voytek at sbt.net.au
2017-Dec-15 14:47 UTC
2.1 to 2.2 server migration Qs: sanity check, config ?
I have an old CentOS 6 running dovecot 2.1.17 with Postfix 2.1x, mysql
virtual domains, in the process of setting up a new CentOS 7 to migrate to,
copied /etc/dovecot, made some minor edits to get rid of errors, added
Letsencrypt in place of self certified certs, it seems to work, using mail
client I can log on StartSSL/110/143, TLS/995/993 with no visible errors
when logging on
are there any other sanity checks I should do before I start putting
users on it?
attaching dovecot.conf at the end, appreciate any suggestion or correction
I see a lot of these warnings, are they benign?
#grep Warning /var/log/dovecot.log | wc
74 1102 6900
# wc /var/log/dovecot.log
174 2299 19716 /var/log/dovecot.log
Dec 16 00:57:12 auth: Warning: auth client 0 disconnected with 1 pending
requests: Connection reset by peer
Dec 16 00:57:52 auth: Warning: auth client 0 disconnected with 1 pending
requests: EOF
Dec 16 00:57:59 auth: Warning: auth client 0 disconnected with 1 pending
requests: Connection reset by peer
(as I've reused an old host name, I can see some users already trying to
connect, they must've never removed this server name when it was shut
down, perhaps they're generating these errors, repeatedly logging on?)
# doveadm who
username # proto (pids) (ips)
five at aaa.com.au 1 imap (9047) (35.196.255.170)
seven at aaa.com.au 1 imap (9056) (104.196.21.108)
eight at aaa.com.au 1 imap (9062) (35.196.255.170)
five at aa.com.au 2 imap (9240 9044) (203.194.43.48 35.196.255.170)
six at aa.com.au 2 imap (9248 9063) (203.194.43.48 35.185.44.87)
postbox at aa.com.au 1 imap (9057) (104.196.178.232)
eight at aa.com.au 2 imap (9244 9050) (203.194.43.48 35.196.255.170)
seven at aa.com.au 2 imap (9055 9242) (104.196.21.108 203.194.43.48)
six at aaa.com.au 1 imap (9054) (35.185.44.87)
doveconf -n -c /etc/dovecot/test/dovecot.conf >
/etc/dovecot/test/dovecot.conf.new
# cat dovecot.conf.new
# 2.2.33.2 (d6601f4ec): /etc/dovecot/test/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 3.10.0-693.11.1.el7.x86_64 x86_64 CentOS Linux release
7.4.1708 (Core)
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
dict {
acl = mysql:/etc/dovecot/dovecot-share-folder.conf
quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = *
log_path = /var/log/dovecot.log
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
copy include variables body enotify environment mailbox date index ihave
duplicate mime foreverypart extracttext
namespace {
inbox = yes
location
prefix
separator = /
type = private
}
namespace {
list = children
location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
prefix = Shared/%%u/
separator = /
subscriptions = yes
type = shared
}
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
passdb {
args = /etc/dovecot/dovecot-master-users-password
driver = passwd-file
master = yes
}
plugin {
acl = vfile
acl_shared_dict = proxy::acl
auth_socket_path = /var/run/dovecot/auth-master
autocreate = INBOX
autocreate2 = Sent
autocreate3 = Trash
autocreate4 = Drafts
autocreate5 = Junk
autosubscribe = INBOX
autosubscribe2 = Sent
autosubscribe3 = Trash
autosubscribe4 = Drafts
autosubscribe5 = Junk
quota = dict:user::proxy::quotadict
quota_rule = *:storage=1G
quota_warning = storage=85%% quota-warning 85 %u
quota_warning2 = storage=90%% quota-warning 90 %u
quota_warning3 = storage=95%% quota-warning 95 %u
sieve = /%Lh/sieve/dovecot.sieve
sieve_dir = /%Lh/sieve
sieve_global_dir = /var/vmail/sieve
sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = pop3 imap sieve
service auth {
unix_listener /var/spool/postfix/dovecot-auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0666
user = vmail
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service dict {
unix_listener dict {
group = vmail
mode = 0660
user = vmail
}
}
service imap-login {
process_limit = 500
service_count = 1
}
service pop3-login {
service_count = 1
}
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
unix_listener quota-warning {
group = vmail
mode = 0660
user = vmail
}
}
ssl = required
ssl_cert = </etc/letsencrypt/..fullchain.pem
ssl_key = # hidden, use -P to show it
userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
lda_mailbox_autocreate = yes
log_path = /var/log/sieve.log
mail_plugins = quota sieve autocreate
postmaster_address = root
}
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
mail_max_userip_connections = 60
mail_plugins = quota imap_quota
}
protocol pop3 {
mail_plugins = quota
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
}
#
Please read between the lines =)
at least you should remove autocreate plugin.

> On December 15, 2017 at 4:47 PM voytek at sbt.net.au wrote:
>
>
> I have an old Centos 6 running dovecot 2.1.17 with Postfix 2.1x, mysql
> virtual domains, in the process of setting a new Centos 7 to migrate,
> copied /etc/dovecot, made some minor edits to get rid of errors, added
> Letsencrypt in place of self certified certs, it seems to work, using mail
> client I can log on StartSSL/110/143, TLS/995/993 with no visible errors
> when login on
>
> is there any other sanity checks I should do ? before I start putting
> users on it ?
>
> attaching dovecot.conf at the end, appreciate any suggestion or correction
>
> I see a lot of these warning, are they benign?
>
> #grep Warning /var/log/dovecot.log | wc
> 74 1102 6900
> # wc /var/log/dovecot.log
> 174 2299 19716 /var/log/dovecot.log
>
>
> Dec 16 00:57:12 auth: Warning: auth client 0 disconnected with 1 pending
> requests: Connection reset by peer
> Dec 16 00:57:52 auth: Warning: auth client 0 disconnected with 1 pending
> requests: EOF
> Dec 16 00:57:59 auth: Warning: auth client 0 disconnected with 1 pending
> requests: Connection reset by peer
>
> ( as I've re used an old host name, I can see some users already trying to
> connect, they must've never removed this server name when it was shut
> down, perhaps they're generating these errors, repeatedly logging on ?)
>
> # doveadm who
> username # proto (pids) (ips)
> five at aaa.com.au 1 imap (9047) (35.196.255.170)
> seven at aaa.com.au 1 imap (9056) (104.196.21.108)
> eight at aaa.com.au 1 imap (9062) (35.196.255.170)
> five at aa.com.au 2 imap (9240 9044) (203.194.43.48 35.196.255.170)
> six at aa.com.au 2 imap (9248 9063) (203.194.43.48 35.185.44.87)
> postbox at aa.com.au 1 imap (9057) (104.196.178.232)
> eight at aa.com.au 2 imap (9244 9050) (203.194.43.48 35.196.255.170)
> seven at aa.com.au 2 imap (9055 9242) (104.196.21.108 203.194.43.48)
> six at aaa.com.au 1 imap (9054) (35.185.44.87)
>
>
> doveconf -n -c /etc/dovecot/test/dovecot.conf >
> /etc/dovecot/test/dovecot.conf.new
>
> # cat dovecot.conf.new
>
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/test/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> # OS: Linux 3.10.0-693.11.1.el7.x86_64 x86_64 CentOS Linux release
> 7.4.1708 (Core)
> auth_master_user_separator = *
> auth_mechanisms = PLAIN LOGIN
> dict {
> acl = mysql:/etc/dovecot/dovecot-share-folder.conf
> quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
> }
> first_valid_uid = 2000
> last_valid_uid = 2000
> listen = *
> log_path = /var/log/dovecot.log
> mail_gid = 2000
> mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/

The INDEX= is redundant.

> mail_plugins = quota
> mail_uid = 2000
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags
> copy include variables body enotify environment mailbox date index ihave
> duplicate mime foreverypart extracttext
> namespace {
> inbox = yes
> location
> prefix
> separator = /
> type = private
> }
> namespace {
> list = children
> location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u

You should read https://wiki.dovecot.org/SharedMailboxes/Shared

> prefix = Shared/%%u/
> separator = /
> subscriptions = yes
> type = shared
> }
> passdb {
> args = /etc/dovecot/dovecot-mysql.conf
> driver = sql
> }
> passdb {
> args = /etc/dovecot/dovecot-master-users-password
> driver = passwd-file
> master = yes
> }
> plugin {
> acl = vfile
> acl_shared_dict = proxy::acl
> auth_socket_path = /var/run/dovecot/auth-master
> autocreate = INBOX
> autocreate2 = Sent
> autocreate3 = Trash
> autocreate4 = Drafts
> autocreate5 = Junk
> autosubscribe = INBOX
> autosubscribe2 = Sent
> autosubscribe3 = Trash
> autosubscribe4 = Drafts
> autosubscribe5 = Junk

autocreate & autosubscribe should be converted into

namespace {
  mailbox INBOX {
    auto = subscribe # (or just create if subscribing is not required)
  }
}

> quota = dict:user::proxy::quotadict
> quota_rule = *:storage=1G
> quota_warning = storage=85%% quota-warning 85 %u
> quota_warning2 = storage=90%% quota-warning 90 %u
> quota_warning3 = storage=95%% quota-warning 95 %u
> sieve = /%Lh/sieve/dovecot.sieve
> sieve_dir = /%Lh/sieve
> sieve_global_dir = /var/vmail/sieve
> sieve_global_path = /var/vmail/sieve/dovecot.sieve
> }
> protocols = pop3 imap sieve
> service auth {
> unix_listener /var/spool/postfix/dovecot-auth {
> group = postfix
> mode = 0666
> user = postfix
> }

This could be mode = 0600

> unix_listener auth-master {
> group = vmail
> mode = 0666
> user = vmail
> }
> unix_listener auth-userdb {
> group = vmail
> mode = 0660
> user = vmail
> }
> }

You sure you need these?

> service dict {
> unix_listener dict {
> group = vmail
> mode = 0660
> user = vmail
> }
> }
> service imap-login {
> process_limit = 500
> service_count = 1
> }
> service pop3-login {
> service_count = 1
> }
> service quota-warning {
> executable = script /usr/local/bin/dovecot-quota-warning.sh
> unix_listener quota-warning {
> group = vmail
> mode = 0660
> user = vmail
> }
> }
> ssl = required
> ssl_cert = </etc/letsencrypt/..fullchain.pem
> ssl_key = # hidden, use -P to show it
> userdb {
> args = /etc/dovecot/dovecot-mysql.conf
> driver = sql
> }
> protocol lda {
> auth_socket_path = /var/run/dovecot/auth-master

should not be needed

> lda_mailbox_autocreate = yes
> log_path = /var/log/sieve.log
> mail_plugins = quota sieve autocreate
> postmaster_address = root
> }
> protocol imap {
> imap_client_workarounds = tb-extra-mailbox-sep
> mail_max_userip_connections = 60
> mail_plugins = quota imap_quota
> }
> protocol pop3 {
> mail_plugins = quota
> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
> pop3_uidl_format = %08Xu%08Xv
> }
> #
>
>
>

Aki
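
The review points in the reply above (auth sockets with mode 0666, the redundant INDEX=, and the autocreate/autosubscribe plugin settings) can be checked mechanically against doveconf -n output. The following Python is an added example, not part of either post and not Dovecot code; the names audit and mailbox_blocks are hypothetical, and SAMPLE is a constructed excerpt modelled on the posted config.

```python
import re

# Constructed sample in `doveconf -n` format, modelled on the config posted in the thread.
SAMPLE = """\
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
plugin {
  autocreate = INBOX
  autocreate2 = Sent
  autosubscribe = INBOX
}
service auth {
  unix_listener /var/spool/postfix/dovecot-auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0660
  }
}
"""

def audit(conf):
    """Return (findings, mailboxes): review points plus the autocreate -> auto mapping."""
    findings, mailboxes, stack = [], {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # enter a block, remember its header
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            where = stack[-1] if stack else ""
            if key == "mode" and where.startswith("unix_listener") and int(val, 8) & 0o007:
                findings.append(f"{where}: mode {val} is accessible to all local users")
            m = re.fullmatch(r"auto(create|subscribe)\d*", key)
            if m and where == "plugin":
                # subscribing implies creating, so "subscribe" wins when both are set
                if m.group(1) == "subscribe" or val not in mailboxes:
                    mailboxes[val] = m.group(1)
            if key == "mail_location":
                root, _, index = val.partition(":INDEX=")
                if index and root.partition(":")[2].rstrip("/") == index.rstrip("/"):
                    findings.append("mail_location: INDEX= repeats the maildir root")
    if mailboxes:
        findings.append("plugin: autocreate/autosubscribe settings present")
    return findings, mailboxes

def mailbox_blocks(mailboxes):
    """Render the mailbox stanzas (auto = create|subscribe) that replace the plugin settings."""
    return "\n".join(f"  mailbox {n} {{\n    auto = {a}\n  }}" for n, a in mailboxes.items())
```

To run it against a real server, pass the text of the doveconf -n dump to audit(); the stanzas returned by mailbox_blocks() belong inside the inbox namespace block.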
voytek at sbt.net.au
2017-Dec-15 23:44 UTC
2.1 to 2.2 server migration Qs: sanity check, config ?
On Sat, December 16, 2017 2:34 am, Aki Tuomi wrote:
> Please read between the lines =)
> at least you should remove autocreate plugin.

Aki, thanks. I forgot to write this is meant as a plain vanilla pop/imap multi user/multi domain server, no special requirements or deviations should be needed

>> mail_gid = 2000 mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
>>
>
> The INDEX= is redundant.

so I go from

mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/

to

mail_location = maildir:/%Lh/Maildir/

>> private }
>> namespace { list = children location
>> maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
>>
>
> You should read https://wiki.dovecot.org/SharedMailboxes/Shared

(not sure whether I might have tried sharing my mailbox across two domains for myself once?...maybe that's why it's there... not sure)

so I just remove this whole block:

namespace {
  type = shared
  separator = /
  prefix = Shared/%%u/
  location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
  # this namespace should handle its own subscriptions or not.
  subscriptions = yes
  list = children
}

thanks again, sorry for dumb questions

Voytek