David Mehler
2017-Apr-14 00:04 UTC
several misc questions, public folders and sharing, quota, ssl
Hello,
I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to
optimize how the system is running and have a few misc questions.
First ssl, is my cipher list good? I'm trying for pfs and wanting to
ensure this cipher list is appropriate:
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Next, a new feature that I'm trying for is virtual folders that store
All messages. My understanding of this is that it stores a version of
every received message in one place? I've got the virtual plugin
loaded and have:
mailbox virtual/All {
comment = All my messages
special_use = \All
}
I've got a directory /home/vmail/example.com/username/virtual under
which is an ALL folder; both directories are accessible to the vmail
user, yet there are no contents in this folder and it's showing up
nowhere.
Next, quota warnings are not being sent at all. I set up a testuser
with a quota of 2 mb, then sent a message to that user getting the box
to 95% full, and no message. Took the user overquota with the next
message, still nothing, and a third message did trigger my custom
quota exceeded message and the message was bounced.
I'm wanting to implement public folders. My mailboxes are all
virtual, and they are stored under /home/vmail/example.com/username
and /home/vmail/example.org/username in the maildir format. I've got
one user, uid and gid 999, named vmail, who owns all the mailboxes.
I've separated out public folders storing them under
/home/vmail/public. I've created one mailbox called TestFolder and
new, cur, and tmp directories under it. This is what it looks like:
ls -la /home/vmail/public
total 24
drwx------ 4 vmail vmail 512 Apr 13 18:23 ./
drwx------ 8 vmail vmail 512 Mar 15 10:34 ../
drwxr-xr-x 5 vmail vmail 512 Apr 13 18:16 TestFolder/
drwxr-xr-x 5 vmail vmail 512 Apr 13 18:25 TestFolder1/
-rw------- 1 vmail vmail 8 Apr 13 18:15 dovecot-uidvalidity
-r--r--r-- 1 vmail vmail 0 Apr 13 18:15 dovecot-uidvalidity.58eff89a
-rw------- 1 vmail vmail 688 Apr 13 18:24 dovecot.list.index.log
ls -la /home/vmail/public/TestFolder
total 28
drwxr-xr-x 5 vmail vmail 512 Apr 13 18:16 ./
drwx------ 4 vmail vmail 512 Apr 13 18:23 ../
drwxr-xr-x 2 vmail vmail 512 Apr 13 18:13 cur/
-rw-r--r-- 1 vmail vmail 51 Apr 13 18:16 dovecot-uidlist
-rw-r--r-- 1 vmail vmail 304 Apr 13 18:16 dovecot.index.log
drwxr-xr-x 2 vmail vmail 512 Apr 13 18:13 new/
drwxr-xr-x 2 vmail vmail 512 Apr 13 18:13 tmp/
ls -la /home/vmail/public/TestFolder1
total 20
drwxr-xr-x 5 vmail vmail 512 Apr 13 18:25 ./
drwx------ 4 vmail vmail 512 Apr 13 18:23 ../
drwxr-xr-x 2 vmail vmail 512 Apr 13 18:25 cur/
drwxr-xr-x 2 vmail vmail 512 Apr 13 18:25 new/
drwxr-xr-x 2 vmail vmail 512 Apr 13 18:25 tmp/
The public/TestFolder is showing up fine and I can switch to it. The
public/TestFolder1 is not showing up at all so I'm not seeing it and
can't switch to it. Any ideas?
My second question involves public folders and domain sharing. Are
public folders accessible to all users and all domains? I've got two
domains, example.com and example.org. I'd like to create a folder that
some users in example.com can share with some users in example.org;
not necessarily all users in those domains should be able to see the
folders.
Ideas welcome.
Thanks.
Dave.
doveconf -n
# 2.2.29 (13ebc01): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: FreeBSD 10.3-RELEASE-p11 amd64 ufs
auth_cache_size = 8 k
auth_default_realm = example.com
auth_mechanisms = plain login cram-md5
auth_realms = example.com example.org
auth_socket_path = /var/run/dovecot/auth-userdb
dict {
sqlquota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
first_valid_gid = 999
first_valid_uid = 999
hostname = mail.example.com
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 999
last_valid_uid = 999
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 127.0.0.1 xxx.xxx.xxx.xxx
mail_fsync = never
mail_gid = vmail
mail_home = /home/vmail/%d/%n/home
mail_location = maildir:/home/vmail/%d/%n:LAYOUT=fs
mail_plugins = acl mail_log notify quota trash virtual welcome zlib
mail_server_admin = mailto:postmaster at example.com
mail_uid = vmail
mailbox_list_index = yes
maildir_broken_filename_sizes = yes
maildir_empty_new = yes
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
hidden = no
list = yes
location = maildir:/home/vmail/public/:LAYOUT=fs:CONTROL=/home/vmail/public/:INDEX=/home/vmail/public/
prefix = public/
separator = /
subscriptions = yes
type = public
}
namespace inbox {
hidden = no
inbox = yes
list = yes
location =
mailbox "Deleted Messages" {
auto = no
autoexpunge = 30 days
special_use = \Trash
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
autoexpunge = 30 days
special_use = \Junk
}
mailbox "Junk E-mail" {
auto = no
autoexpunge = 30 days
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Items" {
auto = no
special_use = \Sent
}
mailbox "Sent Messages" {
auto = no
special_use = \Sent
}
mailbox Spam {
auto = no
autoexpunge = 30 days
special_use = \Junk
}
mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
}
mailbox virtual/All {
comment = All my messages
special_use = \All
}
prefix =
separator = /
subscriptions = yes
type = private
}
passdb {
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Spam
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_name = *
last_login_dict = redis:host=127.0.0.1:port=6379
last_login_key = last-login/%u
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size
quota = dict:User quota::proxy::sqlquota
quota2 = maildir:Shared quota:ns=public/
quota_exceeded_message = Storage quota for this account has been exceeded, please try again later.
quota_grace = 10%%
quota_status_nouser = DUNNO
quota_status_overquota = 552 5.2.2 Mailbox is full
quota_status_success = DUNNO
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
quota_warning5 = storage=75%% quota-warning 75 %u
sieve = /home/vmail/%d/%n/sieve/scripts;active=/home/vmail/%d/%n/sieve/.dovecot.sieve
sieve_before = /usr/local/etc/dovecot/sieve/dovecot.sieve
sieve_default = /usr/local/etc/dovecot/sieve/dovecot.sieve
sieve_dir = /usr/local/etc/dovecot/sieve
sieve_extensions = +notify +imapflags
sieve_global_dir = /usr/local/etc/dovecot/sieve/
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
sieve_max_redirects = 30
sieve_max_script_size = 1M
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_user_log = /home/vmail/%d/%n/sieve/sieve_error.log
trash = /usr/local/etc/dovecot/dovecot-trash.conf.ext
welcome_script = welcome %u
welcome_wait = yes
}
postmaster_address = postmaster at example.com
protocols = imap sieve
sendmail_path = /usr/local/sbin/sendmail
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service dict {
unix_listener dict {
group = vmail
mode = 0660
user = vmail
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
service_count = 1
}
service imap {
client_limit = 1
}
service lmtp {
unix_listener dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
address = 127.0.0.1
port = 4190
}
process_min_avail = 0
service_count = 1
vsz_limit = 64 M
}
service quota-status {
client_limit = 1
executable = quota-status -p postfix
inet_listener {
address = 127.0.0.1
port = 12345
}
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
unix_listener quota-warning {
group = vmail
mode = 0666
user = vmail
}
user = vmail
}
service welcome {
executable = script /usr/local/bin/welcome.sh
unix_listener welcome {
user = vmail
}
user = vmail
}
ssl_cert = </usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_dh_parameters_length = 2048
ssl_key = # hidden, use -P to show it
ssl_options = no_compression
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
driver = prefetch
}
userdb {
args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
userdb {
args = uid=vmail gid=vmail home=/home/vmail/%d/%n
driver = static
}
protocol lmtp {
mail_plugins = acl mail_log notify quota trash virtual welcome zlib sieve
}
protocol lda {
mail_fsync = optimized
mail_plugins = acl mail_log notify quota trash virtual welcome zlib quota sieve
}
protocol imap {
mail_max_userip_connections = 30
mail_plugins = acl mail_log notify quota trash virtual welcome zlib imap_acl imap_quota imap_sieve imap_zlib last_login
}
protocol sieve {
managesieve_implementation_string = Dovecot Pigeonhole
managesieve_max_compile_errors = 5
managesieve_max_line_length = 65536
}
/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
connect = host=/tmp/mysql.sock dbname=dbname user=user password=password
# CREATE TABLE quota (
# username varchar(100) not null,
# bytes bigint not null default 0,
# messages integer not null default 0,
# primary key (username)
# );
map {
pattern = priv/quota/storage
table = quota
username_field = username
value_field = bytes
}
map {
pattern = priv/quota/messages
table = quota
username_field = username
value_field = messages
}
# CREATE TABLE expires (
# username varchar(100) not null,
# mailbox varchar(255) not null,
# expire_stamp integer not null,
# primary key (username, mailbox)
# );
#map {
#pattern = shared/expire/$user/$mailbox
#table = expires
#value_field = expire_stamp
#fields {
#username = $user
#mailbox = $mailbox
#}
#}
Aki Tuomi
2017-Apr-14 07:06 UTC
several misc questions, public folders and sharing, quota, ssl
> On April 14, 2017 at 3:04 AM David Mehler <dave.mehler at gmail.com> wrote:
>
> Hello,
>
> I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to
> optimize how the system is running and have a few misc questions.
>
> First ssl, is my cipher list good? I'm trying for pfs and wanting to
> ensure this cipher list is appropriate:
>
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

I would add @STRENGTH to the end, so it'll get sorted by strength.

> Next, a new feature that I'm trying for is virtual folders that store
> All messages. My understanding of this is that it stores a version of
> every received message in one place? I've got the virtual plugin
> loaded and have:
>
> mailbox virtual/All {
> comment = All my messages
> special_use = \All
> }
>
> I've got a directory /home/vmail/example.com/username/virtual under
> which is an ALL folder; both directories are accessible to the vmail
> user, yet there are no contents in this folder and it's showing up
> nowhere.

Configuring virtual all folder:

namespace {
  prefix = virtual
  location = virtual:/etc/dovecot/virtual:INDEX=%h/virtual
  mailbox All {
    auto = subscribe
    comment = All my messages
    special_use = \All
  }
}

==== /etc/dovecot/virtual/All/dovecot-virtual ====
*
all
==== EOF ====

> Next, quota warnings are not being sent at all. I set up a testuser
> with a quota of 2 mb, then sent a message to that user getting the box
> to 95% full, and no message. Took the user overquota with the next
> message, still nothing, and a third message did trigger my custom
> quota exceeded message and the message was bounced.

I would recommend using

mail_plugins = $mail_plugins quota quota_clone

plugin {
  quota = count:User quota
  quota_clone_dict = proxy::sqlquota
  quota_vsizes = true
}

Also,

"Note that the warning is ONLY executed at the exact time when the limit is
being crossed, so when you're testing it you have to do it by crossing the
limit by saving a new mail. If something else besides Dovecot updates quota
so that the limit is crossed, the warning is never executed."

> I'm wanting to implement public folders. My mailboxes are all
> virtual, and they are stored under /home/vmail/example.com/username
> and /home/vmail/example.org/username in the maildir format. I've got
> one user, uid and gid 999, named vmail, who owns all the mailboxes.
> I've separated out public folders storing them under
> /home/vmail/public. I've created one mailbox called TestFolder and
> new, cur, and tmp directories under it. This is what it looks like:

<snip />

> The public/TestFolder is showing up fine and I can switch to it. The
> public/TestFolder1 is not showing up at all so I'm not seeing it and
> can't switch to it. Any ideas?

Not sure why it's not showing up, *but*, you could add :INDEXPVT=%h/public
to the folder, to keep per-user indexes separate.

> My second question involves public folders and domain sharing. Are
> public folders accessible to all users and all domains? I've got two
> domains, example.com and example.org. I'd like to create a folder that
> some users in example.com can share with some users in example.org;
> not necessarily all users in those domains should be able to see the
> folders.

Dovecot does not, as such, care about your domains. It cares about user
names. If you want to do this kind of thing, please consult the ACL plugin.
https://wiki2.dovecot.org/ACL

> Ideas welcome.
>
> Thanks.
> Dave.

Some other comments: if you are using SSL, you can drop cram-md5 as auth
mech, it's not storage-safe.

You should use mail_location = maildir:~/maildir:LAYOUT=fs

to avoid your other things in the user's home being interpreted as mail
directories.

Why are you setting these?
maildir_broken_filename_sizes = yes
maildir_empty_new = yes
maildir_very_dirty_syncs = yes

And in general I see lots of overconfiguring; dovecot defaults are usually
right, and setting various things just for the fun of it can cause
problems.

Aki
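To see what Aki's @STRENGTH suggestion actually does to the cipher string from the first message, here is an added Python helper (not part of any post in this thread) that asks the OpenSSL library Python links against to expand a Dovecot ssl_cipher_list value, flags every suite whose key exchange cannot give forward secrecy, and checks that the negotiation order is sorted by strength. The two cipher strings are copied from the thread; the exact set of suites returned depends on the local OpenSSL build.

```python
import re
import ssl

# Cipher strings quoted in this thread (copied from the posts; @STRENGTH is
# appended to Dave's list exactly as Aki suggested).
DAVE_LIST = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH@STRENGTH"
AKI_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA"
)

# Values of OpenSSL's "Kx=" field that mean an ephemeral (forward-secret)
# key exchange. TLS 1.3 suites report Kx=any and are always ephemeral.
_PFS_KX = {"ECDH", "DH", "any"}
_KX_RE = re.compile(r"Kx=(\S+)")


def expand_cipher_list(cipher_string):
    """Expand a Dovecot ssl_cipher_list string with the local OpenSSL.

    Returns (name, kx, strength_bits) tuples in negotiation order. TLS 1.3
    suites are skipped because ssl_cipher_list only governs TLS 1.2 and
    older; OpenSSL manages the TLS 1.3 suites separately.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = _KX_RE.search(c["description"])
        kx = m.group(1) if m else "?"
        suites.append((c["name"], kx, c["strength_bits"]))
    return suites


def non_pfs_suites(cipher_string):
    """Names of enabled suites whose key exchange gives no forward secrecy."""
    return [name for name, kx, _ in expand_cipher_list(cipher_string)
            if kx not in _PFS_KX]


def is_strength_sorted(cipher_string):
    """True when the negotiation order never steps from weaker to stronger."""
    bits = [b for _, _, b in expand_cipher_list(cipher_string)]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def report(label, cipher_string):
    """Print one line per suite and return the non-PFS names."""
    suites = expand_cipher_list(cipher_string)
    print(f"{label}: {len(suites)} TLS<=1.2 suites, strength-sorted: "
          f"{is_strength_sorted(cipher_string)}")
    for name, kx, bits in suites:
        flag = "" if kx in _PFS_KX else "   <-- no forward secrecy"
        print(f"  {bits:>3} bits  Kx={kx:<5} {name}{flag}")
    return non_pfs_suites(cipher_string)


if __name__ == "__main__":
    report("Dave's list + @STRENGTH", DAVE_LIST)
    report("Aki's list", AKI_LIST)
```

Run against Dave's string the report shows only Kx=ECDH and Kx=DH suites, while Aki's longer string ends with plain RSA key-exchange suites (for example AES256-GCM-SHA384) that the tool flags.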
Aki Tuomi
2017-Apr-14 17:43 UTC
several misc questions, public folders and sharing, quota, ssl
Please keep responses on the list. Thank you. =)
Without ACL plugin there is no way to restrict access, it's free for all.
my site is a very tiny few user site, but ...
auth_mechanisms = login plain
mail_attribute_dict = file:%h/Mail/dovecot-attributes
mail_location = sdbox:~/Mail
mail_plugins = stats quota fts fts_lucene
namespace inbox {
inbox = yes
list = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = .
subscriptions = yes
type = private
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
fts = lucene
fts_lucene = whitespace_chars=@.
imapsieve_mailbox1_before = file:/usr/lib/dovecot/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Spam
imapsieve_mailbox2_before = file:/usr/lib/dovecot/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_name = *
quota = count:User quota
quota_vsizes = yes
recipient_delimiter = +
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_extensions = +notify +imapflags
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
stats_refresh = 30
}
protocols = imap lmtp
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
user = $default_internal_user
}
service doveadm {
inet_listener http {
address = 127.0.0.1
port = 38080
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service lmtp {
inet_listener lmtp {
address = 127.0.0.1
port = 8025
}
}
service stats {
fifo_listener stats-mail {
mode = 0666
}
}
ssl = required
ssl_cert = #
ssl_cipher_list = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA
ssl_dh_parameters_length = 4096
ssl_key = #
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
submission_host = 127.0.0.1:25
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
protocol imap {
mail_plugins = stats quota fts fts_lucene imap_stats imap_sieve
}
protocol lmtp {
mail_plugins = stats quota fts fts_lucene sieve
}
protocol lda {
mail_plugins = stats quota fts fts_lucene sieve
}
Aki
> On April 14, 2017 at 7:21 PM David Mehler <dave.mehler at gmail.com> wrote:
>
> Hello Aki,
>
> Thank you for your reply.
>
> I've implemented your changes and thanks for the @STRENGTH reminder, I
> had forgotten about that one.
>
> I'll check out the acl plugin. Is it required when sharing a public
> folder or are public folders usable by all? I know it is for shared
> folders.
>
> The TestFolder1 is still not showing up in public; not sure why,
> everything looks good.
>
> My configuration was migrated from 2.0 to 2.1 then 2.2, various ports
> along the way.
>
> I was wondering if I could take a look at your dovecot configuration
> files and a doveconf -n output?
>
> Thanks.
> Dave.
David Mehler
2017-Apr-14 20:53 UTC
several misc questions, public folders and sharing, quota, ssl
Hi Aki,

Thanks for your reply. Sorry, hit the reply to and not the reply to all option.

So, even when a folder is a public folder I'm still needing to use the acl plugin?

The public/TestFolder is showing up, the public/TestFolder1 is not.

Thanks.
Dave.

On 4/14/17, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> Please keep responses on the list. Thank you. =)
>
> Without ACL plugin there is no way to restrict access, it's free for all.
Olaf Hopp
2017-Apr-15 19:28 UTC
several misc questions, public folders and sharing, quota, ssl
On 04/14/2017 02:04 AM, David Mehler wrote:
>
> First ssl, is my cipher list good? I'm trying for pfs and wanting to
> ensure this cipher list is appropriate:
>
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

You can check the quality of your SSL/TLS setup via https://www.htbridge.com/ssl/

Regards, Olaf

--
Karlsruher Institut für Technologie (KIT)
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik
Dipl.-Geophys. Olaf Hopp - Leitung IT-Dienste -
Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp at kit.edu
www.atis.informatik.kit.edu
www.kit.edu