Re: log failed plaintext password for specific user only

2022-03-25 Thread mj

Hi,

Thank you both for the additional suggestions!

MJ


Re: log failed plaintext password for specific user only

2022-03-23 Thread mj




On 23-03-2022 at 12:29, Aki Tuomi wrote:


1. Try hashing possible password candidates and compare
2. Temporarily log everyone's passwords and then sanitize logs after you're 
done.

No way to enable that option for a single user.


Thank you! I will follow your advice.

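Added example (not from the thread): Aki's first suggestion, hashing candidate passwords and comparing them with the SHA1 values that auth_verbose_passwords=sha1 puts in the log, written out as a small Python script. It assumes Dovecot appends "(SHA1 of given password: <hex>)" to the failure line; the log lines, user names and candidate lists below are constructed.

```python
import hashlib
import re


def sha1_hex(password: str) -> str:
    """SHA1 of a password, in the form auth_verbose_passwords=sha1 logs it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _fail_line(user: str, ip: str, digest: str) -> str:
    # Constructed failure line; the "(SHA1 of given password: ...)" suffix is
    # assumed to be what Dovecot writes with auth_verbose_passwords=sha1.
    return (f"Mar 23 10:11:12 mail dovecot: auth: ldap({user},{ip},<s1>): "
            f"invalid credentials (SHA1 of given password: {digest})")


# Constructed sample log: two tries of one password from two IPs, one common
# password, one unrelated hash, and one attempt against a different user.
SAMPLE_LOG = "\n".join([
    _fail_line("jdoe", "203.0.113.5", sha1_hex("Summer2021!")),
    _fail_line("jdoe", "198.51.100.7", sha1_hex("Summer2021!")),
    _fail_line("jdoe", "192.0.2.9", sha1_hex("password")),
    _fail_line("jdoe", "203.0.113.77", "0123456789abcdef0123456789abcdef01234567"),
    _fail_line("other", "203.0.113.5", sha1_hex("password")),
])

FAIL_RE = re.compile(
    r"auth: [\w-]+\((?P<user>[^,)]+),(?P<ip>[^,)]+)[^)]*\): "
    r".*?\(SHA1 of given password: (?P<sha1>[0-9a-f]{40})\)"
)


def summarise_attempts(log_text, user, old_passwords, wordlist):
    """Group failed logins for `user` by password hash and label each hash.

    "old_password": matches one of the user's previous passwords (stuffing
    with leaked data); "wordlist": matches the common-password list
    (dictionary attack); "unknown": neither.
    """
    lookup = {sha1_hex(p): "old_password" for p in old_passwords}
    for word in wordlist:
        lookup.setdefault(sha1_hex(word), "wordlist")

    summary = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m is None or m.group("user") != user:
            continue
        digest = m.group("sha1")
        entry = summary.setdefault(
            digest, {"count": 0, "ips": set(), "label": lookup.get(digest, "unknown")})
        entry["count"] += 1
        entry["ips"].add(m.group("ip"))
    return summary


if __name__ == "__main__":
    result = summarise_attempts(
        SAMPLE_LOG, "jdoe",
        old_passwords=["Summer2021!"],      # candidates from the user's own history
        wordlist=["password", "123456"],    # a short common-password list
    )
    for digest, info in result.items():
        print(f"{digest[:12]}... x{info['count']} from {len(info['ips'])} IP(s): {info['label']}")
```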

Re: log failed plaintext password for specific user only

2022-03-23 Thread mj




On 23-03-2022 at 11:11, Aki Tuomi wrote:


Well, is the sha1 value the same every time? If it is, then they are trying the same 
password each time.

Aki


Yes, understood. :-)

The SHA1 changes, but each SHA1 is tried multiple times.

The question is: can we find out, just for this specific user, WHAT the 
attempted passwords are?


log failed plaintext password for specific user only

2022-03-23 Thread mj

Hi,

We are logging failed authentication attempts, including the attempted 
password, using auth_verbose_passwords=sha1


The question: is it possible to configure auth_verbose_passwords=plain 
for a specific user only? Turning it on globally would be too much 
sensitive information for the purpose.


Reason:

We are currently observing a high number of failed authentications for a 
specific user, coming from *many* different IPs across the globe, with 
most IPs only trying once or twice, making this difficult to block. The 
number of failed authentications causes this account to regularly become 
blocked in AD.


We would like to know if they are trying older actual passwords from the 
user, or if it's just a dictionary attack.


Thanks!


Re: quota warnings not sent out anymore

2021-12-15 Thread mj

Hi Christian,

Thanks for replying!

It seems that your comments (or perhaps some of my recent config 
tinkering) helped, because once I tried just now to make it go from 89% 
to 91%, and I did receive the quota warning!


Thanks!

MJ

On 15-12-2021 at 15:23, Christian Mack wrote:

Hello

Just to clarify.
You will only get an over-quota warning once you step over one or multiple
of those quota warning limits while storing an email.

Therefore you will not get any warning just because you are over that
85% limit.
If you receive another email in that account, and go at least over 90%,
then dovecot will call your script once.
If you also go over 100% with that same mail, you will not get one for
90% or 95%, but only one for 100%.

You should also check whether you have any environment variables set which
are not present when your script is run by dovecot.
Do you have any logging in it?


Kind regards,
Christian Mack

On 15.12.21 at 14:06, mj wrote:

Hi,

I am still struggling with this, and would appreciate any help anyone can
give. Let me try to explain step by step.

I created a test account t...@company.com:


root@dovecot:/# doveadm quota get -u test
Quota name Type    Value Limit  %
           STORAGE  1209  1368 88
           MESSAGE    35     -  0


As you can see, the test mailbox is 88% full, so it should receive
warnings, because in dovecot.conf I have set:


plugin {
   quota = maildir
   quota_rule = ?:storage=5G
   quota_rule2 = Trash:storage=+100M
   quota_warning = storage=97%% quota-warning 97 %u
   quota_warning2 = storage=95%% quota-warning 95 %u
   quota_warning3 = storage=90%% quota-warning 90 %u
   quota_warning4 = storage=85%% quota-warning 85 %u
   quota_warning5 = storage=80%% quota-warning 80 %u
   quota_warning6 = -storage=100%% quota-warning below %u
}


We use a script to send out the email warnings, configured like this:


service quota-warning {
   executable = script /usr/local/bin/quota-warning.sh
   unix_listener quota-warning {
     user = vmail
     mode = 0666
   }
   user = vmail
}


When running this script manually as vmail, the warning is delivered to
the test user:


sudo -H -u vmail bash -c '/usr/local/bin/quota-warning.sh 90 test'


However, in practice: dovecot never sends out any quota-warnings. It
just starts generating delivery failures when the mailbox is over 100%.

We define the per-user quota in the first line of each user's
maildirsize file, for the test user: /var/vmail/test/Maildir/maildirsize

Here is a debug=yes log of an incoming delivery into the 88% full mailbox:


Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_lazy_expunge_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib15_notify_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mail_log_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: Module loaded: /usr/lib/dovecot/modules/lib90_sieve_plugin.so
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: auth USER input: test uid=5000 gid=5000 home=/var/vmail/test
Dec 15 13:56:07 mail dovecot: auth: Debug: master in: USER#0111#011t...@company.com#011service=lda
Dec 15 13:56:07 mail dovecot: auth: Debug: userdb out: USER#0111#011test#011uid=5000#011gid=5000#011home=/var/vmail/test
Dec 15 13:56:07 mail dovecot: lda(t...@company.com)<20290><>: Debug: changed username to test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Effective uid=5000, gid=5000, home=/var/vmail/test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: lazy_expunge: No lazy_expunge setting - plugin disabled
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota root: name= backend=maildir args=
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota rule: root= mailbox=? bytes=5368709120 messages=0
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota rule: root= mailbox=Trash bytes=+104857600 messages=0
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota warning: bytes=5207647846 (97%) messages=0 reverse=no command=quota-warning 97 test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota warning: bytes=5100273664 (95%) messages=0 r

Re: quota warnings not sent out anymore

2021-12-15 Thread mj
eve: Loading script /var/lib/dovecot/default.sieve
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: sieve: Script binary /var/lib/dovecot/default.svbin successfully loaded
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: sieve: binary save: not saving binary /var/lib/dovecot/default.svbin, because it is already stored
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: sieve: Executing script from `/var/lib/dovecot/default.svbin'
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Mailbox INBOX: Mailbox opened because: lib-lda delivery
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Quota root : Recalculated relative rules with bytes=140 count=0. Now grace=14
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: Debug: Mailbox INBOX: saving UID 0: Opened mail because: mail stream
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: save: box=INBOX, uid=20, msgid=<46e7b334-80a0-3a99-4494-bc6fd07aa...@external.com>, from=user name , subject=test
Dec 15 13:56:07 mail dovecot: lda(test)<20290>: sieve: u...@external.com | test | msgid=<46e7b334-80a0-3a99-4494-bc6fd07aa...@external.com>: stored mail into mailbox 'INBOX'
Dec 15 13:56:07 mail postfix/pipe[20088]: 76722819170D6: to=, relay=dovecot, delay=0.24, delays=0.2/0.02/0/0.03, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 15 13:56:07 mail postfix/qmgr[19577]: 76722819170D6: removed


I would appreciate any help. :-)

Finally, our doveconf -n running-config:


root@dovecot:# dovecot -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.11 xfs
# Hostname: mail.company.com
auth_debug = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = sha1
default_vsz_limit = 512 M
deliver_log_format = %f | %s | msgid=%m: %$
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix = 
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/deny.imap
  deny = yes
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = vmail
  }
  user = vmail
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0666
    user = vmail
  }
}
shutdown_clients = no
ssl = required
ssl_cert = 

Thanks very much for your help!

MJ

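Added example (not from the thread): a Python model of the quota_warning behaviour Christian describes, using the rules from the plugin {} block quoted above. It assumes Dovecot compares usage before and after storing a message and runs only the first rule in configured order whose threshold was crossed, and that the "-storage" rule fires when usage drops below its threshold; the byte thresholds reproduce the "Debug: Quota warning" lines in the log.

```python
QUOTA_LIMIT = 5 * 1024 ** 3  # quota_rule = ?:storage=5G, in bytes

# (percent, reverse, command) in the order quota_warning .. quota_warning6
# are listed; "-storage=100%%" is the reverse rule that fires on the way down.
WARNING_RULES = [
    (97, False, "quota-warning 97 %u"),
    (95, False, "quota-warning 95 %u"),
    (90, False, "quota-warning 90 %u"),
    (85, False, "quota-warning 85 %u"),
    (80, False, "quota-warning 80 %u"),
    (100, True, "quota-warning below %u"),
]


def threshold_bytes(percent, limit=QUOTA_LIMIT):
    """Byte threshold of a percentage rule (integer truncation, as in the log)."""
    return limit * percent // 100


def warning_to_run(old_bytes, new_bytes, user, rules=WARNING_RULES, limit=QUOTA_LIMIT):
    """Command dovecot would hand to the quota-warning service for a save that
    moves usage from old_bytes to new_bytes, or None if no rule was crossed.
    Assumption: only the first crossed rule in configured order is executed."""
    for percent, reverse, command in rules:
        edge = threshold_bytes(percent, limit)
        crossed_up = not reverse and old_bytes < edge <= new_bytes
        crossed_down = reverse and old_bytes >= edge > new_bytes
        if crossed_up or crossed_down:
            return command.replace("%u", user)
    return None


def deliver(usage_bytes, message_bytes, user):
    """Simulate storing one message: returns (new usage, warning command or None)."""
    new_usage = usage_bytes + message_bytes
    return new_usage, warning_to_run(usage_bytes, new_usage, user)


if __name__ == "__main__":
    # Constructed scenario: mailbox at 88%, like the test account in the post.
    usage = 88 * QUOTA_LIMIT // 100
    for size in (50 * 1024 ** 2, 200 * 1024 ** 2):  # 50 MB, then 200 MB
        usage, cmd = deliver(usage, size, "test")
        print(f"{usage * 100 / QUOTA_LIMIT:5.1f}% -> {cmd}")
    # One message that jumps past 90% and 95%: only the first listed crossed rule runs.
    print(deliver(88 * QUOTA_LIMIT // 100, 400 * 1024 ** 2, "test")[1])
    # Dropping from over the limit to below it triggers the reverse rule.
    print(warning_to_run(QUOTA_LIMIT + 1, QUOTA_LIMIT // 2, "test"))
```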

Re: quota warnings not sent out anymore

2021-12-08 Thread mj

Hi,

I set mail_debug=yes, and sent a test email to a 90% full mailbox: I 
would expect a warning about it. These lines are logged:



Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: fs: root=/var/vmail/username/Maildir, index=, indexpvt=, control=, inbox=, alt=
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl: initializing backend with data: vfile
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl: acl username = username
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl: owner = 1
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: acl vfile: Global ACLs disabled
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: quota: quota_over_flag check: quota_over_script unset - skipping
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota root: name= backend=maildir args=
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota rule: root= mailbox=? bytes=5368709120 messages=0
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota rule: root= mailbox=Trash bytes=+104857600 messages=0
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=5207647846 (97%) messages=0 reverse=no command=quota-warning 97 raw mail user
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=5100273664 (95%) messages=0 reverse=no command=quota-warning 95 raw mail user
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=4831838208 (90%) messages=0 reverse=no command=quota-warning 90 raw mail user
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=4563402752 (85%) messages=0 reverse=no command=quota-warning 85 raw mail user
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=4294967296 (80%) messages=0 reverse=no command=quota-warning 80 raw mail user
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota warning: bytes=5368709120 (100%) messages=0 reverse=yes command=quota-warning below raw mail user
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota grace: root= bytes=536870912 (10%)
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: quota: quota_over_flag check: quota_over_script unset - skipping
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Destination address:  (source: -a parameter)
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Mailbox INBOX: Mailbox opened because: lib-lda delivery
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Quota root : Recalculated relative rules with bytes=15737418240 count=0. Now grace=1573741824
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: Debug: Mailbox INBOX: saving UID 0: Opened mail because: mail stream
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: save: box=INBOX, uid=86077, msgid=, from=, subject=test
Dec  8 11:31:57 mail dovecot: lda(username)<14734>: sieve: usern...@gmail.com | test | msgid=: stored mail into mailbox 'INBOX'


Does "quota: quota_over_flag check: quota_over_script unset - skipping" 
mean I forgot to set some specific flag in order to make our script run?


MJ


app-specific passwords for dovecot

2021-12-08 Thread mj

Hi all,

I have read these documents on the subject of app-specific passwords:

https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot and
https://www.happyassassin.net/posts/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/


But since both articles are rather old, I'd like to ask if there are 
other/new ways of implementing app-specific passwords for dovecot/imap 
and postfix/smtp.


Also, perhaps (web?) GUIs exist to make it possible for the users 
themselves to generate/edit those passwords?


Thanks for your suggestions!

MJ


Re: quota warnings not sent out anymore

2021-12-06 Thread mj
Additional info: there seems to be a permission-related issue anyway, as 
we also see messages like these in our logs:



2021-12-03T19:06:15.032873+01:00 hostname dovecot - - -  quota-warning: Error: lda(username,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied


But are permissions of stats-writer related to not sending out quota 
notifications?


MJ

On 06-12-2021 at 12:10, mj wrote:

Hi,

We suddenly realised that our maildir quota warnings are no longer sent 
out. We don't understand why not.


This is dovecot 2.3.4.1 on debian 10.11. We use a script to send out the 
notification, adapted from the dovecot wiki here: 
(https://doc.dovecot.org/configuration_manual/quota/)


Our quota notification script is:


#!/bin/sh
# Called by the dovecot quota-warning service as: quota-warning.sh <percent> <user>
PERCENT=$1
USER=$2
# noenforcing lets the warning be delivered even when the mailbox is over quota
cat << EOF | /usr/lib/dovecot/dovecot-lda -d "$USER" -o "plugin/quota=maildir::noenforcing"
From: nore...@domain.com
Subject: quota warning

Your mailbox is now $PERCENT% full.

Please delete or archive items to decrease your mailbox size.
EOF


Our complete doveconf -n output is at the end of this email.

When calling the script manually as user root, it works perfectly. But 
as user vmail or dovecot, no notifications are sent at all.


I guess this is relevant:


root@dovecot:/etc/dovecot# ls -l /var/run/dovecot/
total 8
srw------- 1 root    root      0 Dec  6 00:00 anvil
srw------- 1 root    root      0 Dec  6 00:00 anvil-auth-penalty
srw------- 1 dovecot root      0 Dec  6 11:34 auth-client
srw------- 1 dovecot root      0 Dec  6 11:34 auth-login
srw------- 1 root    root      0 Dec  6 11:34 auth-master
-rw------- 1 root    root     32 Jul 19 17:39 auth-token-secret.dat
srw-rw-rw- 1 vmail   vmail     0 Dec  6 11:34 auth-userdb
srw------- 1 dovecot root      0 Dec  6 11:34 auth-worker
srw------- 1 root    root      0 Dec  6 11:34 config
srw-rw---- 1 root    dovecot   0 Dec  6 11:34 dict
srw-rw---- 1 root    dovecot   0 Dec  6 11:34 dict-async
srw------- 1 root    root      0 Dec  6 11:34 director-admin
srw-rw-rw- 1 root    root      0 Dec  6 11:34 dns-client
srw------- 1 root    root      0 Dec  6 11:34 doveadm-server
lrwxrwxrwx 1 root    root     25 Dec  6 00:00 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-xr-x 2 root    root     40 Jul 19 17:39 empty
srw-rw---- 1 root    dovecot   0 Dec  6 11:34 imap-hibernate
srw------- 1 root    root      0 Dec  6 11:34 imap-master
srw-rw-rw- 1 root    root      0 Dec  6 11:34 imap-urlauth
srw------- 1 dovecot root      0 Dec  6 11:34 imap-urlauth-worker
srw-rw-rw- 1 root    root      0 Dec  6 11:34 indexer
srw------- 1 dovecot root      0 Dec  6 11:34 indexer-worker
srw------- 1 dovecot root      0 Dec  6 11:34 ipc
srw-rw-rw- 1 root    root      0 Dec  6 11:34 lmtp
srw------- 1 root    root      0 Dec  6 11:34 log-errors
drwxr-x--- 2 root    nogroup 120 Dec  6 11:34 login
srw------- 1 root    root      0 Dec  6 11:34 master
-rw------- 1 root    root      6 Dec  6 00:00 master.pid
srw------- 1 root    root      0 Dec  6 11:34 old-stats
prw------- 1 root    root      0 Dec  6 11:34 old-stats-mail
prw------- 1 root    root      0 Dec  6 11:34 old-stats-user
srw------- 1 vmail   root      0 Dec  6 11:34 quota-warning
srw------- 1 root    root      0 Dec  6 11:34 replication-notify
prw------- 1 root    root      0 Dec  6 11:34 replication-notify-fifo
srw------- 1 dovecot root      0 Dec  6 11:34 replicator
srw-rw---- 1 vmail   vmail     0 Dec  6 11:34 stats-reader
srw-rw---- 1 vmail   vmail     0 Dec  6 11:34 stats-writer
drwxr-x--- 2 root    nogroup  80 Dec  6 11:34 token-login


Can anyone help, and explain what is going on here?

Thank you very much in advance for a reply!

MJ

The doveconf -n output:


root@imap:/etc/dovecot# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.11 xfs
# Hostname: mail.company.com
auth_debug = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = sha1
default_vsz_limit = 512 M
deliver_log_format = %f | %s | msgid=%m: %$
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type =

quota warnings not sent out anymore

2021-12-06 Thread mj

Hi,

We suddenly realised that our maildir quota warnings are no longer sent 
out. We don't understand why not.


This is dovecot 2.3.4.1 on debian 10.11. We use a script to send out the 
notification, adapted from the dovecot wiki here: 
(https://doc.dovecot.org/configuration_manual/quota/)


Our quota notification script is:


#!/bin/sh
# Called by the dovecot quota-warning service as: quota-warning.sh <percent> <user>
PERCENT=$1
USER=$2
# noenforcing lets the warning be delivered even when the mailbox is over quota
cat << EOF | /usr/lib/dovecot/dovecot-lda -d "$USER" -o "plugin/quota=maildir::noenforcing"
From: nore...@domain.com
Subject: quota warning

Your mailbox is now $PERCENT% full.

Please delete or archive items to decrease your mailbox size.
EOF


Our complete doveconf -n output is at the end of this email.

When calling the script manually as user root, it works perfectly. But 
as user vmail or dovecot, no notifications are sent at all.


I guess this is relevant:


root@dovecot:/etc/dovecot# ls -l /var/run/dovecot/
total 8
srw------- 1 root    root      0 Dec  6 00:00 anvil
srw------- 1 root    root      0 Dec  6 00:00 anvil-auth-penalty
srw------- 1 dovecot root      0 Dec  6 11:34 auth-client
srw------- 1 dovecot root      0 Dec  6 11:34 auth-login
srw------- 1 root    root      0 Dec  6 11:34 auth-master
-rw------- 1 root    root     32 Jul 19 17:39 auth-token-secret.dat
srw-rw-rw- 1 vmail   vmail     0 Dec  6 11:34 auth-userdb
srw------- 1 dovecot root      0 Dec  6 11:34 auth-worker
srw------- 1 root    root      0 Dec  6 11:34 config
srw-rw---- 1 root    dovecot   0 Dec  6 11:34 dict
srw-rw---- 1 root    dovecot   0 Dec  6 11:34 dict-async
srw------- 1 root    root      0 Dec  6 11:34 director-admin
srw-rw-rw- 1 root    root      0 Dec  6 11:34 dns-client
srw------- 1 root    root      0 Dec  6 11:34 doveadm-server
lrwxrwxrwx 1 root    root     25 Dec  6 00:00 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-xr-x 2 root    root     40 Jul 19 17:39 empty
srw-rw---- 1 root    dovecot   0 Dec  6 11:34 imap-hibernate
srw------- 1 root    root      0 Dec  6 11:34 imap-master
srw-rw-rw- 1 root    root      0 Dec  6 11:34 imap-urlauth
srw------- 1 dovecot root      0 Dec  6 11:34 imap-urlauth-worker
srw-rw-rw- 1 root    root      0 Dec  6 11:34 indexer
srw------- 1 dovecot root      0 Dec  6 11:34 indexer-worker
srw------- 1 dovecot root      0 Dec  6 11:34 ipc
srw-rw-rw- 1 root    root      0 Dec  6 11:34 lmtp
srw------- 1 root    root      0 Dec  6 11:34 log-errors
drwxr-x--- 2 root    nogroup 120 Dec  6 11:34 login
srw------- 1 root    root      0 Dec  6 11:34 master
-rw------- 1 root    root      6 Dec  6 00:00 master.pid
srw------- 1 root    root      0 Dec  6 11:34 old-stats
prw------- 1 root    root      0 Dec  6 11:34 old-stats-mail
prw------- 1 root    root      0 Dec  6 11:34 old-stats-user
srw------- 1 vmail   root      0 Dec  6 11:34 quota-warning
srw------- 1 root    root      0 Dec  6 11:34 replication-notify
prw------- 1 root    root      0 Dec  6 11:34 replication-notify-fifo
srw------- 1 dovecot root      0 Dec  6 11:34 replicator
srw-rw---- 1 vmail   vmail     0 Dec  6 11:34 stats-reader
srw-rw---- 1 vmail   vmail     0 Dec  6 11:34 stats-writer
drwxr-x--- 2 root    nogroup  80 Dec  6 11:34 token-login


Can anyone help, and explain what is going on here?

Thank you very much in advance for a reply!

MJ

The doveconf -n output:


root@imap:/etc/dovecot# doveconf -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.11 xfs
# Hostname: mail.company.com
auth_debug = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = sha1
default_vsz_limit = 512 M
deliver_log_format = %f | %s | msgid=%m: %$
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_shared_explicit_inbox = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent items" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox inbox {
    auto = subscribe
  }
  prefix = 
  sepa

prevent INBOX rename

2021-03-22 Thread mj

Hi,

One of our users managed to rename her INBOX folder to ' ' (space)

This caused a new INBOX directory to be created, and all older emails to 
become 'invisible' to her.


My question: Is there a (dovecot config) way to prevent this from 
happening? We cannot imagine any scenario where we would like a user to be 
able to rename INBOX.



imap(username)<12135>: Mailbox renamed: INBOX ->


Debian buster, dovecot 2.3.4.1

Thanks!


Re: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

2020-10-23 Thread mj

Hi,

Nobody?

It happens so rarely, and the system appears to be running fine 
otherwise; should I just ignore it?


Still makes me wonder why it would happen at all..?

MJ

On 10/22/20 12:53 PM, mj wrote:

Hi,

We are getting very occasional messages from dovecot:


net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied


Over the last week, the message appeared five times. (on a mail server 
with over 100 users, so that's basically almost never)


doveconf -n below


# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-10-amd64 x86_64 Debian 10.6 xfs


snip...


service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}


and the on-disk permissions are:


root@dovecot:~# ls -l /var/run/dovecot/*stat*
srw------- 1 root  root  0 Oct  6 00:25 /var/run/dovecot/old-stats
prw------- 1 root  root  0 Oct  6 00:25 /var/run/dovecot/old-stats-mail
prw------- 1 root  root  0 Oct  6 00:25 /var/run/dovecot/old-stats-user
srw-rw---- 1 vmail vmail 0 Oct  6 00:25 /var/run/dovecot/stats-reader
srw-rw---- 1 vmail vmail 0 Oct  6 00:25 /var/run/dovecot/stats-writer


We're not sure what makes the Permission denied error happen...

Anyone with an idea?

MJ


net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied

2020-10-22 Thread mj

Hi,

We are getting very occasional messages from dovecot:


net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied


Over the last week, the message appeared five times. (on a mail server 
with over 100 users, so that's basically almost never)


doveconf -n below


# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-10-amd64 x86_64 Debian 10.6 xfs


snip...


service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}


and the on-disk permissions are:


root@dovecot:~# ls -l /var/run/dovecot/*stat*
srw------- 1 root  root  0 Oct  6 00:25 /var/run/dovecot/old-stats
prw------- 1 root  root  0 Oct  6 00:25 /var/run/dovecot/old-stats-mail
prw------- 1 root  root  0 Oct  6 00:25 /var/run/dovecot/old-stats-user
srw-rw---- 1 vmail vmail 0 Oct  6 00:25 /var/run/dovecot/stats-reader
srw-rw---- 1 vmail vmail 0 Oct  6 00:25 /var/run/dovecot/stats-writer


We're not sure what makes the Permission denied error happen...

Anyone with an idea?

MJ


Re: identify 143 vs 993 clients

2020-05-29 Thread mj

Thanks to all who participated in the interesting discussion.

It seems my initial thought might have been best after all, and 
discontinuing port 143 might be the safest way to proceed.


Thanks again, valuable insights!

MJ

On 5/29/20 11:48 AM, Jean-Daniel wrote:



On 29 May 2020 at 11:17, Stuart Henderson <s...@spacehopper.org> wrote:


On 2020-05-26, mj <li...@merit.unu.edu> wrote:

Hi,

On 25/05/2020 23:04, Voytek wrote:

Jumping in here with a question: if I use 143 with STARTTLS and force
TLS/SSL in the configuration, that's equivalent from a security POV, isn't
it? And the same for 110 STARTTLS? Or am I missing something?

Interesting point, after some googling, I think you are right, and as
long as we have set "disable_plaintext_auth = yes" (and we have that) we
should be fine keeping 143 open. Right?


In the case of 143, nothing stops the client *sending* a plaintext login
request. Login may be denied, but the password is already leaked. Also
if you have only the server side (not the client side) deny plaintext
logins, a MITM can just strip off the STARTSSL capability from the server
response.


And doing that it can as easily inject a LOGIN capability, making a 
non-broken client also send the password in plain text. (Only a broken 
client will send the password if LOGIN is not present).


That’s why this RFC exists: https://tools.ietf.org/html/rfc8314


In a setting where you want to protect the clients from accidentally
exposing secrets by misconfiguration, allowing only 993/995 (and 465 for
SMTP; 25/587 have the same problem) is the safe way.


Port 25 is a special case and should never be used by clients, but only 
for (unauthenticated) server to server communication.
There is no way to use implicit TLS for SMTP as the SMTP transport MX 
infrastructure has no way to specify a port.


Clients should always use the submission port (587, or 465 for submission 
over TLS).





Re: identify 143 vs 993 clients

2020-05-26 Thread mj

Hi Markus,

Thank you very much.

MJ

On 26/05/2020 10:25, Markus Winkler wrote:

Hi,

On 26.05.20 09:21, mj wrote:
One doubt I had: "disable_plaintext_auth = yes" sounds as if only the 
authentication part is secured, and the rest is kept plain text, 
whereas with 993/SSL, *everything* would be encrypted?


Or am I missing something? (then perhaps someone can point it out?)


here you can read the details:

https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/

"There are a couple of different ways to specify when SSL/TLS is required:
[...]"

Regards,
Markus


Re: identify 143 vs 993 clients

2020-05-26 Thread mj

Hi,

On 25/05/2020 23:04, Voytek wrote:

Jumping in here with a question: if I use 143 with STARTTLS and force
TLS/SSL in the configuration, that's equivalent from a security POV, isn't
it? And the same for 110 STARTTLS? Or am I missing something?

Interesting point, after some googling, I think you are right, and as 
long as we have set "disable_plaintext_auth = yes" (and we have that) we 
should be fine keeping 143 open. Right?


One doubt I had: "disable_plaintext_auth = yes" sounds as if only the 
authentication part is secured, and the rest is kept plain text, whereas 
with 993/SSL, *everything* would be encrypted?


Or am I missing something? (then perhaps someone can point it out?)

Thanks,
MJ


Re: identify 143 vs 993 clients

2020-05-25 Thread mj




On 25/05/2020 20:52, Aki Tuomi wrote:


You could use

https://doc.dovecot.org/settings/core/#login-log-format-elements

to log this.



Yes! Perfect!

Thanks! :-)

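Added example (not from the thread): a Python script that turns the login lines into a per-port inventory of users, so the ones still connecting on 143 can be asked to move to 993 before the port is closed. It assumes the login_log_format_elements from the doveconf -n output in this thread (ending in lport=%a), which is what makes the local port visible; the log lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format produced by
# login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c lport=%a
# Note that %c shows "TLS" for STARTTLS on 143 as well, so lport is the field
# that tells 143 and 993 apart.
SAMPLE_LOG = """\
May 25 09:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=1201, TLS, lport=993
May 25 09:00:07 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=1202, TLS, lport=143
May 25 09:01:15 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.9, lip=192.0.2.1, mpid=1203, TLS, lport=993
May 25 09:02:40 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=1204, TLS, lport=143
May 25 09:03:02 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.40, lip=192.0.2.1, mpid=1205, TLS, lport=143
May 25 09:03:30 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.99, lip=192.0.2.1, TLS, lport=143
"""

# Only successful logins carry a user name worth contacting.
LOGIN_RE = re.compile(
    r"(?P<service>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>.*?"
    r"rip=(?P<rip>[^,]+),.*?lport=(?P<lport>\d+)"
)

# Ports where the session starts in plaintext and STARTTLS is negotiated,
# versus ports with implicit TLS from the first byte.
STARTTLS_PORTS = {143: "imap", 110: "pop3"}
IMPLICIT_TLS_PORTS = {993: "imaps", 995: "pop3s"}


def login_inventory(log_text):
    """Map local port -> user -> set of client IPs, from successful logins only."""
    inventory = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            inventory[int(m.group("lport"))][m.group("user")].add(m.group("rip"))
    return inventory


def users_to_migrate(inventory):
    """Users seen on a STARTTLS port, with the IPs they came from, sorted by name."""
    result = {}
    for port in STARTTLS_PORTS:
        for user, ips in inventory.get(port, {}).items():
            result.setdefault(user, set()).update(ips)
    return dict(sorted(result.items()))


if __name__ == "__main__":
    inv = login_inventory(SAMPLE_LOG)
    for port in sorted(inv):
        label = STARTTLS_PORTS.get(port) or IMPLICIT_TLS_PORTS.get(port) or "other"
        print(f"port {port} ({label}): {', '.join(sorted(inv[port]))}")
    for user, ips in users_to_migrate(inv).items():
        print(f"ask {user} to switch to 993 (seen from {', '.join(sorted(ips))})")
```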

identify 143 vs 993 clients

2020-05-25 Thread mj

Hi,

I am trying to find a nice way to identify dovecot clients that are 
still configured to use port 143 to connect to our mailserver, from the 
dovecot logs.
I would then ask them to move over to 993, and finally disable port 143 
altogether.


When looking at the dovecot logs, it seems this is not logged in any 
obvious way.


Of course I could use netflow etc., but that would not give us usernames, 
only IPs.


So, is there a nice way to somehow indicate in the dovecot logs, if a 
client connected on 143 or on 993?


Thanks!


Re: sieve question

2020-04-22 Thread mj




On 4/21/20 7:54 PM, Ralph Seichter wrote:

No, it does not. An auto-reply message, even if it is actually read by
the sender, can be ignored without penalty. An MTA rejection puts the
ball into the sender's court because the message has never been accepted
by the recipient's MX. By the way, a rejection is "legally safe", while
your catch-all-and-let-messages-rot approach is not, in case you have
not considered that.

Of course, you can do as you please, but that does not change the facts
and mechanics involved.


Thank you for your feedback, we will take it into consideration.

MJ


Re: sieve question

2020-04-21 Thread mj

Hi all,

Thanks for the interesting discussion.

The idea behind the catch-all mailbox is basically to have a 
transitional period between now and the nullmx config we did not know 
about. (thanks for mentioning that, we will do it!)


Our autoreply message reads: "Your email has not been read nor 
forwarded", which is also the case, forcing the sender to take action.
It is just kept in a simple catch-all mailbox, for a couple of 
weeks/months, in case we discover that something important was 
accidentally still sent to the old domain.


And yes, that would be neither fish nor flesh for the time being, but 
only during the transitional period. Afterwards we will put the nullmx 
config in place.


Thanks again for all your thoughts: appreciated.

MJ

On 4/21/20 4:02 AM, LuKreme wrote:

On Apr 20, 2020, at 19:13, @lbutlr  wrote:


The other thing you can do is NOMX the old domain.


Sorry, nullmx is what I meant.

Btw, I think this is the best solution.

Sent from my iPhone



Re: sieve question

2020-04-20 Thread mj

Hi Ralph!

Thanks for your reply!

On 4/20/20 12:19 PM, Ralph Seichter wrote:

I suggest you don't use Sieve for this, but simply configure Postfix
to reject messages to @old.domain.com with the desired message. MTA
rejections signal clearly that the message has not been delivered, and
you can also include a URL pointing to a web page with more detailed
information.


However, this means those emails are not actually delivered anymore.

For now, I would like them to *be* delivered, so we still have them in 
case something important comes in.


Your postfix suggestion would be my next step, in a couple of months 
perhaps.


Hopefully someone has a suggestion for my sieve script.

Thanks again,
MJ


sieve question

2020-04-20 Thread mj

Hi,

We are trying to auto-reply to emails that still use one of our old 
domains. To do this, I have setup a catch-all mailbox for anything sent 
to that old domain using postfix virtual:


@old.domain.com  catch-...@new.domain.com

Then I defined a sieve script for catch-...@new.domain.com, like:


require ["vacation"];
if allof ( not exists ["list-help", "list-unsubscribe", "list-subscribe", "list-owner", "list-post", 
"list-archive", "list-id", "Mailing-List"] )

{ vacation text:
This message is sent automatically, and your message has NOT been read nor 
forwarded.

Please update your addressbooks!

All the best! :-)
.
;
}


However, sieve never sends any auto-reply, because it logs:


discarding vacation response for implicitly delivered message; no
known (envelope) recipient address found in message headers
(recipient=, and no additional `:addresses'
are specified)

I have googled this, but adding :addresses in this case will not work, 
as we are trying to answer (basically) emails sent to any address at 
that domain, and thus I cannot define specific :addresses.


Can anyone suggest what to do here?

Thanks and stay healthy!

MJ


Re: dovecot 2 samba ad-dc

2020-02-19 Thread mj

Hi,

No expert, but:

We always use the postmap utility to check that the right mailboxes are 
actually found:


postmap -q t...@test.loc  ldap:/etc/postfix/ldap-config.cf

And perhaps show us your postfix main.cf?

MJ

On 2/20/20 8:46 AM, phil wrote:

Hello you,

I try to build a mail server based on Centos 7, postfix and dovecot 2.
My backend is a Samba4 ad-dc.

I tried a lot and I don't know what else I could try. I'm new to this
mailing list so please forgive me if I don't give the right information or
anything.

Samba4 ad-dc is up incl. dns. Win10 Client joined domain and
authentication works.

Postfix is up and checks against ldap whether recipient address exists.
It takes mail via telnet and queues them. But can't give it to dovecot.


my master.cf looks like that:


[root@mail1t postfix]# cat master.cf
smtp  inet  n   -   -   -   -   smtpd
submission inet n   -   -   -   -   smtpd
   -o smtpd_enforce_tls=yes
   -o smtpd_tls_security_level=encrypt
   -o tls_preempt_cipherlist=yes
pickup    fifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
tlsmgr    unix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   -   -   -   trivial-rewrite
bounce    unix  -   -   -   -   0   bounce
defer unix  -   -   -   -   0   bounce
trace unix  -   -   -   -   0   bounce
verify    unix  -   -   -   -   1   verify
flush unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   -   -   -   smtp
relay unix  -   -   -   -   -   smtp
showq unix  n   -   -   -   -   showq
error unix  -   -   -   -   -   error
retry unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   -   -   -   lmtp
anvil unix  -   -   -   -   1   anvil
scache    unix  -   -   -   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp  unix  -   n   n   -   -   pipe
   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -   n   n   -   -   pipe
   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
   ${nexthop} ${user}
dovecot   unix  -   n   n   -   -   pipe
   flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
#smtp  inet  n   -   n   -   1   postscreen
#smtpd pass  -   -   n   -   -   smtpd
#dnsblog   unix  -   -   n   -   0   dnsblog
#tlsproxy  unix  -   -   n   -   0   tlsproxy
postlog   unix-dgram n  -   n   -   1   postlogd


my ldap.conf on mailserver:

[root@mail1t openldap]# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldaps://ldap1t.test.loc:636

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never

#TLS_CACERTDIR    /etc/openldap/certs
TLS_CACERTDIR /etc/pki/tls/certs/ka

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

TLS_REQCERT never


dovecot.conf:

[root@mail1t dovecot]# cat dovecot.conf
auth_mechanisms = plain login
mail_uid = vmail
mail_gid = vmail
ssl_cert =  method=%m rip=%r lip=%l mpid=%e
%c %k"
#mail_plugins = quota
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

log_timestamp = "%Y-%m-%d %H:%M:%S "
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
debug_log_path = /var/log/do

Re: Mail account brute force / harassment

2019-04-14 Thread mj via dovecot

Hi,

On 4/12/19 11:05 PM, Joseph Tam via dovecot wrote:

"www.blocklist.de" is a nifty source.  Could you suggest other publically
available blacklists?



The ones we are using are:

"file:///etc/ipset-blacklist/ip-blacklist-custom.list" # optional, for your personal nemeses (no typo, plural)


In this file we have our own manual additions.

"https://www.projecthoneypot.org/list_of_ips.php?t=d=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
"https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
"http://blocklist.greensnow.co/greensnow.txt" # GreenSnow
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol


MJ


Re: Mail account brute force / harassment

2019-04-12 Thread mj via dovecot

Hi,

What we do is: use https://github.com/trick77/ipset-blacklist to block 
IPs (from various existing blacklists) at the iptables level using an ipset.


That way, the known bad IPs never even talk to dovecot, but are dropped 
immediately. We have the feeling it helps a lot.


MJ

On 4/12/19 10:27 AM, James via dovecot wrote:

On 12/04/2019 08:42, Aki Tuomi via dovecot wrote:

On 12.4.2019 10.34, James via dovecot wrote:

On 12/04/2019 08:24, Aki Tuomi via dovecot wrote:


Weakforced uses Lua so you can easily integrate DNSBL support into it.

How does this help Dovecot block?
A link to some documentation or example perhaps?



https://wiki.dovecot.org/Authentication/Policy

You can configure weakforced to return status -1 when DNSBL matches,
which causes the user authentication to fail before any other processing
happens.


Thank you.  I will study this - although I dispute your "easily"!



James.
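
As an added example of what the ipset-blacklist approach described in the two posts above boils down to (this is not code from trick77/ipset-blacklist or from the thread), the script below turns blocklist text of the kind those feeds serve into an `ipset restore` script. It keeps only syntactically valid IPv4 entries, drops anything that overlaps loopback or RFC 1918 space (so a broken or poisoned upstream list can never make the firewall drop your own LAN or localhost), drops absurdly wide prefixes, de-duplicates, and loads the result into a temporary set that is then swapped in, so the live set is never empty during a refresh. The sample list and set name are constructed.

```python
"""Build an `ipset restore` script from blocklist text.

Added example, not code from trick77/ipset-blacklist. The list below is
constructed; the set name "blacklist" is an assumption.
"""
import ipaddress

SAMPLE_LIST = """\
# constructed blocklist sample, not a real feed
192.0.2.1
192.0.2.1
198.51.100.0/24
10.0.0.5          # private space: must never land in the set
127.0.0.1
0.0.0.0/0         # an entry this wide would block everything
not-an-ip
203.0.113.7 # trailing comment
2001:db8::1       # IPv6 is ignored by this inet-family set
"""

# Ranges a mail server must never block wholesale, whatever a feed says.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]
MIN_PREFIXLEN = 8   # refuse anything wider than a /8


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of IPv4 networks from feed text."""
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()     # strip comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                              # garbage line, skip it
        if net.version != 4 or net.prefixlen < MIN_PREFIXLEN:
            continue
        if any(net.overlaps(p) for p in PROTECTED_NETS):
            continue
        nets.add(net)
    return sorted(nets)


def ipset_restore_script(setname, text, hashsize=1024, maxelem=65536):
    """Emit an ipset restore script that atomically replaces `setname`."""
    tmp = f"{setname}-tmp"
    lines = [
        # -exist makes the create idempotent across repeated runs
        f"create {setname} hash:net family inet hashsize {hashsize} maxelem {maxelem} -exist",
        f"create {tmp} hash:net family inet hashsize {hashsize} maxelem {maxelem} -exist",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in parse_blocklist(text)]
    # swap the fully loaded temporary set in, then drop the old contents
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ipset_restore_script("blacklist", SAMPLE_LIST), end="")
```

Feed the output to `ipset restore` and match the set in iptables with `-m set --match-set blacklist src -j DROP` in front of the dovecot and postfix accept rules; raise `maxelem` if the aggregated feeds exceed 65536 entries.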



AD ldap, filter to exclude various kinds of expired, disabled etc etc users

2019-03-08 Thread mj via dovecot

Hi,

I was revising our AD ldap user_filter and pass_filter to exclude more 
types of expired / disabled accounts.


I started adding things like:

(&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))


but then I thought, why not simply do:


(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))


as 512 would be your regular active user accounts only, excluding all other 
account types.


Looking here 
(https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties), 
there are so many different userAccountControl values to check that it might 
be smarter to only allow userAccountControl=512, or?


Any ideas on this..?

(or examples of how you do it?)

MJ
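
As an added worked example (not code from the thread), the script below decodes userAccountControl values into their documented flag bits and runs constructed sample accounts through the two filter strategies discussed above. It goes one step beyond the post by also showing the bitwise extensible-match filter that AD's LDAP supports, which tests the ACCOUNTDISABLE bit on its own instead of comparing the whole integer. The sample accounts and their names are constructed; the flag bits and the matching-rule OID are the documented ones.

```python
"""Decode userAccountControl and compare filter strategies.

Added example, not part of the list post. Flag bits are the documented
userAccountControl bits; the sample accounts are constructed.
"""

# Documented userAccountControl bits that the thread's values are built from.
ACCOUNTDISABLE = 0x0002         # 2
PASSWD_NOTREQD = 0x0020         # 32
NORMAL_ACCOUNT = 0x0200         # 512
DONT_EXPIRE_PASSWORD = 0x10000  # 65536
PASSWORD_EXPIRED = 0x800000     # 8388608

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match: lets a filter
# test individual bits of an integer attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


# Constructed sample accounts: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("alice", 512),      # ordinary active user
    ("bob", 514),        # 512 + 2: disabled
    ("carol", 546),      # 512 + 32 + 2: disabled, password not required
    ("dave", 66048),     # 512 + 65536: active, "password never expires"
    ("erin", 66050),     # 512 + 65536 + 2: disabled, password never expires
    ("frank", 8389120),  # 512 + 8388608: the PASSWORD_EXPIRED bit combined with 512
]


def filter_negated_values(uac):
    """(!(userAccountControl=514))(!(…=546))(!(…=66050))(!(…=8388608))"""
    return uac not in (514, 546, 66050, 8388608)


def filter_exact_512(uac):
    """(userAccountControl=512)"""
    return uac == 512


def filter_not_disabled_bit(uac):
    """(!(userAccountControl:1.2.840.113556.1.4.803:=2)): excludes every
    value that has the ACCOUNTDISABLE bit set, whatever else is set."""
    return uac & ACCOUNTDISABLE == 0


def bit_filter(bit, negate=True):
    """Render the extensible-match clause for one bit."""
    clause = f"(userAccountControl:{BIT_AND_RULE}:={bit})"
    return f"(!{clause})" if negate else clause


def allowed_by(filter_fn, accounts=SAMPLE_ACCOUNTS):
    """Account names the given filter would let through."""
    return [name for name, uac in accounts if filter_fn(uac)]


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:6} {uac:>8} {decode_uac(uac)}")
    print("negated list :", allowed_by(filter_negated_values))
    print("exact 512    :", allowed_by(filter_exact_512))
    print("bit test     :", allowed_by(filter_not_disabled_bit), bit_filter(ACCOUNTDISABLE))
```

The output shows both problems with the approaches in the post: the negated-value list lets frank through because 8388608 only matches when it is the whole value, and exact 512 locks out dave, an active account with "password never expires", which is a common setting for service and mail accounts. The bit test gets both right. Note that in Microsoft AD the lockout and password-expired states are reported through msDS-User-Account-Control-Computed rather than the stored userAccountControl, so a filter on userAccountControl alone cannot catch them; check how your Samba version exposes that attribute before relying on it.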


Re: AW: Calendar function ?

2018-10-21 Thread mj

Hi,

On 10/21/2018 01:22 PM, Maurizio Caloro wrote:
> Please, these are complete Groupware solutions; is it possible to use from 
> these only the Calendar Synchronization and Date, Appointment functionality?



If that is what you need, perhaps you should check out sogo:

https://sogo.nu/

We have been running it for years, with the same backend-components you 
are using: postfix and dovecot. (and active directory)


MJ


Re: Storing Messages in the cloud

2018-07-11 Thread mj

Hi,

If you consider ceph as "the cloud", this could also apply:

https://github.com/ceph-dovecot/dovecot-ceph-plugin

MJ


Re: Looking into a solution for Caldav (and possibly carddav) support

2018-06-30 Thread mj

Hi,

It sounds as if you want to be looking at sogo.nu:

https://sogo.nu/

It re-uses your imap/mail setup, and implements caldav/carddav, and also 
ActiveSync to interact with the same contacts/calendars.


Take a look: It's modern and very well-maintained, plus light-weight.

MJ


On 06/30/2018 02:06 AM, Nathan Coulson wrote:
We have an existing Dovecot/Postfix/Roundcube email solution, which I 
was hoping to add Caldav (and carddav?) support to, with the goal of 3rd 
party email clients being able to keep contacts and calendars in sync 
(as well as having the same information in roundcube)


In doing research, I came across traces of it being considered for 
Dovecot at one time 
(https://www.dovecot.org/list/dovecot/2015-September/101996.html), and I 
was wondering where this went.



Specifically, 
https://www.dovecot.org/list/dovecot/2015-September/101997.html seemed 
to hint that metadata support was a prerequisite for this (mainstream as 
of the email), and I was wondering if this meant there was potentially a 
solution built on top of this.



Thank you



Re: why is dovecot "Allowing any password"

2018-03-22 Thread mj



On 03/22/2018 11:34 AM, Jochen Bern wrote:

The configuration guide describes (in 4.3.) a scenario where SOGo's user
population backend (LDAP) is set up from scratch, which implies that the
preexisting IMAP server supposedly is *not* using the same
backend/data/passwords.

I'd guess that *if* you have the IMAP server configured to look up the
same backend/data (including support for exotic authentication methods,
"Exchange style" cross-user access rights management, yadda yadda), the
requirement to defeat authentication from SOGo to the IMAP server may
become moot.

But until then - Exchange takes its entire auth from AD, and SOGo's
LDAP, *not* the IMAP server's passdb, is the analogue of that.


I have read the above again and again, but I don't understand what you 
are trying to say, I'm sorry.


Chapter 4.3 doesn't apply to us and my question, since we are (and were) 
always using (samba) AD.


Everything connects to this same AD backend, including SOGo and imap.

MJ


Re: why is dovecot "Allowing any password"

2018-03-22 Thread mj



On 03/22/2018 09:56 AM, Aki Tuomi wrote:


I would recommend using master password (that is, replace nopassword=y
with password=staticpassword). I know that from localhost perspective
this isn't much different, but it will reduce accidents.


ok, I'll see if I can get the SOGo developers attention on this. :-)

MJ


Re: why is dovecot "Allowing any password"

2018-03-22 Thread mj



On 03/22/2018 09:34 AM, Aki Tuomi wrote:

I have no idea *WHY* it is required by SOGo. It does not make sense.


Well, the thing is: SOGo has this ability to behave like a *real* 
exchange server, as if it's running on a windows server. And this 
enables Outlook to connect to it like it would to an exchange server. 
(so: not in imap mode, and not using regular username/password 
authentication)


Normally, SOGo simply reuses the provided username/password to connect 
to the imap server, but in the above scenario, these are not available.


The same goes for a SAML2 authenticated SOGo webmail logon.

In these scenarios, SOGo uses the 127.0.0.1 connection, to logon to 
imap. Since it does know the username.


I guess a better solution would be for SOGo to be able to do 
'transformations' to the username/password, to change the regular 
username/unknownpassword into username*master/masterpassword, and get 
rid of the 127.0.0.1 passwordless listener.


Right?

But SOGo doesn't do that. (afaik)

MJ


Re: why is dovecot "Allowing any password"

2018-03-22 Thread mj



On 03/21/2018 10:34 PM, @lbutlr wrote:

The question is does it allow remote users to login with no password?

Yes, and the answer is: no.


If not, then the message is merely a notification that login without a password 
is potentially possible.

Yes, but a worrying one. That's why i decided to post here.


I have no idea why you would have nopassword=y set in the first place, so it 
seems the simplest way to eliminate this problem is to take that out and have a 
secure environment for sending mail.


Yes, however, for SOGo with Native Outlook compatibility or SAML logon, 
the config is required.


(https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html)

Thanks,
MJ


Re: why is dovecot "Allowing any password"

2018-03-21 Thread mj

ok, fyi:

I have now also tested/confirmed this, while looking at the logs, and 
indeed:


Even when the connection is denied because of a wrong password, the 
message "Allowing any password" is showing up in the logs.


Perhaps it is because we have set debug options:


auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes


It would be nice if the "Allowing any password" could be rephrased, or 
taken out. It really had me scared for a while.


Thanks Aki,
MJ


Re: why is dovecot "Allowing any password"

2018-03-21 Thread mj

Hi Aki,

On 03/21/2018 05:43 PM, Aki Tuomi wrote:

Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,): allow_nets check failed: IP not in allowed networks

this indicates that the request is marked failed.


So, what you are saying is: the logline "Allowing any password" is 
'wrong'? Access was actually DENIED, even though it says "Allowing any 
password" and even though one line later it says: "auth: Debug: auth 
client connected (pid=6174)"?


This is all very misleading.

MJ


Re: why is dovecot "Allowing any password"

2018-03-21 Thread mj

Hi Aki,

Thanks for the quick answer!

On 03/21/2018 05:24 PM, Aki Tuomi wrote:

This is what 'nopassword=y' does. I'm guessing this is an attempt to allow 
logging in from localhost without password, but I'd use master password (for 
applications or webmails), or


Yes, the config is taken from the SOGo configuration guide, which can be 
seen here:

https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html

Yes, but we have args = nopassword=y allow_nets=127.0.0.1/32
so it should only allow passwordless logins from localhost, right..?

And in "Debug: static(username,1.2.3.4,): Allowing any 
password" 1.2.3.4 is NOT localhost...


(obviously 1.2.3.4 is not the *real* ip, bit it's a *real* ip from the 
internet, NOT localhost...


MJ


why is dovecot "Allowing any password"

2018-03-21 Thread mj

Hi,

I noticed the following in the logs of our debian wheezy server:


Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,): result: uid=username; uid unused
Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,): result: uid=username
Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,): invalid credentials (given password: invalid_password)
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): lookup
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,): allow_nets check failed: IP not in allowed networks
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,): Allowing any password
Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)


The second-to-last line, "Allowing any password", comes as a surprise..? 
Why would dovecot allow any password..?


We had the following bit in our config, but I removed it now:


#passdb {
#  driver = static
#  args = nopassword=y allow_nets=127.0.0.1/32
#}


Could anyone explain the "Allowing any password"?

And lastly our current doveconf -n:


# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-amd64 x86_64 Debian 7.11 xfs
auth_debug = yes
auth_debug_passwords = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox "Deleted items" {
    special_use = \Trash
  }
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent items" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  mailbox inbox {
auto = subscribe
  }
  prefix = 
  separator = /

  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
mode = 0666
  }
  unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
user = vmail
  }
  user = dovecot
}
shutdown_clients = no
ssl_ca = 

MJ
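
As an added example of how to read the log excerpt above (not code from the thread or from Dovecot), the script below groups auth lines by the session id that Dovecot prints after the IP and works out which passdb decided each attempt, so a "static: Allowing any password" line is only counted as a passwordless login when no "allow_nets check failed" line preceded it in the same attempt. The log lines are constructed after the ones quoted above, with the session ids restored; the second, localhost attempt and its user name are assumptions standing in for the SOGo case the thread is about. The decision logic only models the two passdbs from this config (ldap followed by static).

```python
"""Correlate Dovecot auth debug lines per attempt and name the deciding passdb.

Added example, not from the thread or from Dovecot. Log lines are
constructed after the quoted ones; session ids and the localhost
attempt are assumptions.
"""
import re

SAMPLE_LOG = """\
Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<sess1>): bind search: base=CN=Users,DC=samba,DC=company,DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,<sess1>): invalid credentials (given password: invalid_password)
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<sess1>): lookup
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<sess1>): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<sess1>): allow_nets check failed: IP not in allowed networks
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<sess1>): Allowing any password
Mar 21 07:14:02 mail dovecot: auth: Debug: static(sogo_user,127.0.0.1,<sess2>): lookup
Mar 21 07:14:02 mail dovecot: auth: Debug: static(sogo_user,127.0.0.1,<sess2>): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:14:02 mail dovecot: auth: Debug: static(sogo_user,127.0.0.1,<sess2>): Allowing any password
"""

# passdb(user,ip,<session>): message
AUTH_RE = re.compile(
    r"auth: (?:Debug: )?(?P<passdb>\w+)\((?P<user>[^,]*),(?P<ip>[^,]*),<(?P<sess>[^>]*)>\): (?P<msg>.*)$"
)


def parse_auth_log(text):
    """Group passdb messages by session id, keeping their order."""
    sessions = {}
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("sess"),
                                {"user": m.group("user"), "ip": m.group("ip"), "events": []})
        s["events"].append((m.group("passdb"), m.group("msg")))
    return sessions


def decide(events):
    """Walk one attempt's passdb chain. A static passdb whose allow_nets check
    failed has rejected the attempt; the 'Allowing any password' line that
    follows is only the nopassword=y debug note and grants nothing."""
    static_failed = False
    for passdb, msg in events:
        if passdb == "static":
            if msg.startswith("allow_nets check failed"):
                static_failed = True
            elif msg.startswith("Allowing any password") and not static_failed:
                return "allowed-without-password"
        # ldap "invalid credentials" and debug noise: keep walking the chain
    return "denied"


def summarize(text):
    """Per session: user, source IP and the outcome of the attempt."""
    return {sess: {"user": s["user"], "ip": s["ip"], "outcome": decide(s["events"])}
            for sess, s in parse_auth_log(text).items()}


def passwordless_from_outside(text, trusted=("127.0.0.1",)):
    """Sessions let in without a password from an IP outside the trusted list;
    this is the alert condition if allow_nets were ever dropped from the passdb."""
    return sorted(sess for sess, r in summarize(text).items()
                  if r["outcome"] == "allowed-without-password" and r["ip"] not in trusted)


if __name__ == "__main__":
    for sess, r in summarize(SAMPLE_LOG).items():
        print(sess, r)
    print("passwordless from outside:", passwordless_from_outside(SAMPLE_LOG))
```

On the constructed input the attempt from 1.2.3.4 comes out "denied" and only the localhost one is "allowed-without-password", which is what Aki's reading of the allow_nets line says; the last function is the check worth keeping around after the passdb is reintroduced, since a non-empty result means the listener is handing out mailboxes to the internet.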


Re: Howto authenticate smartPhone via Active Directory

2017-12-05 Thread mj

Hi,

Not much time to reply now.

On 12/05/2017 05:21 AM, Mark Foley wrote:
> mj - thanks! That's the first useful example I've received from any forum/list.
> I'm getting ready to try my config (have to do so after hours), but I have
> some probably simple-minded questions:

Well, that looks as if you are testing/trying out on your production 
machine. Why not set up a separate (virtual?) test server to play with..? 
Use the same OS version, with the same dovecot version.
Or clone your production machine, so you can test as much as you like, 
without time pressure, at any given time.

> Your example is not the complete dovecot-ldap.conf.ext file, right? Have you
> just given me differences in your config from the "original"? You've kept the
> hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn
> settings in your config, right?

Not the complete file, no. I just provided the essentials.

> Your dn is:
>
> dn = cn=search_dovecit,cn=users,dc=company,dc=com
>
> Mine (original) is:
>
> dn = cn=user_for_bind,cn=Users,dc=dom
>
> Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that
> something I need in order to make this work?

It's the user that dovecot uses to search for your user. It can be 
anything, as long as it can authenticate using the password in:

> My dnpass (original) is:
>
> dnpass = 
>
> your example is:
>
> dnpass = top_secret

Use the password of whatever user you use.

> If meta, what is actually supposed to go there?

The password of user_for_bind.

> With your "this user/passwd filter". Can you tell me why you have
> "userAccountControl=514"? Is that 514 bit documented somewhere? Your
> user_filter/pass_filter is *completely* different from my installed original.

https://social.msdn.microsoft.com/Forums/vstudio/en-US/77f48af7-bbef-4cd7-9c83-d9359b255534/ldap-query-get-nonlockeddisabled-accounts?forum=netfxbcl

For the rest: my advice is that you *really* need to play around with 
this much more. Get yourself a test environment, and play and test.


Plus: read some dovecot/ad howto's, and try things in your own environment.

Quick google returns:
https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x

Enjoy :-)

MJ


Re: Howto authenticate smartPhone via Active Directory

2017-12-04 Thread mj



On 12/04/2017 09:01 AM, Aki Tuomi wrote:

It seems you'd have to configure OpenLDAP backend for Samba to have LDAP.


No. As far as I know, samba in AD mode always does ldap. (AD *is* just 
that: microsoft-ized ldap)


And you should configure dovecot simply as a regular ldap client. That's 
what we do, anyway.


MJ


Re: Howto authenticate smartPhone via Active Directory

2017-12-04 Thread mj

Hi Mark,

Just to let you know that we are running dovecot with AD. (and I guess: 
*many* people are running that combination)


It worked without issues, we are using in dovecot-ldap.conf.ext:

> auth_bind = yes

this user/passwd filter:

= (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))


> dn = cn=search_dovecit,cn=users,dc=company,dc=com
> dnpass = top_secret

And not the 3268 port, but regular 389.

Hope that helps.

MJ



On 12/04/2017 01:38 AM, Mark Foley wrote:

Unfortunately, I tried for weeks to figure out passdb ldap without success. I 
guess I'm just
not knowledgeable enough about how to use ldap and Active Directory. The 
dovecot wiki
https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says 
is:

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP 
fields are
available in port 3268. Use whatever works. 
http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with 
AD.

However, I have had some success with CheckPassword
(https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I 
wrote to do
ntlm_auth, I am able to authenticate the smartPhone user and pass the required 
parameters back
to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except 
pointing to my
checkpassword executable.

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword 
for every user,
smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: 
shadow(charmaine,192.168.0.52,): unknown user  - trying the 
next passdb
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): execute: 
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): Received input:
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): exit_status=1
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): Credentials:
Dec 03 18:56:32 auth: Debug: client passdb out: OK  1   user=charmaine  
original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001  14902   1   
586863e54c57c999ee5731906a59257csession_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: 
passwd(charmaine,192.168.0.52,): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: 
passwd(charmaine,192.168.0.52,): username changed charmaine 
-> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER1884160001  
HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003gid=1 
  home=/home/HPRS/charmaine   
auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 
auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, 
rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next 
passdb", which is
checkpassword (which apparently succeeds), then it goes on to gssapi which also 
succeeds.  Is
there a way to only have it do checkpassword if all shadow and gssapi fail? My 
mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

--Mark

-Original Message-
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org

with passdb ldap i guess.

---Aki Tuomi
Dovecot oy

 Original message 
From: Mark Foley <mfo...@ohprs.org>
Date: 03/12/2017  21:18  (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory

Yes, you are right. This link: 
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android.  Problem #1 is that Slackware does not ship 
with PAM and the
AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but 
I'm not sure I
should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials 
besides pam? The phone can send user and password.

--Mark

-Original Message-

Date: Sun, 03 Dec 2017 15:22:56 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org

Actually you are authenticating gssapi clients from ad and everyone else from 
shadow. maybe you need to configure pam module?
---Aki TuomiDovecot oy

 Original message 
From: Mark Foley <mfo...@ohprs.org>
Date: 03/12/2017  06:03  (G

Re: My sub-folder with Outlook work-around to date

2017-10-06 Thread mj

Hi,

What we do, on the dovecot side, is:

mail_location = maildir:~/Maildir:LAYOUT=fs:DIRNAME=mAildir

See: https://wiki2.dovecot.org/MailLocation/Maildir

This has been working out very nicely for many years.

I'm not sure though that there is a way to 'move' to that config without 
having to basically migrate all your mailboxes.


MJ

On 10/06/2017 04:08 AM, David.M.Clark wrote:

Hi All, please be kind, this is my first e-mail to the list :-)

I actively support CentOS based e-mail servers running Dovecot, 
Sendmail, Spammassassin and 3 x SOGo based setups.


Dovecot is my goto IMAP server and have used it and modifications to it 
to net excellent results for years.


Then we have people who insist on only using Outlook (and in some 
instances the MS Live Messenger thingy).


Some shenanigans in recent years have arisen with using sub-folders in 
the Outlook clients (2013 and 2016).


Traditionally, placing a "/" after the name of a newly desired e-mail 
folder has netted the result of something like:


"Rentals/"

creating:

/u/home/someuser/mail/Rentals/

Under which users then create actual e-mail folders under the "Rentals" 
Linux directory as such.


With Outlook 2013 and 2016 this seems to have stopped working and so I 
implemented a work-around where the user creates a normal folder, 
example "Rentals++", and I have written a cron script that trawls the 
$HOMEs each minute and if it finds a folder with a "++" at the end, it 
creates the folder as a directory, so:


/u/home/someuser/mail/Rentals++

becomes:

/u/home/someuser/mail/Rentals/

and adds this new subscription to their .subscription folder. It also 
sends an e-mail to the user advising that the new folder is created and 
they can proceed to use the "Rentals" folder for adding sub-folders (as 
in real text based mail folders).


The script was a quick work-around one weekend in a mad flurry to get 
things working and to date works but is not 'user-proof'. So I am now 
looking at developing an internal web interface to do the same thing and 
hoping with more controls, has no or far less margin for user error. 
Long times of Outlook folder refreshes don't help and users sometimes 
end up with issues that require my Linux command line help.


I have been trawling e-mail forums for some time now and have not seen 
any other work-arounds (or perhaps I am living under a rock) but before 
I embark on this web interface adventure, I just wanted to make sure I 
had not missed some fundamental 'bit' that I should be observing.


All servers are either CentOS 6.9 (or slightly less) and CentOS 7 with 
the latest updates and for things like Thunderbird and Roundcube and 
SOGo, work well. I need to experiment with the whole "/" for these but I 
am currently driven by the enforced Outlook chains.


Any input from you guys on whether this is my best approach or 'hey 
mate, just do this', would be much appreciated.


I am happy to share my travels script/web-wise if this is the only 
option to date.




librmb: Mail storage on RADOS with Dovecot

2017-09-22 Thread mj

Hi ceph-ers,

The email below was posted on the ceph mailinglist yesterday by Wido den 
Hollander. I guess this could be interesting for users here as well.


MJ

 Forwarded Message 
Subject: [ceph-users] librmb: Mail storage on RADOS with Dovecot
Date: Thu, 21 Sep 2017 10:40:03 +0200 (CEST)
From: Wido den Hollander <w...@42on.com>
To: ceph-us...@ceph.com

Hi,

A tracker issue has been out there for a while:
http://tracker.ceph.com/issues/12430

Storing e-mail in RADOS with Dovecot, the IMAP/POP3/LDA server with a 
huge marketshare.


It took a while, but last year Deutsche Telekom took on the heavy work 
and started a project to develop librmb: LibRadosMailBox


Together with Deutsche Telekom and Tallence GmbH (DE) this project came 
to life.


First, the Github link:
https://github.com/ceph-dovecot/dovecot-ceph-plugin

I am not going to repeat everything which is on Github, but a short summary:

- CephFS is used for storing Mailbox Indexes
- E-Mails are stored directly as RADOS objects
- It's a Dovecot plugin

We would like everybody to test librmb and report back issues on Github 
so that further development can be done.


It's not finalized yet, but all the help is welcome to make librmb the 
best solution for storing your e-mails on Ceph with Dovecot.


Danny Al-Gaaf has written a small blogpost about it and a presentation:

- https://dalgaaf.github.io/CephMeetUpBerlin20170918-librmb/
- http://blog.bisect.de/2017/09/ceph-meetup-berlin-followup-librmb.html

To get an idea of the scale: 4,7PB of RAW storage over 1.200 OSDs is the 
final goal (last slide in presentation). That will provide roughly 1,2PB 
of usable storage capacity for storing e-mail, a lot of e-mail.


To see this project finally go into the Open Source world excites me a 
lot :-)


A very, very big thanks to Deutsche Telekom for funding this awesome 
project!


A big thanks as well to Tallence as they did an awesome job in 
developing librmb in such a short time.


Wido


Re: Problem w/ Dovecot authentication against AD

2017-09-13 Thread mj

Hi,

Perhaps you need auth_bind = yes?

MJ

On 09/13/2017 01:34 PM, Garry Glendown wrote:

Hi,

I had to start using Dovecot on a machine as the new OS does not come
with Cyrus IMAP anymore. After multiple problems, I managed to get
everything working, including LDAP authentication against the (old)
Novell LDAP server.
Anyway, the authentication is supposed to be migrated to the new Windows
AD. For other tools, I successfully migrated the config to use AD, but
somehow Dovecot does not work as it should.

I've been going back and forth, trying everything I could think of, but
still can't get it to work.

Here's the excerpt from the config file:

hosts = 10.10.10.210
uris = ldap://10.10.10.210:389
dn = cn=Administrator,cn=Users,dc=srv,dc=SLD,dc=net
dnpass = PASSWORD
tls = no
debug_level = -1
auth_bind = yes
ldap_version = 3
base = DC=srv,dc=SLD,dc=net
deref = never
scope = subtree
user_attrs =  sAMAccountName=user
user_filter = (&(sAMAccountName=%n)(objectclass=person))
pass_attrs = sAMAccountName=user
pass_filter = (&(sAMAccountName=%n)(objectclass=person))
iterate_attrs = mail=user
iterate_filter = (objectclass=person)
default_pass_scheme = PLAIN

The problem might be caused by the referral info sent by the AD, which I
can see both in the results dovecot gets (checked with tcpdump), as well
as in ldapsearch ... apart from the actual search result, I always get
three additional results:

#
refldap://DomainDnsZones.srv.SLD.net/DC=DomainDnsZones,DC=srv,DC=SLD,DC=net

#
refldap://ForestDnsZones.srv.SLD.net/DC=ForestDnsZones,DC=srv,DC=SLD,DC=net

# refldap://srv.SLD.net/CN=Configuration,DC=srv,DC=SLD,DC=net

 From what I can see in the pcap as well as some of the logs, dovecot
binds to the AD, sends out the LDAP query correctly, gets the lookup
result with the user queried plus the above three referrals, then
unbinds from the (named) bind, attempts a simple bind without dn/dnpass
(multiple times), and finally sends three additional search requests
under the search bases

cn=Configuration,DC=srv,DC=SLD,DC=net
DC=ForestDnsZones,DC=srv,DC=SLD,DC=net
DC=DomainDnsZones,DC=srv,DC=SLD,DC=net

These three requests are denied by the AD as they are not permitted
without a successful prior bind.
Dovecot then fails the auth process.

Is there a way to stop Dovecot from using the referrals? Openldap seems
to have an option to disable referrals, but Dovecot does not allow that
option in its LDAP config, and having the option set in the global
ldap.conf doesn't seem to help any, either. Is there possibly a way to
disable the referral information on the AD side?

Thanks, Garry



Re: Dovecot - Postfix Calender Synchronisation

2017-08-24 Thread mj

Hi,

I realise that this is in fact off-topic, but: like others, I'd also 
like to recommend SOGo.


Someone in this thread said: it has too many dependencies, but I 
disagree, and in fact I consider it a good thing that it depends on 
other components.


Consider SOGo like an exchange server. And they (inverse.ca) only 
implemented the missing bits, and for the rest they depend on stable and 
mature other components.


While that means dependencies, yes, it also means: do what you're good 
at and what's missing, and for the rest: reuse what is readily 
available. Don't reinvent the wheel.


Besides that: most places will have many of the requirements in place 
already.


MJ


On 08/24/2017 07:38 AM, Rupert Gallagher wrote:

We tried installing Radicale months ago, and decided to postpone testing. Its 
footprint exceeds 140MB, because of python. It requires python, which is a 
security hazard on production servers. Security mitigations are absent: must 
use a virtual machine.

Sent from ProtonMail Mobile

On Thu, Aug 24, 2017 at 12:11 AM, Marcus Rueckert <da...@opensu.se> wrote:


Lookup radicale. -- openSUSE - SUSE Linux is my linux openSUSE is good for you 
www.opensuse.org


Re: unexpected delivery location

2017-08-23 Thread mj

Hi,

On 08/23/2017 09:56 PM, Noel wrote:

Perhaps you can adjust your query or your database to return the
desired result.  Otherwise, use your scripting skills to generate a
file, then automate the procedure.


Thanks for the suggestion, I'll try something like that.

Still feel that some simple config to make one domain an alias to 
another domain would be very useful. :-)


MJ


Re: unexpected delivery location

2017-08-23 Thread mj

Hi Noël,

Thanks for your response!

On 08/23/2017 06:03 PM, Noel wrote:

Don't use wildcard aliases.  They break recipient validation and
cause postfix to accept all addresses.

Instead use 1-1 aliases, such as
user1@olddomain  user1@newdomain
user2@olddomain  user2@newdomain


But we have 500+ addresses in ldap, surely there must be some 
'automated' way to 'transform' any incoming mail sent to 
ran...@olddomain.com into ran...@newdomain.com?


(and then have it processed regularly, so that bounces still work for 
non-existent addresses and such)


MJ


Re: under another kind of attack

2017-07-29 Thread mj



On 07/29/2017 07:44 PM, Doug Barton wrote:

On 07/25/2017 07:54 AM, mj wrote:

Since we implemented country blocking,


Please don't do that. Balkanizing the Internet doesn't really benefit 
anyone, and makes innovation a lot more difficult.


Perhaps I need to be more specific:

I block certain countries from accessing imap/smtp directly, as that is 
where all the botnets seem to be trying their passwords.


I do not block entire countries from accessing us completely (the 
hammer) but rather block their access of imap and smtp for my 
mailserver. (this is what I like to see as a precision tool)


For the record I improved my iptables rules a lot compared to the mail 
you replied to. I am now using a chain, like this:



$IPTABLES -N filter_countries
$IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
$IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP


and then:


$IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
$IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries


This makes it a lot more efficient, compared to the (many) rules I was 
using earlier.


MJ


Re: under another kind of attack

2017-07-29 Thread mj

Hi Doug,

On 07/29/2017 07:44 PM, Doug Barton wrote:
Instead, take a look at the fail2ban scenarios in this thread, which 
solve the actual problem with a precision tool, instead of a hammer.


I have implemented (most of) those as well, and additionally choose to 
also block certain countries. It helps tremendously.


MJ


Re: under another kind of attack

2017-07-25 Thread mj

Hi Olaf,

Since we implemented country blocking, everything seems nicely under 
control, with only 'normal levels' of knocking.


We first have implemented:
http://blog.jeshurun.ca/technology/block-countries-ubuntu-iptables-xtables-geoip

Then we did:
https://github.com/firehol/blocklist-ipsets

And finally iptables rules like these:


iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc 
CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc 
MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc 
MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 143 -m geoip --src-cc CR,MZ -j DROP

iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc 
CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc 
MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc 
MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 993 -m geoip --src-cc CR,MZ -j DROP

iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc 
CN,AG,MX,NI,MF,VE,CO,AR,RU,UA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc 
MD,SD,SS,GA,CN,AZ,IN,ID,KZ,LA -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc 
MY,MN,SG,VN,TH,TW,HK,KR,KP,HT -j DROP
iptables -A INPUT -p tcp --dport 465 -m geoip --src-cc CR,MZ -j DROP


I tried to combine the various dports in one single rule, but that 
didn't seem to work. Perhaps someone here knows how to combine --match 
"geoip" and "multiport" in one single rule?


Anyway: for us these combined measures did the trick.

Users in one of the imap-blocked countries will have to use ActiveSync 
(works over https), the webmail-interface, or launch the VPN first.


This works for us.

Only one thing on my wishlist: application specific passwords. I would 
very much appreciate a response on that thread... (posted yesterday 
evening, with a pseudo-dovecot-config file...)


Hope the above helps you a bit, Olaf.

MJ

On 07/25/2017 04:37 PM, Olaf Hopp wrote:

Hi folks,

"somehow" similar to the thread "under some kind oof attack" started by 
"MJ":


I have dovecot shielded by fail2ban which works fine.
But since a few days I see many many IPs per day knocking on
my doors with wrong password and/or users. But the rate at which they are 
knocking

is very very low. So fail2ban will never catch them.

For example one IP:

Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): 
pam(eurodisc,101.231.247.210,): unknown user
Jul 25 15:16:36 irams1 dovecot: auth-worker(11047): 
pam(gergei,101.231.247.210,): pam_authenticate() 
failed: Authentication failure (password mismatch?)
Jul 25 16:08:51 irams1 dovecot: auth-worker(3379): 
pam(icpe,101.231.247.210,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user


Note the timestamps.
If I look the other way round (tries to one account) I'll get

Jul 25 01:30:48 irams1 dovecot: auth-worker(11276): 
pam(endsulei,60.166.12.117,): unknown user
Jul 25 01:31:26 irams1 dovecot: auth-worker(11276): 
pam(endsulei,222.243.211.200,<s0+6nBhVabHe89PI>): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): 
pam(endsulei,60.2.50.114,<4elhpCJVtcw8AjJy>): unknown user
Jul 25 13:30:27 irams1 dovecot: auth-worker(4747): 
pam(endsulei,222.84.118.83,): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): 
pam(endsulei,101.231.247.210,): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): 
pam(endsulei,206.214.0.120,): unknown user


Also note the timestamps!

And I see many many distinct IPs per day (a few hundred) trying many 
many existing and non-existing accounts.
As you see in the timestamps in my examples, this can not be handled by 
fail2ban without affecting

regular users with typos.
Is anybody observing something similar ?
Anybody an idea against this ?
Many of these observed IPs are Chinese mobile IPs, if this matters. But 
we have also Chinese students and

researchers all abroad.


Regards,
Olaf



Re: under some kind of attack

2017-07-21 Thread mj

Hi Joseph,

On 07/21/2017 10:17 PM, Joseph Tam wrote:

As per my post: checkpassword.  You can then use one password on Mondays,
Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursday
fetched from a rot-13 database, and only from prime numbered IP addresses
on weekends, if that's what you want.


Having read the wiki page on checkpassword, I am unsure how this would 
work with an ldap backend.


Could you elaborate on that?

Best,
MJ


Re: application specific passwords

2017-07-20 Thread mj

Hi Kirill,

Thanks for your reply. Such a simple flat file approach would be 
perfect, and I don't mind at all to require app specific usernames *and* 
passwords.


However, I am unsure how to combine your recipe below with our regular 
AD userdb/passdb.


Perhaps someone can give me some pointers in that direction?

MJ

On 07/20/2017 06:50 PM, Kirill Miazine wrote:

I'm not familiar with samba AD and with its features and limitations.
For my simple system I'm using plain files for passdb and userdb (aka.
passwd-file). Application (or rather device) specific passwords are
implemented by having an additional "username" with a specific
password for a particular application or device. E.g. some entries for
myself:

 bbmutt:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir 
userdb_quota_rule=*:bytes=10240M
 kmozilla:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir 
userdb_quota_rule=*:bytes=10240M
 sailpad:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir 
userdb_quota_rule=*:bytes=10240M
 workphone:*:10001:10001::/krot/mail/km::userdb_mail=maildir:~/Maildir 
userdb_quota_rule=*:bytes=10240M

The files are generated automatically from a Single Source of Truth.

In my case I'm selecting the username myself, but there's nothing
preventing you from generating a username/password combination for your
users.

Note that in my setup users will have application specific username and
password, not only application specific password. It was easier to
implement it quickly this way.

Greetz
Kirill



Re: application specific passwords

2017-07-20 Thread mj

Hi,

Let me ask a more specific question.

What I would like to configure, is:

- for our internal users to use their regular AD username/passwords, just 
as everybody can currently do.


but, new:
- for external users, to ONLY be allowed to use an application specific 
password. (or username and password, fine as well)


Step one: making ldap password authentication valid only from our 
internal network. I thought: using allow_nets=192.168.1.0/24 for that passdb


But I can't get that to work. :-( Unsure where exactly to define the 
allow_nets, tried many variations on the theme already.


Perhaps someone can help with the step one, and also tell me if the 
approach outlined above is smart, valid and do-able in dovecot.


Here are our sanitised configs:


root@mails:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_failure_delay = 2 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = 
maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox "Deleted items" {

special_use = \Trash
  }
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent items" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  mailbox inbox {
auto = subscribe
  }
  prefix = 
  separator = /

  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename 
append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
mode = 0666
  }
  unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
user = vmail
  }
  user = dovecot
}
ssl_ca = 

and our dovecot-ldap.conf.ext:


hosts = ldap1 ldap2 ldap3
dn = cn=search,cn=
dnpass = secretashell
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=.
scope = subtree
user_attrs = 
=home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,allow_nets=192.168.1.0/24
user_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)


MJ


Re: under some kind of attack

2017-07-20 Thread mj


On 07/20/2017 08:47 PM, Robert Schetterer wrote:

Ok I understand, not a bad idea, report how it works for you


That "report how it works for you" was exactly why I posted the fail2ban 
failregex back to the list. :-) So others can use it too.


It works fantastic, and I combined it now with blocking complete 
countries at the firewall-level.


Users have their regular three login tries, and get a password dialogue 
if they changed their password.


(which many did, in the light of this attack)

And the last botnet attempts remaining, using "password" etc are blocked 
instantly.


Works nicely. :-)

Now I want to implement application specific passwords, I will post 
about that in a separate message. As you have been such a great help, 
perhaps you can also help a little bit in that thread...?


Thanks again,
MJ


Re: under some kind of attack

2017-07-20 Thread mj

Hi Robert,


i dont understand why you focused on that ldap strings
fail2ban should trigger on some "Authentication failure" regex in the
related syslog

perhaps this will help to make it more clear

http://www.stefan-seelmann.de/wiki/fail2ban#postfix-and-dovecot


Yes, but I have that as well. :-)

I wanted two kinds of blockings:

#1: Everybody trying the well-known passwords (password, 123321, 1q2w3e, 
etc, etc) to become blocked *immediately* and for *always*.


#2: I wanted all others have to have the 'regular' settings, with three 
shots at typing a password, etc.


#2 being the 'regular fail2ban' settings, but during this attack, I 
wanted special settings, #1, for anyone trying one of the malicious 
passwords.


I did NOT want to have them the usual three opportunities to try.

In fact: this is a bit similar to your iptables solution, but that only 
works for non-ssl/non-tls connections.


Your iptables solution makes sure that they cannot authenticate *at all*, 
while the above solution makes sure they can only authenticate *once*.


MJ


application specific passwords

2017-07-20 Thread mj

Hi,

Further to the other thread about password guessing activities against 
our dovecot, I would like to implement application specific passwords on 
our dovecot.


Googling results in some documents, but they are all a bit older:


https://www.happyassassin.net/2014/08/26/adding-application-specific-passwords-to-dovecot-when-using-system-user-accounts/



https://www.dgsiegel.net/news/2013_05_21-application_specific_passwords_for_dovecot



http://www.justinbuchanan.com/blog/category/RoundCube



http://www.justinbuchanan.com/blog/post/2012/12/02/Application-Specific-Passwords-for-Dovecot-and-Postfix


Those articles are interesting, but also rather old. (I realise that this 
does not necessarily mean: irrelevant or bad)


Is there anyone here with some additional notes, ideas, tips, tricks on 
setting up application specific passwords with dovecot with virtual 
users? We are using samba AD as an authentication backend.


MJ


Re: under some kind of attack

2017-07-20 Thread mj
I have concocted something that seems to work. And for the archives, this 
is it:



failregex = auth: Info: ldap\(.+,,.+\): invalid credentials \(given 
password: .+ssword\)
auth: Info: ldap\(.+,,.+\): invalid credentials \(given 
password: 1qaz2wsx\)
auth: Info: ldap\(.+,,.+\): invalid credentials \(given 
password: 123321\)
auth: Info: ldap\(.+,,.+\): invalid credentials \(given 
password: 1234567890\)
auth: Info: ldap\(.+,,.+\): invalid credentials \(given 
password: 1q2w3e4r.+\)


It's still reactive, and not pro-active.

All the other suggestions are very much appreciated, including 
weakforced, however implementing that is a much larger project.


Next I have to find out how to feed my fail2ban logs back to 
blocklist.de, to improve their mail.txt hit rate.


Thanks again for all kind assistance.

MJ

On 07/20/2017 11:16 AM, mj wrote:

Hi all,

If I may, one more question on this subject:

I would like to create a fail2ban filter that scans for these lines:

Jul 20 11:10:09 auth: Info: 
ldap(user1,60.166.35.162,): invalid credentials 
(given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,<V+nyHbxU+wA9NUIE>): 
invalid credentials (given password: password)


(as you can see, I have enabled auth_verbose_passwords to do this, 
making me very uncomfortable...)


Anyway: since there are only a few password variations, I would like to 
block anyone using those passwords.


(since the connections are over TLS/SSL, I cannot use iptables, as 
suggested earlier)


So I need a specific fail2ban rule that extracts the  from that 
line, and matches on "(given password: password)"


Can anyone here help out with a failregex line that would match..?
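Added example (my own code, not code from this thread and not part of Dovecot or fail2ban): the two detection rules discussed in this thread, run over constructed auth log lines. The single-line rule is the one the failregex above implements (any client that presents one of the well-known passwords is flagged on its first attempt). The aggregation rule addresses the low-rate pattern from the "under another kind of attack" thread, where each IP tries only once or twice so a per-IP counter never fires: it counts distinct source IPs per username and distinct usernames per IP across the whole log. The usernames, session ids and documentation-range IPs (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) in SAMPLE_LOG are constructed, and the threshold min_distinct=3 is an arbitrary choice:

```python
import re
from collections import defaultdict

# Failure lines Dovecot writes with auth_verbose=yes, for both the ldap and the
# pam passdb.  The session id in angle brackets is optional: it is not always
# present, and HTML list archives tend to strip it.
AUTH_FAIL_RE = re.compile(
    r"\b(?P<passdb>ldap|pam)\((?P<user>[^,]+),(?P<ip>[^,<>]+),(?:<[^>]*>)?\): "
    r"(?P<reason>.*)$"
)
# The attempted password that auth_verbose_passwords=plain appends.
GIVEN_PW_RE = re.compile(r"\(given password: (?P<pw>.*)\)$")
# Same candidates as the failregex in the thread: anything ending in "ssword",
# a few fixed strings, and every keyboard walk that starts with 1q2w3e4r.
WEAK_PW_RE = re.compile(r"^(?:.+ssword|1qaz2wsx|123321|1234567890|1q2w3e4r.*)$")

# Constructed sample log (documentation-range IPs, made-up users and session ids).
SAMPLE_LOG = """\
Jul 18 21:33:33 auth: Info: ldap(username1,203.0.113.10,<AAAAexample0001>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,198.51.100.7,<AAAAexample0002>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,203.0.113.10,<AAAAexample0003>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,192.0.2.44,<AAAAexample0004>): invalid credentials (given password: Correct-Horse-7)
Jul 18 21:37:18 auth: Info: ldap(username3,198.51.100.7,<AAAAexample0005>): invalid credentials (given password: password)
Jul 18 21:37:40 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=192.0.2.5, lip=198.51.100.1, mpid=4242, TLS, session=<AAAAexample0006>
Jul 25 14:03:17 irams1 dovecot: auth-worker(2212): pam(eurodisc,203.0.113.10,<AAAAexample0007>): unknown user
Jul 25 16:10:47 irams1 dovecot: auth-worker(4250): pam(endsulei,203.0.113.10,<AAAAexample0008>): unknown user
Jul 25 16:11:45 irams1 dovecot: auth-worker(5933): pam(endsulei,192.0.2.99,): unknown user
Jul 25 13:29:22 irams1 dovecot: auth-worker(4745): pam(endsulei,198.51.100.200,<AAAAexample0009>): unknown user
Jul 20 11:10:09 auth: Info: ldap(user1,192.0.2.44,<AAAAexample0010>): invalid credentials (given password: 123321)
"""


def parse_auth_failure(line):
    """Return a dict with user, ip, passdb, reason and password (None when the
    line carries no given-password suffix), or None for any other log line."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    pw = GIVEN_PW_RE.search(rec["reason"])
    rec["password"] = pw.group("pw") if pw else None
    return rec


def weak_password_hits(lines):
    """IP -> number of failures that used one of the well-known passwords.
    This is the rule the thread bans on first sight: one hit is enough."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_auth_failure(line)
        if rec and rec["password"] is not None and WEAK_PW_RE.match(rec["password"]):
            hits[rec["ip"]] += 1
    return dict(hits)


def distributed_attack_report(lines, min_distinct=3):
    """Aggregate over the whole log instead of per source IP.
    Returns (targeted_users, spraying_ips): usernames hit from at least
    min_distinct different IPs, and IPs that tried at least min_distinct
    different usernames.  Either one is invisible to a per-IP retry counter."""
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    for line in lines:
        rec = parse_auth_failure(line)
        if rec:
            ips_per_user[rec["user"]].add(rec["ip"])
            users_per_ip[rec["ip"]].add(rec["user"])
    targeted = {u: len(s) for u, s in ips_per_user.items() if len(s) >= min_distinct}
    spraying = {ip: len(s) for ip, s in users_per_ip.items() if len(s) >= min_distinct}
    return targeted, spraying


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("weak-password hits per IP:", weak_password_hits(lines))
    targeted, spraying = distributed_attack_report(lines)
    print("accounts hit from many IPs:", targeted)
    print("IPs trying many accounts:", spraying)
```

The per-line part is what a fail2ban failregex does, with its `<HOST>` placeholder standing in for the ip group; the cross-IP aggregation is what fail2ban by design cannot do, since it bans per source address. distributed_attack_report is therefore meant for a periodic job whose output feeds an ipset or a per-account action (a warning to the user, a forced password change), which is the situation described in the "under another kind of attack" thread.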


Re: under some kind of attack

2017-07-20 Thread mj

Hi all,

If I may, one more question on this subject:

I would like to create a fail2ban filter that scans for these lines:


Jul 20 11:10:09 auth: Info: ldap(user1,60.166.35.162,): 
invalid credentials (given password: password)
Jul 20 11:10:19 auth: Info: ldap(user2,61.53.66.4,): invalid 
credentials (given password: password)


(as you can see, I have enabled auth_verbose_passwords to do this, 
making me very uncomfortable...)


Anyway: since there are only a few password variations, I would like to 
block anyone using those passwords.


(since the connections are over TLS/SSL, I cannot use iptables, as 
suggested earlier)


So I need a specific fail2ban rule that extracts the  from that 
line, and matches on "(given password: password)"


Can anyone here help out with a failregex line that would match..?


Re: under some kind of attack

2017-07-19 Thread mj

Hi everybody,

Thanks very much for the kind advice given yesterday and today.

I have now implemented the blocklist on
* http://list.blocklist.de/lists/all.txt
using the scripts here:
* https://forum.blocklist.de/viewtopic.php?f=11=84#

(a combi of bash and php)

For now, my server appears to handle that approach (with the separate 
iptables rules) quite nicely. But I will keep the ipset solution in mind.


Anyone aware of other blocklists that are worth blocking? Because the 
list.blocklist.de/lists/all.txt blocks some, but not anywhere near all.


I now know  how to block large lists of ips, so if anyone has additional 
lists to block?


MJ

On 07/19/2017 12:42 PM, Dave wrote:

On 19/07/2017 11:23, mj wrote:

Hi Robert,

On 07/18/2017 11:43 PM, Robert Schetterer wrote:

I guess not, but typical bots aren't using ssl, check it

however fail2ban sometimes is too slow


I have configured dovecot with
auth_failure_delay = 10 secs

I hope that before the 10 sec are over, dovecot will have logged about the
failed login attempt, and fail2ban will have blocked the ip by then.


I realise this is orthogonal to dovecot, but if you are attempting to block a
very large number of IPs, it is more efficient to use a single ipset than
thousands of iptables rules:

For example, given a single firewall rule:

iptables -A INPUT -p tcp --dport 143 -m set --match-set imap-bl src -j DROP

/etc/fail2ban/jail.conf:

[imap]

...
action = ipset[name=imap-bl]

/etc/fail2ban/action.d/ipset.conf:

[Definition]

# fail2ban tracks, so we dont use ipset timeout
actionstart = /usr/sbin/ipset -exist create  hash:ip maxelem 131072
actionstop  = /usr/sbin/ipset -exist flush  

actioncheck =

actionban   = /usr/sbin/ipset -exist add  
actionunban = /usr/sbin/ipset -exist del  

You may have to ensure the ipset is present before referencing it in iptables,
for example, Redhat-alikes will have an ipset init script that operates in
exactly the same way as iptables (start/stop/save), with the configuration
stored under /etc/sysconfig/ipset:

create imap-bl hash:ip family inet hashsize 1024 maxelem 131072

chkconfig ipset on
service ipset start

(create iptables rules, ipset created on boot prior to iptables, other distros
likely have similar configuration)

I've found that the slowest component tends to be fail2ban itself, which has
difficulty tracking a large number of IPs or even tailing sufficiently busy
logfiles.



Re: under some kind of attack

2017-07-19 Thread mj

Hi Robert,

On 07/18/2017 11:43 PM, Robert Schetterer wrote:

I guess not, but typical bots aren't using ssl, check it

however fail2ban sometimes is too slow


I have configured dovecot with
auth_failure_delay = 10 secs

I hope that before the 10 sec are over, dovecot will have logged about 
the failed login attempt, and fail2ban will have blocked the ip by then.


MJ


Re: under some kind of attack

2017-07-18 Thread mj

Hi Robert,

On 07/18/2017 10:15 PM, mj wrote:
Robert, your iptables suggestions are _very_ interesting! However, will 
they also work on imaps/993, because of the ssl?


I have adjusted and put into place your iptables suggestion like this:

iptables -I INPUT -p tcp --dport 143 -m string --algo bm --string '1q2w3e4r' -j 
DROP
iptables -I INPUT -p tcp --dport 993 -m string --algo bm --string '1q2w3e4r' -j 
DROP


However, I don't think it's working, as the login attempts just keep 
coming. Probably the reason is: smtp is plain text, and imap TLS/SSL is 
not, so the rules never get triggered.


MJ


Re: under some kind of attack

2017-07-18 Thread mj

Hi,

Thanks for the quick follow-ups! Much appreciated. After posting this, I 
immediately started working on fail2ban. And between my initial posting 
and now, fail2ban already blocked 114 IPs.


I have fail2ban with maxretry=1 and bantime=1800

However, it seems almost all IPs are different, and I don't think I can 
keep the above settings permanently.


Robert, your iptables suggestions are _very_ interesting! However, will 
they also work on imaps/993, because of the ssl?


Thanks for the quick replies!

MJ

On 07/18/2017 09:52 PM, Robert Schetterer wrote:

Am 18.07.2017 um 21:44 schrieb mj:

Hi all,

It seems we are under some kind of password guessing attack:


Jul 18 21:33:33 auth: Info:
ldap(username1,103.6.223.61,): invalid credentials
(given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info:
ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): invalid credentials
(given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info:
ldap(username2,117.243.180.225,): invalid
credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info:
ldap(username2,58.59.103.230,): invalid credentials
(given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info:
ldap(username4,58.215.13.154,): invalid credentials
(given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info:
ldap(username3,220.175.154.205,): invalid
credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info:
ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): invalid credentials
(given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info:
ldap(username4,119.1.98.121,): invalid credentials
(given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info:
ldap(username3,218.76.156.11,): invalid credentials
(given password: 1q2w3e4r)


Different IPs, different usernames, but all (almost) the same password.

Any idea what we can do about this??

Any advice you could give us would be very much appreciated.

MJ


perhaps this

https://wiki.dovecot.org/HowTo/Fail2Ban


or you may adapt this

https://sys4.de/de/blog/2015/11/07/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp/

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

to pop3(s)/imap(s) and your needs




Best Regards
MfG Robert Schetterer



under some kind of attack

2017-07-18 Thread mj

Hi all,

It seems we are under some kind of password guessing attack:


Jul 18 21:33:33 auth: Info: ldap(username1,103.6.223.61,): 
invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,221.4.61.180,<89WnmZxUrADdBD20>): 
invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,117.243.180.225,): 
invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,58.59.103.230,): 
invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,58.215.13.154,): 
invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,220.175.154.205,): 
invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,14.142.29.142,<40zopJxUSgAOjh2O>): 
invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,119.1.98.121,): 
invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,218.76.156.11,): 
invalid credentials (given password: 1q2w3e4r)


Different IPs, different usernames, but all (almost) the same password.

Any idea what we can do about this??

Any advice you could give us would be very much appreciated.

MJ
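The pattern in these log lines (many source IPs, many usernames, one or two passwords) is password spraying rather than a classic brute force, and the per-IP rules in the fail2ban and iptables links only catch the latter. Grouping the failures by attempted credential makes the spray visible, and because Dovecot writes the auth log after TLS is stripped, this works the same for imaps/993 as for plain imap. The following is an added example, not code from the thread or from Dovecot: it parses lines in the auth_verbose_passwords format quoted above (the sample log is constructed, with RFC 5737 documentation addresses and placeholder session ids) and reports both spray candidates and single-source brute force. It only needs credential equality, so it works unchanged on auth_verbose_passwords=sha1 output, which avoids keeping plaintext guesses in the log. Thresholds and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the auth_verbose_passwords output
# quoted in the thread.  Addresses are documentation ranges (RFC 5737),
# session ids are placeholders; none of this is real traffic.
SAMPLE_LOG = """\
Jul 18 21:33:33 auth: Info: ldap(username1,192.0.2.10,<s1>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:34:16 auth: Info: ldap(username1,198.51.100.7,<s2>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:36:13 auth: Info: ldap(username2,203.0.113.25,<s3>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:50 auth: Info: ldap(username2,198.51.100.9,<s4>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:36:56 auth: Info: ldap(username4,203.0.113.54,<s5>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:18 auth: Info: ldap(username3,192.0.2.205,<s6>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:25 auth: Info: ldap(username5,198.51.100.142,<s7>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:37:27 auth: Info: ldap(username4,192.0.2.121,<s8>): invalid credentials (given password: 1q2w3e4r5t)
Jul 18 21:37:54 auth: Info: ldap(username3,203.0.113.11,<s9>): invalid credentials (given password: 1q2w3e4r)
Jul 18 21:38:02 auth: Info: ldap(username1,192.0.2.10,<s10>): invalid credentials (given password: wrongpw1)
Jul 18 21:38:05 auth: Info: ldap(username1,192.0.2.10,<s11>): invalid credentials (given password: wrongpw2)
Jul 18 21:38:09 auth: Info: ldap(username1,192.0.2.10,<s12>): invalid credentials (given password: wrongpw3)
"""

# One Dovecot auth failure line: passdb name, user, remote IP and session id
# in the parenthesised prefix, the attempted credential (plain or sha1) at
# the end.  An empty session id (as in some lines above) also matches.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) auth: Info: "
    r"(?P<passdb>[\w-]+)\((?P<user>[^,]*),(?P<ip>[^,]*),(?P<session>[^)]*)\): "
    r"invalid credentials \(given password: (?P<password>.*)\)$"
)


def parse_failures(log_text):
    """Return one dict per 'invalid credentials' line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def spray_candidates(events, min_users=2, min_ips=3):
    """Password spraying: one credential tried against many accounts from many
    sources.  Group by credential and keep those spanning at least min_users
    accounts and min_ips source addresses (assumed thresholds)."""
    users, ips = defaultdict(set), defaultdict(set)
    for e in events:
        users[e["password"]].add(e["user"])
        ips[e["password"]].add(e["ip"])
    return {
        pw: {"users": sorted(users[pw]), "ips": sorted(ips[pw])}
        for pw in users
        if len(users[pw]) >= min_users and len(ips[pw]) >= min_ips
    }


def bruteforce_sources(events, min_passwords=3):
    """Classic brute force: one source tries many credentials against one
    account.  These (ip, user) pairs are what a per-IP fail2ban jail catches;
    the spray above mostly is not, since each IP tries only once or twice."""
    guesses = defaultdict(set)
    for e in events:
        guesses[(e["ip"], e["user"])].add(e["password"])
    return {key: len(pws) for key, pws in guesses.items() if len(pws) >= min_passwords}


def analyze(log_text):
    """Run both detectors over a chunk of auth log and return a report dict."""
    events = parse_failures(log_text)
    return {
        "failures": len(events),
        "spray": spray_candidates(events),
        "bruteforce": bruteforce_sources(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report["failures"], "failed logins")
    for pw, info in report["spray"].items():
        print(f"spray: {pw!r} against {len(info['users'])} users from {len(info['ips'])} IPs")
    for (ip, user), n in report["bruteforce"].items():
        print(f"brute force: {ip} tried {n} passwords for {user}")
```

For a live system, feed it `dovecot.info` in a cron job or a log pipeline; a spray hit is a signal to rate-limit by credential or by username rather than by source address.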


Re: how to make user iteration work (with active directory ldap)

2017-07-07 Thread mj

Hi Aki,

Wow that was a quick reply! :-)


userdb {
   args = uid=vmail gid=vmail home=/var/vmail/%n allow_all_users=yes
   driver = static
}


This needs to use driver = ldap, static userdb's are not iteratable.


Did that, and after changing args to point to a filename, everything 
popped into place :-)


Thanks for your assistance!

MJ


how to make user iteration work (with active directory ldap)

2017-07-07 Thread mj
We received no replies to this email that we sent a few days ago. We're 
not sure why. If we miss something that is obvious to everybody, kindly 
point it out.
We would like to get iteration working, to be able to mass-delete 
specific emails from all mailboxes, in case of, for example, received 
viruses...


Here is my question again:

Hi,

User iteration doesn't work, we're getting:

auth: Error: Trying to iterate users, but userdbs don't support it


The way I understand it, I need to set iterate_attrs and iterate_filter 
for iteration to work. I have set it (see configs below) and yet dovecot 
says "userdbs don't support it". What else do I need to do to enable it?


Our config is against samba Active Directory ldap and generally works 
fine. Can anyone here take a quick look at the configs below, and tell 
me how to make

 doveadm user -u "*"
work?

Below are our configs. Any tips would be appreciated...!

MJ


root@dovetest:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_debug_passwords = yes
auth_failure_delay = 400 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = 
maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox "Deleted items" {

special_use = \Trash
  }
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent items" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  mailbox inbox {
auto = subscribe
  }
  prefix = 
  separator = /

  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = failure_show_msg=yes dovecot
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename 
append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
mode = 0666
  }
  unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
user = vmail
  }
  user = dovecot
}
ssl_ca = 

and dovecot-ldap.conf.ext:

hosts = 127.0.0.1:391
dn = cn=search,cn=users,dc=company,dc=com
dnpass = secret
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=samba, DC=cmpany, DC=com
scope = subtree
user_attrs = 
=home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n
user_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)


how to make user iteration work (ldap)

2017-07-04 Thread mj

Hi,

User iteration doesn't work, we're getting:

auth: Error: Trying to iterate users, but userdbs don't support it


The way I understand it, I need to set iterate_attrs and iterate_filter 
for iteration to work. I have set it, and yet it doesn't work with the 
above failure.


Our config is against ldap (active directory) and generally works fine. 
Can anyone here take a quick look, and tell me how to make

> doveadm user -u "*"
work?

Below are the required configs. Any tips would be appreciated...!

MJ


root@dovetest:/etc/dovecot# doveconf -n
# 2.2.26.0 (23d1de6): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.7 xfs
auth_debug = yes
auth_debug_passwords = yes
auth_failure_delay = 400 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
info_log_path = /var/log/dovecot/dovecot.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
log_path = /var/log/dovecot/dovecot.err
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = 
maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location = 
  mailbox "Deleted items" {

special_use = \Trash
  }
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent items" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  mailbox inbox {
auto = subscribe
  }
  prefix = 
  separator = /

  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = failure_show_msg=yes dovecot
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  skip = authenticated
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename 
append
  mail_log_fields = uid box msgid from subject
  quota = maildir
  quota_rule = ?:storage=5G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=97%% quota-warning 97 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=85%% quota-warning 85 %u
  quota_warning5 = storage=80%% quota-warning 80 %u
  quota_warning6 = -storage=100%% quota-warning below %u
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/default.sieve
  sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
mode = 0666
  }
  unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
  }
}
service imap-login {
  process_limit = 500
  process_min_avail = 2
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
user = vmail
  }
  user = dovecot
}
ssl_ca = 

and dovecot-ldap.conf.ext:

hosts = 127.0.0.1:391
dn = cn=search,cn=users,dc=company,dc=com
dnpass = secret
tls = no
debug_level = 0
auth_bind = yes
base = CN=Users, DC=samba, DC=cmpany, DC=com
scope = subtree
user_attrs = 
=home=/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n,=mail=maildir:/var/vmail/%n/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%n/shared/%n
user_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
iterate_attrs = sAMAccountName=user
iterate_filter = (objectClass=person)


Re: letsencrypt

2017-03-03 Thread mj

Yes:

I'm using the acme.sh client, and I can do:

> acme.sh --issue --standalone -d example.com --httpport 88

It does what you'd expect: it runs using a small webserver on port 88

I only just discovered that option myself :-)

MJ

On 03/03/2017 08:22 PM, David Mehler wrote:

Hello,

Thanks. Is there another way of doing this? I've got a web server
running on 80 and 443. Are there any other options?

Thanks.
Dave.


Re: two listeners with different "driver = " configs

2017-01-03 Thread mj

Hi Sami,


It is difficult.

So it seems. :-)

Thanks for your suggestions.

Perhaps I just have to accept that what I would like is not possible.

Thanks again for all suggestions!

MJ


Re: two listeners with different "driver = " configs

2017-01-03 Thread mj

Hi Aki, list,

On 12/31/2016 11:50 AM, Aki Tuomi wrote:

or maybe you can try

local 0.0.0.0/0:144 {
passdb {
}
}



That makes dovecot complain:

"Auth settings not supported inside local/remote blocks: passdb"

MJ


Re: two listeners with different "driver = " configs

2017-01-02 Thread mj



On 01/01/2017 10:10 PM, Charles Marcus wrote:

Or, maybe it is the holidays and people actually have a life?


I was just trying to make sure (after patiently waiting two days) that I 
wasn't missing some config option obvious to everyone except me.


And a propos holidays: Happy new year to everybody :-)

(and thanks Aki Tuomi for your replies)

MJ


Re: two listeners with different "driver = " configs

2016-12-31 Thread mj

Hi,

Does the lack of replies mean that what I'm asking is not possible?

(or am I missing something SO obvious that nobody bothers to point it 
out..?)


MJ

On 12/29/2016 09:23 PM, mj wrote:

Hi,

I would like to have two separate imap listeners, with different
authentication settings, but the mailstore and userbase etc will be
identical.

I know I can do this:


service imap-login {
   inet_listener imap {
 port = 143
   }
   inet_listener imap2 {
 port = 144
   }
}


But I'm unsure how to configure imap/143 with "driver = ldap" and
imap2/144 with "driver = pam"

Just to explain why i would like this:

I am using pam-script-saml (https://github.com/ck-ws/pam-script-saml) to
enable saml-based access to dovecot. I would like to have one listener
144 to only serve this saml authentication listener, and the regular 143
listener with driver = ldap.

Is that config possible?

Best regards,
MJ


Re: two listeners with different "driver = " configs

2016-12-30 Thread mj



On 12/29/2016 09:23 PM, mj wrote:

Hi,

I would like to have two separate imap listeners, with different
authentication settings, but the mailstore and userbase etc will be
identical.

I know I can do this:


service imap-login {
   inet_listener imap {
 port = 143
   }
   inet_listener imap2 {
 port = 144
   }
}


For the record, I'm using dovecot 2.2.26 on debian.

MJ


two listeners with different "driver = " configs

2016-12-29 Thread mj

Hi,

I would like to have two separate imap listeners, with different 
authentication settings, but the mailstore and userbase etc will be 
identical.


I know I can do this:


service imap-login {
   inet_listener imap {
 port = 143
   }
   inet_listener imap2 {
 port = 144
   }
}


But I'm unsure how to configure imap/143 with "driver = ldap" and 
imap2/144 with "driver = pam"


Just to explain why i would like this:

I am using pam-script-saml (https://github.com/ck-ws/pam-script-saml) to 
enable saml-based access to dovecot. I would like to have one listener 
144 to only serve this saml authentication listener, and the regular 143 
listener with driver = ldap.


Is that config possible?

Best regards,
MJ


Re: SAML | Input buffer full (no auth attempts in 0 secs)

2016-12-04 Thread mj


On 12/03/2016 08:04 PM, Timo Sirainen wrote:


If SOGo used AUTHENTICATE PLAIN instead of LOGIN, it should work. The
SASL authentication buffer is larger (8 kB) than regular commands'
buffer (~1 kB).

Thanks Timo, that worked! :-)

MJ


SAML | Input buffer full (no auth attempts in 0 secs)

2016-12-03 Thread mj

Hi,

In my journey to enable SAML auth for our webmail (sogo.nu) I have
created a password-less dovecot imap listener on 127.0.0.1/32, so that
once a user is SAML authenticated for the SOGo webmail, SOGo can connect 
to dovecot on 127.0.0.1:143 with something like "01 LOGIN username 
randompassword".


Watching this (tcpflow) as it happens, I can see the following auth 
attempt coming from sogo:



1 login "username" "<...>"


Note, the actual 'password' is even longer.

This connection attempt is causing dovecot to throw the
following error:

> Dec 02 22:34:33 imap-login: Info: Disconnected: Input buffer full (no
> auth attempts in 0 secs): user=<>, rip=x.y.z.32, lip=x.y.z.68,
> session=<d+o3tLNCaOvAV48g>
and

BYE Input buffer full, aborting


So this doesn't work. :-(

The question: is there a way to make this work? (make the input buffer 
larger, for example..?)


Or any other ideas to make this work?

Thanks in advance,

MJ
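Timo's answer in this thread is that the same credentials survive when sent as AUTHENTICATE PLAIN instead of LOGIN, because imap-login parses the SASL exchange in a larger buffer (about 8 kB) than ordinary commands (about 1 kB). The following is an added example, not code from the thread, SOGo or Dovecot: it builds both client commands for the same user and token and reports which one stays inside its buffer. The two limits are taken from Timo's message and treated as assumptions, and the long token is a constructed stand-in. A caveat worth stating about the setup itself: a listener that accepts any password is not protected by the "randompassword" value, so anything that can reach 127.0.0.1:143 can log in as any user; binding it to loopback is the only access control left.

```python
import base64

# Buffer sizes as described in the thread: about 1 kB for regular commands
# in imap-login, 8 kB for SASL.  Assumed here, not read from Dovecot.
LOGIN_CMD_LIMIT = 1024
SASL_BUFFER_LIMIT = 8192


def imap_quoted(s):
    """Render a string as an IMAP quoted string (LOGIN takes two of these)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def login_command(tag, user, password):
    """The form SOGo was sending: one LOGIN line carrying the whole token."""
    return f"{tag} LOGIN {imap_quoted(user)} {imap_quoted(password)}\r\n".encode()


def sasl_plain_message(user, password, authzid=""):
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, base64 encoded so it can
    be sent as an RFC 4959 initial response on the AUTHENTICATE line."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def authenticate_command(tag, user, password):
    """AUTHENTICATE PLAIN with the credentials as SASL initial response."""
    return f"{tag} AUTHENTICATE PLAIN {sasl_plain_message(user, password)}\r\n".encode()


def which_forms_fit(user, password):
    """Report which client command stays inside the buffer that parses it.
    Base64 inflates the payload by a third, so the SASL form is longer on the
    wire, but it is checked against the larger buffer."""
    return {
        "LOGIN": len(login_command("a1", user, password)) <= LOGIN_CMD_LIMIT,
        "AUTHENTICATE PLAIN": len(authenticate_command("a1", user, password)) <= SASL_BUFFER_LIMIT,
    }


if __name__ == "__main__":
    # Constructed stand-in for the long SAML-derived token used as password.
    long_token = "A" * 1500
    print("short password:", which_forms_fit("username", "hunter2"))
    print("1500-byte token:", which_forms_fit("username", long_token))
    print(len(login_command("a1", "username", long_token)), "bytes on the LOGIN line")
```

From a Python client the equivalent of the working form is `imaplib.IMAP4.authenticate("PLAIN", lambda challenge: f"\0{user}\0{password}".encode())`; imaplib does the base64 encoding itself. Note that the 8 kB SASL buffer is still a ceiling: a token a few kilobytes larger than the one in this thread fails in both forms.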


Re: any news Enterprise Repository Access?

2016-07-31 Thread mj



On 07/31/2016 07:04 PM, mj wrote:

What exactly is a "ce repository"?


Guessing now: Community Edition...

Such a repo would be very much welcomed by us! (currently running wheezy 
with its original dovecot, 2.1.7)


MJ


Re: any news Enterprise Repository Access?

2016-07-31 Thread mj

Hi,

On 07/31/2016 04:36 PM, aki.tu...@dovecot.fi wrote:

We are discussing about making ce repos at some point. This would probably help 
some people.

Aki


We're following this thread with interest. What exactly is a "ce 
repository"?


(google doesn't help)

MJ


Re: Migrating to dovecot from gmail apps

2016-03-28 Thread mj



On 03/28/2016 05:05 PM, aki.tu...@dovecot.fi wrote:



On March 28, 2016 at 5:43 PM Phil Lello <p...@dunlop-lello.uk> wrote:


Hi,

I'm considering migrating away from gmail for my (one-man) company, and I'm
trying to decide if dovecot is the right option (I'm committed to
self-hosting). I'm a developer, so happy to do my own tooling if needed.

*Is there currently a good webmail interface to dovecot, or work-in
progress?* If not, would a web interface be out-of-scope for dovecot? I
want to use SAML for authentication, so a solution that relies on POP/IMAP
doesn't meet my needs - unless I add Kerberos into the mix, which is an
additional learning curve, and possibly not widely supported.



Open-Xchange appsuite might fit your needs.


Or you could take a look at SOGo: http://sogo.nu/

MJ


Re: Timeout for LDAP connection

2016-03-11 Thread mj



On 03/11/2016 03:30 PM, Gordon Grubert wrote:

Of course, such a WORKAROUND could be used and I'm sure that this
works. But Timo says, dovecot is using the LDAP API. The openldap
client can handle network timeouts. Therefore, dovecot has to be able
to use these timeouts, too, like described in ldap.conf(5).

Sure sure, absolutely agreed.


Re: Timeout for LDAP connection

2016-03-11 Thread mj

Hi,

We're now running with ldap via haproxy, as was suggested in this thread 
by Timo. So far, so good: it seems to work very well.


MJ

On 03/10/2016 04:15 PM, Gordon Grubert wrote:

Hi Timo,

On 01.03.2016 22:51, Timo Sirainen wrote:

On 29 Feb 2016, at 17:18, Gordon Grubert
<gordon.grubert+li...@uni-greifswald.de> wrote:


Hi,

we are using a round robin dns record for connections to our ldap
system. This works fine for almost all cases. In particular, for
dovecot this means that when an ldap server is stopped, dovecot
instantly reconnects to another ldap server.

But when the network connection to the active ldap server is broken,
dovecot sticks to the failed ldap server. Is there any possibility to
define a connection timeout?


What should happen is that as long as new requests keep coming,
Dovecot realizes after about 60 seconds that the LDAP server is
hanging. It then reconnects and the reconnection should work. But...
First of all, 60 seconds is likely a much too long timeout.

But more importantly it looks like there's something weird now going
on with OpenLDAP library. I added this somewhat recently and tested
that it works:

https://github.com/dovecot/core/commit/fb3178a1924dae52151d88c4d4ded879df43dd3f


But now that I'm testing it, the timeout doesn't seem to be
triggering. I don't know what happened to it that it suddenly doesn't
work.. This also means that OpenLDAP seems to be internally stuck
trying to connect to a server that isn't responding. Dovecot doesn't
currently make the decisions on which LDAP server to connect to. It
just passes through all the hosts to OpenLDAP library and lets it
handle it. And it seems like OpenLDAP library can't right now do this
failover. So maybe Dovecot should be responsible for that as well..

Anyway, for now you could set up haproxy to localhost and configure
Dovecot LDAP to connect to haproxy and haproxy connect to the actual
LDAP servers.



today I've upgraded to 2.2.21-1~auto+171 on debian 8 and made a lot of
"interruption tests". Your fix did not really solve the problem.

But I found another interesting fact: The openldap client on debian 8
can handle hard communication interrupts correctly. I've added

NETWORK_TIMEOUT 5
TIMEOUT 5

to ldap.conf because man 5 ldap.conf says:

NETWORK_TIMEOUT 
Specifies the timeout (in seconds) after which the poll(2)/select(2)
following a connect(2) returns in case of no activity.

TIMEOUT 
Specifies  a  timeout  (in  seconds)  after  which  calls to
synchronous LDAP APIs will abort if no response is received.  Also
used for any ldap_result(3) calls where a NULL timeout parameter is
supplied.

We are using the ISC DHCP server with dynamic ldap connections. This
daemon uses - like dovecot - the LDAP API of the openldap client for
access to the ldap server. The DHCP opens a persistent ldap connection
to handle all dhcp requests (same behavior like dovecot). Here, the
timeouts for connection loss are working.

Therefore, my question: Why does this not work for dovecot, too, when
dovecot uses the same API? Dovecot does not get a response from the
LDAP server and has to reconnect, only.

IMAP server world domination requires a reconnect in case of connection
timeouts ;-)

Best regards,
Gordon


Re: Timeout for LDAP connection

2016-03-02 Thread mj

Hi,

We have experienced the same or similar problem, and not just with 
dovecot but also with postfix. Thanks for your HAProxy suggestion!


We have the feeling that when the ldap connection is actually DOWN 
(gone, terminated), OpenLDAP will reconnect to another server.
But if the ldap server becomes 'stuck' (as in: returning no data 
anymore, but not actually terminating the connection) a failover does 
not happen.


(we have had the second scenario, with samba4 AD ldap)

MJ

On 03/01/2016 10:51 PM, Timo Sirainen wrote:

 But now that I'm testing it, the timeout doesn't seem to be
triggering. I don't know what happened to it that it suddenly doesn't
work.. This also means that OpenLDAP seems to be internally stuck
trying to connect to a server that isn't responding. Dovecot doesn't
currently make the decisions on which LDAP server to connect to. It
just passes through all the hosts to OpenLDAP library and lets it
handle it. And it seems like OpenLDAP library can't right now do this
failover. So maybe Dovecot should be responsible for that as well..

Anyway, for now you could set up haproxy to localhost and configure
Dovecot LDAP to connect to haproxy and haproxy connect to the actual
LDAP servers.
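The distinction MJ draws above, a server that is down (TCP refused, the client library fails over) versus one that is stuck (TCP accepted, no LDAP response ever comes back), is exactly what a health check in front of the directory has to tell apart, and a bare TCP connect check cannot. The following is an added example, not code from the thread, Dovecot or OpenLDAP: it sends an anonymous LDAPv3 bind and classifies the endpoint as "ok", "stuck" or "down" by whether a BindResponse arrives before a deadline. It includes a throwaway local server that can play the stuck role, so it runs offline; the timeout value and the classification names are assumptions. haproxy's `option ldap-check` performs the same anonymous bind, so this is also a way to see what that check would observe against a wedged AD/samba4 node.

```python
import socket
import threading

# Anonymous LDAPv3 BindRequest, messageID 1, BER encoded:
#   SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, OCTET STRING "", [0] "" } }
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
# Matching BindResponse with resultCode success(0), used by the fake server.
BIND_OK = bytes.fromhex("300c02010161070a010004000400")


def probe_ldap(host, port, timeout=5.0):
    """Classify an LDAP endpoint as 'down', 'stuck' or 'ok'.

    'down'  : TCP connect refused/timed out, or the peer closed without
              answering (the case the client library fails over from)
    'stuck' : TCP accepted but no response within the timeout (the case from
              the thread, where the library keeps waiting on the dead server)
    'ok'    : response bytes arrived
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(ANON_BIND)
            try:
                data = s.recv(64)
            except socket.timeout:
                return "stuck"
            return "ok" if data else "down"
    except OSError:  # ConnectionRefusedError, timeout on connect, reset
        return "down"


def start_fake_ldap(behaviour):
    """Test double on 127.0.0.1: answers one bind ('ok') or accepts the TCP
    connection and then says nothing ('stuck').  Returns (port, stop_event);
    set stop_event to release a stuck server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5.0)
            try:
                conn.recv(64)
            except socket.timeout:
                return
            if behaviour == "ok":
                conn.sendall(BIND_OK)
            else:
                stop.wait(10.0)  # hold the connection open without replying
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port, stop


def unused_port():
    """A loopback port with nothing listening, to exercise the 'down' path."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ok_port, _ = start_fake_ldap("ok")
    stuck_port, stop = start_fake_ldap("stuck")
    print("answering server:", probe_ldap("127.0.0.1", ok_port, timeout=1.0))
    print("stuck server:    ", probe_ldap("127.0.0.1", stuck_port, timeout=1.0))
    stop.set()
    print("nothing listening:", probe_ldap("127.0.0.1", unused_port(), timeout=1.0))
```

Point `probe_ldap` at each directory server behind the round-robin name with a short timeout and you get the signal that the NETWORK_TIMEOUT/TIMEOUT discussion in this thread is about: a "stuck" result is the one that needs the server pulled from rotation, since the connection itself looks healthy.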



Re: Enterprise Repository Access?

2016-01-09 Thread mj


On 01/08/2016 04:41 PM, Timo Sirainen wrote:

The plan for now at least is to let existing accounts use it, but not
add any new ones. This might change at some point.


Does this mean that using the latest dovecot versions (aka the Dovecot 
Enterprise Repository Access) is being phased out?


And in the (perhaps even near) future, those who are using it will have 
to start looking elsewhere..?


Compiling our own dovecot for production use sounds less appealing, and 
the xi.rename-it.nl repo is marked as unstable and not recommended for 
production use...


That would be a disappointment... and I also don't seem to find paid 
dovecot plans/subscriptions, licenses on the open-xchange site..? (they 
mostly talk about an "OX App Suite")


I hope I'm missing something..?

MJ