makes me wonder why it would happen at all..? MJ

On 10/22/20 12:53 PM, mj wrote:
Hi, We are getting very occasional messages from dovecot:

net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

Over the last week, the message appeared five times. (on a mail server with over 100 users, so that's basically almost never) doveconf -n below

# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-10-amd64 x86_64 Debian 10.6 xfs
snip...
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}

and the on-disk permissions are:

root@dovecot:~# ls -l /var/run/dovecot/*stat*
srw------- 1 root root 0 Oct 6 00:25 /var/run/dovecot/old-stats
prw------- 1 root root 0 Oct 6 00:25 /var/run/dovecot/old-stats-mail
prw------- 1 root root 0 Oct 6 00:25 /var/run/dovecot/old-stats-user
srw-rw---- 1 vmail vmail 0 Oct 6 00:25 /var/run/dovecot/stats-reader
srw-rw---- 1 vmail vmail 0 Oct 6 00:25 /var/run/dovecot/stats-writer

We're not sure what makes the Permission denied error happen... Anyone with an idea? MJ
net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
Hi, We are getting very occasional messages from dovecot:

net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

Over the last week, the message appeared five times. (on a mail server with over 100 users, so that's basically almost never) doveconf -n below

# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-10-amd64 x86_64 Debian 10.6 xfs
snip...
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}

and the on-disk permissions are:

root@dovecot:~# ls -l /var/run/dovecot/*stat*
srw------- 1 root root 0 Oct 6 00:25 /var/run/dovecot/old-stats
prw------- 1 root root 0 Oct 6 00:25 /var/run/dovecot/old-stats-mail
prw------- 1 root root 0 Oct 6 00:25 /var/run/dovecot/old-stats-user
srw-rw---- 1 vmail vmail 0 Oct 6 00:25 /var/run/dovecot/stats-reader
srw-rw---- 1 vmail vmail 0 Oct 6 00:25 /var/run/dovecot/stats-writer

We're not sure what makes the Permission denied error happen... Anyone with an idea? MJ
Re: identify 143 vs 993 clients
Thanks to all who participated in the interesting discussion. It seems my initial thought might have been best after all, and discontinuing port 143 might be the safest way to proceed. Thanks again, valuable insights! MJ

On 5/29/20 11:48 AM, Jean-Daniel wrote:
On 29 May 2020 at 11:17, Stuart Henderson <s...@spacehopper.org> wrote:
On 2020-05-26, mj <li...@merit.unu.edu> wrote:
Hi, On 25/05/2020 23:04, Voytek wrote:
jumping here with a question, if I use 143 with STARTTLS, and force TLS/SSL in configuration, that's equivalent from a security POV, isn't it? and, same for 110 STARTTLS? Or am I missing something?
Interesting point, after some googling, I think you are right, and as long as we have set "disable_plaintext_auth = yes" (and we have that) we should be fine keeping 143 open. Right?
In the case of 143, nothing stops the client *sending* a plaintext login request. Login may be denied, but the password is already leaked. Also if you have only the server side (not the client side) deny plaintext logins, a MITM can just strip off the STARTTLS capability from the server response.
And doing that it can as easily inject a LOGIN capability, making a non-broken client also send the password in plain text. (Only a broken client will send the password if LOGIN is not present). That's why this RFC exists: https://tools.ietf.org/html/rfc8314
In a setting where you want to protect the clients from accidentally exposing secrets by misconfiguration, allowing only 993/995 (and 465 for SMTP; 25/587 have the same problem) is the safe way.
Port 25 is a special case and should never be used by clients, but only for (unauthenticated) server to server communication. There is no way to use implicit TLS for SMTP as the SMTP transport MX infrastructure has no way to specify a port. Clients should always use the submission port (587, or 465 for submission over TLS).
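The capability-stripping attack Jean-Daniel describes, as an added Python simulation (example code, not from the thread and not from Dovecot): a cleartext IMAP greeting on port 143 as a server with disable_plaintext_auth=yes would send it, the same greeting after a man-in-the-middle deletes STARTTLS and LOGINDISABLED and advertises cleartext login, and three client behaviours: one that trusts whatever the server advertises, one that ignores capabilities altogether (Stuart's point: the password is on the wire before the server gets to refuse), and one that requires TLS and aborts. The greeting string and the user/password values are constructed. On 993 the greeting itself is only exchanged inside TLS, so there is no cleartext for an attacker to rewrite, which is the RFC 8314 argument.

```python
import re

# Constructed greeting, not from the thread: what a server that has
# disable_plaintext_auth=yes advertises on port 143 before STARTTLS.
HONEST_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN] Dovecot ready."


def capabilities(greeting):
    """Extract the capability list from an IMAP greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()


def mitm_strip_starttls(greeting):
    """Rewrite the cleartext greeting the way an active attacker on the
    path can: drop STARTTLS and LOGINDISABLED, offer cleartext login."""
    caps = capabilities(greeting) - {"STARTTLS", "LOGINDISABLED"}
    caps |= {"AUTH=PLAIN", "AUTH=LOGIN"}
    return "* OK [CAPABILITY " + " ".join(sorted(caps)) + "] Dovecot ready."


def client_first_command(greeting, user, password, require_tls=False, ignore_capabilities=False):
    """The client's first command after reading the greeting, or None if it
    aborts. require_tls=True models a client that never sends credentials
    without TLS (the RFC 8314 behaviour); ignore_capabilities=True models a
    client that tries LOGIN regardless of what the server advertised."""
    caps = capabilities(greeting)
    if ignore_capabilities:
        return f"a1 LOGIN {user} {password}"
    if "STARTTLS" in caps:
        return "a1 STARTTLS"
    if require_tls:
        return None  # no TLS on offer: refuse rather than fall back
    if "LOGINDISABLED" in caps:
        return None  # server says cleartext login is off; obey it
    return f"a1 LOGIN {user} {password}"  # credentials in clear on the wire


def password_leaked(command):
    """True when the command would put the password on the wire in clear."""
    return command is not None and command.startswith("a1 LOGIN ")


def exchange(greeting, **client_opts):
    """One scenario: (server greeting, client command, leaked?)."""
    cmd = client_first_command(greeting, "jdoe", "hunter2", **client_opts)
    return greeting, cmd, password_leaked(cmd)


if __name__ == "__main__":
    stripped = mitm_strip_starttls(HONEST_GREETING)
    scenarios = [
        ("honest server, default client", HONEST_GREETING, {}),
        ("MITM-stripped, default client", stripped, {}),
        ("MITM-stripped, TLS-required client", stripped, {"require_tls": True}),
        ("honest server, client ignoring capabilities", HONEST_GREETING, {"ignore_capabilities": True}),
    ]
    for label, g, opts in scenarios:
        _, cmd, leaked = exchange(g, **opts)
        print(f"{label}\n  S: {g}\n  C: {cmd}\n  leaked={leaked}")
```

Only the second and fourth scenarios leak the password, and in both the server-side setting disable_plaintext_auth=yes is still in force: it decides whether the login succeeds, not whether the secret was sent.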
Re: identify 143 vs 993 clients
Hi Markus, Thank you very much. MJ On 26/05/2020 10:25, Markus Winkler wrote: Hi, On 26.05.20 09:21, mj wrote: One doubt I had: "disable_plaintext_auth = yes" sounds as if only the authentication part is secured, and the rest is kept plain text, whereas with 993/SSL, *everything* would be encrypted? Or am I missing something? (then perhaps someone can point it out?) here you can read the details: https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/ "There are a couple of different ways to specify when SSL/TLS is required: [...]" Regards, Markus
Re: identify 143 vs 993 clients
Hi, On 25/05/2020 23:04, Voytek wrote:
jumping here with a question, if I use 143 with STARTTLS, and force TLS/SSL in configuration, that's equivalent from a security POV, isn't it? and, same for 110 STARTTLS? Or am I missing something?
Interesting point, after some googling, I think you are right, and as long as we have set "disable_plaintext_auth = yes" (and we have that) we should be fine keeping 143 open. Right? One doubt I had: "disable_plaintext_auth = yes" sounds as if only the authentication part is secured, and the rest is kept plain text, whereas with 993/SSL, *everything* would be encrypted? Or am I missing something? (then perhaps someone can point it out?) Thanks, MJ
Re: identify 143 vs 993 clients
On 25/05/2020 20:52, Aki Tuomi wrote: You could use https://doc.dovecot.org/settings/core/#login-log-format-elements to log this. Yes! Perfect! Thanks! :-)
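An added Python example (not from the thread) of the log-based inventory Aki's suggestion makes possible: with lport=%a in login_log_format_elements, as in the doveconf -n output posted elsewhere on this page, each Login line carries the local server port, so one pass over the log lists which users still connect on 143/110 and from where. The log lines below are constructed in that format (the %c element renders as TLS, secured, or nothing); the user names and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread), in the shape Dovecot
# produces with login_log_format_elements =
#   user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
SAMPLE_LOG = """\
May 26 09:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=1001, TLS, lport=993
May 26 09:00:05 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=1002, TLS, lport=143
May 26 09:00:09 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, mpid=1003, TLS, lport=993
May 26 09:00:12 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=1004, TLS, lport=143
May 26 09:01:00 mail dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, mpid=1005, secured, lport=110
May 26 09:02:00 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=192.0.2.99, lip=192.0.2.1, lport=143
"""

STARTTLS_PORTS = {143, 110}  # their implicit-TLS counterparts are 993 and 995

LOGIN_RE = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), "
    r"rip=(?P<rip>[^,]+), lip=[^,]+, mpid=\d+, (?:(?P<sec>TLS|secured), )?lport=(?P<lport>\d+)"
)


def parse_logins(log_text):
    """Return one dict per successful login line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            out.append({
                "service": m.group("svc"),
                "user": m.group("user"),
                "rip": m.group("rip"),
                "tls": m.group("sec") == "TLS",
                "lport": int(m.group("lport")),
            })
    return out


def legacy_port_report(log_text, ports=STARTTLS_PORTS):
    """Per user seen on a STARTTLS port: login count, client IPs, ports and
    how many of those logins were not TLS-protected at all."""
    acc = defaultdict(lambda: {"logins": 0, "rips": set(), "ports": set(), "no_tls": 0})
    for rec in parse_logins(log_text):
        if rec["lport"] not in ports:
            continue
        r = acc[rec["user"]]
        r["logins"] += 1
        r["rips"].add(rec["rip"])
        r["ports"].add(rec["lport"])
        if not rec["tls"]:
            r["no_tls"] += 1
    return {
        u: {"logins": r["logins"], "rips": sorted(r["rips"]),
            "ports": sorted(r["ports"]), "no_tls": r["no_tls"]}
        for u, r in acc.items()
    }


if __name__ == "__main__":
    for user, info in sorted(legacy_port_report(SAMPLE_LOG).items()):
        print(f"{user}: {info['logins']} login(s) on {info['ports']} from {info['rips']}, "
              f"{info['no_tls']} without TLS")
```

The "no_tls" column singles out the logins that would break immediately if the STARTTLS ports were closed without a client-side change, which is the group to contact first.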
identify 143 vs 993 clients
Hi, I am trying to find a nice way to identify dovecot clients that are still configured to use port 143 to connect to our mailserver, from the dovecot logs. I would then ask them to move over to 993, and finally disable port 143 altogether. When looking at the dovecot logs, it seems this is not logged in any obvious way. Of course I could use netflow etc., but that would not give us usernames, but IPs, etc. So, is there a nice way to somehow indicate in the dovecot logs if a client connected on 143 or on 993? Thanks!
Re: sieve question
On 4/21/20 7:54 PM, Ralph Seichter wrote: No, it does not. An auto-reply message, even if it is actually read by the sender, can be ignored without penalty. An MTA rejection puts the ball into the sender's court because the message has never been accepted by the recipient's MX. By the way, a rejection is "legally safe", while your catch-all-and-let-messages-rot approach is not, in case you have not considered that. Of course, you can do as you please, but that does not change the facts and mechanics involved. Thank you for your feedback, we will take it into consideration. MJ
Re: sieve question
Hi all, Thanks for the interesting discussion. The idea behind the catch-all mailbox is basically to have a transitional period between now and the nullmx config we did not know about. (thanks for mentioning that, we will do it!) Our autoreply message reads: "Your email has not been read nor forwarded", which is also the case, forcing the sender to take action. It is just kept in a simple catch-all mailbox, for a couple of weeks/months, in case we discover that something important was accidentally still sent to the old domain. And yes, that would be neither fish nor flesh for the time being, but only during the transitional period. Afterwards we will put the nullmx config in place. Thanks again for all your thoughts: appreciated. MJ

On 4/21/20 4:02 AM, LuKreme wrote:
On Apr 20, 2020, at 19:13, @lbutlr wrote:
The other thing you can do is NOMX the old domain.
Sorry, nullmx is what I meant. Btw, I think this is the best solution. Sent from my iPhone
Re: sieve question
Hi Ralph! Thanks for your reply! On 4/20/20 12:19 PM, Ralph Seichter wrote: I suggest you don't use Sieve for this, but simply configure Postfix to reject messages to @old.domain.com with the desired message. MTA rejections signal clearly that the message has not been delivered, and you can also include an URL pointing to a web page with more detailed information. However, this means those emails are not actually delivered anymore. For now, I would like them to *be* delivered, so we still have them in case something important comes in. Your postfix suggestion would be my next step, in a couple of months perhaps. Hopefully someone has a suggestion for my sieve script. Thanks again, MJ
sieve question
Hi,

We are trying to auto-reply to emails that still use one of our old domains. To do this, I have set up a catch-all mailbox for anything sent to that old domain using postfix virtual:

@old.domain.com catch-...@new.domain.com

Then I defined a sieve script for catch-...@new.domain.com, like:

require ["vacation"];
if allof ( not exists ["list-help", "list-unsubscribe", "list-subscribe", "list-owner", "list-post", "list-archive", "list-id", "Mailing-List"] ) {
vacation text:
This message is sent automatically, and your message has NOT been read nor forwarded.
Please update your addressbooks!
All the best! :-)
.
;
}

However, sieve never sends any auto-reply, because it logs:

discarding vacation response for implicitly delivered message; no known (envelope) recipient address found in message headers (recipient=, and no additional `:addresses' are specified)

I have googled this, but adding :addresses in this case will not work, as we are trying to answer (basically) emails sent to any email address at that domain, and thus I cannot define specific :addresses. Can anyone suggest what to do here?

Thanks and stay healthy! MJ
Re: dovecot 2 samba ad-dc
Hi,

No expert, but: We always use the postmap utility to check that the right mailboxes are actually found:

postmap -q t...@test.loc ldap:/etc/postfix/ldap-config.cf

And perhaps show us your postfix main.cf?

MJ

On 2/20/20 8:46 AM, phil wrote:
Hello you, I try to build a mail server based on Centos 7, postfix and dovecot 2. My backend is a Samba4 ad-dc. I tried a lot and I don't know what else I could try. I'm new to this mailing list so please forgive me if I don't give right information or anything. Samba4 ad-dc is up incl. dns. Win10 Client joined domain and authentication works. Postfix is up and checks against ldap whether recipient address exists. It takes mail via telnet and queues them. But can't give it to dovecot.

my master.cf looks like that:

[root@mail1t postfix]# cat master.cf
smtp inet n - - - - smtpd
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o tls_preempt_cipherlist=yes
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
postlog unix-dgram n - n - 1 postlogd

my ldap.conf on mailserver:

[root@mail1t openldap]# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldaps://ldap1t.test.loc:636
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/pki/tls/certs/ka
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
TLS_REQCERT never

dovecot.conf:

[root@mail1t dovecot]# cat dovecot.conf
auth_mechanisms = plain login
mail_uid = vmail
mail_gid = vmail
ssl_cert = method=%m rip=%r lip=%l mpid=%e %c %k"
#mail_plugins = quota
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
log_timestamp = "%Y-%m-%d %H:%M:%S "
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
debug_log_path = /var/log/do
Re: Mail account brute force / harassment
Hi,

On 4/12/19 11:05 PM, Joseph Tam via dovecot wrote:
"www.blocklist.de" is a nifty source. Could you suggest other publicly available blacklists?

The ones we are using are:

"file:///etc/ipset-blacklist/ip-blacklist-custom.list" # optional, for your personal nemeses (no typo, plural)

In this file we have our own manual additions

"https://www.projecthoneypot.org/list_of_ips.php?t=d=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
"https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
"http://blocklist.greensnow.co/greensnow.txt" # GreenSnow
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol

MJ
Re: Mail account brute force / harassment
Hi, What we do is: use https://github.com/trick77/ipset-blacklist to block IPs (from various existing blacklists) at the iptables level using an ipset. That way, the known bad IPs never even talk to dovecot, but are dropped immediately. We have the feeling it helps a lot. MJ On 4/12/19 10:27 AM, James via dovecot wrote: On 12/04/2019 08:42, Aki Tuomi via dovecot wrote: On 12.4.2019 10.34, James via dovecot wrote: On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: Weakforced uses Lua so you can easily integrate DNSBL support into it. How does this help Dovecot block? A link to some documentation or example perhaps? https://wiki.dovecot.org/Authentication/Policy You can configure weakforced to return status -1 when DNSBL matches, which causes the user authentication to fail before any other processing happens. Thank you. I will study this - although I dispute your "easily"! James.
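An added example (not from the posts and not the trick77 ipset-blacklist script) for the two replies above on feeding public blacklists into an ipset: a Python sanitiser for fetched list text that keeps only well-formed IPv4 entries and renders ipset restore input. The safety limits (no prefix wider than /8, never a range overlapping our own networks) are our additions; a list fetched over HTTP can come back as an error page or carry an entry such as 0.0.0.0/0 that would drop all traffic. The sample list is constructed.

```python
import ipaddress

# Constructed sample blocklist (not from the original post): the kind of mixed
# content a fetched list can contain, including an HTML error page served in
# place of the list and an entry that would drop all traffic.
SAMPLE_LIST = """\
# one entry per line, comments allowed
203.0.113.7        # repeated dictionary attacks
198.51.100.0/24    ; a whole range
203.0.113.7
<html><body>502 Bad Gateway</body></html>
999.1.1.1
0.0.0.0/0
10.0.0.0/8
203.0.113.8/33
2001:db8::1
"""

# Our own safety limits (not part of the trick77 script): never accept a prefix
# wider than /8, and never add ranges that would cut off our own networks.
MIN_PREFIXLEN = 8
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_blocklist(text):
    """Return (sorted unique IPv4 networks, rejected raw lines).

    Comments (# or ;) and blank lines are skipped; malformed entries, IPv6
    entries, prefixes wider than /8 and anything overlapping NEVER_BLOCK are
    rejected and returned so they can be logged instead of silently applied."""
    keep, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if (net.version != 4 or net.prefixlen < MIN_PREFIXLEN
                or any(net.overlaps(safe) for safe in NEVER_BLOCK)):
            rejected.append(raw)
            continue
        keep.add(net)
    return sorted(keep), rejected


def ipset_restore_script(networks, setname="blacklist"):
    """Render input for `ipset restore`: create the set if missing, then add
    each network. -exist keeps a re-run from failing on entries already
    present, so the same script can be applied from cron unchanged."""
    lines = [f"create {setname} hash:net family inet -exist"]
    lines += [f"add {setname} {net.with_prefixlen} -exist" for net in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_LIST)
    print(ipset_restore_script(nets))
    for line in bad:
        print("rejected:", line)
```

The rejected lines are worth logging: a sudden spike in them usually means the upstream list changed format or the download failed, which is the moment a blind script would happily load garbage into the firewall.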
AD ldap, filter to exclude various kinds of expired, disabled etc etc users
Hi, I was revising our AD ldap user_filter and pass_filter to exclude more types of expired / disabled accounts. I started adding things like:

(&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))

but then I thought, why not simply do:

(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))

as 512 would be your regular active user accounts only, excluding all other account types. Looking here (https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) there are so many different userAccountControl values to check, that it might be smarter to only allow userAccountControl=512, or? Any ideas on this..? (or examples of how you do it?) MJ
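To see what the two candidate filters actually admit, an added example (not part of the post, and not Dovecot or Samba code) that decodes userAccountControl as the bitmask Microsoft's linked article describes and compares the post's two filters with the bitwise-AND matching rule that AD supports for exactly this case. The sample accounts are constructed; the filter string and the OID are the standard AD idiom. The same (!(userAccountControl=514)) test appears in the Active Directory thread further down this page.

```python
# Bit values of userAccountControl as documented in the Microsoft article the
# post links (KB 305144); only the flags used below are listed.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "PASSWORD_EXPIRED": 0x800000,
}
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]
NORMAL_ACCOUNT = UAC_FLAGS["NORMAL_ACCOUNT"]

# The LDAP bitwise-AND matching rule: AD evaluates "attr:OID:=N" as
# (attr & N) == N, so a filter can test single bits instead of whole values.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

LDAP_FILTER_BITWISE = (
    "(&(objectclass=person)(sAMAccountName=%n)"
    f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={NORMAL_ACCOUNT})"
    f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))"
)


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def filter_equals_512(value):
    """The post's second candidate: (userAccountControl=512)."""
    return value == 512


def filter_excludes_listed(value, excluded=(514, 546, 66050, 8388608)):
    """The post's first candidate: a chain of (!(userAccountControl=N))."""
    return value not in excluded


def filter_bitwise(value):
    """What LDAP_FILTER_BITWISE expresses: a normal account whose
    ACCOUNTDISABLE bit is clear, whatever other bits are set."""
    return bool(value & NORMAL_ACCOUNT) and not value & ACCOUNTDISABLE


# Constructed sample accounts (not from the post): user -> userAccountControl.
SAMPLE_ACCOUNTS = {
    "alice": 512,     # normal, enabled
    "bob": 514,       # normal, disabled
    "carol": 66048,   # normal, enabled, password never expires
    "dave": 66050,    # normal, disabled, password never expires
    "erin": 328192,   # normal, enabled, password never expires, smartcard required
    "frank": 544,     # normal, enabled, PASSWD_NOTREQD set
    "grace": 262658,  # normal, disabled, smartcard required
}


def compare_filters(accounts):
    """For each account, whether each of the three filters would admit it."""
    return {
        user: {
            "eq512": filter_equals_512(v),
            "exclude_list": filter_excludes_listed(v),
            "bitwise": filter_bitwise(v),
        }
        for user, v in accounts.items()
    }


if __name__ == "__main__":
    print(LDAP_FILTER_BITWISE)
    for user, result in compare_filters(SAMPLE_ACCOUNTS).items():
        uac = SAMPLE_ACCOUNTS[user]
        print(f"{user:6s} {uac:>7d} {decode_uac(uac)} {result}")
```

Whole-value comparisons only ever match one combination of bits: =512 rejects an enabled user whose password never expires (carol, 66048), and the exclusion list admits a disabled account as soon as any bit outside the list is set (grace). With auth_bind = yes AD refuses the bind for a disabled account anyway, so the filter is a second line of defence rather than the only one. LOCKOUT and PASSWORD_EXPIRED are computed flags that AD reports in msDS-User-Account-Control-Computed rather than reliably in userAccountControl, so a lockout check needs a different attribute.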
Re: AW: Calendar function ?
Hi, On 10/21/2018 01:22 PM, Maurizio Caloro wrote: Please this are a complete Groupware solutions, are possible to use from this only the Calendar Synchronization and Date, Appointment functionality ? If that is what you need, perhaps you should check out sogo: https://sogo.nu/ We have been running it for years, with the same backend-components you are using: postfix and dovecot. (and active directory) MJ
Re: Storing Messages in the cloud
Hi, If you consider ceph as "the cloud", this could also apply: https://github.com/ceph-dovecot/dovecot-ceph-plugin MJ
Re: Looking into a solution for Caldav (and possibly carddav) support
Hi, It sounds as if you want to be looking at sogo.nu: https://sogo.nu/ It re-uses your imap/mail setup, and implements caldav/carddav, and also ActiveSync to interact with the same contacts/calendars. Take a look: It's modern and very well-maintained, plus light-weight. MJ On 06/30/2018 02:06 AM, Nathan Coulson wrote: We have an existing Dovecot/Postfix/Roundcube email solution, which I was hoping to add Caldav (and carddav?) support to, with the goal of 3rd party email clients being able to keep contacts and calendars in sync (as well as having the same information in roundcube) In doing research, I came across traces of it being considered for Dovecot at one time (https://www.dovecot.org/list/dovecot/2015-September/101996.html), and I was wondering where this went. Specifically, https://www.dovecot.org/list/dovecot/2015-September/101997.html seemed to hint that metadata support was a prerequisite for this (mainstream as of the email), and I was wondering if this meant there was potentially a solution built on top of this. Thank you
Re: why is dovecot "Allowing any password"
On 03/22/2018 11:34 AM, Jochen Bern wrote: The configuration guide describes (in 4.3.) a scenario where SOGo's user population backend (LDAP) is set up from scratch, which implies that the preexisting IMAP server supposedly is *not* using the same backend/data/passwords. I'd guess that *if* you have the IMAP server configured to look up the same backend/data (including support for exotic authentication methods, "Exchange style" cross-user access rights management, yadda yadda), the requirement to defeat authentication from SOGo to the IMAP server may become moot. But until then - Exchange takes its entire auth from AD, and SOGo's LDAP, *not* the IMAP server's passdb, is the analogue of that. I have read the above again and again, but I don't understand what you are trying to say, I'm sorry. Chapter 4.3 doesn't apply to us and my question, since we are (and were) always using (samba) AD. Everything connects to this same AD backend, including SOGo and imap. MJ
Re: why is dovecot "Allowing any password"
On 03/22/2018 09:56 AM, Aki Tuomi wrote: I would recommend using master password (that is, replace nopassword=y with password=staticpassword). I know that from localhost perspective this isn't much different, but it will reduce accidents. ok, I'll see if I can get the SOGo developers attention on this. :-) MJ
Re: why is dovecot "Allowing any password"
On 03/22/2018 09:34 AM, Aki Tuomi wrote: I have no idea *WHY* it is required by SOGo. It does not make sense. Well, the thing is: SOGo has this ability to behave like a *real* exchange server, as if it's running on a windows server. And this enables Outlook to connect to it like it would to an exchange server. (so: not in imap mode, and not using regular username/password authentication) Normally, SOGo simply reuses the provided username/password to connect to the imap server, but in the above scenario, these are not available. The same goes for a SAML2 authenticated SOGo webmail logon. In these scenarios, SOGo uses the 127.0.0.1 connection, to logon to imap. Since it does know the username. I guess a better solution would be for SOGo to be able to do 'transformations' to the username/password, to change the regular username/unknownpassword into username*master/masterpassword, and get rid of the 127.0.0.1 passwordless listener. Right? But SOGo doesn't do that. (afaik) MJ
Re: why is dovecot "Allowing any password"
On 03/21/2018 10:34 PM, @lbutlr wrote: The question is does it allow remote users to login with no password? Yes, and the answer is: no. If not, then the message is nearly notification that login without a password is potentially possible. Yes, but a worrying one. That's why I decided to post here. I have no idea why you would have nopassword=y set in the first place, so it seems the simplest way to eliminate this problem is to take that out and have a secure environment for sending mail. Yes, however, for SOGo with Native Outlook compatibility or SAML logon, the config is required. (https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html) Thanks, MJ
Re: why is dovecot "Allowing any password"
ok, fyi: I have now also tested/confirmed this, while looking at the logs, and indeed: Even when the connection is denied because of a wrong password, the message "Allowing any password" is showing up in the logs. Perhaps it is because we have set debug options:

auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes

It would be nice if the "Allowing any password" could be rephrased, or taken out. It really had me scared for a while. Thanks Aki, MJ
Re: why is dovecot "Allowing any password"
Hi Aki, On 03/21/2018 05:43 PM, Aki Tuomi wrote: Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,): allow_nets check failed: IP not in allowed networks this indicates that the request is marked failed. So, what you are saying is: the logline "Allowing any password" is 'wrong'? Access was actually DENIED, even though it says "Allowing any password" and even though one line later it says: "auth: Debug: auth client connected (pid=6174)"? This is all very misleading MJ
Re: why is dovecot "Allowing any password"
Hi Aki, Thanks for the quick answer! On 03/21/2018 05:24 PM, Aki Tuomi wrote: This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or Yes, the config is taken from the SOGo configuration guide, which can be seen here: https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html Yes, but we have args = nopassword=y allow_nets=127.0.0.1/32 so it should only allow passwordless logins from localhost, right..? And in "Debug: static(username,1.2.3.4,): Allowing any password" 1.2.3.4 is NOT localhost... (obviously 1.2.3.4 is not the *real* ip, but it's a *real* ip from the internet, NOT localhost... MJ
why is dovecot "Allowing any password"
Hi,

I noticed the following in the logs of our debian wheezy server:

Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,): result: uid=username; uid unused
Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,): result: uid=username
Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,): invalid credentials (given password: invalid_password)
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): lookup
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,): allow_nets check failed: IP not in allowed networks
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): Allowing any password
Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)

The second last line "Allowing any password" comes as a surprise..? Why would dovecot Allow any password..?

We had the following bit in our config, but I removed it now:

#passdb {
# driver = static
# args = nopassword=y allow_nets=127.0.0.1/32
#}

Could anyone explain the "Allowing any password"?

And lastly our current doveconf -n:

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-amd64 x86_64 Debian 7.11 xfs
auth_debug = yes
auth_debug_passwords = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
shutdown_clients = no
ssl_ca =

MJ
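Reading the whole thread above together: the static passdb prints "Allowing any password" as a debug line regardless of the allow_nets outcome, and Aki's point is that the preceding "allow_nets check failed" line is what marks the request as failed. An added example (not from the thread, not Dovecot code) that parses lines in that format, derives a verdict per (user, ip) request and raises an alert when a passwordless acceptance comes from an address outside the configured allow_nets, which is the case an operator actually needs to catch. The log lines are constructed; the third request simulates a static passdb configured without allow_nets.

```python
import ipaddress
import re
from collections import defaultdict

# The networks the thread's passdb allowed: args = nopassword=y allow_nets=127.0.0.1/32
ALLOW_NETS = [ipaddress.ip_network("127.0.0.1/32")]

# Constructed sample log in the format of the lines quoted in the thread (not
# a copy of them). 1.2.3.4 stands, as in the post, for a non-local address.
SAMPLE_LOG = """\
Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,): invalid credentials (given password: invalid_password)
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): lookup
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,): allow_nets check failed: IP not in allowed networks
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): Allowing any password
Mar 21 07:20:01 mail dovecot: auth: Debug: static(sogo,127.0.0.1,): lookup
Mar 21 07:20:01 mail dovecot: auth: Debug: static(sogo,127.0.0.1,): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:20:01 mail dovecot: auth: Debug: static(sogo,127.0.0.1,): Allowing any password
Mar 21 07:25:33 mail dovecot: auth: Debug: static(webmail,203.0.113.9,): lookup
Mar 21 07:25:33 mail dovecot: auth: Debug: static(webmail,203.0.113.9,): Allowing any password
"""

# "auth: [Debug: ]static(user,ip,...): message"
STATIC_RE = re.compile(
    r"auth: (?:Debug: )?static\((?P<user>[^,]*),(?P<ip>[^,]*),[^)]*\): (?P<msg>.*)$")


def static_passdb_events(log_text):
    """Group static-passdb messages by (user, remote ip), in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = STATIC_RE.search(line)
        if m:
            events[(m.group("user"), m.group("ip"))].append(m.group("msg"))
    return events


def verdict(messages):
    """Outcome of one static-passdb lookup. 'Allowing any password' is a debug
    line printed even after the allow_nets check failed, so on its own it is
    not evidence of a login."""
    if any(msg.startswith("allow_nets check failed") for msg in messages):
        return "denied"
    if "Allowing any password" in messages:
        return "accepted"
    return "incomplete"


def audit(log_text, allow_nets=ALLOW_NETS):
    """Per request: the verdict, whether the remote address is inside the
    configured allow_nets, and an alert when a passwordless acceptance came
    from outside them (a misconfigured or missing allow_nets)."""
    report = {}
    for (user, ip), messages in static_passdb_events(log_text).items():
        try:
            inside = any(ipaddress.ip_address(ip) in net for net in allow_nets)
        except ValueError:          # not a parsable address (e.g. a unix socket)
            inside = False
        v = verdict(messages)
        report[(user, ip)] = {"verdict": v, "inside_allow_nets": inside,
                              "alert": v == "accepted" and not inside}
    return report


if __name__ == "__main__":
    for key, row in audit(SAMPLE_LOG).items():
        print(key, row)
```

Aki's suggestion on this page, password=... in place of nopassword=y, removes the class of mistake the alert looks for. Separately, the doveconf -n above has auth_verbose_passwords = plain and auth_debug_passwords = yes, which write users' plaintext passwords into the same log file this parser reads, so that file needs the same protection as the password store.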
Re: Howto authenticate smartPhone via Active Directory
Hi,

Not much time to reply now.

On 12/05/2017 05:21 AM, Mark Foley wrote:
mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready to try my config (have to do so after hours), but I have some probably simple-minded questions:

Well, that looks as if you are testing/trying out on your production machine. Why not set up a separate (virtual?) test server to play with..? Use the same os version, with the same dovecot version. Or clone your production machine, so you can test as much as you like, without time pressure, at any given time.

Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me differences in your config from the "original"? You've kept the hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

Not the complete file, no. I just provided the essentials.

Your dn is:
dn = cn=search_dovecit,cn=users,dc=company,dc=com
Mine (original) is:
dn = cn=user_for_bind,cn=Users,dc=dom
Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need in order to make this work?

It's the user that dovecot uses to search for your user. Can be anything, as long as it can authenticate using the password in:

My dnpass (original) is:
dnpass =
your example is:
dnpass = top_secret

Use the password of whatever user you use.

If meta, what is actually supposed to go there?

The password of user_for_bind.

With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is that 514 bit documented somewhere? Your user_filter/pass_filter is *completely* different from my installed original.

https://social.msdn.microsoft.com/Forums/vstudio/en-US/77f48af7-bbef-4cd7-9c83-d9359b255534/ldap-query-get-nonlockeddisabled-accounts?forum=netfxbcl

For the rest: my advice is that you *really* need to play around with this much more. Get yourself a test environment, and play and test.
Plus: read some dovecot/ad howtos, and try things in your own environment. Quick google returns: https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x

Enjoy :-)

MJ
Re: Howto authenticate smartPhone via Active Directory
On 12/04/2017 09:01 AM, Aki Tuomi wrote: It seems you'd have to configure OpenLDAP backend for Samba to have LDAP. No. As far as I know, samba in AD mode always does ldap. (AD *is* just that: microsoft-ized ldap) And you should configure dovecot simply as a regular ldap client. That's what we do, anyway. MJ
Re: Howto authenticate smartPhone via Active Directory
Hi Mark,

Just to let you know that we are running dovecot with AD. (and I guess: *many* people are running that combination)

It worked without issues, we are using in dovecot-ldap.conf.ext:

> auth_bind = yes
> this user/passwd filter: = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass = top_secret

And not the 3268 port, but regular 389.

Hope that helps.

MJ

On 12/04/2017 01:38 AM, Mark Foley wrote:
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:

Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with AD. However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input:
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials:
Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257csession_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): username changed charmaine -> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER1884160001 HPRS\charmaine system_groups_user=HPRS\charmaineuid=10003gid=1 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is there a way to only have it do checkpassword if all shadow and gssapi fail?

My mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

-Original Message-
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org

with passdb ldap i guess.

---Aki Tuomi Dovecot oy

Original message
From: Mark Foley <mfo...@ohprs.org>
Date: 03/12/2017 21:18 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory

Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:

passdb pam { }

used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC. Is there some other way I can get authentication using domain credentials besides pam? the phone can send user and password.

--Mark

-Original Message-
Date: Sun, 03 Dec 2017 15:22:56 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org

Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?

---Aki Tuomi Dovecot oy

Original message
From: Mark Foley <mfo...@ohprs.org>
Date: 03/12/2017 06:03 (G
Re: My sub-folder with Outlook work-around to date
Hi, What we do, on the dovecot side, is: mail_location = maildir:~/Maildir:LAYOUT=fs:DIRNAME=mAildir See: https://wiki2.dovecot.org/MailLocation/Maildir This has been working out very nicely for many years. I'm not sure though that there is a way to 'move' to that config without having to basically migrate all your mailboxes. MJ On 10/06/2017 04:08 AM, David.M.Clark wrote: Hi All, please be kind, this is my first e-mail to the list :-) I actively support CentOS based e-mail servers running Dovecot, Sendmail, SpamAssassin and 3 x SOGo based setups. Dovecot is my goto IMAP server and have used it and modifications to it to net excellent results for years. Then we have people who insist on only using Outlook (and in some instances the MS Live Messenger thingy). Some shenanigans in recent years have arisen with using sub-folders in the Outlook clients (2013 and 2016). Traditionally, placing a "/" after the name of a newly desired e-mail folder has netted the result of something like: "Rentals/" creating: /u/home/someuser/mail/Rentals/ Under which users then create actual e-mail folders under the "Rentals" Linux directory as such. With Outlook 2013 and 2016 this seems to have stopped working and so I implemented a work-around where the user creates a normal folder, example "Rentals++", and I have written a cron script that trawls the $HOMEs each minute and if it finds a folder with a "++" at the end, it creates the folder as a directory, so: /u/home/someuser/mail/Rentals++ becomes: /u/home/someuser/mail/Rentals/ and adds this new subscription to their .subscription folder. It also sends an e-mail to the user advising that the new folder is created and they can proceed to use the "Rentals" folder for adding sub-folders (as in real text based mail folders). The script was a quick work-around one weekend in a mad flurry to get things working and to date works but is not 'user-proof'. 
So I am now looking at developing an internal web interface to do the same thing and hoping with more controls, has no or far less margin for user error. Long times of Outlook folder refreshes don't help and users sometimes end up with issues that require my Linux command line help. I have been trawling e-mail forums for some time now and have not seen any other work-arounds (or perhaps I am living under a rock) but before I embark on this web interface adventure, I just wanted to make sure I had not missed some fundamental 'bit' that I should be observing. All servers are either CentOS 6.9 (or slightly less) and CentOS 7 with the latest updates and for things like Thunderbird and Roundcube and SOGo, work well. I need to experiment with the whole "/" for these but I am currently driven by the enforced Outlook chains. Any input from you guys on whether this is my best approach or 'hey mate, just do this', would be much appreciated. I am happy to share my travels script/web-wise if this is the only option to date.
librmb: Mail storage on RADOS with Dovecot
Hi ceph-ers, The email below was posted on the ceph mailinglist yesterday by Wido den Hollander. I guess this could be interesting for users here as well. MJ

Forwarded Message
Subject: [ceph-users] librmb: Mail storage on RADOS with Dovecot
Date: Thu, 21 Sep 2017 10:40:03 +0200 (CEST)
From: Wido den Hollander <w...@42on.com>
To: ceph-us...@ceph.com

Hi, A tracker issue has been out there for a while: http://tracker.ceph.com/issues/12430 Storing e-mail in RADOS with Dovecot, the IMAP/POP3/LDA server with a huge marketshare. It took a while, but last year Deutsche Telekom took on the heavy work and started a project to develop librmb: LibRadosMailBox Together with Deutsche Telekom and Tallence GmbH (DE) this project came to life. First, the Github link: https://github.com/ceph-dovecot/dovecot-ceph-plugin I am not going to repeat everything which is on Github, but a short summary: - CephFS is used for storing Mailbox Indexes - E-Mails are stored directly as RADOS objects - It's a Dovecot plugin We would like everybody to test librmb and report back issues on Github so that further development can be done. It's not finalized yet, but all the help is welcome to make librmb the best solution for storing your e-mails on Ceph with Dovecot. Danny Al-Gaaf has written a small blogpost about it and a presentation: - https://dalgaaf.github.io/CephMeetUpBerlin20170918-librmb/ - http://blog.bisect.de/2017/09/ceph-meetup-berlin-followup-librmb.html To get an idea of the scale: 4,7PB of RAW storage over 1.200 OSDs is the final goal (last slide in presentation). That will provide roughly 1,2PB of usable storage capacity for storing e-mail, a lot of e-mail. To see this project finally go into the Open Source world excites me a lot :-) A very, very big thanks to Deutsche Telekom for funding this awesome project! A big thanks as well to Tallence as they did an awesome job in developing librmb in such a short time. Wido
Re: Problem w/ Dovecot authentication against AD
Hi,

Perhaps you need auth_bind = yes?

MJ

On 09/13/2017 01:34 PM, Garry Glendown wrote:
Hi, I had to start using Dovecot on a machine as the new OS does not come with Cyrus IMAP anymore. After multiple problems, I managed to get everything working, including LDAP authentication against the (old) Novell LDAP server. Anyway, the authentication is supposed to be migrated to the new Windows AD. For other tools, I successfully migrated the config to use AD, but somehow Dovecot does not work as it should. I've been going back and forth, trying everything I could think of, but still can't get it to work. Here's the excerpt from the config file:

hosts = 10.10.10.210
uris = ldap://10.10.10.210:389
dn = cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net
dnpass = PASSWORD
tls = no
debug_level = -1
auth_bind = yes
ldap_version = 3
base = DC=srv,dc=SLD,dc=net
deref = never
scope = subtree
user_attrs = sAMAccountName=user
user_filter = (&(sAMAccountName=%n)(objectclass=person))
pass_attrs = sAMAccountName=user
pass_filter = (&(sAMAccountName=%n)(objectclass=person))
iterate_attrs = mail=user
iterate_filter = (objectclass=person)
default_pass_scheme = PLAIN

The problem might be caused by the referral-info sent by the AD, which I can see both in the results dovecot gets (checked with tcpdump), as well as in ldapsearch ... apart from the actual search result, I always get three additional results:

# refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net
# refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
# refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net

From what I can see in the pcap as well as some of the logs, dovecot binds to the AD, sends out the LDAP query correctly, gets the lookup result with the user queried plus the above three referrals, then unbinds from the (named) bind, attempts a simple bind without dn/dnpass (multiple times), and finally sends three additional search requests under the search bases

cn=Configuration,DC=srv,DC=SLD,DC=net
DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
DC=DomainDnsZones,DC=srv,DC=SLD,DC=net

These three requests are denied by the AD as they are not permitted without a successful prior bind. Dovecot then fails the auth process. Is there a way to stop Dovecot from using the referrals? Openldap seems to have an option to disable referrals, but Dovecot does not allow that option in its LDAP config, and having the option set in the global ldap.conf doesn't seem to help any, either. Is there possibly a way to disable the referral information on the AD side?

Thanks, Garry
Re: Dovecot - Postfix Calender Synchronisation
Hi,

I realise that this is in fact off-topic, but: like others, I'd also like to recommend SOGo. Someone in this thread said: it has too many dependencies, but I disagree, and in fact I consider it a good thing that it depends on other components. Consider SOGo like an exchange server. And they (inverse.ca) only implemented the missing bits, and for the rest they depend on stable and mature other components. While that means dependencies, yes, it also means: do what you're good at and what's missing, and for the rest: reuse what is readily available. Don't reinvent the wheel. Besides that: most places will have many of the requirements in place already.

MJ

On 08/24/2017 07:38 AM, Rupert Gallagher wrote:

We tried installing Radicale months ago, and decided to postpone testing. Its footprint exceeds 140MB, because of python. It requires python, which is a security hazard on production servers. Security mitigations are absent: must use a virtual machine.

Sent from ProtonMail Mobile

On Thu, Aug 24, 2017 at 12:11 AM, Marcus Rueckert <da...@opensu.se> wrote:

Lookup radicale.

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Re: unexpected delivery location
Hi,

On 08/23/2017 09:56 PM, Noel wrote:

Perhaps you can adjust your query or your database to return the desired result. Otherwise, use your scripting skills to generate a file, then automate the procedure.

Thanks for the suggestion, I'll try something like that. Still feel that some simple config to make one domain an alias to another domain would be very useful. :-)

MJ
Re: unexpected delivery location
Hi Noël,

Thanks for your response!

On 08/23/2017 06:03 PM, Noel wrote:

Don't use wildcard aliases. They break recipient validation and cause postfix to accept all addresses. Instead use 1-1 aliases, such as

user1@olddomain user1@newdomain
user2@olddomain user2@newdomain

But we have 500+ addresses in ldap, surely there must be some 'automated' way to 'transform' any incoming mail sent to ran...@olddomain.com into ran...@newdomain.com? (and then have it processed regularly, so that bounces still work for non-existent addresses and such)

MJ
Re: under another kind of attack
On 07/29/2017 07:44 PM, Doug Barton wrote:

On 07/25/2017 07:54 AM, mj wrote:

Since we implemented country blocking,

Please don't do that. Balkanizing the Internet doesn't really benefit anyone, and makes innovation a lot more difficult.

Perhaps I need to be more specific: I block certain countries from accessing imap/smtp directly, as that is where all the botnets seem to be trying their passwords. I do not block entire countries from accessing us completely (the hammer) but rather block their access of imap and smtp for my mailserver. (this is what I like to see as a precision tool)

For the record I improved my iptables rules a lot compared to the mail you replied to. I am now using a chain, like this:

$IPTABLES -N filter_countries
$IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
$IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP

and then:

$IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries

This makes it a lot more efficient, compared to the (many) rules I was using earlier.

MJ
Re: under another kind of attack
Hi Doug, On 07/29/2017 07:44 PM, Doug Barton wrote: Instead, take a look at the fail2ban scenarios in this thread, which solve the actual problem with a precision tool, instead of a hammer. I have implemented (most of) those as well, and additionally choose to also block certain countries. It helps tremendously. MJ
Re: under another kind of attack
Hi Olaf,

Since we implemented country blocking, everything seems nicely under control, with only 'normal levels' of knocking.

We first implemented: http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip

Then we did: https://github.com/firehol/blocklist-ipsets

And finally iptables rules like these:

iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP

I tried to combine the various dports in one single rule, but that didn't seem to work. Perhaps someone here knows how to combine --match "geoip" and "multiport" in one single rule?

Anyway: for us these combined measures did the trick. Users in one of the imap-blocked countries will have to use ActiveSync (works over https), the webmail interface, or launch the VPN first. This works for us.

Only one thing on my wishlist: application specific passwords. I would very much appreciate a response on that thread... (posted yesterday evening, with a pseudo-dovecot-config file...)

Hope the above helps you a bit, Olaf.
MJ

On 07/25/2017 04:37 PM, Olaf Hopp wrote:

Hi folks,

"somehow" similar to the thread "under some kind of attack" started by "MJ": I have dovecot shielded by fail2ban which works fine. But since a few days I see many many IPs per day knocking on my doors with wrong password and/or users. But the rate at which they are knocking is very very low. So fail2ban will never catch them.

For example one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user

Note the timestamps. If I look the other way round (tries to one account) I'll get

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user

Also note the timestamps! And I see many many distinct IPs per day (a few hundred) trying many many existing and non-existing accounts. As you see in the timestamps in my examples, this can not be handled by fail2ban without affecting regular users with typos.

Is anybody observing something similar? Anybody an idea against this? Many of these observed IPs are chinese mobile IPs, if this matters. But we have also chinese students and researchers all abroad.
Regards, Olaf
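The pattern Olaf describes (each source address tries only a few accounts, hours apart, so a per-IP maxretry/findtime jail never fires, while one account is hit from many addresses) is visible as soon as the failures are aggregated the other way round. The following script is an added example, not code from the thread or from Dovecot or fail2ban: it parses auth-worker/pam lines in the format Olaf quoted (the sample log embeds his lines plus one constructed benign case, a user mistyping a password twice from 192.0.2.10), computes for each source the largest number of failures inside any findtime window (what a fail2ban jail would count), and reports sources that touch several accounts while staying under maxretry, and accounts hit from several sources. The thresholds (maxretry=3, findtime=600 s, three users or three IPs) are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: Olaf's lines from the thread plus two benign lines for
# "alice" (one user, one address, two quick failures, i.e. a typo).
SAMPLE_LOG = """\
Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 09:00:01 irams1 dovecot: auth-worker(2000): pam(alice,192.0.2.10,): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 09:00:40 irams1 dovecot: auth-worker(2000): pam(alice,192.0.2.10,): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): pam(endsulei,222.84.118.83,): unknown user
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): pam(gergei,101.231.247.210,): pam_authenticate() failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,206.214.0.120,): unknown user
"""

# One failed PAM authentication: "pam(user,ip,<optional session>): reason".
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"pam\((?P<user>[^,]+),(?P<ip>[^,]+),(?:<[^>]*>)?\): "
    r"(?P<reason>unknown user|pam_authenticate\(\) failed.*)$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every failed PAM authentication line."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            # syslog timestamps carry no year; ordering within a day is all we need
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def max_failures_in_window(timestamps, findtime):
    """Largest number of failures inside any window of findtime seconds
    (the count a fail2ban jail with that findtime would compare to maxretry)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > findtime:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_slow_spray(log_text, maxretry=3, findtime=600, min_users=3, min_ips=3):
    """Report sources that spread guesses over several accounts while staying
    below the jail threshold, and accounts guessed from several sources."""
    users_by_ip = defaultdict(set)
    times_by_ip = defaultdict(list)
    ips_by_user = defaultdict(set)
    for ts, user, ip in parse_failures(log_text):
        users_by_ip[ip].add(user)
        times_by_ip[ip].append(ts)
        ips_by_user[user].add(ip)
    spraying_ips = {
        ip: len(users)
        for ip, users in users_by_ip.items()
        if len(users) >= min_users
        and max_failures_in_window(times_by_ip[ip], findtime) < maxretry
    }
    targeted_users = {
        user: len(ips) for user, ips in ips_by_user.items() if len(ips) >= min_ips
    }
    return {"spraying_ips": spraying_ips, "targeted_users": targeted_users}


if __name__ == "__main__":
    print(find_slow_spray(SAMPLE_LOG))
```

On the sample data 101.231.247.210 is reported (four distinct accounts, never more than two failures in any ten-minute window) and endsulei is reported as targeted from six addresses, while alice's two quick failures from one address stay out of both lists; the same aggregation over a day of real logs gives a list of source addresses that a per-IP jail will never see.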
Re: under some kind of attack
Hi Joseph, On 07/21/2017 10:17 PM, Joseph Tam wrote: As per my post: checkpassword. You can then use one password on Mondays, Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday fetched from a rot-13 database, and only from prime numbered IP addresses on weekends, if that's what you want. Having read the wiki page on checkpassword, I am unsure how this would work with an ldap backend. Could you elaborate on that? Best, MJ
Re: application specific passwords
Hi Kirill,

Thanks for your reply. Such a simple flat file approach would be perfect, and I don't mind at all to require app specific usernames *and* passwords. However, I am unsure how to combine your recipe below with our regular AD userdb/passdb. Perhaps someone can give me some pointers in that direction?

MJ

On 07/20/2017 06:50 PM, Kirill Miazine wrote:

I'm not familiar with samba AD and with its features and limitations. For my simple system I'm using plain files for passdb and userdb (aka. passwd-file). Application (or rather device) specific passwords are implemented by having an additional "username" with a specific password for a particular application or device. E.g. some entries for myself:

bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M
workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=10240M

The files are generated automatically from a Single Source of Truth. In my case I'm selecting the username myself, but there's nothing preventing you from generating a username/password combination for your users.

Note that in my setup users will have application specific username and password, not only application specific password. It was easier to implement it quickly this way.

Greetz
Kirill
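Kirill's recipe leaves the generation step to the reader: a per-device username, a random password that is shown to the user once, and a passwd-file line with only the hash on disk. The script below is an added example, not Kirill's generator and not part of Dovecot: it produces such lines in the eight-field layout his entries use (user, password, uid, gid, gecos, home, shell, extra fields), hashing each generated password in the {SSHA512} scheme. The hash layout, base64(sha512(password || salt) || salt), is assumed from Dovecot's salted-SHA schemes; confirm it on your version with `doveadm pw -t '<hash>' -p '<password>'` before putting generated lines into production. The username convention (real user plus device name) and the sample uid/gid/home values are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets

SCHEME = "{SSHA512}"


def ssha512_hash(password, salt=None):
    """Salted SHA-512 in the assumed Dovecot SSHA512 layout:
    base64(sha512(password || salt) || salt). Verify with 'doveadm pw -t'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password, stored):
    """Check a password against an SSHA512 hash; the salt is whatever follows
    the 64-byte digest. Constant-time compare, as a passdb would do."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def new_app_password(nbytes=15):
    """Random device password from the OS CSPRNG (15 bytes -> 20 URL-safe chars)."""
    return secrets.token_urlsafe(nbytes)


def passwd_file_entry(app_user, password_hash, uid, gid, home, extra_fields):
    """One passwd-file line in Kirill's layout: user:pw:uid:gid:gecos:home:shell:extra."""
    return f"{app_user}:{password_hash}:{uid}:{gid}::{home}::{extra_fields}"


def provision_app_passwords(real_user, devices, uid, gid, home, quota="10240M"):
    """Return (lines, plaintexts): passwd-file lines to install and the plaintext
    passwords to hand to the user once. Usernames are per device, as in Kirill's
    setup; the '<user>-<device>' convention is an assumption of this example."""
    extra = f"userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes={quota}"
    lines, plaintexts = [], {}
    for device in devices:
        app_user = f"{real_user}-{device}"
        password = new_app_password()
        plaintexts[app_user] = password
        lines.append(passwd_file_entry(app_user, ssha512_hash(password), uid, gid, home, extra))
    return lines, plaintexts


if __name__ == "__main__":
    lines, shown_once = provision_app_passwords("km", ["phone", "laptop"], 10001, 10001, "/krot/mail/km")
    print("\n".join(lines))
    for user, password in shown_once.items():
        print(f"hand to the user once: {user} / {password}")
```

The plaintexts never reach the file; revoking a device means deleting its line, which is what makes a per-device username more useful operationally than one shared app password per person.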
Re: application specific passwords
Hi,

Let me ask a more specific question. What I would like to configure, is:

- for our internal users to use their regular AD username/passwords, just as everybody can currently do.

but, new:

- for external users, to ONLY be allowed to use an application specific password. (or username and password, fine as well)

Step one: making ldap password authentication valid only from our internal network. I thought: using allow_nets=192.168.1.0/24 for that passdb. But I can't get that to work. :-( Unsure where exactly to define the allow_nets, tried many variations on the theme already.

Perhaps someone can help with the step one, and also tell me if the approach outlined above is smart, valid and do-able in dovecot.

Here are our sanitised configs:

root@mails:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_failure_delay = 2 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_ca =

and our dovecot-ldap.conf.ext:

hosts = ldap1 ldap2 ldap3
dn = cn=search,cn=
dnpass = secretashell
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=.
scope = subtree
user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24
user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)

MJ
Re: under some kind of attack
On 07/20/2017 08:47 PM, Robert Schetterer wrote:

Ok I understand, not a bad idea, report how it works for you

That "report how it works for you" was exactly why I posted the fail2ban failregex back to the list. :-) So others can use it too.

It works fantastic, and I combined it now with blocking complete countries at the firewall level. Users have their regular three login tries, and get a password dialogue if they changed their password. (which many did, in the light of this attack) And the last botnet attempts remaining, using "password" etc are blocked instantly. Works nicely. :-)

Now I want to implement application specific passwords, I will post about that in a separate message. As you have been such a great help, perhaps you can also help a little bit in that thread...?

Thanks again,
MJ
Re: under some kind of attack
Hi Robert,

I don't understand why you focused on those ldap strings. fail2ban should trigger on some "Authentication failure" regex in the related syslog. Perhaps this will help to make it more clear: http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot

Yes, but I have that as well. :-) I wanted two kinds of blocking:

#1: Everybody trying the well-known passwords (password, 123321, 1q2w3e, etc, etc) to become blocked *immediately* and for *always*.

#2: I wanted all others to have the 'regular' settings, with three shots at typing a password, etc.

#2 being the 'regular fail2ban' settings, but during this attack, I wanted special settings, #1, for anyone trying one of the malicious passwords. I did NOT want to give them the usual three opportunities to try.

In fact: this is a bit similar to your iptables solution, but that only works for non-ssl/non-tls connections. Your iptables solution makes sure that they cannot authenticate *at all*, while the above solution makes sure they can only authenticate *once*.

MJ
application specific passwords
Hi,

Further to the other thread about password guessing activities against our dovecot, I would like to implement application specific passwords on our dovecot.

Googling results in some documents, but they are all a bit older:

https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/
https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot
http://www.justinbuchanan.com/blog/category/RoundCube
http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix

Those articles are interesting, but also rather old. (I realise that this does not necessarily mean: irrelevant or bad)

Is there anyone here with some additional notes, ideas, tips, tricks on setting up application specific passwords with dovecot with virtual users? We are using samba AD as an authentication backend.

MJ
Re: under some kind of attack
I have concocted something that seems to work. And for the archives, this is it:

failregex = auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: .+ssword\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1qaz2wsx\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 123321\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1234567890\)
            auth: Info: ldap\(.+,<HOST>,.+\): invalid credentials \(given password: 1q2w3e4r.+\)

It's still reactive, and not pro-active. All the other suggestions are very much appreciated, including weakforced, however implementing that is a much larger project.

Next I have to find out how to feed my fail2ban logs back to blocklist.de, to improve their mail.txt hit rate.

Thanks again for all kind assistance.

MJ

On 07/20/2017 11:16 AM, mj wrote:

Hi all,

If I may, one more question on this subject: I would like to create a fail2ban filter, that scans for these lines:

Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)

(as you can see, I have enabled auth_verbose_passwords to do this, making me very uncomfortable...)

Anyway: since there are only a few password variations, I would like to block anyone using those passwords. (since the connections are over TLS/SSL, I cannot use iptables, as suggested earlier)

So I need a specific fail2ban rule that extracts the <HOST> from that line, and matches on "(given password: password)"

Can anyone here help out with a failregex line that would match..?
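Before a failregex like the one above goes into a jail it is worth running it against a few known lines, because a pattern that is too wide (the `.+ssword` and `1q2w3e4r.+` alternatives) also bans a legitimate user whose real password merely ends in those characters, and a pattern that misses the session-id form of the line silently does nothing. The script below is an added example, not code from the thread or from fail2ban: it builds the filter from an explicit list of the sprayed passwords (each one `re.escape`d, so the match is exact rather than `.+ssword`), substitutes the `<HOST>` token the way fail2ban does (a simplified host group; fail2ban's own covers hostnames and IPv6 too, which is an assumption of this example), and reports which sample lines would count and which address each would ban. The sample lines are the two from the post plus constructed ones: a second sprayed password with a session id, a legitimate user's typo, and a near-miss ("password1").

```python
import re

# Simplified stand-in for fail2ban's <HOST> substitution (dotted IPv4 or IPv6 here).
HOST_GROUP = r"(?P<host>[0-9a-fA-F:.]+)"

# Sprayed passwords seen in the thread, as literal strings (escaped below).
SPRAYED_PASSWORDS = ["password", "Password", "1qaz2wsx", "123321",
                     "1234567890", "1q2w3e4r", "1q2w3e4r5t"]

# Constructed sample lines in the auth_verbose_passwords=plain format from the post.
SAMPLE_LOG = [
    "Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)",
    "Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): invalid credentials (given password: password)",
    "Jul 20 11:12:03 auth: Info: ldap(user3,192.0.2.55,<Zm9vYmFy>): invalid credentials (given password: 1q2w3e4r5t)",
    "Jul 20 11:15:30 auth: Info: ldap(user4,192.0.2.77,<YmFy>): invalid credentials (given password: Correct-Horse-7)",
    "Jul 20 11:16:02 auth: Info: ldap(user5,192.0.2.88,): invalid credentials (given password: password1)",
]


def build_failregex(passwords):
    """fail2ban-style failregex keyed on an exact list of sprayed passwords.
    The session slot is '.*' so lines with and without <session-id> both match."""
    alternatives = "|".join(re.escape(p) for p in passwords)
    return (r"auth: Info: ldap\([^,]+,<HOST>,.*\): invalid credentials "
            r"\(given password: (?:" + alternatives + r")\)")


def compile_failregex(failregex):
    """Replace the <HOST> token with a named group, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def matching_hosts(lines, failregex):
    """Return the host of every line the filter would count as a failure, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


FAILREGEX = build_failregex(SPRAYED_PASSWORDS)

if __name__ == "__main__":
    print("failregex =", FAILREGEX)
    for host in matching_hosts(SAMPLE_LOG, FAILREGEX):
        print("would ban:", host)
```

The closing `\)` after the alternation is what keeps "password1" and "Correct-Horse-7" out of the match; with `fail2ban-regex /var/log/dovecot/dovecot.info /etc/fail2ban/filter.d/<filter>.conf` the same check can be run against the real log and the real filter file.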
Re: under some kind of attack
Hi all,

If I may, one more question on this subject: I would like to create a fail2ban filter, that scans for these lines:

Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid credentials (given password: password)

(as you can see, I have enabled auth_verbose_passwords to do this, making me very uncomfortable...)

Anyway: since there are only a few password variations, I would like to block anyone using those passwords. (since the connections are over TLS/SSL, I cannot use iptables, as suggested earlier)

So I need a specific fail2ban rule that extracts the <HOST> from that line, and matches on "(given password: password)"

Can anyone here help out with a failregex line that would match..?
Re: under some kind of attack
Hi everybody,

Thanks very much for the kind advice given yesterday and today. I have now implemented the blocklist on

* http://list.blocklist.de/lists/all.txt

using the scripts here:

* https://forum.blocklist.de/viewtopic.php?f=11=84# (a combi of bash and php)

For now, my server appears to handle that approach (with the separate iptables rules) quite nicely. But I will keep the ipset solution in mind.

Anyone aware of other blocklists that are worth blocking? Because the list.blocklist.de/lists/all.txt blocks some, but not anywhere near all. I now know how to block large lists of ips, so if anyone has additional lists to block?

MJ

On 07/19/2017 12:42 PM, Dave wrote:

On 19/07/2017 11:23, mj wrote:

Hi Robert,

On 07/18/2017 11:43 PM, Robert Schetterer wrote:

i guess not, but typical bots arent using ssl, check it however fail2ban sometimes is to slow

I have configured dovecot with auth_failure_delay = 10 secs

I hope that before the 10 sec are over, dovecot will have logged about the failed login attempt, and fail2ban will have blocked the ip by then.

I realise this is orthogonal to dovecot, but if you are attempting to block a very large number of IPs, it is more efficient to use a single ipset than thousands of iptables rules:

For example, given a single firewall rule:

iptables -A INPUT -p tcp --dport 143 -m set --match-set imap-bl src -j DROP

/etc/fail2ban/jail.conf:

[imap]
...
action = ipset[name=imap-bl]

/etc/fail2ban/action.d/ipset.conf:

[Definition]
# fail2ban tracks, so we dont use ipset timeout
actionstart = /usr/sbin/ipset -exist create <name> hash:ip maxelem 131072
actionstop = /usr/sbin/ipset -exist flush <name>
actioncheck =
actionban = /usr/sbin/ipset -exist add <name> <ip>
actionunban = /usr/sbin/ipset -exist del <name> <ip>

You may have to ensure the ipset is present before referencing it in iptables, for example, Redhat-alikes will have an ipset init script that operates in exactly the same way as iptables (start/stop/save), with the configuration stored under /etc/sysconfig/ipset:

create imap-bl hash:ip family inet hashsize 1024 maxelem 131072

chkconfig ipset on
service ipset start

(create iptables rules, ipset created on boot prior to iptables, other distros likely have similar configuration)

I've found that the slowest component tends to be fail2ban itself, which has difficulty tracking a large number of IPs or even tailing sufficiently busy logfiles.
Re: under some kind of attack
Hi Robert,

On 07/18/2017 11:43 PM, Robert Schetterer wrote:

I guess not, but typical bots aren't using ssl, check it. However fail2ban sometimes is too slow.

I have configured dovecot with auth_failure_delay = 10 secs

I hope that before the 10 sec are over, dovecot will have logged about the failed login attempt, and fail2ban will have blocked the ip by then.

MJ
Re: under some kind of attack
Hi Robert,

On 07/18/2017 10:15 PM, mj wrote:

Robert, your iptables suggestions are _very_ interesting! However, will they also work on imaps/993, because of the ssl?

I have adjusted and put into place your iptables suggestion like this:

iptables -I INPUT -p tcp --dport 143 -m string --algo bm --string '1q2w3e4r' -j DROP
iptables -I INPUT -p tcp --dport 993 -m string --algo bm --string '1q2w3e4r' -j DROP

However, I don't think it's working, as the login attempts just keep coming. Probably the reason is: smtp is plain text, and imap TLS/SSL is not, so the rules never get triggered.

MJ
Re: under some kind of attack
Hi,

Thanks for the quick follow-ups! Much appreciated.

After posting this, I immediately started working on fail2ban. And between my initial posting and now, fail2ban already blocked 114 IPs. I have fail2ban with maxretry=1 and bantime=1800

However, it seems almost all IPs are different, and I don't think I can keep the above settings permanently.

Robert, your iptables suggestions are _very_ interesting! However, will they also work on imaps/993, because of the ssl?

Thanks for the quick replies!

MJ

On 07/18/2017 09:52 PM, Robert Schetterer wrote:

Am 18.07.2017 um 21:44 schrieb mj:

Hi all,

It seems we are under some kind of password guessing attack:

Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,): invalid credentials (given password: 1q2w3e4r)

Different IPs, different usernames, but all (almost) the same password.

Any idea what we can do about this?? Any advice you could give us would be very much appreciated.

MJ

perhaps this

https://wiki.dovecot.org/HowTo/Fail2Ban

or you may adapt this

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

to pop3(s)/imap(s) and your needs

Best Regards
MfG Robert Schetterer
under some kind of attack
Hi all,

It seems we are under some kind of password guessing attack:

Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,): invalid credentials (given password: 1q2w3e4r)

Different IPs, different usernames, but all (almost) the same password.

Any idea what we can do about this?? Any advice you could give us would be very much appreciated.

MJ
Re: how to make user iteration work (with active directory ldap)
Hi Aki,

Wow that was a quick reply! :-)

userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%n allow_all_users=yes
  driver = static
}

This needs to use driver = ldap, static userdbs are not iterable.

Did that, and after changing args to point to a filename, everything popped into place :-)

Thanks for your assistance!

MJ
how to make user iteration work (with active directory ldap)
We received no replies to this email that we sent a few days ago. We're not sure why. If we miss something that is obvious to everybody, kindly point it out.

We would like to get iteration working, to be able to mass-delete specific emails from all mailboxes, in case of for example received viruses...

Here is my question again:

Hi,

User iteration doesn't work, we're getting:

auth: Error: Trying to iterate users, but userdbs don't support it

The way I understand it, I need to set iterate_attrs and iterate_filter for iteration to work. I have set it (see configs below) and yet dovecot says "userdbs don't support it". What else do I need to do to enable it?

Our config is against samba Active Directory ldap and generally works fine. Can anyone here take a quick look at the configs below, and tell me how to make doveadm user -u "*" work?

Below are our configs. Any tips would be appreciated...!

MJ

root@dovetest:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_debug_passwords = yes
auth_failure_delay = 400 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = failure_show_msg=yes dovecot
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_ca =

and dovecot-ldap.conf.ext:

hosts = 127.0.0.1:391
dn = cn=search,cn=users,dc=company,dc=com
dnpass = secret
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=samba, DC=cmpany, DC=com
scope = subtree
user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n
user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)
how to make user iteration work (ldap)
Hi,

User iteration doesn't work, we're getting:

auth: Error: Trying to iterate users, but userdbs don't support it

The way I understand it, I need to set iterate_attrs and iterate_filter for iteration to work. I have set it, and yet it doesn't work with the above failure. Our config is against ldap (active directory) and generally works fine. Can anyone here take a quick look, and tell me how to make

> doveadm user -u "*"

work? Below are the required configs. Any tips would be appreciated...!

MJ

root@dovetest:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_debug_passwords = yes
auth_failure_delay = 400 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = failure_show_msg=yes dovecot
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_ca =

and dovecot-ldap.conf.ext:

hosts = 127.0.0.1:391
dn = cn=search,cn=users,dc=company,dc=com
dnpass = secret
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=samba, DC=cmpany, DC=com
scope = subtree
user_attrs = =home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n
user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)
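An editorial note with an added configuration example, not a reply from the thread and not Dovecot's own documentation. The doveconf -n output above declares three passdb blocks and no userdb block, and iterate_attrs/iterate_filter are userdb settings: "doveadm user -u '*'" enumerates users through the userdb, never through a passdb. The assumption behind this example is therefore that a userdb ldap block pointing at the same dovecot-ldap.conf.ext is what is missing; the file path is taken from the posted config, everything else is constructed.

```conf
# Added example: auth-ldap fragment for the config posted above (assumed fix,
# not the thread's answer). The passdb is unchanged; the userdb is new.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  skip = authenticated
}

# User iteration is a userdb feature, so without a userdb that supports it
# auth logs "Trying to iterate users, but userdbs don't support it".
# With auth_bind = yes the search still uses dn/dnpass, which are already
# set in the posted dovecot-ldap.conf.ext.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
```

With this in place the iterate_attrs = sAMAccountName=user and iterate_filter = (objectClass=person) lines already present in dovecot-ldap.conf.ext are what "doveadm user -u '*'" uses; a single "doveadm user somelogin" is a quick check that the userdb lookup itself resolves before trying the wildcard. Note that the iteration filter in the posted file does not exclude disabled accounts the way user_filter does, so the listing will include them unless the same (!(userAccountControl=514)) clause is added there.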
Re: letsencrypt
Yes: I'm using the acme.sh client, and I can do: > acme.sh --issue --standalone -d example.com --httpport 88 It does what you'd expect: it runs using a small webserver on port 88 I only just discovered that option myself :-) MJ On 03/03/2017 08:22 PM, David Mehler wrote: Hello, Thanks. Is there another way of doing this? I've got a web server running on 80 and 443. Are there any other options? Thanks. Dave.
Re: two listeners with different "driver = " configs
Hi Sami, It is difficult. So it seems. :-) Thanks for your suggestions. Perhaps I just have to accept that what I would like is not possible. Thanks again for all suggestions! MJ
Re: two listeners with different "driver = " configs
Hi Aki, list, On 12/31/2016 11:50 AM, Aki Tuomi wrote: or maybe you can try local 0.0.0.0/0:144 { passdb { } } That makes dovecot complain: "Auth settings not supported inside local/remote blocks: passdb" MJ
Re: two listeners with different "driver = " configs
On 01/01/2017 10:10 PM, Charles Marcus wrote: Or, maybe it is the holidays and people actually have a life? I was just trying to make sure (after patiently waiting two days) that I wasn't missing some config option obvious to everyone except me. And apropos holidays: Happy new year to everybody :-) (and thanks Aki Tuomi for your replies) MJ
Re: two listeners with different "driver = " configs
Hi, Does the lack of replies mean that what I'm asking is not possible? (or am I missing something SO obvious that nobody bothers to point it out..?) MJ On 12/29/2016 09:23 PM, mj wrote: Hi, I would like to have two separate imap listeners, with different authentication settings, but the mailstore and userbase etc will be identical. I know I can do this:

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imap2 {
    port = 144
  }
}

But I'm unsure how to configure imap/143 with "driver = ldap" and imap2/144 with "driver = pam" Just to explain why I would like this: I am using pam-script-saml (https://github.com/ck-ws/pam-script-saml) to enable saml-based access to dovecot. I would like to have one listener 144 to only serve this saml authentication listener, and the regular 143 listener with driver = ldap. Is that config possible? Best regards, MJ
Re: two listeners with different "driver = " configs
On 12/29/2016 09:23 PM, mj wrote: Hi, I would like to have two separate imap listeners, with different authentication settings, but the mailstore and userbase etc will be identical. I know I can do this:

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imap2 {
    port = 144
  }
}

For the record, I'm using dovecot 2.2.26 on debian. MJ
two listeners with different "driver = " configs
Hi, I would like to have two separate imap listeners, with different authentication settings, but the mailstore and userbase etc will be identical. I know I can do this:

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imap2 {
    port = 144
  }
}

But I'm unsure how to configure imap/143 with "driver = ldap" and imap2/144 with "driver = pam" Just to explain why I would like this: I am using pam-script-saml (https://github.com/ck-ws/pam-script-saml) to enable saml-based access to dovecot. I would like to have one listener 144 to only serve this saml authentication listener, and the regular 143 listener with driver = ldap. Is that config possible? Best regards, MJ
Re: SAML | Input buffer full (no auth attempts in 0 secs)
On 12/03/2016 08:04 PM, Timo Sirainen wrote: If SOGo used AUTHENTICATE PLAIN instead of LOGIN, it should work. The SASL authentication buffer is larger (8 kB) than regular commands' buffer (~1 kB). Thanks Timo, that worked! :-) MJ
SAML | Input buffer full (no auth attempts in 0 secs)
Hi, In my journey to enable SAML auth for our webmail (sogo.nu) I have created a password-less dovecot imap listener on 127.0.0.1/32, so that once a user is SAML authenticated for the SOGo webmail, SOGo can connect to dovecot on 127.0.0.1:143 with something like "01 LOGIN username randompassword". Watching this (tcpflow) as it happens, I can see the following auth attempt coming from sogo:

1 login "username" "..."

Note, the actual 'password' is even longer. This connection attempt is causing dovecot to throw the following error:

> Dec 02 22:34:33 imap-login: Info: Disconnected: Input buffer full (no
> auth attempts in 0 secs): user=<>, rip=x.y.z.32, lip=x.y.z.68,
> session=<d+o3tLNCaOvAV48g>

and

BYE Input buffer full, aborting

So this doesn't work. :-( The question: is there a way to make this work? (make the input buffer larger, for example..?) Or any other ideas to make this work? Thanks in advance, MJ
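Timo's reply in this thread (AUTHENTICATE PLAIN instead of LOGIN, because the SASL buffer is about 8 kB while the regular command buffer is about 1 kB) can be checked on the wire format itself. The script below is an added example, not code from the thread or from Dovecot or SOGo: it builds the LOGIN command line and the RFC 4616 PLAIN response for the same credentials and measures each against the two limits. The byte limits are my rounding of the sizes Timo quotes, and the 1536-character token stands in for SOGo's long random "password" (the real value is not on the page).

```python
import base64
import hashlib

# Rounded from the sizes quoted in Timo Sirainen's reply (assumption: exact
# bytes may differ, the ratio between the two buffers is the point).
LOGIN_LINE_LIMIT = 1024   # regular IMAP command buffer (~1 kB)
SASL_BUFFER_LIMIT = 8192  # SASL AUTHENTICATE buffer (8 kB)

# Constructed stand-in for the long random token SOGo sends as the password;
# deterministic so the numbers below are reproducible. 64 hex chars * 24.
SAMPLE_TOKEN = hashlib.sha256(b"constructed").hexdigest() * 24


def imap_login_line(tag: str, username: str, password: str) -> bytes:
    """LOGIN carries the credential inside one command line, so the whole
    line (tag, verb, quoted user, quoted password, CRLF) must fit the
    regular command buffer."""
    return f'{tag} LOGIN "{username}" "{password}"\r\n'.encode()


def sasl_plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64 for IMAP."""
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode("ascii")


def imap_authenticate_plain_lines(tag: str, username: str, password: str) -> list:
    """Client side of the exchange without SASL-IR: first the AUTHENTICATE
    command, then (after the server's '+ ' continuation) the base64 line.
    Only the second line carries the credential, and it is read into the
    larger SASL buffer."""
    return [
        f"{tag} AUTHENTICATE PLAIN\r\n".encode(),
        (sasl_plain_initial_response(username, password) + "\r\n").encode(),
    ]


def parse_sasl_plain(b64: str) -> tuple:
    """Server-side decode of a PLAIN response; rejects malformed messages."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def classify(username: str, password: str) -> dict:
    """Measure the largest client line of each mechanism against its buffer."""
    login = imap_login_line("01", username, password)
    response = imap_authenticate_plain_lines("01", username, password)[1]
    return {
        "login_bytes": len(login),
        "login_fits": len(login) <= LOGIN_LINE_LIMIT,
        "sasl_bytes": len(response),
        "sasl_fits": len(response) <= SASL_BUFFER_LIMIT,
    }


if __name__ == "__main__":
    for label, pw in (("short password", "hunter2"), ("SOGo-style token", SAMPLE_TOKEN)):
        print(label, classify("username", pw))
```

For the constructed token the LOGIN line is 1560 bytes (over the ~1 kB command buffer, which is the "Input buffer full" disconnect in the log above), while the base64 PLAIN response is 2066 bytes and sits comfortably inside the 8 kB SASL buffer; base64 inflates the credential by a third, so the SASL route still has a ceiling, just a much higher one.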
Re: any news Enterprise Repository Access?
On 07/31/2016 07:04 PM, mj wrote: What exactly is a "ce repository"? Guessing now: Community Edition... Such a repo would be very much welcomed by us! (currently running wheezy with its original dovecot, 2.1.7) MJ
Re: any news Enterprise Repository Access?
Hi, On 07/31/2016 04:36 PM, aki.tu...@dovecot.fi wrote: We are discussing about making ce repos at some point. This would probably help some people. Aki We're following this thread with interest. What exactly is a "ce repository"? (google doesn't help) MJ
Re: Migrating to dovecot from gmail apps
On 03/28/2016 05:05 PM, aki.tu...@dovecot.fi wrote: On March 28, 2016 at 5:43 PM Phil Lello <p...@dunlop-lello.uk> wrote: Hi, I'm considering migrating away from gmail for my (one-man) company, and I'm trying to decide if dovecot is the right option (I'm committed to self-hosting). I'm a developer, so happy to do my own tooling if needed. *Is there currently a good webmail interface to dovecot, or work-in progress?* If not, would a web interface be out-of-scope for dovecot? I want to use SAML for authentication, so a solution that relies on POP/IMAP doesn't meet my needs - unless I add Kerberos into the mix, which is an additional learning curve, and possibly not widely supported. Open-Xchange appsuite might fit your needs. Or you could take a look at SOGo: http://sogo.nu/ MJ
Re: Timeout for LDAP connection
On 03/11/2016 03:30 PM, Gordon Grubert wrote: Of course, such a WORKAROUND could be used and I'm sure that this works. But Timo says, dovecot is using the LDAP API. The openldap client can handle network timeouts. Therefore, dovecot has to be able to use these timeouts, too, like described in ldap.conf(5). Sure sure, absolutely agreed.
Re: Timeout for LDAP connection
Hi, We're now running with ldap via haproxy, as was suggested in this thread by Timo. So far, so good: it seems to work very well. MJ On 03/10/2016 04:15 PM, Gordon Grubert wrote: Hi Timo, On 01.03.2016 22:51, Timo Sirainen wrote: On 29 Feb 2016, at 17:18, Gordon Grubert <gordon.grubert+li...@uni-greifswald.de> wrote: Hi, we are using a round robin dns record for connections to our ldap system. This works fine for almost all cases. In particular, for dovecot does this mean, when an ldap server is stopped, dovecot instantly reconnects to another ldap server. But when the network connection to the active ldap server is broken, dovecot sticks to the failed ldap server. Is there any possibility to define a connection timeout? What should happen is that as long as new requests keep coming, Dovecot realizes after about 60 seconds that the LDAP server is hanging. It then reconnects and the reconnection should work. But... First of all, 60 seconds is likely a much too long timeout. But more importantly it looks like there's something weird now going on with OpenLDAP library. I added this somewhat recently and tested that it works: https://github.com/dovecot/core/commit/fb3178a1924dae52151d88c4d4ded879df43dd3f But now that I'm testing it, the timeout doesn't seem to be triggering. I don't know what happened to it that it suddenly doesn't work.. This also means that OpenLDAP seems to be internally stuck trying to connect to a server that isn't responding. Dovecot doesn't currently make the decisions on which LDAP server to connect to. It just passes through all the hosts to OpenLDAP library and lets it handle it. And it seems like OpenLDAP library can't right now do this failover. So maybe Dovecot should be responsible for that as well.. Anyway, for now you could set up haproxy to localhost and configure Dovecot LDAP to connect to haproxy and haproxy connect to the actual LDAP servers. 
today I've upgraded to 2.2.21-1~auto+171 on debian 8 and made a lot of "interruption tests". Your fix did not really solve the problem. But I found another interesting fact: The openldap client on debian 8 can handle hard communication interrupts correctly. I've added

NETWORK_TIMEOUT 5
TIMEOUT 5

to ldap.conf because man 5 ldap.conf says:

NETWORK_TIMEOUT Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity.

TIMEOUT Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. Also used for any ldap_result(3) calls where a NULL timeout parameter is supplied.

We are using the ISC DHCP server with dynamic ldap connections. This daemon uses - like dovecot - the LDAP API of the openldap client for access to the ldap server. The DHCP opens a persistent ldap connection to handle all dhcp requests (same behavior like dovecot). Here, the timeouts for connection loss are working. Therefore, my question: Why does this not work for dovecot, too, when dovecot uses the same API? Dovecot does not get a response from the LDAP server and has to reconnect, only. IMAP server world domination requires a reconnect in case of connection timeouts ;-) Best regards, Gordon
Re: Timeout for LDAP connection
Hi, We have experienced the same or similar problem, and not just with dovecot but also with postfix. Thanks for your HAProxy suggestion! We have the feeling that when the ldap connection is actually DOWN (gone, terminated), OpenLDAP will reconnect to another server. But if the ldap server becomes 'stuck' (as in: returning no data anymore, but not actually terminating the connection) a failover does not happen. (we have had the second scenario, with samba4 AD ldap) MJ On 03/01/2016 10:51 PM, Timo Sirainen wrote: But now that I'm testing it, the timeout doesn't seem to be triggering. I don't know what happened to it that it suddenly doesn't work.. This also means that OpenLDAP seems to be internally stuck trying to connect to a server that isn't responding. Dovecot doesn't currently make the decisions on which LDAP server to connect to. It just passes through all the hosts to OpenLDAP library and lets it handle it. And it seems like OpenLDAP library can't right now do this failover. So maybe Dovecot should be responsible for that as well.. Anyway, for now you could set up haproxy to localhost and configure Dovecot LDAP to connect to haproxy and haproxy connect to the actual LDAP servers.
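Timo's workaround, quoted in both messages above (Dovecot talks to an haproxy on localhost, haproxy talks to the real LDAP servers), written out as an added configuration example; it is not from the thread, Dovecot or HAProxy's documentation, and the server addresses are constructed. The point of the health check choice is the second failure mode MJ describes: a server that keeps the TCP connection open but stops answering. A plain TCP check would keep calling that server healthy; an LDAPv3 check needs an actual bindResponse within the check interval, so a hung server is marked down and new Dovecot connections go to the other backend.

```conf
# haproxy.cfg fragment (added example). Dovecot's dovecot-ldap.conf.ext then
# points at the local listener with: hosts = 127.0.0.1:389
defaults
    mode tcp
    timeout connect 5s
    timeout client  1m
    timeout server  1m

listen ldap
    bind 127.0.0.1:389
    balance roundrobin
    # LDAPv3 health check: haproxy sends an anonymous bind and requires a
    # bindResponse with a success resultCode, so a server that accepts TCP
    # but never replies fails the check and is taken out of rotation.
    option ldap-check
    # constructed backend addresses; check every 5s, 2 misses = down, 2 hits = up
    server ldap1 192.0.2.11:389 check inter 5s fall 2 rise 2
    server ldap2 192.0.2.12:389 check inter 5s fall 2 rise 2
```

Two caveats when applying this: the LDAP check relies on the directory answering an anonymous bind with success (Active Directory does; a directory that refuses anonymous binds would need a plain TCP check instead, losing the hung-server detection), and the short "timeout server" only bounds idle time on an already established connection, it does not make Dovecot's own in-flight request fail faster, so a request already sent to a server that hangs still waits for Dovecot's timeout before the reconnect lands on the healthy backend.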
Re: Enterprise Repository Access?
On 01/08/2016 04:41 PM, Timo Sirainen wrote: The plan for now at least is to let existing accounts use it, but not add any new ones. This might change at some point. Does this mean that using the latest dovecot versions (aka the Dovecot Enterprise Repository Access) is being phased out? And in the (perhaps even near) future, those who are using it will have to start looking elsewhere..? Compiling our own dovecot for production use sounds less appealing, and the xi.rename-it.nl repo is marked as unstable and not recommended for production use... That would be a disappointment... and I also don't seem to find paid dovecot plans/subscriptions, licenses on the open-xchange site..? (they mostly talk about an "OX App Suite") I hope I'm missing something..? MJ