Hello,

I'm setting up a dovecot-2.0.beta6 install and I'm experiencing the
following issues/questions :

1. Converting the config file

# /usr/local/dovecot-2/bin/doveconf -n -c /usr/local/dovecot-1.2.12/etc/dovecot.conf :

[...]
doveconf: Fatal: Error in configuration file /usr/local/dovecot-1.2.12/etc/dovecot.conf line 176: Unknown setting: process_limit

but

# grep -i process_limit /usr/local/dovecot-1.2.12/etc/dovecot.conf
#

Well, it doesn't bother me much since I made the dovecot-2 conf from scratch anyway.

2. Changing the process limit

In 10-master.conf, I changed 'service imap''s 'process_limit' from 1024 to 4096 which caused :

Warning: service auth { client_limit=4096 } is lower than required under max. load (5320)

Where does the 5320 come from ?

3. The = <file syntax

Is there anything to know about this new syntax other than files are introduced by "<" ?

4. The "filter" hierarchy

My understanding is that protocol, remote, local must be specified in the following order

protocol name {
  remote <ip|name> {
    local <ip|name> {

and that for a match in several blocks, the more specific wins.

but it's not clear to me where they are valid and if we can negate (with a ! for instance) an argument.

For instance, I want to implement the typical case of "let clients from the
inside network perform a plain auth over a clear connection, require SSL before
auth for the outside network clients".

For that, I want to put

remote <internal network address> {
  disable_plaintext_auth = no
}

in 10-auth.conf

and let the 'disable_plaintext_auth = yes' in dovecot.conf

But :

. why is this default not in 10-auth.conf file ?

. would I have been allowed to do, for instance, in that file at the same line

protocol imap {
  remote <internal network address> {
    disable_plaintext_auth = no
  }

?

. would I have been allowed to do, for instance, in that file at the same line

protocol ! imap ...

or
remote ! <some address>

?

Besides, if I set ssl=required, do I still need disable_plaintext_auth = yes ?

4. auth unix listener

Default is the unix socket 'auth-userdb'. Which processes communicate
through this one ? Does that mean the auth process is not the
process which performs the actual passdb/userdb lookup ? In that case what is
the 'userdb process' ?

Same question : what is the auth-client socket used for ?

Finally, would it make sense to declare other auth listeners than the two
listed by default in the 10-master.conf file ?

--
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau
On Wed, 2010-06-23 at 16:54 +0200, Thomas Hummel wrote:
> Hello,
>
> I'm setting up a dovecot-2.0.beta6 install and I'm experiencing the
> following issues/questions :
>
> 1. Converting the config file
>
> # /usr/local/dovecot-2/bin/doveconf -n -c /usr/local/dovecot-1.2.12/etc/dovecot.conf :
>
> [...]
> doveconf: Fatal: Error in configuration file /usr/local/dovecot-1.2.12/etc/dovecot.conf line 176: Unknown setting: process_limit

This was caused by the old settings translator. What was in line 176?
Did you have managesieve installed for v1.2?

> 2. Changing the process limit
>
> In 10-master.conf, I changed 'service imap''s 'process_limit' from 1024 to 4096 which caused :
>
> Warning: service auth { client_limit=4096 } is lower than required under max. load (5320)
>
> Where does the 5320 come from ?

imap process_limit + pop3 process_limit + whatever other protocols you
have enabled and + their process_limit.

> 3. The = <file syntax
>
> Is there anything to know about this new syntax other than files are introduced by "<" ?

Nope. Well, if you don't want to use files, you can also do:

ssl_cert = ----- BEGIN CERTIFICATE ----- \
line2 \
line3 \
etc.

> 4. The "filter" hierarchy
>
> My understanding is that protocol, remote, local must be specified in the following order
>
> protocol name {
>   remote <ip|name> {
>     local <ip|name> {

I think remote is under local, but you'll anyway get an error message if
you try the wrong order.

> and that for a match in several blocks, the more specific wins.

Yeah.

> but it's not clear to me where they are valid

Almost everywhere, except where they don't make sense anyway. Currently
auth settings don't support local/remote blocks, but that should get
fixed some day.

> and if we can negate (with a ! for instance) an argument.

protocol !imap { } works. But local/remote doesn't support it.

> For instance, I want to implement the typical case of "let clients from the
> inside network perform a plain auth over a clear connection, require SSL before
> auth for the outside network clients".
>
> For that, I want to put
>
> remote <internal network address> {
>   disable_plaintext_auth = no
> }
>
> in 10-auth.conf
>
> and let the 'disable_plaintext_auth = yes' in dovecot.conf

That should work.

> But :
>
> . why is this default not in 10-auth.conf file ?

You mean why isn't there an example remote {} block there? Disabling
plaintext auth even for internal network isn't such a great idea..

> . would I have been allowed to do, for instance, in that file at the same line
>
> protocol imap {
>   remote <internal network address> {
>     disable_plaintext_auth = no
>   }
>
> ?

Yes.

> . would I have been allowed to do, for instance, in that file at the same line
>
> protocol ! imap ...

yes.

> or
> remote ! <some address>

no.

> Besides, if I set ssl=required, do I still need disable_plaintext_auth = yes ?

If you only use plaintext authentication mechanisms (which people
usually do), the ssl=required and disable_plaintext_auth=yes are
equivalent. The difference comes only if you use e.g. CRAM-MD5 etc.

> 4. auth unix listener
>
> Default is the unix socket 'auth-userdb'. Which processes communicate
> through this one ?

1) dovecot-lda
2) imap, when using shared mailboxes and referring to other users' mails
   via their home directory
3) doveadm user
.. maybe others..

> Does that mean the auth process is not the
> process which performs the actual passdb/userdb lookup ?

No. It's a "userdb client" socket.

> Same question : what is the auth-client socket used for ?

For authentication ("is this user+pass correct?"), usually used by MTAs
for SMTP AUTH.

> Finally, would it make sense to declare other auth listeners than the two
> listed by default in the 10-master.conf file ?

The defaults also have one example auth(-client) socket commented out
for Postfix. You can create more of them if you want, but unless
something actually uses them they're a bit pointless.
On Mon, 2010-06-28 at 19:04 +0200, Thomas Hummel wrote:
> On Fri, Jun 25, 2010 at 09:06:53PM +0100, Timo Sirainen wrote:
>
> > That alone doesn't break it with my tests. Could you send me the entire
> > config file so I could get this fixed?
>
> Here it is (I anonymised some path and addresses) in attachment

doveconf -n -c dovecot.conf > /dev/null gives only some warnings with
me. No errors..:

doveconf: Warning: Obsolete setting in dovecot.conf:176: login_max_processes_count has been replaced by service { process_limit }

> > default_client_limit: This is mainly for non-imap/pop3 processes, since
> > they have overridden it. 1 client = 1 connection, usually from another
> > Dovecot process.
>
> You mean connections between internal dovecot processes other than
> login/auth/imap or pop3 processes ?

Look at "doveconf -a service" output. For each service

1) that has service_count=1, the client limits have no effect. Only a
   single client is ever served.
2) that has client_limit != 0, that limit is used
3) otherwise, default_client_limit is used
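Added example, not part of the thread and not Dovecot code: a small Python check that applies the three client-limit rules listed in the reply above, and the "sum of the protocol process_limits" description given earlier in the thread for the auth client_limit warning. The sample text, its values, the function names and the choice of imap and pop3 as the enabled protocols are assumptions made for illustration; the sample does not reproduce the 5320 figure from the thread.

```python
# Constructed sample in the style of `doveconf -a service` output (illustrative values).
SAMPLE = """default_client_limit = 1000
service imap {
  process_limit = 4096
  service_count = 1
}
service pop3 {
  process_limit = 1024
  service_count = 1
}
service auth {
  client_limit = 4096
}
service anvil {
  client_limit = 0
}
"""

def parse(text):
    """Return (default_client_limit, {service: {setting: int}})."""
    default, services, stack = 0, {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):
            stack.append(line[:-1].split())      # e.g. ["service", "imap"]
            if len(stack) == 1 and stack[0][0] == "service":
                services[stack[0][1]] = {}
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value.isdigit() and not stack and key == "default_client_limit":
                default = int(value)
            elif value.isdigit() and len(stack) == 1 and stack[0][0] == "service":
                services[stack[0][1]][key] = int(value)  # nested listener blocks are skipped
    return default, services

def effective_client_limit(svc, default):
    """Apply the three rules from the reply to one service's settings."""
    if svc.get("service_count") == 1:
        return 1                                 # rule 1: a single client is served
    return svc.get("client_limit") or default    # rule 2, else rule 3

def auth_client_check(text, protocols=("imap", "pop3")):
    """Return (required, configured) client_limit for the auth service."""
    default, services = parse(text)
    required = sum(services[p].get("process_limit", 0) for p in protocols)
    return required, effective_client_limit(services["auth"], default)
```

With the constructed sample, `auth_client_check(SAMPLE)` returns `(5120, 4096)`, the same shape of shortfall that the warning in the thread reports.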
On Mon, Jul 05, 2010 at 12:10:42PM +0100, Timo Sirainen wrote:
> > cd /usr/local/dovecot-2/bin
> > ./doveconf -c -n /usr/local/dovecot/etc/dovecot.conf
>
> That should have worked. What if you try this:
> http://dovecot.org/list/dovecot/2010-July/050305.html

Same error :

# cat test.conf
mail_drop_priv_before_exec = yes
ssl = no
# ./doveconf -c test.conf > /dev/null
doveconf: Warning: Obsolete setting in test.conf:1: mail_drop_priv_before_exec has been replaced by service { drop_priv_before_exec }
doveconf: Fatal: Error in configuration file test.conf line 1: Unknown setting: drop_priv_before_exec

--
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau
On Mon, 2010-07-05 at 14:22 +0200, Thomas Hummel wrote:
> # ./doveconf -c test.conf > /dev/null
> doveconf: Warning: Obsolete setting in test.conf:1:
> mail_drop_priv_before_exec has been replaced by service { drop_priv_before_exec }
> doveconf: Fatal: Error in configuration file test.conf line 1: Unknown setting: drop_priv_before_exec

Ah, got it: http://hg.dovecot.org/dovecot-2.0/rev/8f6703ce6528