dovecot - Jan 2019 - managesieve configuration

On 10.1.2019 18.28, Dominik Menke wrote:
> I've missed a part at the end:
>
>> This leads me to my question: How do I force Dovecot to print at
>> least a STARTTLS line after a client connects to port 4190? Looking
>
> ... at the default configuration files in /etc/dovecot/conf.d/ I don't
> see an obvious difference.
>
>
> --Dominik
Can you provide output of `doveconf -n`

Aki

Sure, here you go (I've masked a few unimportant fields, though):


     # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
     # Pigeonhole version 0.4.21 (92477967)
     # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS
     auth_default_realm = masked
     auth_master_user_separator = *
     auth_mechanisms = plain login scram-sha-1
     default_vsz_limit = 4 G
     doveadm_worker_count = 8
     log_path = /dev/stderr
     mail_attachment_dir = /var/mail/sis
     mail_attachment_hash = %{sha256}
     mail_location = mdbox:~/mdbox
     managesieve_notify_capability = mailto
     managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
     mdbox_rotate_size = 128 M
     namespace inbox {
       inbox = yes
       location        mailbox Drafts {
         auto = subscribe
         special_use = \Drafts
       }
       mailbox Junk {
         auto = subscribe
         special_use = \Junk
       }
       mailbox Sent {
         auto = subscribe
         special_use = \Sent
       }
       mailbox Trash {
         auto = subscribe
         special_use = \Trash
       }
       prefix      }
     passdb {
       args = username_format=%n /etc/dovecot/passwd.masterusers
       driver = passwd-file
       master = yes
       pass = yes
     }
     passdb {
       args = username_format=%n /etc/dovecot/passwd
       driver = passwd-file
     }
     plugin {
       imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
       imapsieve_mailbox1_cause = COPY FLAG
       imapsieve_mailbox1_name = Junk
       imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
       imapsieve_mailbox2_causes = COPY
       imapsieve_mailbox2_from = Junk
       imapsieve_mailbox2_name = *
       sieve = ~/dovecot.sieve
       sieve_after = /etc/dovecot/sieve/after
       sieve_dir = ~/sieve
       sieve_extensions = +vacation-seconds
       sieve_global_extensions = +vnd.dovecot.pipe
       sieve_pipe_bin_dir = /etc/dovecot/sieve
       sieve_plugins = sieve_imapsieve sieve_extprograms
       sieve_vacation_default_period = 1d
       sieve_vacation_max_period = 30d
       sieve_vacation_min_period = 1d
     }
     protocols = imap lmtp sieve
     service auth {
       unix_listener /var/spool/postfix/private/dovecot-auth {
         group = postfix
         mode = 0600
         user = postfix
       }
     }
     service imap-login {
       inet_listener imap {
         port = 143
       }
       inet_listener imaps {
         port = 993
         ssl = yes
       }
       process_limit = 128
     }
     service lmtp {
       unix_listener /var/spool/postfix/private/dovecot-lmtp {
         group = postfix
         mode = 0600
         user = postfix
       }
     }
     service managesieve-login {
       inet_listener sieve {
         port = 4190
         ssl = yes
       }
       service_count = 1
     }
     service managesieve {
       process_limit = 256
     }
     ssl_cert = </masked/path/to/server.crt
     ssl_key =  # hidden, use -P to show it
     userdb {
       args = uid=vmail gid=vmail home=/var/mail/users/%n
       driver = static
     }
     verbose_proctitle = yes
     protocol lmtp {
       mail_plugins = " sieve notify push_notification"
       ssl = no
     }
     protocol imap {
       mail_plugins = " imap_sieve"
     }
     protocol sieve {
       mail_debug = yes
       managesieve_max_line_length = 65536
     }


--Dominik


On 1/11/19 9:44 AM, Aki Tuomi wrote:
> 
> On 10.1.2019 18.28, Dominik Menke wrote:
>> I've missed a part at the end:
>>
>>> This leads me to my question: How do I force Dovecot to print at
>>> least a STARTTLS line after a client connects to port 4190? Looking
>>
>> ... at the default configuration files in /etc/dovecot/conf.d/ I
don't
>> see an obvious difference.
>>
>>
>> --Dominik
> 
> Can you provide output of `doveconf -n`
> 
> Aki
> 
-- 
Digineo GmbH
Fahrenheitstra?e 15
28359 Bremen

Telefon: +49 421 167 66 090
Telefax: +49 421 167 66 099

E-Mail: dom at digineo.de
Internet: www.digineo.de

Gesch?ftsf?hrer: Dipl.-Inf. Julian Kornberger
Amtsgericht Bremen HRB 25061
USt-ID: DE 815023724

Hi Dominik,

I have set ssl = required in 10-ssl.conf globally but no ssl here:

service managesieve-login {
  inet_listener sieve {
    port = 4190
  }  
  ...
}


Nevertheless, STARTTLS is offered 

"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation
subaddress comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate mime
foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "service active"


and the connection will be encrypted (tested with roudcube webmail)

> STARTTLS
< OK "Begin TLS negotiation now."

...


You can check if it works with tcpdump:

tcpdump -nn -l -A -i eth0 port 4190


Best regards
Gerald

> Am 11.01.2019 um 09:59 schrieb Dominik Menke <dom at digineo.de>:
> 
> Sure, here you go (I've masked a few unimportant fields, though):
> 
> 
>    # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
>    # Pigeonhole version 0.4.21 (92477967)
>    # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS
>    auth_default_realm = masked
>    auth_master_user_separator = *
>    auth_mechanisms = plain login scram-sha-1
>    default_vsz_limit = 4 G
>    doveadm_worker_count = 8
>    log_path = /dev/stderr
>    mail_attachment_dir = /var/mail/sis
>    mail_attachment_hash = %{sha256}
>    mail_location = mdbox:~/mdbox
>    managesieve_notify_capability = mailto
>    managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric relational
regex imap4flags copy include variables body enotify environment mailbox date
index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve
vnd.dovecot.imapsieve
>    mdbox_rotate_size = 128 M
>    namespace inbox {
>      inbox = yes
>      location >      mailbox Drafts {
>        auto = subscribe
>        special_use = \Drafts
>      }
>      mailbox Junk {
>        auto = subscribe
>        special_use = \Junk
>      }
>      mailbox Sent {
>        auto = subscribe
>        special_use = \Sent
>      }
>      mailbox Trash {
>        auto = subscribe
>        special_use = \Trash
>      }
>      prefix >    }
>    passdb {
>      args = username_format=%n /etc/dovecot/passwd.masterusers
>      driver = passwd-file
>      master = yes
>      pass = yes
>    }
>    passdb {
>      args = username_format=%n /etc/dovecot/passwd
>      driver = passwd-file
>    }
>    plugin {
>      imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
>      imapsieve_mailbox1_cause = COPY FLAG
>      imapsieve_mailbox1_name = Junk
>      imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
>      imapsieve_mailbox2_causes = COPY
>      imapsieve_mailbox2_from = Junk
>      imapsieve_mailbox2_name = *
>      sieve = ~/dovecot.sieve
>      sieve_after = /etc/dovecot/sieve/after
>      sieve_dir = ~/sieve
>      sieve_extensions = +vacation-seconds
>      sieve_global_extensions = +vnd.dovecot.pipe
>      sieve_pipe_bin_dir = /etc/dovecot/sieve
>      sieve_plugins = sieve_imapsieve sieve_extprograms
>      sieve_vacation_default_period = 1d
>      sieve_vacation_max_period = 30d
>      sieve_vacation_min_period = 1d
>    }
>    protocols = imap lmtp sieve
>    service auth {
>      unix_listener /var/spool/postfix/private/dovecot-auth {
>        group = postfix
>        mode = 0600
>        user = postfix
>      }
>    }
>    service imap-login {
>      inet_listener imap {
>        port = 143
>      }
>      inet_listener imaps {
>        port = 993
>        ssl = yes
>      }
>      process_limit = 128
>    }
>    service lmtp {
>      unix_listener /var/spool/postfix/private/dovecot-lmtp {
>        group = postfix
>        mode = 0600
>        user = postfix
>      }
>    }
>    service managesieve-login {
>      inet_listener sieve {
>        port = 4190
>        ssl = yes
>      }
>      service_count = 1
>    }
>    service managesieve {
>      process_limit = 256
>    }
>    ssl_cert = </masked/path/to/server.crt
>    ssl_key =  # hidden, use -P to show it
>    userdb {
>      args = uid=vmail gid=vmail home=/var/mail/users/%n
>      driver = static
>    }
>    verbose_proctitle = yes
>    protocol lmtp {
>      mail_plugins = " sieve notify push_notification"
>      ssl = no
>    }
>    protocol imap {
>      mail_plugins = " imap_sieve"
>    }
>    protocol sieve {
>      mail_debug = yes
>      managesieve_max_line_length = 65536
>    }
> 
> 
> --Dominik
> 
> 
> On 1/11/19 9:44 AM, Aki Tuomi wrote:
>> On 10.1.2019 18.28, Dominik Menke wrote:
>>> I've missed a part at the end:
>>> 
>>>> This leads me to my question: How do I force Dovecot to print
at
>>>> least a STARTTLS line after a client connects to port 4190?
Looking
>>> 
>>> ... at the default configuration files in /etc/dovecot/conf.d/ I
don't
>>> see an obvious difference.
>>> 
>>> 
>>> --Dominik
>> Can you provide output of `doveconf -n`
>> Aki
> 
> -- 
> Digineo GmbH
> Fahrenheitstra?e 15
> 28359 Bremen
> 
> Telefon: +49 421 167 66 090
> Telefax: +49 421 167 66 099
> 
> E-Mail: dom at digineo.de
> Internet: www.digineo.de
> 
> Gesch?ftsf?hrer: Dipl.-Inf. Julian Kornberger
> Amtsgericht Bremen HRB 25061
> USt-ID: DE 815023724