Re: Auth-Trouble

2021-11-03 Thread Hanns Mattes 
Hi,

Am 01.11.21 um 18:00 schrieb infoomatic:
> please inform the mailing list if problems persist, thank you!
> 
> I am about to migrate to FreeBSD ...

it does. Fresh install with a config, that used to work:

# doveadm sync -u x...@zzz.de tcps:mail.bruecko.de
doveadm(x...@zzz.de): Panic: file array.c: line 10
(array_idx_modifiable_i): assertion failed: (idx < array->buffer->used /
array->element_size)
Abort

I'm clueless.

Regards Hanns

Re: Auth-Trouble

2021-11-01 Thread infoomatic 

please inform the mailing list if problems persist, thank you!

I am about to migrate to FreeBSD ...


On 01.11.21 13:53, Hanns Mattes wrote:

Hi,

Am 01.11.21 um 00:51 schrieb Hanns Mattes:

Hi,

Am 01.11.21 um 00:27 schrieb infoomatic:

does 2.3.17_1 from ports fix the problem?

I'm building own packages with poudriere and "pkg info dovecot" says
it's 2.3.17_1

Given the fact that this version is dated 2021-10-28 I'm not sure, if
its part of the problem or the solution.


I'll do a complete reinstallation of the server, there are obviously
more problems. For example: I can ssh to both servers (and i can connect
from them to my server at home) but they refuse to talk to each other.
Same with telnet etc. No idea why, so I'll start over and recheck things.

Regards Hanns

Re: Auth-Trouble

2021-11-01 Thread Hanns Mattes 
Hi,

Am 01.11.21 um 00:51 schrieb Hanns Mattes:
> Hi,
> 
> Am 01.11.21 um 00:27 schrieb infoomatic:
>> does 2.3.17_1 from ports fix the problem?
> 
> I'm building own packages with poudriere and "pkg info dovecot" says
> it's 2.3.17_1
> 
> Given the fact that this version is dated 2021-10-28 I'm not sure, if
> its part of the problem or the solution.
> 

I'll do a complete reinstallation of the server, there are obviously
more problems. For example: I can ssh to both servers (and i can connect
from them to my server at home) but they refuse to talk to each other.
Same with telnet etc. No idea why, so I'll start over and recheck things.

Regards Hanns

Re: Auth-Trouble

2021-10-31 Thread Hanns Mattes 
Hi,

Am 01.11.21 um 00:27 schrieb infoomatic:
> does 2.3.17_1 from ports fix the problem?

I'm building own packages with poudriere and "pkg info dovecot" says
it's 2.3.17_1

Given the fact that this version is dated 2021-10-28 I'm not sure, if
its part of the problem or the solution.

Regards Hanns

Re: Auth-Trouble

2021-10-31 Thread infoomatic 

does 2.3.17_1 from ports fix the problem?


On 01.11.21 00:01, Hanns Mattes wrote:

Hi,

Am 31.10.21 um 18:30 schrieb Hanns Mattes:

Hi, me again,
Hanns Mattes  schrieb:
I stand corrected and forgot to remove

things are working, except replication.

no, they don't.

okay, imap logins are working again.

Replication still failing. My guess is, that my master-user
configuration is the culprit.

Any Ideas?

Regards

Re: Auth-Trouble

2021-10-31 Thread Hanns Mattes 
Hi,

Am 31.10.21 um 18:30 schrieb Hanns Mattes:
> Hi, me again,
> Hanns Mattes  schrieb:
> I stand corrected and forgot to remove
>> things are working, except replication.
> no, they don't.

okay, imap logins are working again.

Replication still failing. My guess is, that my master-user
configuration is the culprit.

Any Ideas?

Regards

Re: Auth-Trouble

2021-10-31 Thread Hanns Mattes 
Hi, me again,


Hanns Mattes  schrieb:

I stand corrected and forgot to remove

>things are working, except replication.

no, they don't.

Regards Hanns

Auth-Trouble

2021-10-31 Thread Hanns Mattes 
Hi,

I've installed Dovecot on a freshly installed machine running Freebsd
13.4.

Configuration was copied from an earlier installation, which worked
perfectly, until I screwed an update.

AFAICS things are working, except replication. I see tons of Errors on
the remote and the local machine

Oct 31 16:15:30 freebsd dovecot[3248]: doveadm(x...@xx.de): Fatal:
connect(213.239.197.36:54321) failed: Interrupted system call

and some

Oct 31 16:47:33 freebsd dovecot[5509]: auth:
cram-md5(x...@xx.de,176.199.241.57,): Password mismatch

Oct 31 16:47:28 freebsd dovecot[5509]: doveadm(x...@yy.de): Fatal:
connect(213.239.197.36:54321) failed: Connection refused

and we also get

Oct 31 18:17:17 freebsd dovecot[934]:
imap(x...@wxxx.de)<1649>:
Panic: file array.c: line 10 (array_idx_modifiable_i): assertion failed:
(idx < array->buffer->used / array->element_size) Oct 31 18:17:17
freebsd dovecot[934]:
imap(x...@wxxx.de)<1649>:
Fatal: master: service(imap): child 1649 killed with signal 6 (core not
dumped - https://dovecot.org/bugreport.html#coredumps - set service imap
{ drop_priv_before_exec=yes })

not to forget

Oct 31 18:18:33 freebsd dovecot[934]: doveadm(xxx@xxx):
Fatal: connect(213.239.197.36:54321) failed: Connection refused


Users are authenticating with ldap.

I'm clueless, and I don't have any clue, if it is a misconfiguration of
dovecot or my freebsd-install.

Any ideas appreciated

Here is the output of doveconf -n
# 2.3.17 (e2aa53df5b): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.17 (054dddfa)
# OS: FreeBSD 13.0-RELEASE-p4 amd64  
# Hostname: freebsd.bruecko.de
auth_mechanisms = plain login digest-md5 cram-md5 apop
auth_username_chars = 
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890+.-_@
auth_verbose = yes
doveadm_password = # hidden, use -P to show it
doveadm_port = 54321
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
lmtp_save_to_detail_mailbox = yes
mail_location = mdbox:~/mdbox
mail_plugins = " quota fts fts_xapian trash zlib notify replication acl"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext
namespace {
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = mdbox:%%h/mdbox
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace {
  location = mdbox:/virtualmail/public:INDEXPVT=%h/mdbox/Public
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix = INBOX/
  separator = /
}
passdb {
  args = /usr/local/etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_anyone = allow
  acl_shared_dict = file:/virtualmail/shared-mailboxes.db
  fts = xapian
  fts_autoindex = yes
  fts_autoindex_exclude = \Trash
  fts_enforced = yes
  fts_xapian = partial=3 full=20 verbose=0
  mail_replica = tcps:mail.bruecko.de
  quota = dict:User quota::file:%h/dovecot-quota
  quota_exceeded_message = Storage quota for this account has been exceeded, 
please try again later.
  quota_grace = 250M
  quota_rule = *:storage=2500M
  quota_rule2 = INBOX/Trash:storage=+10%%
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full / Mailbox ist voll
  quota_status_success = DUNNO
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = storage=75%% quota-warning 75 %u
  sieve = ~/dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /virtualmail
  sieve_max_actions = 0
  sieve_max_redirects = 128
  sieve_max_script_size = 0
  sieve_quota_max_scripts = 0
  trash = /usr/local/etc/dovecot/dovecot-trash.conf.ext
}
postmaster_address = ad...@bruecko.de
protocols = imap pop3 lmtp sieve
replication_dsync_parameters = -d -N -l 30 -U -x Public
service aggregator {
  fifo_listener replication-notify-fifo {
user = vmail
  }
  unix_listener replication-notify {
user = vmail
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
mode = 0666
  }
  unix_listener auth-userdb {
group = vmail
user = vmail
  }
}
service decode2text {
  executable = script /usr/local/libexec/dovecot/decode2text.sh
  unix_listener decode2text {
mode = 0666
  }
  user = dovecot
}
service doveadm {
  inet_listener {
port = 54321
ssl = yes
  }
  vsz_limit = 0
}
service im

Re: [Dovecot] auth trouble

2012-06-08 Thread Glenn English 

On Jun 8, 2012, at 10:25 AM, Timo Sirainen wrote:

> I think the answer to this is simply that Dovecot v1.0 didn't tell PAM the 
> rhost. Upgrade.

Will do. What you say fits with what I see in the logs and 
is a lot simpler than many other suggestions. And you do 
have some credibility in this area :-)

Thanks.

-- 
Glenn English
hand-wrapped from my Apple Mail

Re: [Dovecot] auth trouble

2012-06-08 Thread Timo Sirainen 
On 6.6.2012, at 2.08, Glenn English wrote:

>> And these brute force attempts would be logged, each one.
> 
> They are, with no rhost. And there are other brute force attempts 
> that *do* have IPs.

I think the answer to this is simply that Dovecot v1.0 didn't tell PAM the 
rhost. Upgrade.

Re: [Dovecot] auth trouble

2012-06-05 Thread Glenn English 

On Jun 5, 2012, at 3:53 PM, /dev/rob0 wrote:

> What suspicions were confirmed?

At first I thought that somebody was TCP'ing in and somehow 
turning off the remote IP in the log so I couldn't block it. 
Then an answer from another mailing list, and a little thinking, 
made it occur to me that maybe my server had been penetrated.

> And these brute force attempts would be logged, each one.

They are, with no rhost. And there are other brute force attempts 
that *do* have IPs.

> I think you are overreacting.

I really hope so. What's your thinking? Have you seen this before? 
And most important: what is it, how does it work, and how do I get 
rid of it and keep it from coming back?

-- 
Glenn English
hand-wrapped from my Apple Mail

Re: [Dovecot] auth trouble

2012-06-05 Thread Joseph Tam 


Glenn English wrote:


Maybe someone is brute forcing your server's Postfix authenticated
SMTP service since Postfix can be configured to use Dovecot's SASL
authentication framework.


and for the suggestion -- I do have Postfix using Dovecot-Auth checking
for SASL.

I think I'm going to re-install and run Tripwire...


Tripwire?  If the purpose of your query is to automate blocking of brute
forcers, this software is not what you want (which detects tampering of
critical system files).

I suggest trying to find where Postfix failed login reports go, then use
your fail2ban or what-have-you to detect and block hosts that repeatedly
fail authentication.

(First Google hit I did on this subject)
http://scottlinux.com/2011/05/26/prevent-postfix-brute-force/

The log entries might look like

{timestamp} {servername} postfix/smtpd[{pid}]: lost connection after 
AUTH
from {remote-hostname}[{remote-ip}]

Joseph Tam

Re: [Dovecot] auth trouble

2012-06-05 Thread /dev/rob0 
On Tue, Jun 05, 2012 at 09:38:49AM -0600, Glenn English wrote:
> On Jun 4, 2012, at 8:45 PM, Joseph Tam wrote:
> > If dovecot-auth is getting input from a local socket, then rhost 
> > information is irrelevant since the host doing the asking is the 
> > server itself (maybe from another daemon connected to a remote 
> > host).
> 
> Thanks for the confirmation of my suspicions

What suspicions were confirmed?

> > Maybe someone is brute forcing your server's Postfix 
> > authenticated SMTP service since Postfix can be configured to
> > use Dovecot's SASL authentication framework.

And these brute force attempts would be logged, each one.

> and for the suggestion -- I do have Postfix using Dovecot-Auth 
> checking for SASL.
> 
> I think I'm going to re-install and run Tripwire...

I think you are overreacting.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: [Dovecot] auth trouble

2012-06-05 Thread Glenn English 

On Jun 4, 2012, at 8:45 PM, Joseph Tam wrote:

> If dovecot-auth is getting input from a local socket, then rhost
> information is irrelevant since the host doing the asking is the server
> itself (maybe from another daemon connected to a remote host).

Thanks for the confirmation of my suspicions

> Maybe someone is brute forcing your server's Postfix authenticated
> SMTP service since Postfix can be configured to use Dovecot's SASL
> authentication framework.

and for the suggestion -- I do have Postfix using Dovecot-Auth checking 
for SASL.

I think I'm going to re-install and run Tripwire...

-- 
Glenn English
hand-wrapped from my Apple Mail

Re: [Dovecot] auth trouble

2012-06-04 Thread Joseph Tam 

Glenn English writes:


I'm getting a lot of what I think is a local socket asking
dovecot:auth to verify username/passwords:


May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=


If dovecot-auth is getting input from a local socket, then rhost
information is irrelevant since the host doing the asking is the server
itself (maybe from another daemon connected to a remote host).

Maybe someone is brute forcing your server's Postfix authenticated
SMTP service since Postfix can be configured to use Dovecot's SASL
authentication framework.

Joseph Tam

Re: [Dovecot] auth trouble

2012-06-01 Thread Glenn English 
I forgot to include this config info:

> # 1.0.15: /etc/dovecot/dovecot.conf
> log_timestamp: %Y-%m-%d %H:%M:%S 
> protocols: imap pop3
> ssl_listen: *
> ssl_disable: yes
> disable_plaintext_auth: no
> login_dir: /var/run/dovecot/login
> login_executable(default): /usr/lib/dovecot/imap-login
> login_executable(imap): /usr/lib/dovecot/imap-login
> login_executable(pop3): /usr/lib/dovecot/pop3-login
> login_max_processes_count: 12
> mail_privileged_group: mail
> mail_executable(default): /usr/lib/dovecot/imap
> mail_executable(imap): /usr/lib/dovecot/imap
> mail_executable(pop3): /usr/lib/dovecot/pop3
> mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
> mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
> mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
> pop3_uidl_format(default): 
> pop3_uidl_format(imap): 
> pop3_uidl_format(pop3): %08Xu%08Xv
> auth default:
>   mechanisms: plain login
>   verbose: yes
>   passdb:
> driver: pam
>   userdb:
> driver: passwd
>   socket:
> type: listen
> client:
>   path: /var/spool/postfix/private/auth
>   mode: 432
>   user: postfix
>   group: postfix


-- 
Glenn English
hand-wrapped from my Apple Mail

[Dovecot] auth trouble

2012-06-01 Thread Glenn English 
Debian Lenny, Dovecot v 1.0.15.

I'm getting a lot of what I think is a local socket asking 
dovecot:auth to verify username/passwords:

> May 31 09:00:54 server dovecot-auth: pam_unix(dovecot:auth): authentication 
> failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost= 

Note the empty 'rhost='. That's why I think it's on the 
server. I see others that look like bots:

> May 30 23:08:43 server dovecot-auth: pam_unix(dovecot:auth): authentication 
> failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=200.119.139.22 

And I know how to promote the latter to a firewall. But with no 
rhost, I'm stumped...

I've read books, googled, read docs, and asked for help on 
other mailing lists, and I've learned a lot. And I no longer 
think it really has much to do with Dovecot, other than the 
login attempt going through it to get to PAM.

But has anyone here seen this before? Is my current theory 
correct? What did you do to make it go away?

(I suspect that upgrading to Debian Squeeze might get rid of 
it, but I'm afraid that if I don't figure out what's going 
on, it might just come back.)

-- 
Glenn English
hand-wrapped from my Apple Mail