data is transferred to the server.
The Nextcloud (or Dropbox) example is to have an encrypted FS on
the client side (e.g. VeraCrypt) and the whole container is sync'd
on the storage side (the server). At no point does the server side ever
get to see keys.
Joseph Tam
no point
setting flags on a message you'll expunge.
/usr/bin/doveadm expunge -A DELETED OR \( SEEN SENTBEFORE 12w \)
Joseph Tam
for all future versions) or should this patch be applied in
all cases?
Joseph Tam
-cryptic documentation on what it does
https://www.sendmail.org/~ca/email/doc8.12/cf/m4/mailers.html
Joseph Tam
robably stop words?
If you're looking for the entire string "Greetings of the day" anywhere,
then use
doveadm fetch ... TEXT "Greetings of the day"
else if any sequence of these words in the body, use
doveadm fetch ... BODY "Greetings" \
AND BODY "of" \
AND BODY "the" \
AND BODY "day"
Joseph Tam
osite of what you want. Maybe
MAILSPACE=$( df -k | awk '/\/dev\/sdd/{print int($4/(1024*1024))}' )
Joseph Tam
tacks,
by convincing MacOSX clients that the target server does not support
SSL/TLS, then providing a cleartext listener or proxy.
Joseph Tam
ou're done
rm -rf /log/dir/marc
Joseph Tam
robably can't pre-empt them, so if even one
attempt per IP is too much to log, you may have to do both.
Joseph Tam
them, you can mulch through mail fairly
quickly.
Joseph Tam
certificate.
Joseph Tam
passing is required for Dovecot to work
An earlier post by me and James Lee pointed out this problem
on a different platform but maybe it has the same cause.
Try configuring with "--disable-hardening" and see if that
works.
Joseph Tam
using
echo 'base64-reply' | base64 -d | od -c
but as Aki mention, this is probably not relevant to your problem.
Joseph Tam
on
to avoid newbies who don't read the docs closely enough. For the longest
time, I held the same mistaken belief about the purpose of "ssl_ca".
Joseph Tam
ending intermediate and server certificates is what you're supposed
to do.
Joseph Tam
@@
/* submission: */
- size_t submission_max_mail_size;
+ uoff_t submission_max_mail_size;
unsigned int submission_max_recipients;
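Review bot: the struct field type change from size_t to uoff_t is only visible here for the declaration; the settings definition that fills submission_max_mail_size and any comparison of it against a message size need the matching type as well, otherwise the value is still truncated to a 32-bit size_t on the platform shown later in this thread (off_t is 4 bytes there). Please include those lines in the same patch.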
Joseph Tam
ot;,sizeof(long long),sizeof(off_t)); }
the output is "8 4".
Joseph Tam
.
Joseph Tam
.
I'll try building 64bit executables but I think that means I'll have to
build 64bit versions of third-party libraries.
Joseph Tam
rotector-strong" and "__stack_chk_guard" brings up
this issue often.
As for 1st, isn't gcc 3 rather old?
Yeah. I hoped we could retire together, but gcc3 violated the adage
"if it ain't broke, don't fix it". It broke, so ...
Thanks again for looking into this.
Joseph Tam
x0
i = 5
c = -1
ret = -4195172
ret2 = 4
config_path_specified = false
expand_vars = false
hide_key = false
parse_full_config = false
simple_output = false
dump_defaults = false
host_verify = false
print_plugin_banner = true
hide_passwords = true
Joseph Tam
if this has anything to
do with kernel maximum shared memory limits. I know that for some of
our Solaris 10 servers, I had to up these values in /etc/system to get
some of our services to work.
Joseph Tam
(i.e. authenticates, but does nothing).
3) Roofs your user IMAP connection limit when the client does
global mail searches.
Joseph Tam
assword hook that will accept
any username/password. The advantage is you can do post-analysis of
credentials as the script has access to them.
Joseph Tam
The irony is that even if it blunders onto a usable password, they wouldn't
know it.
Joseph Tam
.
It's a costly countermeasure, and do you really want to engage in
an internet fistfight where your opponent has anonymity, access to
compromised servers or botnet, and no scruples against launching DDoS
attacks against you?
Block them and move on.
Joseph Tam
the
server's hostname.
Michael A. Peters writes:
With SMTP, the hostname should match the reverse IP though often it
does not.
In the context of certificate authenticity, a forward DNS mapping
suffices. Even for spam scoring, FcRDNS is only a weak inference to
authenticity.
Joseph Tam
rities _by law_.
Now probably you can imagine why they are giving the certificates out for
free. US authorities can compromise all of them - without any "open knowledge".
Wow, you packed a lot of fear, uncertainty and doubt (and some
misinformation) into one paragraph. I'll leave it at that.
Joseph Tam
be done is via filesystem magic i.e. filesystems with
copy-on-write that allow you to take a moment in time snapshot of your
entire filesystem e.g. LVM, ZFS and others. You can then rsync the
snapshot, but some of these filesystems also support methods to export
snapshots to a remote filesystem.
Joseph
I enabled this.
Joseph Tam
back
in during the final synching. (Add them to separate deny userdb?)
After the final sync [2], undo these steps.
Joseph Tam
domain.net \
'guid hdr.message-id' \
HEADER message-id '<1546519978.5...@paypal.com>'
Keep in mind search is for case-insensitive fragments, so this pattern
matches a superset of the above '1546519978.5...@paypal.com'.
Joseph Tam
o.r...@someone.org>"
doveadm fetch -u my-mail...@domain.net 'guid hdr.message-id' ...
You're on your own for everything else.
Joseph Tam
.
Joseph Tam
,
as the document points out, it still needs to be protected as if
it was plaintext because knowledge of the contents will give access.
Joseph Tam
On Thu, 20 Dec 2018, Joseph Tam wrote:
At the expense of sounding stupid, could you please expound on the
sequence? :)
If you want the nitty details
(Starting at bottom of page 18)
https://tools.ietf.org/html/rfc2831
Joseph Tam
password from sniffing when you can't use SSL.
However, there are many weaknesses: the password must be kept on the server
in plaintext, offline brute forcing, etc.
Joseph Tam
possible deliberate sabotage of curve parameters is a
distraction from the real problem: complexity makes implementation
fumbles easy with disastrous consequences.
https://cr.yp.to/newelliptic/nistecc-20160106.pdf
Joseph Tam
to grp1-secret@ if sender is approved
grp1: |/path/to/check-sender-filter
grp1-secret: :include:/path/to/grp1.list
If spoofing is a concern, you'll have to endow your filter with more
intelligence.
Joseph Tam
x. If you want it time order (i.e. newest first/last),
and the mailbox is not sorted this way, you'll incur the overhead
of sorting it each time you have an index view of your message
(unless your mail reader caches these things).
Joseph Tam
elcome to use it. There's probably a more elegant way with
doveadm/dsync. Using a mail reader to sort the merged mailbox, then
drag/drop/copy everything into a final mailbox could also work.
Joseph Tam
#!/bin/sh
#
# Merge multiple mbox's into one assuming that each message
# starts with /^
beloved FoobyBletch5000 mail reader to work.
Joseph Tam
un dovecot on the localhost interface, and use 2 stunnel proxies.
Joseph Tam
}
...
# End of file: deliver to inbox
:0 w
| /path/to/dovecot-lda -d {user}
Joseph Tam
ess method. If this
doesn't bother you or you can configure this (e.g. Kerberos, keyring,
etc.), IMAP access is preferable since you won't pull the indices out
from Dovecot's feet.
You'll also get a lot of innocuous griping in the log files about
UIDVALIDITY and mailbox corruption, but they can be safely ignored
?
http://lmgtfy.com/?q=Obtaining+a+CA+signed+certificate
Joseph Tam
Then set
the value of ssl_cert to this file.
Joseph Tam
doveconf -a | grep ' 100$'
You'll see your config value.
Joseph Tam
On Thu, 16 Aug 2018, Aki Tuomi wrote:
ps. Here are the symbols your mail got, if it's any use to you.
...
SUBJECT_ENDS_QUESTION
Subject ends with a question
(1)
I find this scoring humorous, as one of this list's purposes is to
ask questions.
Joseph Tam
protects all data.
Joseph Tam
content, if it's saved on
the hard disk.
Another privacy plugin that assumes the server operator is unmotivated or
respects your privacy anyways, and won't just skim your password right off
the top to look at your mail. A vault with steel walls and a dirt floor.
Joseph Tam
for mostly static mboxes, and moderately sized active mailboxes,
rsync will work fine, especially owing to its simplicity.
Joseph Tam
they want.
If you're concentrating on one/few case(s), it's worth deep diving.
If you're analyzing an entire log file, use a script.
Joseph Tam
.saved(=mtime). Once you
have accurate date.saved, then the "expunge savedbefore" works correctly.
Another reason I really ought to switch to maildir.
Joseph Tam
On Wed, 18 Jul 2018, Joseph Tam wrote:
I wrote about a related issue several years back, starting with
https://dovecot.org/list/dovecot/2012-March/134706.html
I'm not sure how I got over this and got usable "date.saved" cache values,
and why it stopped working. Maybe I n
You may or may not have the same problem I do -- your timestamps actually
differ, whereas mine are all the same.
Joseph Tam
t understanding what "savedbefore" means now? It
certainly has changed behaviour since <2.2, since my script used to
work before.
Joseph Tam
be able to force them
to download the message. That depends on the mail agent. Many mail
readers have "keep on server" configured, if server-side storage is
your concern.
Joseph Tam
the only 2 now participating),
then if need be, summarize it and put one final submission back
to the list for those interested in this thread.
Thanks.
Joseph Tam
th-Dovecot-and-Amazon-S3
Joseph Tam
On Fri, 22 Jun 2018, Joseph Tam wrote:
However, recent advances make this condition obsolete [*] and not
really safer, so a much faster way to generate a DH key is
openssl dhparam -dsaparam -out dh.pem 4096
DH generation is a one time operation, so if you're paranoid and you've
got time to burn, go ahead and generate the "safe" DH key.
[*] https://security.stackexchange.com/questions/42415/openvpn-dhparam)
Joseph Tam
ght, the problem here is more basic. Once you get over this, you can
move forward to success or the next problem.
Joseph Tam
config?
https://wiki2.dovecot.org/PasswordDatabase/PAM
Joseph Tam
define MASTER_LOGIN_TIMEOUT_SECS (30)
+#define MASTER_LOGIN_TIMEOUT_SECS (3*60)
@@ -101,1 +101,1 @@
-#define MASTER_AUTH_SERVER_TIMEOUT_SECS (MASTER_LOGIN_TIMEOUT_SECS<<1)
+#define MASTER_AUTH_SERVER_TIMEOUT_SECS (MASTER_LOGIN_TIMEOUT_SECS - 30)
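Review bot: the replacement `(MASTER_LOGIN_TIMEOUT_SECS - 30)` hard-codes the old 30-second login timeout as a bare literal and changes the relationship between the two values from twice the login timeout to login timeout minus 30 seconds; if the intent is for the auth-server timeout to fire shortly before the login timeout, state that in a comment and derive the margin from a named constant rather than a literal that will not track future changes to MASTER_LOGIN_TIMEOUT_SECS.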
Joseph Tam <jtam.h...@gmail.com>
don't want to enable.
Joseph Tam <jtam.h...@gmail.com>
https://tools.ietf.org/html/rfc2971
Joseph Tam <jtam.h...@gmail.com>
with the remote imap servers of my mail
providers.
Sounds vaguely like a file locking problem.
Does anybody know, why this happens or how I could debug this issue?
Turn on verbose logging, then see if you can trigger the problem. Also,
doveconf -n would help.
Joseph Tam <jtam.h...@gmail.com>
er-ip-rate-limiting-with-iptables/
It can't do it per user, but perhaps it is better to set a global limit
and let your downstream client better manage and conserve a limited
resource.
Joseph Tam <jtam.h...@gmail.com>
of that mailbox will be that slow, esp. if the messages
have large attachments. Even a simple operation like deleting/expunging the
the first message will cause data shuffling of the entire mailbox.
Joseph Tam <jtam.h...@gmail.com>
On Thu, 11 Jan 2018, Joseph Tam wrote:
I'd like to configure my dovecot service to use the IMAP SPECIAL-USE
extension, but have a few questions for those who have used them, or
are knowledgeable about its use.
Thanks to all who contributed, even if the answer was "it depends&qu
the client
is using, or the optimization is broken and dovecot keeps having to
(re)read the mailbox to acquire the IMAP STATUS?
Joseph Tam <jtam.h...@gmail.com>
Tanstaafl <tansta...@libertytrek.org> writes:
Is this what you are looking for?
https://wiki2.dovecot.org/Plugins/MailboxAlias
It seems already be implemented...
A first step maybe, but no, not quite.
So what are the gotchas of using this? How much does this free lunch
cost?
Jose
admin
might have to merge all existing mailboxes into the one actual mailbox to
keep the confusion down.
Joseph Tam <jtam.h...@gmail.com>
er does not manually configure
a mailbox for this purpose?
Q4) If I have an additional configuration
mailbox yyy {
special_use = \Sent
}
how does it affect Q2, Q3?
Thanks to any who can provide clarity on this.
Joseph Tam <jtam.h...@gmail.com>
stics logs to point out where server/client
cipher negotiations fail.
You can also try and run "openssl s_server -cipher 'kEECDH:+...'" on an
alternate port/host, point your client at it, and let this utility dump
out the SSL cipher negotiations.
Joseph Tam <jtam.h...@gmail.com>
you're testing IMAP, try one or the other or both depending
on how many flavours of SSL you got going.
openssl s_client -starttls imap -connect mail.mydomain:143
openssl s_client -connect mail.mydomain:993
Joseph Tam <jtam.h...@gmail.com>
ot;. This will work both in Postfix, sendmail, and probably
most other MTAs.
If you actually want randomization (rather than sequential round-robin),
you can simplify because you won't need to record the last delivery. Use
/dev/urandom or unix time() mod 3 to select forwarding address.
Joseph Tam <jtam.h...@gmail.com>
cause the sendmail worker processes to dump
their clients, but if it did, SMTP is fault tolerant enough that delivery
should be retried later.
Joseph Tam <jtam.h...@gmail.com>
of a metric ton of BFD connections.
Joseph Tam <jtam.h...@gmail.com>
/user for further investigation.
For users, I think reporting a login origin audit will be helpful,
regardless of circumstances. However, it should be done out of band,
if the assumption is someone else has control of the account.
Joseph Tam <jtam.h...@gmail.com>
here a reason to explain this discrepancy?
Joseph Tam <jtam.h...@gmail.com>
ng way to prevent admin access
to user's email.
Don't ignore metadata; who/when/where (and headers?) could reveal much
information.
Joseph Tam <jtam.h...@gmail.com>
mail reader. However, metadata is still
accessible by your VPS provider.
If your VPS is the MTA that directly handles SMTP from your correspondents
sending you unencrypted messages, you can't lock out a sufficiently
skilled platform admin.
Joseph Tam <jtam.h...@gmail.com>
Steffen Kaiser
Hmm, this is a job for:
https://wiki2.dovecot.org/Plugins/Snarf
Cool! Can this be used with the imapc: driver to consolidate mail from
separate IMAP accounts into one? (Sort of like how you can configure
Gmail to slurp up mail into the Gmail account.)
Joseph Tam <jta
ing the symlinks with the instantiated local copies and
have almost zero downtime.
Joseph Tam <jtam.h...@gmail.com>
when the entire operation finishes. So the
final effect I saw of bumping mail_max_userip_connections from the
server perspective is that I get fewer "Maximum number of connections"
log messages.
Joseph Tam <jtam.h...@gmail.com>
not sending mail.)
Joseph Tam <jtam.h...@gmail.com>
experiences a small window of outage, but the system is
online for everybody else. This, of course, requires a lot more setup
and planning.
Joseph Tam <jtam.h...@gmail.com>
1; Windows 95)"
Not my website, nothing even close to that url is hosted on that server.
Common proxy target. They're testing whether your web server will support
anonymous web proxying. Almost exclusively from China.
Joseph Tam <jtam.h...@gmail.com>
$PART2" -le 127 ] && exec
"$@"
# Example 3 (dodgy, I haven't fully thought this through)
`echo "$IP" | { IFS=. read a b c PART2; [ "$a.$b.$c" = "12.34.56" -a "$PART2" -ge 0 -a
"$PART2" -le 127 ] && echo "exec $@"; }`
If you have a busy IMAP server, you'll probably want to use Aki's passdb
solution instead, rather than incurring the execution overhead for each
and every authentication.
Joseph Tam <jtam.h...@gmail.com>
s and process
limit values could also cause service flakiness. Apple mail readers
seem to gobble up IMAP connections like candy.
Joseph Tam <jtam.h...@gmail.com>
you've underscaled your
remote mail service?
Joseph Tam <jtam.h...@gmail.com>
r}:110
(from both inside and outside), as well as any matching log entries.
Joseph Tam <jtam.h...@gmail.com>
tion: strong hashes, password
compliance systems, brute force countermeasures, file permissions/OS
hardening, network origins vetting, anti-DoS measures, etc.
Keep this picture in mind that I found on CLCERT
https://www.clcert.cl/humor/img/weakest-link-road.jpg
Joseph Tam <jtam.h...@gmail.com>
thus, were useless. The bcrypt hashes though, included
the salt and were vulnerable.)
Take away: use a strong password -- the hardest crypt algorithm in the
world can't save you if you don't.
Joseph Tam <jtam.h...@gmail.com>
for hashes that use non-trivial salts, you would need to
precompute an astronomically large number of tables. An attacker might
be better off with a straight CPU-bound brute force search.
Joseph Tam <jtam.h...@gmail.com>
INDEX, so maybe look in your mail spool or personal mail folder for
$WHATEVER/.imap/INBOX. Caches are regenerated if they go missing
(unless you use mdbox/sdbox formats: *don't* do this if you're using
them.)
Joseph Tam <jtam.h...@gmail.com>
ling that it works for some accounts, and not for others.
Try rebuilding the user's index cache by removing it (save a copy!) and
see if that makes it work. If it does, you can send the buggy caches
to the developer and see if they can figure it out.
Joseph Tam <jtam.h...@gmail.com>