Hi Dominik,

I have set ssl = required in 10-ssl.conf globally but no ssl here:

    service managesieve-login {
      inet_listener sieve {
        port = 4190
      }
      ...
    }

Nevertheless, STARTTLS is offered:

    "IMPLEMENTATION" "Dovecot Pigeonhole"
    "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
    "NOTIFY" "mailto"
    "SASL" ""
    "STARTTLS"
    "VERSION" "1.0"
    OK "service active"

and the connection will be encrypted (tested with Roundcube webmail):

    > STARTTLS
    < OK "Begin TLS negotiation now."
    ...

You can check if it works with tcpdump:

    tcpdump -nn -l -A -i eth0 port 4190

Best regards
Gerald

> On 11.01.2019 at 09:59, Dominik Menke <dom at digineo.de> wrote:
>
> Sure, here you go (I've masked a few unimportant fields, though):
>
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS
> auth_default_realm = masked
> auth_master_user_separator = *
> auth_mechanisms = plain login scram-sha-1
> default_vsz_limit = 4 G
> doveadm_worker_count = 8
> log_path = /dev/stderr
> mail_attachment_dir = /var/mail/sis
> mail_attachment_hash = %{sha256}
> mail_location = mdbox:~/mdbox
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
> mdbox_rotate_size = 128 M
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     auto = subscribe
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox Trash {
>     auto = subscribe
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = username_format=%n /etc/dovecot/passwd.masterusers
>   driver = passwd-file
>   master = yes
>   pass = yes
> }
> passdb {
>   args = username_format=%n /etc/dovecot/passwd
>   driver = passwd-file
> }
> plugin {
>   imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
>   imapsieve_mailbox1_cause = COPY FLAG
>   imapsieve_mailbox1_name = Junk
>   imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
>   imapsieve_mailbox2_causes = COPY
>   imapsieve_mailbox2_from = Junk
>   imapsieve_mailbox2_name = *
>   sieve = ~/dovecot.sieve
>   sieve_after = /etc/dovecot/sieve/after
>   sieve_dir = ~/sieve
>   sieve_extensions = +vacation-seconds
>   sieve_global_extensions = +vnd.dovecot.pipe
>   sieve_pipe_bin_dir = /etc/dovecot/sieve
>   sieve_plugins = sieve_imapsieve sieve_extprograms
>   sieve_vacation_default_period = 1d
>   sieve_vacation_max_period = 30d
>   sieve_vacation_min_period = 1d
> }
> protocols = imap lmtp sieve
> service auth {
>   unix_listener /var/spool/postfix/private/dovecot-auth {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
>   process_limit = 128
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>     ssl = yes
>   }
>   service_count = 1
> }
> service managesieve {
>   process_limit = 256
> }
> ssl_cert = </masked/path/to/server.crt
> ssl_key =  # hidden, use -P to show it
> userdb {
>   args = uid=vmail gid=vmail home=/var/mail/users/%n
>   driver = static
> }
> verbose_proctitle = yes
> protocol lmtp {
>   mail_plugins = " sieve notify push_notification"
>   ssl = no
> }
> protocol imap {
>   mail_plugins = " imap_sieve"
> }
> protocol sieve {
>   mail_debug = yes
>   managesieve_max_line_length = 65536
> }
>
> --Dominik
>
> On 1/11/19 9:44 AM, Aki Tuomi wrote:
>> On 10.1.2019 18.28, Dominik Menke wrote:
>>> I've missed a part at the end:
>>>
>>>> This leads me to my question: How do I force Dovecot to print at
>>>> least a STARTTLS line after a client connects to port 4190? Looking
>>>
>>> ... at the default configuration files in /etc/dovecot/conf.d/ I don't
>>> see an obvious difference.
>>>
>>> --Dominik
>> Can you provide output of `doveconf -n`?
>> Aki
>
> --
> Digineo GmbH
> Fahrenheitstraße 15
> 28359 Bremen
>
> Phone: +49 421 167 66 090
> Fax: +49 421 167 66 099
>
> E-Mail: dom at digineo.de
> Internet: www.digineo.de
>
> Managing Director: Dipl.-Inf. Julian Kornberger
> Amtsgericht Bremen HRB 25061
> VAT ID: DE 815023724
Hello Gerald,

that did the trick, thank you very much!

--Dominik

On 1/11/19 10:54 AM, Gerald Galster wrote:
> Hi Dominik,
>
> I have set ssl = required in 10-ssl.conf globally but no ssl here:
>
>     service managesieve-login {
>       inet_listener sieve {
>         port = 4190
>       }
>       ...
>     }
>
> Nevertheless, STARTTLS is offered:
>
>     "IMPLEMENTATION" "Dovecot Pigeonhole"
>     "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext"
>     "NOTIFY" "mailto"
>     "SASL" ""
>     "STARTTLS"
>     "VERSION" "1.0"
>     OK "service active"
>
> and the connection will be encrypted (tested with Roundcube webmail):
>
>     > STARTTLS
>     < OK "Begin TLS negotiation now."
>     ...
>
> You can check if it works with tcpdump:
>
>     tcpdump -nn -l -A -i eth0 port 4190
>
> Best regards
> Gerald
On 11/01/2019 at 16:05, Dominik Menke wrote:
> Hello Gerald,
>
> that did the trick, thank you very much!
>
> --Dominik
>
> On 1/11/19 10:54 AM, Gerald Galster wrote:
>> Hi Dominik,
>>
>> I have set ssl = required in 10-ssl.conf globally but no ssl here:
>>
>>     service managesieve-login {
>>       inet_listener sieve {
>>         port = 4190
>>       }
>>       ...
>>     }
>>

For reference: if you put ssl=yes there, the TLS layer is established immediately. However, the standard ManageSieve protocol does not support that (not currently anyway): only the establishment of the TLS layer using the STARTTLS command is part of the standard. That is why your clients fail to connect: they're speaking plaintext while the server is speaking TLS. Still, Dovecot supports configuring it that way, which is what you did.

Regards,

Stephan.
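The exchange Gerald verified with tcpdump and the failure mode Stephan describes (a listener with ssl = yes speaking TLS before the client expects it), as an added example that is not from the thread, Dovecot or Pigeonhole: a Python 3 client that parses the plaintext ManageSieve banner, checks that STARTTLS is advertised and that the SASL list is empty (the effect of ssl = required), and then upgrades the connection with STARTTLS. SAMPLE_GREETING is Gerald's banner with the SIEVE list shortened; the host and port passed to probe() are yours to supply.

```python
import re
import socket
import ssl
SAMPLE_GREETING = (  # Gerald's pre-TLS greeting from the thread (SIEVE list shortened), as bytes
    b'"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n"SIEVE" "fileinto reject envelope vacation"\r\n'
    b'"NOTIFY" "mailto"\r\n"SASL" ""\r\n"STARTTLS"\r\n"VERSION" "1.0"\r\nOK "service active"\r\n')

def parse_greeting(data: bytes) -> dict:
    """Map capability names to values; flag capabilities such as STARTTLS map to ""."""
    caps = {}
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith(("OK", "NO", "BYE")):
            break  # the response line ends the capability list
        fields = re.findall(r'"([^"]*)"', line)  # quoted strings only, no {n+} literals
        if fields:
            caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps

def assess_pre_tls(caps: dict) -> list:
    """Policy findings for the plaintext banner. With ssl = required and no ssl = yes on
    the listener, STARTTLS is advertised and SASL is empty, so no login can precede TLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    if caps.get("SASL", "").strip():
        findings.append("SASL offered before TLS: " + caps["SASL"])
    return findings

def _read_response(sock) -> bytes:
    """Read until the OK/NO/BYE line that ends every ManageSieve response."""
    buf = b""
    while not re.search(rb"(?m)^(OK|NO|BYE)\b", buf):
        if not (chunk := sock.recv(4096)):
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf

def probe(host: str, port: int = 4190, timeout: float = 5.0) -> dict:
    """Live check: read the banner, issue STARTTLS, return pre- and post-TLS capabilities."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            pre = parse_greeting(_read_response(sock))
        except socket.timeout as exc:  # ssl = yes on the listener: server waits for ClientHello
            raise RuntimeError("no plaintext banner: listener is probably implicit TLS") from exc
        sock.sendall(b"STARTTLS\r\n")
        if not _read_response(sock).startswith(b"OK"):  # expect OK "Begin TLS negotiation now."
            raise RuntimeError("server refused STARTTLS")
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            post = parse_greeting(_read_response(tls))  # capabilities are re-sent after TLS
    return {"pre_tls": pre, "post_tls": post, "findings": assess_pre_tls(pre)}
```

A banner that advertises SASL mechanisms before TLS, or no STARTTLS at all, shows up in the findings; a hang followed by the RuntimeError is the implicit-TLS misconfiguration Stephan explains.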