ciated
salt, and thus, were useless. The bcrypt hashes though, included
the salt and were vulnerable.)
Take away: use a strong password -- the hardest crypt algorithm in the
world can't save you if you don't.
Joseph Tam
CPU time.
However, for hashes that use non-trivial salts, you would need to
precompute an astronomically large number of tables. An attacker might
be better off with a straight CPU-bound brute force search.
Joseph Tam
't specify
INDEX, so maybe look in your mail spool or personal mail folder for
$WHATEVER/.imap/INBOX. Caches are regenerated if they go missing
(unless you use mdbox/sdbox formats: *don't* do this if you're using
them.)
Joseph Tam
orks for some accounts, and not for others.
Try rebuilding the user's index cache by removing it (save a copy!) and
see if that makes it work. If it does, you can send the buggy caches
to the developer and see if they can figure it out.
Joseph Tam
ctions, or perhaps process/memory limits
(e.g. process_limit, vsz_limit, etc.).
Joseph Tam
a plugin to define a virtual INBOX
https://wiki.dovecot.org/Plugins/Virtual
with search/selection criteria to limit the number of messages.
You can also try some LDA script (e.g. procmail) hackery to create INBOX
volumes of 300 messages, then do some shuffling around when the INBOX
gets emptied.
Joseph Tam
ly speed up step 4 and minimize
outage time.
0) Do an initial conversion that will do the bulk of the work
but does not guarantee consistency.
Joseph Tam
on't know what would cause this -- maybe some firewall state session
timeout?
Joseph Tam
tra fields.
https://wiki.dovecot.org/UserDatabase/ExtraFields
Joseph Tam
ing SHA512
($6$) salts, you can create your own by replacing gen_salt() with "$6$"
+ base64(long random value), and feed that to crypt().
Just as long as PostgreSQL uses the system crypt() and not its own
implementation, it should produce a usable hash.
Joseph Tam
renewal using the same
credentials as the certbot.)
If you use privilege separation, and run the certbot as a regular user
process, this won't work. You might have this scenario if, for example
using the context of web serving, you serve many virtual sites with
different owners, and you don't want to give each owner administrative
access.
Joseph Tam
ail readers cope with restarts just fine, though.
Joseph Tam
il.yourdomain.com",
"imap.yourdomain.com", "smtp.yourdomain.com", etc.)
Certificates do not authenticate services or protocols, but server names
(typically).
Joseph Tam
If the IMAP account requires 2 externally supplied mailboxes or folders
(spam, ham) accessible via IMAP, you'll either have to copy them into
the IMAP user's mail/ folder, or set up special namespaces that map to
the mailboxes' paths. The mailboxes need appropriate file permissions
so that the IMAP user can access them.
Joseph Tam
nt to
curtail space usage by users? You want to force users to retain client
side copies of the messages?
(Mind you, you could still have the same problem with POP -- there's
nothing you can do to force the client to download/delete messages.
Whether you use IMAP or POP3, you'll probably need some client-side
setup.)
Joseph Tam
. So the OP can confirm this is the problem by manually running
the libtool command but adding "-lssl", and if that works, then something
screwed up the Makefile or other build files.
Joseph Tam
're missing "-lssl" but have a spurious "-lcrypt". Probably all your
missing symbols are actually in libssl.so.
Joseph Tam
\
--prefix=/Applications/dovecot-2.2.31.32 \
--with-ssl=openssl \
--with-ssldir=/Applications/dovecot-2.2.31.32/certs \
--with-storages=mbox,maildir,imapc,pop3c
I believe the "--with-storages" option is now obsolete: all the storage
backends are built, whether you ask for them or not.
Joseph Tam
sword extension user={user}*{masterid},
password={masterpassword} in place of {user}/{userpassword} for imapsync
to get the job done.
Joseph Tam
sport:
the MITM attacker can merely open up a fake plaintext-only service port,
then proxy that to the target server. The client must deny non-secured
transport to be fully protected.
Joseph Tam
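The downgrade described above, as an added example that is not code from the post or from Dovecot: a minimal fake IMAP responder plays either the real server (which advertises STARTTLS) or the attacker's plaintext-only port (which does not), and two client policies are run against it over an in-process socket pair. The opportunistic client sends LOGIN when STARTTLS is absent; the strict client refuses to send credentials at all. The capability lists, tag names and the user/secret credential pair are constructed for this demonstration; the client stops where a real one would wrap the socket in TLS.

```python
import socket
import threading

# Capability lists are constructed for this demonstration.
HONEST_CAPS = ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"]   # the real server, before TLS
STRIPPED_CAPS = ["IMAP4rev1", "AUTH=PLAIN"]                # the MITM's plaintext-only port


def _send(f, text):
    f.write(text.encode("ascii"))
    f.flush()


def fake_server(sock, capabilities, logins_seen):
    """Speaks just enough IMAP to play either the real server or the attacker's proxy port."""
    with sock, sock.makefile("rwb") as f:
        _send(f, "* OK IMAP ready\r\n")
        while True:
            line = f.readline()
            if not line:          # client hung up
                return
            tag, _, cmd = line.decode("ascii").rstrip("\r\n").partition(" ")
            verb = cmd.split(" ", 1)[0].upper()
            if verb == "CAPABILITY":
                _send(f, "* CAPABILITY " + " ".join(capabilities) + "\r\n" + tag + " OK done\r\n")
            elif verb == "STARTTLS" and "STARTTLS" in capabilities:
                _send(f, tag + " OK Begin TLS negotiation now\r\n")
                return            # a real server would run the TLS handshake here
            elif verb == "LOGIN":
                logins_seen.append(cmd)   # credentials just crossed the wire in the clear
                _send(f, tag + " OK logged in\r\n")
            else:
                _send(f, tag + " BAD unsupported\r\n")


def client_session(f, require_tls):
    """Client side. Returns 'starttls', 'plaintext-login' or 'refused'."""
    f.readline()                                   # server greeting
    _send(f, "a1 CAPABILITY\r\n")
    caps = set()
    while True:
        line = f.readline().decode("ascii").rstrip("\r\n")
        if line.startswith("* CAPABILITY "):
            caps = set(line.split()[2:])
        elif line.startswith("a1 "):
            break
    if "STARTTLS" in caps:
        _send(f, "a2 STARTTLS\r\n")
        if f.readline().decode("ascii").startswith("a2 OK"):
            return "starttls"   # real client: wrap the socket with ssl here, then re-issue CAPABILITY
        return "refused"
    if require_tls:
        return "refused"        # fail closed: a missing STARTTLS is exactly what a stripping MITM shows
    _send(f, "a2 LOGIN user secret\r\n")   # opportunistic client: password goes out in the clear
    f.readline()
    return "plaintext-login"


def run(capabilities, require_tls):
    """One client/server exchange over a socket pair: (client outcome, LOGIN commands the server saw)."""
    client_sock, server_sock = socket.socketpair()
    logins_seen = []
    t = threading.Thread(target=fake_server, args=(server_sock, capabilities, logins_seen))
    t.start()
    with client_sock, client_sock.makefile("rwb") as f:
        outcome = client_session(f, require_tls)
    t.join()
    return outcome, logins_seen


if __name__ == "__main__":
    for caps, strict in [(HONEST_CAPS, True), (STRIPPED_CAPS, False), (STRIPPED_CAPS, True)]:
        print(caps, "require_tls=%s ->" % strict, run(caps, strict))
```

Against the honest capability list both policies proceed to STARTTLS; against the stripped list only the strict client keeps the password off the wire, which is the "client must deny non-secured transport" point in the post.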
ephemeral key algorithms like ECDHE-*), but this
happens after SSL initiation, whether by STARTTLS, or by connection to
SSL ports.
Joseph Tam
aking that
gets you to the same point.
Joseph Tam
mail_location=~/.mail:INBOX=/var/spool/mail/%Ln
He should be good now, no idea why a fedora install wouldn't have that
Unless I missed something in a previous post, "~/.mail" is not typical
for a personal mail folder, but "~/mail" is.
Joseph Tam
your clustered service, but why do
your nodes have to go offline? If these other nodes are using an older
certificate, it should still work as the previous/renewed certificates
usually have overlapping active begin/expiration dates.
Joseph Tam
ore: it just works.
The shorter cert lifetime also helps limit damage if your certificate
gets compromised.
Joseph Tam
It does get fixed automatically once the folder
is selected though.
I'm running it this way now (concurrent file and dovecot access) and most
users are blithe to it, so I guess it won't be too much worse. I'll try
aggressive caching and back off if it causes confusion.
Thanks.
Joseph Tam
and performance, or it's a
win-win all around?
(I just saw your previous response to someone else, which I'll read more
closely.)
Joseph Tam
tions, which may not suit everyone.
Joseph Tam
On Thu, 10 Aug 2017, Larry Rosenman wrote:
Which mail client on iOS?
Sorry, maybe not iOS, but definitely MacOSX Mail app.
Joseph Tam
trying to troubleshoot a moving target.
Joseph Tam
version
(or is only available as a patch), you can fix it right away rather than
waiting for the package maintainer to catch up to it.
Joseph Tam
ing the service before the DH parameters were ready.)
Joseph Tam
ng, so I don't actually have practical
experience doing it (but many on this list do, so I defer to their
superior knowledge). All the information I wrote above is derived from
reading the man page, and implicit knowledge.
Joseph Tam
= 0660
}
}
In my test setup, I use the first option
protocol imap {
...
rawlog_dir = /data/rawlogs/%u
}
You may also want it in your protocol pop3 section.
Joseph Tam
ight be better off using one of the other
transport methods. Do you actually need per-user syncing?
Joseph Tam
a hair-trigger blacklist policy is that it saves
you a few log entries showing futile attempts at finding weak passwords
(because you have strong passwords, don't you?) at the risk of dealing
with any of the above situations.
Joseph Tam
typos (like twaeking!): users could simply misspell
their username, or get mixed up with some other account or alias.
This is why I favour targeting known bad accounts, not merely accounts
that don't exist.
Joseph Tam
tication, or VPN, but they are hard/impossible to do with a large
userbase, or have high setup/amortization costs.
If you have an enforced strong password policy, these brute forcers have
little chance of succeeding, so maybe the easiest, cheapest policy is to
ignore it.
Joseph Tam
"mourik jan c heupink" writes:
On 07/24/2017 04:51 AM, Joseph Tam wrote:
You are essentially writing your own backend by taking over
authentication. You'll be accepting user/password inputs into your
checkpassword executable, then use the LDAP API (or some other system
table from C sources. It's more work, but if you need to do
everything on your wish list, I can't see any easier option.
One of the drawbacks is that a working password depends on both time
and source address, which will adversely affect performance on a
busy server as authentication data cannot be cached.
Joseph Tam
ful these days.
Even if the success rate is 0.1%, you can do the arithmetic to see
that's still a huge number of accounts. But you're right, if you have
anything resembling a sensible password policy, they're just a log
bloating nuisance.
Joseph Tam
of abused passwords
will miss a lot. (A common one they use is $password=variations($user)
or variation($domain)). A limit on the number of auth failures should also be
a criterion for banning. Extinct users are also good candidates for
instant banning.
Joseph Tam
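The banning policy sketched across the posts above (instant bans for extinct or known-probe accounts, a failure-count threshold for everything else, and no hair-trigger ban on a username that merely does not exist, since that may be a typo) as an added example that is not code from the posts, from Dovecot or from fail2ban. It parses Dovecot-style login-failure lines, keeps a per-source sliding window, and returns the bans in the order they fire. The log lines, user names, documentation-range IPs, the assumed year and the threshold/window values are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2017  # Dovecot's syslog-style lines carry no year; this example assumes one
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: Info: "
    r"(?:Disconnected|Aborted login) \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample log: a typo followed by a good login, a volume scanner, a hit on an
# extinct account, two slow retries on a real account two hours apart, and a probe for "admin".
SAMPLE_LOG = """\
Jul 11 19:30:18 mx dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 4 secs): user=<j.smtih>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<a1>
Jul 11 19:30:20 mx dovecot: imap-login: Info: Login: user=<j.smith>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS, session=<a2>
Jul 11 19:31:02 mx dovecot: imap-login: Info: Disconnected (auth failed, 3 attempts in 9 secs): user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b1>
Jul 11 19:31:40 mx dovecot: pop3-login: Info: Aborted login (auth failed, 2 attempts in 5 secs): user=<dave>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, session=<b2>
Jul 11 19:32:11 mx dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<oldhire>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.1, TLS, session=<c1>
Jul 11 19:40:00 mx dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, TLS, session=<d1>
Jul 11 21:40:00 mx dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, TLS, session=<d2>
Jul 11 21:41:15 mx dovecot: imap-login: Info: Disconnected (auth failed, 1 attempts in 1 secs): user=<admin>, method=PLAIN, rip=203.0.113.77, lip=192.0.2.1, session=<e1>
"""


def parse_auth_failure(line, year=LOG_YEAR):
    """Return (timestamp, user, attempts, remote ip) for an auth-failure line, else None."""
    m = AUTH_FAIL.search(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("user").lower(), int(m.group("n")), m.group("rip")


class BanPolicy:
    """Instant ban for sources that hit known-bad accounts; a volume threshold for everyone else."""

    def __init__(self, extinct_users, probe_users, threshold=5, window_secs=600):
        self.extinct = {u.lower() for u in extinct_users}   # accounts that no longer exist here
        self.probes = {u.lower() for u in probe_users}      # names only scanners try
        self.threshold = threshold
        self.window = window_secs
        self.failures = defaultdict(deque)                  # rip -> timestamps of recent failures
        self.banned = {}                                    # rip -> reason

    def observe(self, line):
        """Feed one log line; return (rip, reason) if it triggers a new ban, else None."""
        parsed = parse_auth_failure(line)
        if parsed is None:
            return None
        ts, user, attempts, rip = parsed
        if rip in self.banned:
            return None
        if user in self.extinct:
            return self._ban(rip, "extinct account %r" % user)
        if user in self.probes:
            return self._ban(rip, "probe account %r" % user)
        # A username we merely do not know could be a typo, so it only counts towards the threshold.
        q = self.failures[rip]
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        q.extend([ts] * attempts)
        if len(q) >= self.threshold:
            return self._ban(rip, "%d failures within %ds" % (len(q), self.window))
        return None

    def _ban(self, rip, reason):
        self.banned[rip] = reason
        return rip, reason


def apply_policy(log_text, policy):
    """Run every line through the policy; return the bans in the order they fired."""
    return [b for b in (policy.observe(l) for l in log_text.splitlines()) if b]


if __name__ == "__main__":
    for rip, why in apply_policy(SAMPLE_LOG, BanPolicy({"oldhire"}, {"admin", "test"})):
        print("ban", rip, ":", why)
```

On the sample, the mistyped "j.smtih" and the two-hours-apart retries on "bob" never produce a ban, the scanner is banned once it reaches five failures inside the window, and the source hitting the extinct account and the one probing "admin" are banned on the first line; the counters use Dovecot's own "N attempts" figure so one connection with several tries is not under-counted.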
ll of ChinaNet. May produce false positives.
Joseph Tam
ocklist.de. You can also feed back fail2ban data and crowdsource BFD
data to them.
Joseph Tam
ash computation.
{SHA512} is a straight saltless hash -- the same password maps to the
same hash. This makes it prone to dictionary attacks (i.e. pre-generated
tables of plaintext/hash values).
If you support both schemes, SHA512-CRYPT is much stronger.
Joseph Tam
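Both of the points above, that {SHA512} maps the same password to the same hash while SHA512-CRYPT does not, and the earlier note about building your own "$6$" + base64(random) salt to feed to crypt(), can be checked with the following added example. It is not code from these posts, from Dovecot or from PostgreSQL: a pure-Python SHA512-crypt ($6$) following Drepper's SHA-crypt specification (the algorithm glibc's crypt() runs for $6$), a salt generator following the post's recipe, a verifier that reads the salt and rounds back out of the stored string, and a precomputed-table lookup that only works against the saltless form. The 12-byte salt size and the 5000-round default are this example's choices; the known-answer value in the usage note is the first SHA-512 vector from the specification's test set. Whichever crypt() you end up calling, PostgreSQL's own or libc's, compare its output for a fixed salt against this before trusting it to produce $6$ hashes.

```python
import base64
import hashlib
import hmac
import os

# Alphabet crypt(3) uses both for salts and for encoding the digest.
_CRYPT_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000


def make_salt(nbytes=12):
    """The post's recipe: base64 of random bytes (12 bytes -> 16 chars, no padding).
    Standard base64 emits '+', which is not in the crypt alphabet, so map it to '.'."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii").replace("+", ".")


def _b64_from_24bit(b2, b1, b0, n):
    # Little-endian 6-bit groups, the same unusual order crypt(3) uses.
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_CRYPT_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=_DEFAULT_ROUNDS):
    """SHA512-crypt ($6$) per Drepper's SHA-crypt specification; matches glibc crypt() output."""
    pw = password.encode("utf-8")
    salt_b = salt[:16].encode("utf-8")          # crypt(3) uses at most 16 salt characters
    b = hashlib.sha512(pw + salt_b + pw).digest()
    a_ctx = hashlib.sha512(pw + salt_b)
    a_ctx.update(b * (len(pw) // 64) + b[: len(pw) % 64])   # len(pw) bytes of B
    n = len(pw)
    while n > 0:                                # one block per bit of len(pw): B for 1, password for 0
        a_ctx.update(b if n & 1 else pw)
        n >>= 1
    a = a_ctx.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p_seq = (dp * (len(pw) // 64 + 1))[: len(pw)]
    ds = hashlib.sha512(salt_b * (16 + a[0])).digest()
    s_seq = (ds * (len(salt_b) // 64 + 1))[: len(salt_b)]
    c = a
    for i in range(rounds):                     # the stretching loop; mixing pattern depends on i
        ctx = hashlib.sha512()
        ctx.update(p_seq if i & 1 else c)
        if i % 3:
            ctx.update(s_seq)
        if i % 7:
            ctx.update(p_seq)
        ctx.update(c if i & 1 else p_seq)
        c = ctx.digest()
    enc = []                                    # crypt's byte permutation: triples 22*k apart mod 63
    for k in range(21):
        i = (22 * k) % 63
        enc.append(_b64_from_24bit(c[i], c[(i + 21) % 63], c[(i + 42) % 63], 4))
    enc.append(_b64_from_24bit(0, 0, c[63], 2))
    rounds_part = "" if rounds == _DEFAULT_ROUNDS else "rounds=%d$" % rounds
    return "$6$%s%s$%s" % (rounds_part, salt_b.decode("utf-8"), "".join(enc))


def verify_sha512_crypt(password, stored):
    """Recompute with the salt (and rounds) embedded in the stored string; constant-time compare."""
    if not stored.startswith("$6$"):
        return False
    fields = stored.split("$")                  # ['', '6', [rounds=N,] salt, hash]
    rounds = _DEFAULT_ROUNDS
    if fields[2].startswith("rounds="):
        rounds = int(fields[2][len("rounds="):])
        salt = fields[3]
    else:
        salt = fields[2]
    return hmac.compare_digest(sha512_crypt(password, salt, rounds), stored)


def plain_sha512(password):
    """The saltless {SHA512} scheme: every user with this password gets this exact hash."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def table_attack(target_hash, candidates):
    """Precomputed-table lookup; it can only ever work against a salt-free hash."""
    table = {plain_sha512(pw): pw for pw in candidates}
    return table.get(target_hash)


if __name__ == "__main__":
    h = sha512_crypt("Hello world!", make_salt())
    print(h, verify_sha512_crypt("Hello world!", h))
    print(table_attack(plain_sha512("letmein"), ["password", "letmein"]))
```

sha512_crypt("Hello world!", "saltstring") must return $6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1; anything else means the implementation (or the crypt() you are comparing it with) is not SHA512-crypt. Two calls with fresh salts give two different strings for the same password, which is exactly what defeats the table lookup that succeeds against plain_sha512.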
On Fri, 14 Jul 2017, Joseph Tam wrote:
... successful authentication via GSSAPI! From the log files you've shown,
you were able to authenticate "dsmith". Your mail reader tells you
otherwise?
Oops, I didn't see your previous comment
"The Kerberos/GSSAP
nd ...
Jul 11 19:30:18 imap-login: Info: Login: user=, method=GSSAPI,
rip=192.168.0.57, lip=192.168.0.2, mpid=3150, TLS, session=
... successful authentication via GSSAPI! From the log files you've shown,
you were able to authenticate "dsmith". Your mail reader tells you otherwise?
Joseph Tam
have a user database and an sqlite database?
Yes, you want a virtual user setup.
https://wiki.dovecot.org/VirtualUsers
You still need a user/password database of some sort unless you're
contemplating some wild free-for-all access with a single shared
password.
Joseph Tam
kups.
2) The LMTP can't deliver to a user's INBOX? If this is what
you're complaining about, you ought to supply
i) log entries demonstrating the problem
ii) a hint of your configuration i.e. doveconf -n
Joseph Tam
Jun 27 12:03:27 bubba dovecot: auth:
ldap(someu...@mydomain.com,127.0.0.1): invalid credentials
The only other thing I can think of - Postfix runs on this server and
uses Dovecot SASL. Is it possible the Dovecot auth log line is caused
by a Postfix connection attempt?
That would have been my
Is it just me receiving in Digest mode, or are all message submissions
to this list being duplicated?
Joseph Tam
x1 SELECT testbox
What do you get here and in your logs?
If this doesn't produce any usable diagnostics, I would pull out the
heavy duty process trace tool and trace the imap process to figure out
what it's really doing and where it's failing.
Joseph Tam
This is a consequence of writing secure software: it employs least
privilege so that a fault will not result in someone being able to mess
around with someone else's mail (or indices). GID can also govern access
to shared mailboxes.
Joseph Tam
ems] under inbox.
Pardon my naivety, but couldn't you just remove this namespace altogether
and get rid of at least one set of duplicates (although it will probably keep
the non-preferred one).
Joseph Tam
e.
It works for me. From what I see, the ownership of the symlink is
ignored; it's the underlying file that counts. Maybe a subscription
issue?
Joseph Tam
as there may
be a race condition where another process is creating/deleting it at
the same time.
Joseph Tam
/e7d9dd003e6192b294507b9fbe9917a514e441f6
Joseph Tam
On Tue, 6 Jun 2017, Joseph Tam wrote:
Bots aren't known to exit cleanly, so it's probably related to prematurely
dropped connections. Apart from that, I'm not seeing this with real
users.
Never mind: getting mail in digest form has made me look stupid again.
Joseph Tam
not seeing this with real
users.
Joseph Tam
problem after a system failure. Our problem could be
solved by
rm /PATH/USER/mdbox/storage/dovecot.map.index*
doveadm -D -v force-resync -u USER INBOX
Not sure given the above URL whether this will solve your problem or make it
far worse. Better back up what you have before trying anything.
Joseph Tam
/{cachedir}/dovecot.index.log was locked for 105 seconds (Mailbox was
synchronized)
Not really an error, just bad performance.
Probably happens when a user is doing I/O on their large INBOX's via NFS, and
bogging down. Thanks for explaining this.
Joseph Tam
cation = ...:INDEX==MEMORY
...
}
I'm not sure how dovecot would react when NetApp pulls the rug out
from under one of the hourly snapshots and replace it with the next
hour's version.
Joseph Tam
/{cachedir}/dovecot.index.cache: Broken virtual size for mail UID
12032 in mailbox INBOX: read(/var/mail/user): FETCH BODY[] got too little data:
6199 vs 6201
From what you say, the changes would only affects the latter, so no big change.
Thanks for the info.
Joseph Tam
trigger index rebuilds when dovecot accesses them.
Joseph Tam
penssl s_client -starttls imap -connect localhost:143
So telnet doesn't work because it does not do SSL. Your MUA doesn't work
because of the same misunderstanding, or there's some network issue
at play.
You need to align your clients to use the security protocol you've
enabled.
Joseph Tam
I see mentions of this configuration variable in 7 year old dovecot posts,
so it's been around a long time. You should do
doveconf -a | grep sieve_global_path
since "-n" won't list unchanged (defaulted) configuration values.
Joseph Tam
large
mailboxes.
As Aki recommends, use something other than mbox unless you've got some
legacy issue.
How would you do this when migrating from an old server to a new one?
Lots of third party scripts out there that will convert for you. I think
you can do dovecot->dovecot dsync to convert.
Joseph Tam
er
user's earlier connection.
How easy would it be to implement a hybrid solution that maps all
imap service for a unique UID to a single worker process. It would
result in modest performance gain for busy servers, and data leakage
security would be minimal.
Joseph Tam
osoft.com/Forums/ie/en-US/40eb0164-0bcf-499a-9401-b6a688b5fcfd/log-onto-incoming-mail-server-pop3-your-server-does-not-support-the-connection-encryption-type?forum=exchangesvrsecuremessaging
https://blog.zubairalexander.com/outlook-error-0x800ccc1/
Joseph Tam
ok2016. Kindly help.
Help us help you. Please include output of "dovecot -n" and any relevant
log entries.
As a wild ass guess, I think maybe the client is using "STARTTLS"
instead of "SSL", or some other SSL requirement disagreement.
Joseph Tam
nfiguring some
reasonable connection throttles.
Joseph Tam
return results fast enough to keep the concurrent connections
count down.
Can anyone with Solr installed confirm/refute this: does installing
Solr keep iOS clients from roofing the connection count?
Joseph Tam
p folder. Then you can use the same certificate
for all TLS services hosted on that server.
Joseph Tam
You can do the DNS challenge method if your server has the ability to
update DNS entries, or you can use certbot clients in standalone-mode
that will act as a simple web server just long enough to serve out the
token to complete the authentication.
Joseph Tam
to expire at a certain time, then transition to the new definition.
Joseph Tam
(advanced usage)
In this way, you can reuse the private key, as well as making it more
secure by removing a privileged operation (private key access), allowing
dehydrated to be run as a non-privileged/separate user.
Joseph Tam
pies of mail data as well if you really want to
isolate your test.
Then you can gradually phase in your new version by swapping alternate
port/data with production port/data.
Joseph Tam
ls.
Or, doesn't Dovecot expire the cached entry on failed authentication?
Dovecot does have an auth_cache_negative_ttl setting.
I think the best proactive approach is to keep auth_cache_ttl modest
(a few minutes) rather than hours or days.
Joseph Tam
ccess to the mail account until the TTL expires or user logs
in with new credentials. I've been burnt by this one.
Joseph Tam
| awk '/imap/{m+=$2}/pop3/{n+=$2}END{print m,n}'
Or you can parse the output of netstat.
I'm surprised you have so many POP3 connections though -- they tend to be
connect/process/disconnect. n=0 most of the time on my modest server.
Joseph Tam
I don't have problems building 2.2.27 on Solaris 10
(using Sun Workshop compiler 5.11).
... and I don't have problems with Solaris10/gcc, but I don't have
as many options as you do.
Joseph Tam
.
ssl = yes
ssl_cert =
Are you using client verification (i.e. mutual authentication of mail
client and server)?
If not, just comment out ssl_ca.
Joseph Tam
$CfKc0NdiRkWOisjL$kHAx2oxB?
Did you truncate the results? This hash looks far too short to be a real SHA512
hash.
Joseph Tam
Maybe use the checkpassword hook?
http://wiki.dovecot.org/AuthDatabase/CheckPassword
Joseph Tam
e POP3 scenario you want:
http://wiki.dovecot.org/MailLocation/mbox
(Section: Only /var/mail mboxes)
Don't need these
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
Joseph Tam
' >list
Needs shell escaping/sanitizing if you don't want to be the victim
of mischief (e.g. maildir='X;cd ..;rm -rf *').
Joseph Tam
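The mischief the post warns about, as an added example that is not code from the post or from Dovecot: the same listing done by splicing the maildir name into command text for a shell (injectable), by passing it as one argv element with no shell at all, and by quoting it with shlex.quote for the cases where command text cannot be avoided, plus an allow-list check applied before any command runs. The payload is a harmless stand-in for the post's 'X;cd ..;rm -rf *' (it only echoes a marker), the allow-list pattern is this example's choice, and the example assumes a POSIX sh and ls are present.

```python
import re
import shlex
import subprocess

# Allow-list for maildir names; the pattern is this example's choice, not Dovecot's.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed stand-in for the post's 'X;cd ..;rm -rf *': the injected command only echoes a marker.
PAYLOAD = "X;echo PWNED-MARKER"


def list_maildir_vulnerable(maildir):
    """The pattern the post warns about: the value becomes shell syntax, so ';' ends the command."""
    cmd = "ls -d %s" % maildir
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def list_maildir_argv(maildir):
    """No shell: the value is one argv element and cannot turn into a second command."""
    r = subprocess.run(["ls", "-d", "--", maildir], capture_output=True, text=True)
    return r.stdout + r.stderr


def list_maildir_quoted(maildir):
    """When command text is unavoidable (e.g. it travels over ssh), quote every value."""
    cmd = "ls -d -- %s 2>&1" % shlex.quote(maildir)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_safe_maildir_name(maildir):
    """Defence in depth: only names from the allow-list get anywhere near a command."""
    return bool(SAFE_NAME.match(maildir))


def validate_maildir_name(maildir):
    if not is_safe_maildir_name(maildir):
        raise ValueError("rejected maildir name: %r" % maildir)
    return maildir


if __name__ == "__main__":
    print("vulnerable:", list_maildir_vulnerable(PAYLOAD).strip())
    print("argv      :", list_maildir_argv(PAYLOAD).strip())
    print("quoted    :", list_maildir_quoted(PAYLOAD).strip())
    print("allowed?  :", is_safe_maildir_name(PAYLOAD), is_safe_maildir_name("Maildir"))
```

Only the first function prints the marker on its own line; the other two hand ls a single odd-looking name, which simply does not exist, and the allow-list rejects it before anything runs.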
CN and requested name
disagree.
The CN is supposed to be ignored in the presence of SANs. Looks like
I need to update wget
https://bugzilla.redhat.com/show_bug.cgi?id=903756
Thanks for setting me straight.
Joseph Tam
t.org' doesn't match
requested host name `dovecot.org'.
and indeed, the certificate CN and download URL are mismatched. The nice thing
about Let's Encrypt is that it's easy to (re)generate the certificate with SANs
to get rid of this mismatch.
Browser didn't complain though.
Joseph Tam
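The rule the two posts above land on (the CN is ignored once a certificate carries dNSName SANs, which is why the browser accepted what the old wget rejected) as an added example, not code from the posts, from wget or from Dovecot. The certificates are in the dict shape Python's ssl.getpeercert() returns; their contents are constructed for this demonstration (the dovecot.org names come from the post, the example.com ones are made up), and the wildcard handling follows the usual RFC 6125 restrictions.

```python
# Certificates in the dict shape ssl.getpeercert() returns; contents are constructed.
SAN_CERT = {                                   # like the post's Let's Encrypt cert with SANs
    "subject": ((("commonName", "www.dovecot.org"),),),
    "subjectAltName": (("DNS", "www.dovecot.org"), ("DNS", "dovecot.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "dovecot.org"),),)}   # legacy cert, no SANs
MISLEADING_CN_CERT = {                         # CN names the host but the SAN list does not
    "subject": ((("commonName", "dovecot.org"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
WILDCARD_CERT = {"subject": (), "subjectAltName": (("DNS", "*.example.com"),)}


def _dns_match(pattern, hostname):
    """Case-insensitive comparison; one wildcard only, and only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False                           # no '*.com', no partial labels, no multi-label spans
    return plabels[1:] == hlabels[1:]


def cn_only_match(cert, hostname):
    """The legacy behaviour the old wget in the post showed: look at the CN and nothing else."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)


def hostname_matches(cert, hostname):
    """Current rule: if the cert carries any dNSName SAN, the CN is ignored entirely."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return any(_dns_match(s, hostname) for s in sans)
    return cn_only_match(cert, hostname)       # CN is only a fallback for SAN-less certs


if __name__ == "__main__":
    for name, cert in [("SAN", SAN_CERT), ("CN-only", CN_ONLY_CERT), ("misleading CN", MISLEADING_CN_CERT)]:
        print(name, "dovecot.org: modern", hostname_matches(cert, "dovecot.org"),
              "/ CN-only", cn_only_match(cert, "dovecot.org"))
```

The third certificate is the security-relevant direction: a CN that names the host is not enough once SANs are present, so a checker that still falls back to the CN in that case accepts a name the issuer never validated.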
awte, etc.) supplied by OpenSSL, and the second,
etc. are chained certificate lookups. You would replace the missing
cert with your own self-signed public pem file. e.g.
cp mypub.pem /etc/openssl/certs/cbf06781.0
For Windows, I don't know where it fetches it from.
Joseph Tam
tore) that asserts its own validity is suspect. You can either
get alpine to not complain e.g.
inbox-path={192.168.100.2:143/user=whatever/tls/novalidate-cert}
or add the public part of the cert into your system's trusted CA store.
Joseph Tam
w as I can
type faster than they can click buttons, scroll, and drag windows around.
However, it sort of sucks when you read formatted HTML mail with lots of
graphics).
Joseph Tam
searches.
2) Is there a client-side fix (e.g. connection limiting)?
Apple appears to be intransigent on addressing this.
3) Will maintaining search indices (e.g. solr) help with this?
Maybe the searches are taking too long and the connections pile
up waiting for previous searches to finish.
Thanks,
Joseph Tam
Or just force it somewhere by setting the *log_path configuration
values. Also your mail server's log when trying to deliver.
Joseph Tam
mand, I look at the log file which seems
to have more details. Try looking there for more diagnostics. Also,
look at your MTA's logs as well.
Joseph Tam
users cannot
arbitrarily write into this directory, you can "chmod 1777 /var/mail/" and
let dovecot auto-create it (might also want to set "lda_mailbox_autocreate
= yes").
Joseph Tam
client). If you get an error or failure, look inward: check logs and config.
Joseph Tam
the server process.
Joseph Tam
IMAP folders. So, for example, user "X" is
sitting idle in their INBOX.
Rebuilding caches? Do you get the same delay when going back to the folder
after the initial delay?
Joseph Tam
v4, I also turned on
both r/w delegation as well. The exported filesystem exhibited weird
locking or slow write operations on NFS clients (e.g. "touch newfile"
would take a second to complete). This went away when I turned off
write delegation.
Joseph Tam
rning off write delegation seemed
to have solved the problem. I still don't know why, though.
Joseph Tam