At least doveconf -n output would help. I guess related to authentication settings. Are there any errors in logs?

> On 1 Jun 2017, at 12.14, Odhiambo Washington <odhiambo at gmail.com> wrote:
>
>> On 30 May 2017 at 21:16, Timo Sirainen <tss at iki.fi> wrote:
>>
>> https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz
>> https://dovecot.org/releases/2.2/dovecot-2.2.30.tar.gz.sig
>>
>> * auth: Use timing safe comparisons for everything related to
>> passwords. It's unlikely that these could have been used for
>> practical attacks, especially because Dovecot delays and flushes all
>> failed authentications in 2 second intervals. Also it could have
>> worked only when passwords were stored in plaintext in the passdb.
>> * master process sends SIGQUIT to all running children at shutdown,
>> which instructs them to close all the socket listeners immediately.
>> This way restarting Dovecot should no longer fail due to some
>> processes keeping the listeners open for a long time.
>>
>> + auth: Add passdb { mechanisms=none } to match separate passdb lookup
>> + auth: Add passdb { username_filter } to use passdb only if user
>> matches the filter. See https://wiki2.dovecot.org/PasswordDatabase
>> + dsync: Add dsync_commit_msgs_interval setting. It attempts to commit
>> the transaction after saving this many new messages. Because of the
>> way dsync works, it may not always be possible if mails are copied
>> or UIDs need to change.
>> + imapc: Support imapc_features=search without ESEARCH extension.
>> + imapc: Add imapc_features=fetch-bodystructure to pass through remote
>> server's FETCH BODY and BODYSTRUCTURE.
>> + imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the
>> remote server.
>> + passdb imap: Add allow_invalid_cert and ssl_ca_file parameters.
>> + If dovecot.index.cache corruption is detected, reset only the one
>> corrupted mail instead of the whole file.
>> + doveadm mailbox status: Add "firstsaved" field.
>> + director_flush_socket: Add old host's up/down and vhost count as
>> parameters
>> - More fixes to automatically fix corruption in dovecot.list.index
>> - dsync-server: Fix support for dsync_features=empty-header-workaround
>> - imapc: Various bugfixes, including infinite loops on some errors
>> - IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't
>> enabled modseq tracking via CONDSTORE/QRESYNC.
>> - fts-lucene: Fix it to work again with mbox format
>> - Some internal error messages may have contained garbage in v2.2.29
>> - mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys
>> are used. Otherwise the copied mails can't be opened.
>> - vpopmail: Fix compiling
>>
>
> Upgraded a 2.2.29 to this one and all hell broke loose! All users (MS
> Outlook!) were being prompted for mail password! They'd enter it, mail is
> fetched, and on the next check (even though the password had always been
> saved) they'd be prompted again. So I quickly reverted to 2.2.29 and peace
> prevailed.
>
> Now I am just wondering what exactly is causing this and how to fix it if I
> am to come to 2.2.30.1
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
Nothing in the error log, because authentication is actually successful.

# 2.2.29 (13ebc01): /opt/dovecot2.2/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.3-STABLE i386 ufs
auth_cache_size = 20 M
auth_master_user_separator = *
auth_mechanisms = plain login digest-md5
auth_socket_path = /var/run/dovecot/auth-userdb
base_dir = /var/run/dovecot/
default_login_user = dovecot
disable_plaintext_auth = no
first_valid_gid = 0
first_valid_uid = 26
hostname = gw.localdomain
info_log_path = /var/log/dovecot.log
mail_location = maildir:/var/spool/virtual/%d/%n/Maildir:INDEX=MEMORY
mail_plugins = " quota"
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /opt/dovecot2.2/etc/dovecot/passwd.master_users.ext
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /opt/dovecot2.2/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  mail_log_fields = uid box msgid size
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
}
postmaster_address = postmaster at localdomain
service auth {
  unix_listener auth-client {
    mode = 0600
    user = mailnull
  }
  unix_listener auth-userdb {
    group = mailnull
    user = mailnull
  }
}
service quota-warning {
  executable = script /opt/dovecot2.2/scripts/quota-warning.sh
  unix_listener quota-warning {
    user = mailnull
  }
  user = dovecot
}
ssl_cert = </usr/local/etc/letsencrypt/live/gw.localdomain/fullchain.pem
ssl_key = # hidden, use -P to show it
userdb {
  args = /opt/dovecot2.2/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lda {
  mail_plugins = quota
}
protocol imap {
  mail_max_userip_connections = 2
  mail_plugins = " quota imap_quota"
}
protocol pop3 {
  mail_max_userip_connections = 5
}
On 1 June 2017 at 15:00, Timo Sirainen <tss at iki.fi> wrote:

> At least doveconf -n output would help. I guess related to authentication
> settings. Are there any errors in logs?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
Hi,

Same symptoms here when upgrading from 2.2.29 to 2.2.30. Getting back to 2.2.29 resolves the problem.

The client here is a webmail (rainloop). Users are automatically logged out as if the auth didn't succeed, although the log shows a successful login attempt.

My configuration:

# 2.2.29.1 (e0b76e3): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: Linux 4.11.2-gentoo-xxxx-std-ipv6-64 x86_64 Gentoo Base System release 2.4.1
auth_cache_size = 10 M
auth_default_realm = aprogsys.com
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_username_format = %Ln
auth_worker_max_count = 80
dict {
  acl = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u
first_valid_uid = 1001
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_access_groups = dovecot
mail_location = mdbox:~/mdbox
mail_plugins = " acl fts fts_lucene notify replication virtual"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
  list = children
  location = mdbox:%%h/mdbox
  prefix = shared/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace {
  location = virtual:~/virtual
  prefix = virtual/
  separator = /
}
namespace inbox {
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    auto = no
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox SPAM {
    auto = create
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Trash {
    auto = no
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  args = cache_key=%s%u *
  driver = pam
}
plugin {
  acl = vfile
  acl_anyone = allow
  acl_shared_dict = proxy::acl
  antispam_backend = mailtrain
  antispam_mail_notspam = learn_ham
  antispam_mail_sendmail = /usr/bin/rspamc
  antispam_mail_sendmail_args = -h;localhost:11334;-P;q1
  antispam_mail_spam = learn_spam
  antispam_spam = SPAM
  antispam_trash = Trash
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  mail_replica = remote:root at 192.168.1.7
  replication_dsync_parameters = -d -U
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = /var/lib/dovecot/sieve
  sieve_default = /var/lib/dovecot/sieve/spam.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 lmtp sieve
replication_max_conns = 2
service aggregator {
  fifo_listener replication-notify-fifo {
    mode = 0666
  }
  unix_listener replication-notify {
    mode = 0666
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-client {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0777
  }
}
service dict {
  unix_listener dict {
    mode = 0666
  }
}
service imap-login {
  process_min_avail = 4
  service_count = 0
  vsz_limit = 256 M
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
service replicator {
  process_min_avail = 1
  unix_listener replicator-doveadm {
    mode = 0666
  }
}
ssl_cert = </etc/letsencrypt/live/aprogsys.com/fullchain.pem
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol lda {
  mail_plugins = " acl fts fts_lucene notify replication virtual sieve"
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  mail_max_userip_connections = 40
  mail_plugins = " acl fts fts_lucene notify replication virtual antispam imap_acl"
}
local_name imap.agrobioconso.org {
  ssl_cert = </etc/letsencrypt/live/agrobioconso.org/fullchain.pem
  ssl_key = # hidden, use -P to show it
}
local_name imap.aprogsys.com {
  ssl_cert = </etc/letsencrypt/live/imap.aprogsys.com/fullchain.pem
  ssl_key = # hidden, use -P to show it
}
local_name imap.lesmontreursdours.fr {
  ssl_cert = </etc/letsencrypt/live/imap.lesmontreursdours.fr/fullchain.pem
  ssl_key = # hidden, use -P to show it
}
local_name pop.aprogsys.com {
  ssl_cert = </etc/letsencrypt/live/pop.aprogsys.com/fullchain.pem
  ssl_key = # hidden, use -P to show it
}
local_name imap.caves-explorer.com {
  ssl_cert = </etc/letsencrypt/live/caves-explorer.com/fullchain.pem
  ssl_key = # hidden, use -P to show it
}
local_name imap.vetienne.net {
  ssl_cert = </etc/letsencrypt/live/vetienne.net/fullchain.pem
  ssl_key = # hidden, use -P to show it
}

Regards,
Vincent ETIENNE

On 1 June 2017 at 18:48, "Odhiambo Washington" <odhiambo at gmail.com> wrote:

> Nothing in the error log, because authentication is actually successful.
Hi Vincent,

The problem was resolved in 2.2.30.2, so feel free to update to that.

On 13 June 2017 at 13:11, <ve at vetienne.net> wrote:

> Hi,
>
> Same symptoms here when upgrading from 2.2.29 to 2.2.30. Getting back to
> 2.2.29 resolves the problem.
>
> The client here is a webmail (rainloop). Users are automatically logged out as if
> the auth didn't succeed, although the log shows a successful login attempt.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
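Timo's first request in this thread is for `doveconf -n` output, and both dumps posted above can be checked mechanically for least-privilege problems. The following is an added example (not Dovecot's own code and not posted by anyone in the thread) that parses the dump format seen above into a nested structure and flags `disable_plaintext_auth = no` and world-writable listener sockets; `SAMPLE` is a constructed excerpt modelled on the posted configurations.

```python
# Added example (not Dovecot code): parse a `doveconf -n` dump and flag a few
# least-privilege issues. SAMPLE is a constructed excerpt modelled on this thread.
SAMPLE = """\
auth_mechanisms = plain login gssapi
disable_plaintext_auth = no
passdb {
  driver = passwd-file
  master = yes
}
passdb {
  driver = pam
}
service auth {
  unix_listener auth-client {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0777
  }
}
"""

def parse_doveconf(text):
    """`key = value` lines become dict entries, `name {` opens a nested dict, `}`
    closes it. A repeated section name (a second passdb) gets a '#2', '#3' suffix."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or doveconf header comment
        if line.endswith("{"):
            name = base = line[:-1].strip()
            n = 2
            while name in cur:  # keep every duplicate block instead of overwriting
                name, n = f"{base}#{n}", n + 1
            cur[name] = {}
            stack.append(cur)
            cur = cur[name]
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")  # first '=' only; values may contain '='
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in doveconf output")
    return root

def audit(conf):
    """Return (path, reason) findings: plaintext auth without TLS, world-writable sockets."""
    findings = []
    if conf.get("disable_plaintext_auth") == "no":
        findings.append(("disable_plaintext_auth", "plaintext auth allowed without TLS"))
    for sname, svc in conf.items():
        if not (sname.startswith("service ") and isinstance(svc, dict)):
            continue
        for lname, lst in svc.items():
            if lname.split(" ")[0] in ("unix_listener", "fifo_listener") and isinstance(lst, dict):
                mode = lst.get("mode")
                if mode and int(mode, 8) & 0o002:  # other-write bit set on the socket
                    findings.append((f"{sname} / {lname} / mode", f"{mode} is world-writable"))
    return findings
```

Running `audit(parse_doveconf(SAMPLE))` yields three findings: the plaintext-auth setting and the two listener sockets with modes 0666 and 0777.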