ed by:
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem
-keyout /etc/ssl/private/dovecot.pem
Are you using this as a server certificate or as a client certificate? Please
output your dovecot's configuration, esp. your SSL setup.
doveconf -n | grep ssl
Joseph Tam
b' \
configure ...
Based on your mail I've tried CFLAGS/LDFLAGS again, and
now Dovecot didn't even compile any longer.
I don't use the same OS as you, but what errors did you get?
Joseph Tam
lf-compiled openssl, and the resulting executables load from where I
want.
Joseph Tam
affect where shared libraries are loaded using the
LD_LIBRARY_PATH environment variable. Try adding
LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH
to your service boot scripts.
Joseph Tam
files
based on their mtime.
The downside is that the Dovecot caches will be out of date. Perhaps
follow this up with a "doveadm index ..." operation.
Joseph Tam
label, but as a last resort, you can patch at src/lmtp/commands.c in
client_get_added_headers().
Joseph Tam
ted by
your MTA, not dovecot.
Joseph Tam
://wiki.dovecot.org/AuthDatabase/CheckPassword
I think there is also some PAM module that you can stack into your
system that will enforce password policies.
Joseph Tam
/var/log/mail.log [2].
Don't know what this is about -- probably your Mac bailing out on
authentication.
Joseph Tam
Aki Tuomi wrote:
On 14.07.2016 21:26, Joseph Tam wrote:
I received a bunch of these log messages at a rate of a few thousand
per hour for one of my users -- she may have max'd out her quota. The
directory is a NFS directory containing mbox formatted INBOX's.
Other than allev
ed to take?
Joseph Tam
.hTue Jul 12 11:52:00 2016
@@ -80,1 +80,1 @@
- unsigned char [STATIC_ARRAY SHA1_RESULTLEN]);
+ unsigned char dummy[STATIC_ARRAY SHA1_RESULTLEN]);
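Review bot: the parameter name `dummy` added on line 80 gives no hint of what the array carries; since the bound is SHA1_RESULTLEN, a name such as `result` or `digest` would document the prototype. If the name exists only to satisfy a compiler that rejects an unnamed `[STATIC_ARRAY ...]` parameter, a one-line comment saying so would keep a later cleanup from removing it.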
Joseph Tam
. I'd
expect the same to happen for you also.
No, it will fail with both "int" and "unsigned char" without the dummy
argument "X", and works for both if one is inserted. I don't know why --
perhaps a bug with my version of gcc.
Joseph Tam
,81), it will fail.
I've reduced the problem to this:
void foo(int X[static 20]);
will compile but if you remove "X", it won't.
Joseph Tam
t; keyword from config.h allowed it to finish the compile.
Joseph Tam
er's INBOX (possibly digesting them into one message).
Joseph Tam
ate CA chain certificates and
your public key into ssl_cert.
See
http://wiki2.dovecot.org/SSL/DovecotConfiguration
Also, anything enlightening in the logs when ssl_verbose is turned on?
Joseph Tam
mes, as temp key generation of this length
can result in a lot of candidate primality testing.
Joseph Tam
S +OK
S PLAIN
S .
C AUTH PLAIN
S +
C
I dimly remember some Windows clients preferring either "LOGIN" or "PLAIN"
style mechanism. Have you tried allowing "LOGIN" style authentication?
auth_mechanisms = plain login
Joseph Tam
ings.
OK, thanks. I will comment these settings out since they're not useful.
Joseph Tam
lookups always results in file read
operation?
Joseph Tam
software do not
keep persistent IMAP connections open during a session unless they use
some IMAP proxy.
Are your IMAP connections connected to the webmail server or an IMAP proxy,
and is that connection active (despite webmail user disappearing)?
Joseph Tam
://wiki.dovecot.org/Timeouts
It's set to the RFC minimum of 30min. You'll have to recompile Dovecot
to lower this to a non-RFC compliant value. I'm not sure how this
will affect clients, but 30min seems to be overly generous.
Joseph Tam
thinking this ought to be
protocols = imap pop3 sieve
Joseph Tam
openssl dhparam -noout 2048
to see how it varies for you. If what I suspect is true, you can try
using shorter keys. A followup post suggests a way you can precompute
the key
Joseph Tam
if needed).
It seems like a mailbox index issue. Removing, then recreating the
indices gets rid of the crash. I saved these indices if it will help.
Joseph Tam
3, size=36928
If I read this right, the client never tried to download any messages (no
top, no retr). Maybe the client downloaded the UIDLs and figured it
already had local copies of those messages.
Joseph Tam
les would be a good start. Maybe start with something like
log_path = /path/to/logfile
auth_verbose = yes
auth_debug = yes
mail_debug = yes
verbose_ssl = yes
Joseph Tam
be used in improving
the performance of clients or servers.
Joseph Tam
send such info.
As a result, dovecot does not have that info.
I regularly get such info in my logs e.g.
Feb 1 14:10:45 server dovecot: imap(user): ID sent: name=iPhone Mail,
version=12F70,
os=iOS, os-version=8.3 (12F70)
Only for IMAP (ID extension?).
Joseph Tam
mote block for webmail, but without success yet.
If you can get that working, that would be the better method. Running 2
different instances with 2 different config files might come in handy for
cases where you have very different policies between localhost/remote
networks.
Joseph Tam
rom 127.0.0.1, ::1)?
I don't know if there is another method, but at the very least, you
can start another dovecot instance with another config file that does
specific things for 127.0.0.1.
Joseph Tam
of
those mailboxes exist.
Got it.
Thanks, Timo.
Joseph Tam
ng different mailboxes to store deleted mail
if I keep the special_use lines?
2) I also expunge old mail in INBOX marked as deleted -- is
there any way to handle this case? Create virtual mailbox?
Joseph Tam
will get wiped out!)
Joseph Tam
2048". I can contribute
a patch to do this (read file, convert it into ssl-parameters.dat, then
set/behave like ssl_parameters_regenerate=0), but I couldn't figure
out the best place to do this. ssl_params_if_unchanged()?
Joseph Tam
u could use the service provided by ssllabs.com to scan your host.
I second this recommendation, if you can work out the port issue. Maybe using
a ncat | ncat pipe.
Joseph Tam
ave support for this (but Solaris11 does have File
Event Notification). Pity.
Joseph Tam
ximal memory conservation, or would that
break the security model dovecot uses?
Anyways, thanks for clearing up my confusion.
Joseph Tam
t's supposed to work?
Joseph Tam
it won't kill me...
Ah. Yes, you can use -A and iterate through users, subject to any constraints
such as first_valid_uid, last_valid_uid, etc.
Joseph Tam
yes, definitely. If you
mean to sequentially go through it and do a first/last/best match,
probably not.
Joseph Tam
irectly.
http://wiki2.dovecot.org/MailLocation
Joseph Tam
make it listen on
0.0.0.0:143 and [::]:143 causing the service being available to
the public which it should not. - IMHO this is a security issue.
I don't know much about systemd, but you'll probably need dovecot
configuration
listen = 127.0.0.1
Joseph Tam
ds in the wiki sentence is "index
files", not "indexing". Dovecot is still indexing, except that it builds
it from scratch each and every time a worker process accesses a mailbox,
so incurs a fixed overhead that cannot be used for the next session.
Joseph Tam
r security reasons.
Joseph Tam
mostly harmless.
Joseph Tam
the latest service patch to handle SSLv3 disabled
sites. Try checking to make sure your Postfix SSL security settings and
your WinXP SSL capabilities are compatible.
Joseph Tam
Timo Sirainen wrote:
So all in all, you can now add to imap_logout_format:
...
Any thoughts on what else would be useful?
Maybe quota stats like number of quota errors, or quota usage? Bytes
used by Email marked \Deleted?
Joseph Tam
hentication part. This will at least tell you whether
it's a client side or server side issue. (However, since it is working
with other client, it's probably a client side issue.)
Joseph Tam
so
maybe an update will solve this.
Joseph Tam
the cache upon delivery,
but someone more knowledgeable than I would have to help you with that.
The drawback of getting things in digest form -- you look like a boob
when answering late. I defer to Steffen's superior knowledge.
Joseph Tam
chnical solution to a human
problem (someone did an oops).
Joseph Tam
the header pops out.
Another option is to add another flag/formatter that will squelch headers.
I'm cool with whatever you implement.
Joseph Tam
headers[i].title);
@@ -162,3 +162,3 @@
}
- fprintf(stderr, "\n");
+ printf("\n");
}
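Review bot: the newline on the changed line (163 in this hunk) now goes to stdout, so confirm that the header titles printed just above it (the `headers[i].title` call) are written to stdout as well. If any part of that row still goes to stderr, the terminator lands on a different stream and, with stdout buffered, can appear out of order. The commit message should also say whether anything consuming stderr depended on the old behaviour.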
Joseph Tam
Jaime Ventura writes:
Is there an easy way to get how many connections are being handled at a
moment?
This works:
doveadm who -1 2>/dev/null | wc -l
If you only want to count IMAP connections (not POP3),
doveadm who -1 2>/dev/null | grep -Fc imap
Joseph Tam
zing, or dealing with
the odd crash that left indices in an unfixable state (which is more a
bug than an unsync problem).
Joseph Tam
ox
file ...
Error: read({file}) failed: Cached message size larger than expected ...
Joseph Tam
"
Only after all these steps are found to be unsatisfactory would I consider
writing your own scan and fix tool.
Joseph Tam
ill stay sync'd.
If you really have to do manual resyncing, comparing index/mailbox mtimes
might be one way to do it.
Joseph Tam
ow away the
mail2/mail3 folder and then do a symbolic link to the mail folder:
ln -s mail mail2
Again, namespace aliases might help: you can configure as many as
you like. It's a kludge though -- the behaviour you report is really
bizarre.
Joseph Tam
"David.M.Clark" writes:
I do have some customers using Outlook or Windows Live Mail, and these
are for the most part working fine with IMAP - I don't do POP.
...
The issue starts when you add an IMAP user to the Outlook client and
upon opening it, initially, it tries to find a "Sent" Items fold
erful methods you want to determine IMAP/POP/SMTP
network access policy, including DNSRBL or parsing a text file.
This thread seems to be spinning into non-dovecot subjects, and I'm not
helping, so I'll stop.
Joseph Tam
s which method you want to use. All I'm saying is
that using dovecot's allow_net facility is as difficult, if not
more so, than letting your firewall handle it.
Joseph Tam
ct dovecot will handle a comma separated string with 45K+ entries
any better. If you want to turn your global blacklist into a per-user
whitelist, that would be perfectly doable though.
Joseph Tam
, modify the
snippets that differ, then include this alternate set of configurations
!include conf-2.d/*
Thanks for your suggestion.
You're welcome.
Joseph Tam
iles, specifying different
ports/addresses/ssl-configs/auth/access parameters. Then you can fire
them both up
dovecot -c /dovecot/etc/dovecot-1.conf
dovecot -c /dovecot/etc/dovecot-2.conf
That's the rough sketch of how to do it.
Joseph Tam
oying re-login requests.
It would be nice if this problem of mobile WiFi mail readers
acquiring (and abandoning) new IPs could be handled in a more
gracious way (reaping on an expedited schedule or LRU basis),
but unless you really have to and know what you are doing,
I would suggest not modifying timeouts.
Joseph Tam
{
idle_kill = 600
}
Joseph Tam
till cause your DNS resolver to go on wild goose chases. In either case,
it's probably not Dovecot related.
If you want to triage it, just enter static entries into your proxy's
/etc/hosts file. Or use bare IPs in your configurations.
Joseph Tam
me bum delegation or unsync'd data
you can report, but it will probably not be worth your time to chase
this to ground unless it's causing your client to get hung.
Joseph Tam
some sort of filesystem metadata performance problem.
Joseph Tam
use is process tracing.
Connect via IMAP, in another window/session process trace the IMAP worker
process (Linux: strace -r -otrace.dump {pid}), initiate the search and
quit. Then you can look through the trace and see whether it gets hung on
a particular operation.
Joseph Tam
re strategy
would be more appropriate. You can even copy the input message that
caused dspam to crash to an inspection queue for later perusal.
Joseph Tam
d, the LDA returns exit code 75, and the MTA will probably
issue a bounce Email to the sender.
If you really don't want the recipient to lose Email, you should
buffer the input into a file, run dspam on it, and if the output
is not-null, pipe it to dovecot-lda, otherwise pipe the original
input.
Joseph Tam
but you can also
pass stderr to stdout as well, and the recipient will get some diagnostic
message, which may or may not be helpful.
| /usr/bin/dspam --client --deliver=stdout --user "$EXT@$USER" 2>&1 |
...
Joseph Tam
From: Laeeth Isharc
In case you were not aware, I wanted to let you know that dovecot.org
has been very slow (often almost unusable) for at least several days now.
Not for me as of the writing of this Email. Seems OK to me. Check your
browser, network, etc.
Joseph Tam
A:EXP-EDH-DSS-DES-CBC-SHA:DES-CBC3-SHA:EXP-DES-CBC-SHA:IDEA-CBC-SHA:EXP-RC2-CBC-MD5:RC4-SHA:RC4-MD5:EXP-RC4-MD5
Joseph Tam
u would use challenge-response in situations where the communication
channel is insecure (i.e. non-SSL). However, the drawback is the password
database contains enough information for someone to authenticate if it
should fall into the wrong hands.
Joseph Tam
ch side of
the fence you should be looking at.
(Also, ask yourself the obvious question: did you change anything before
dovecot performance went down the tubes? New hardware? Patches?)
Joseph Tam
*and* deltas in the transaction log.
I suspect that you could remove the transaction logs (if you do not use
dbox) and dovecot should rebuild them (or more likely, rebuild the indices).
Joseph Tam
from a delivery problem into a reading (or
presentation) problem.
Seems sort of klunky though. In my opinion, your energy is better
invested in converting your POP3 holdouts to IMAP.
Joseph Tam
nutes, it is empty
also.
Would you please help me to solve this issue?
Another POP3 client accessing the same account but not configured
to keep message on server? Check logs to rule that out.
Joseph Tam
Jerry writes:
Personally, I am not a fan of this multiple file configuration scenario.
Then don't use it. Concatenate all the included files together and
throw out the settings you don't need. My (single) config file is
~340 lines, 2/3 of which are comments.
Joseph Tam
everything else is an +OK no-op. I patched Qualcomm's
qpopper to do this.
As to whether the OP *should* do this, definitely not. Find a better
solution.
Joseph Tam
t makes it infeasible
for reasonable strength passwords. It's simpler to implement, robust,
and fault tolerant (e.g. a user cannot accidentally lock themselves
out requiring administrative intervention to restore immediate access,
or repeated failures from a NAT'd network does not DoS everything
ation:
http://www.depesz.com/2012/06/10/why-is-upsert-so-complicated/
Joseph Tam
e, if that is the reason for the problem.
Which OS, *roff are you using? Maybe I'm able to reproduce the problem. :-)
It's Solaris10 nroff, and GNU groff 1.19.1. Ancient stuff so I wouldn't
spend too much time looking at it. It's weird that two independent
software implementations would do the same thing.
Joseph Tam
with my nroff, not dovecot's man pages. (Hmm, it
happens with groff too -- it appears to be some sort of line length bug.)
Also http://wiki2.dovecot.org/Tools/Doveadm/Move#section_example
shows the correct example.
Yes, this makes much more sense.
Joseph Tam
01 SINCE 01-Sep-2011
[Is this a typo: "2011-10-01" should be "INBOX"?]
The example is fairly close to what you want. Apart from the obvious change
to user and mailbox name, the condition would be "savedbefore ${NN}d". You
might have to follow this up with an expunge if this operation does not
do that.
Joseph Tam
f exploit, where the
exploiter already has an account but can arbitrarily change their
password. It's not as serious as the pre-login one, but worth addressing
if the narrow circumstances of using post-login bash scripts apply.
Joseph Tam
n what you want? Unless Postfix PCRE automatically right-anchors
these regexps, aren't you rejecting mail from some...@mail.twinpeaks.org,
or even twitter notifications (from *@bounce.twitter.com).
Joseph Tam
would be systems using the Pigeonhole
extprograms plugin with shell scripts.
Although I don't use it, it's plausible the checkpassword hook is also
vulnerable
via the MASTER_USER environment variable:
http://wiki2.dovecot.org/AuthDatabase/CheckPassword
Joseph Tam
particular attempt (assuming
it can work), but other values such as mailbox names could also be injected
post authentication.
Can someone with working knowledge of dovecot's internals confirm/deny whether
this is something that needs to be addressed?
Joseph Tam
ew auth cache entries, you can just
authenticate with a bad password. When a different (and possibly correct
password) is supplied, there will be a cache miss and the new credentials
will be cached.
echo "1 login someuser badpassword\n2 logout" | netcat --ssl
your-imap-server:993
Joseph Tam
"master_user=muser" where "muser" is the master user as defined in your
master password file?
Joseph Tam
On Tue, 9 Sep 2014, dovecot-requ...@dovecot.org wrote:
vsz_limit = 18446744073709551615 B
}
Still the same value? why not 265MB?
I guess this is Dovecot's approximation of infinity. It's the largest value
that fits into a 64-bit signed integer (2^64-1).
Joseph Tam
or less randomly distributed over that
interval. Does this happen at the top of each minute?
If what you observe is true, the only situation I can think of that
would cause this is a bunch of POP3 fetch clients running as a cron job
synchronized to a minute grid (i.e seconds=0).
Joseph Tam
-mobile-net-operator=Koodo, AGUID=...: user=<>,
rip={client-ip}, lip={server-ip}, TLS,
session=
If you want this info, upgrade, as a later poster suggests.
Joseph Tam
iple files, and
less forgetting some configuration squirreled away in some conf.d file.
Joseph Tam