Hi Dominik,
I have set ssl = required in 10-ssl.conf globally but no ssl here:
service managesieve-login {
inet_listener sieve {
port = 4190
}
...
}
Nevertheless, STARTTLS is offered
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation
subaddress comparator-i;ascii-numeric relational regex imap4flags copy include
variables body enotify environment mailbox date index ihave duplicate mime
foreverypart extracttext"
"NOTIFY" "mailto"
"SASL" ""
"STARTTLS"
"VERSION" "1.0"
OK "service active"
and the connection will be encrypted (tested with roudcube webmail)
> STARTTLS
< OK "Begin TLS negotiation now."
...
You can check if it works with tcpdump:
tcpdump -nn -l -A -i eth0 port 4190
Best regards
Gerald
> Am 11.01.2019 um 09:59 schrieb Dominik Menke <dom at digineo.de>:
>
> Sure, here you go (I've masked a few unimportant fields, though):
>
>
> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.21 (92477967)
> # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS
> auth_default_realm = masked
> auth_master_user_separator = *
> auth_mechanisms = plain login scram-sha-1
> default_vsz_limit = 4 G
> doveadm_worker_count = 8
> log_path = /dev/stderr
> mail_attachment_dir = /var/mail/sis
> mail_attachment_hash = %{sha256}
> mail_location = mdbox:~/mdbox
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric relational
regex imap4flags copy include variables body enotify environment mailbox date
index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve
vnd.dovecot.imapsieve
> mdbox_rotate_size = 128 M
> namespace inbox {
> inbox = yes
> location > mailbox Drafts {
> auto = subscribe
> special_use = \Drafts
> }
> mailbox Junk {
> auto = subscribe
> special_use = \Junk
> }
> mailbox Sent {
> auto = subscribe
> special_use = \Sent
> }
> mailbox Trash {
> auto = subscribe
> special_use = \Trash
> }
> prefix > }
> passdb {
> args = username_format=%n /etc/dovecot/passwd.masterusers
> driver = passwd-file
> master = yes
> pass = yes
> }
> passdb {
> args = username_format=%n /etc/dovecot/passwd
> driver = passwd-file
> }
> plugin {
> imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve
> imapsieve_mailbox1_cause = COPY FLAG
> imapsieve_mailbox1_name = Junk
> imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve
> imapsieve_mailbox2_causes = COPY
> imapsieve_mailbox2_from = Junk
> imapsieve_mailbox2_name = *
> sieve = ~/dovecot.sieve
> sieve_after = /etc/dovecot/sieve/after
> sieve_dir = ~/sieve
> sieve_extensions = +vacation-seconds
> sieve_global_extensions = +vnd.dovecot.pipe
> sieve_pipe_bin_dir = /etc/dovecot/sieve
> sieve_plugins = sieve_imapsieve sieve_extprograms
> sieve_vacation_default_period = 1d
> sieve_vacation_max_period = 30d
> sieve_vacation_min_period = 1d
> }
> protocols = imap lmtp sieve
> service auth {
> unix_listener /var/spool/postfix/private/dovecot-auth {
> group = postfix
> mode = 0600
> user = postfix
> }
> }
> service imap-login {
> inet_listener imap {
> port = 143
> }
> inet_listener imaps {
> port = 993
> ssl = yes
> }
> process_limit = 128
> }
> service lmtp {
> unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
> }
> }
> service managesieve-login {
> inet_listener sieve {
> port = 4190
> ssl = yes
> }
> service_count = 1
> }
> service managesieve {
> process_limit = 256
> }
> ssl_cert = </masked/path/to/server.crt
> ssl_key = # hidden, use -P to show it
> userdb {
> args = uid=vmail gid=vmail home=/var/mail/users/%n
> driver = static
> }
> verbose_proctitle = yes
> protocol lmtp {
> mail_plugins = " sieve notify push_notification"
> ssl = no
> }
> protocol imap {
> mail_plugins = " imap_sieve"
> }
> protocol sieve {
> mail_debug = yes
> managesieve_max_line_length = 65536
> }
>
>
> --Dominik
>
>
> On 1/11/19 9:44 AM, Aki Tuomi wrote:
>> On 10.1.2019 18.28, Dominik Menke wrote:
>>> I've missed a part at the end:
>>>
>>>> This leads me to my question: How do I force Dovecot to print
at
>>>> least a STARTTLS line after a client connects to port 4190?
Looking
>>>
>>> ... at the default configuration files in /etc/dovecot/conf.d/ I
don't
>>> see an obvious difference.
>>>
>>>
>>> --Dominik
>> Can you provide output of `doveconf -n`
>> Aki
>
> --
> Digineo GmbH
> Fahrenheitstra?e 15
> 28359 Bremen
>
> Telefon: +49 421 167 66 090
> Telefax: +49 421 167 66 099
>
> E-Mail: dom at digineo.de
> Internet: www.digineo.de
>
> Gesch?ftsf?hrer: Dipl.-Inf. Julian Kornberger
> Amtsgericht Bremen HRB 25061
> USt-ID: DE 815023724
Hello Gerald, that did the trick, thank you very much! --Dominik On 1/11/19 10:54 AM, Gerald Galster wrote:> Hi Dominik, > > I have set ssl = required in 10-ssl.conf globally but no ssl here: > > service managesieve-login { > inet_listener sieve { > port = 4190 > } > ... > } > > > Nevertheless, STARTTLS is offered > > "IMPLEMENTATION" "Dovecot Pigeonhole" > "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext" > "NOTIFY" "mailto" > "SASL" "" > "STARTTLS" > "VERSION" "1.0" > OK "service active" > > > and the connection will be encrypted (tested with roudcube webmail) > > >> STARTTLS > < OK "Begin TLS negotiation now." > > ... > > > You can check if it works with tcpdump: > > tcpdump -nn -l -A -i eth0 port 4190 > > > Best regards > Gerald > > >> Am 11.01.2019 um 09:59 schrieb Dominik Menke <dom at digineo.de>: >> >> Sure, here you go (I've masked a few unimportant fields, though): >> >> >> # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf >> # Pigeonhole version 0.4.21 (92477967) >> # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS >> auth_default_realm = masked >> auth_master_user_separator = * >> auth_mechanisms = plain login scram-sha-1 >> default_vsz_limit = 4 G >> doveadm_worker_count = 8 >> log_path = /dev/stderr >> mail_attachment_dir = /var/mail/sis >> mail_attachment_hash = %{sha256} >> mail_location = mdbox:~/mdbox >> managesieve_notify_capability = mailto >> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve >> mdbox_rotate_size = 128 M >> namespace inbox { >> inbox = yes >> location >> mailbox Drafts { >> auto = subscribe >> special_use = \Drafts >> } >> mailbox Junk { >> auto = subscribe >> special_use = \Junk >> } >> mailbox Sent { >> auto = subscribe >> special_use = \Sent >> } >> mailbox Trash { >> auto = subscribe >> special_use = \Trash >> } >> prefix >> } >> passdb { >> args = username_format=%n /etc/dovecot/passwd.masterusers >> driver = passwd-file >> master = yes >> pass = yes >> } >> passdb { >> args = username_format=%n /etc/dovecot/passwd >> driver = passwd-file >> } >> plugin { >> imapsieve_mailbox1_before = file:/etc/dovecot/sieve/learn-spam.sieve >> imapsieve_mailbox1_cause = COPY FLAG >> imapsieve_mailbox1_name = Junk >> imapsieve_mailbox2_before = file:/etc/dovecot/sieve/learn-ham.sieve >> imapsieve_mailbox2_causes = COPY >> imapsieve_mailbox2_from = Junk >> imapsieve_mailbox2_name = * >> sieve = ~/dovecot.sieve >> sieve_after = /etc/dovecot/sieve/after >> sieve_dir = ~/sieve >> sieve_extensions = +vacation-seconds >> sieve_global_extensions = +vnd.dovecot.pipe >> sieve_pipe_bin_dir = /etc/dovecot/sieve >> sieve_plugins = sieve_imapsieve sieve_extprograms >> sieve_vacation_default_period = 1d >> sieve_vacation_max_period = 30d >> sieve_vacation_min_period = 1d >> } >> protocols = imap lmtp sieve >> service auth { >> unix_listener /var/spool/postfix/private/dovecot-auth { >> group = postfix >> mode = 0600 >> user = postfix >> } >> } >> service imap-login { >> inet_listener imap { >> port = 143 >> } >> inet_listener imaps { >> port = 993 >> ssl = yes >> } >> process_limit = 128 >> } >> service lmtp { >> unix_listener /var/spool/postfix/private/dovecot-lmtp { >> group = postfix >> mode = 0600 >> user = postfix >> } >> } >> service managesieve-login { >> inet_listener sieve { >> port = 4190 >> ssl = yes >> } >> service_count = 1 >> } >> service managesieve { >> process_limit = 256 >> } >> ssl_cert = </masked/path/to/server.crt >> ssl_key = # hidden, use -P to show it >> userdb { >> args = uid=vmail gid=vmail home=/var/mail/users/%n >> driver = static >> } >> verbose_proctitle = yes >> protocol lmtp { >> mail_plugins = " sieve notify push_notification" >> ssl = no >> } >> protocol imap { >> mail_plugins = " imap_sieve" >> } >> protocol sieve { >> mail_debug = yes >> managesieve_max_line_length = 65536 >> } >> >> >> --Dominik >> >> >> On 1/11/19 9:44 AM, Aki Tuomi wrote: >>> On 10.1.2019 18.28, Dominik Menke wrote: >>>> I've missed a part at the end: >>>> >>>>> This leads me to my question: How do I force Dovecot to print at >>>>> least a STARTTLS line after a client connects to port 4190? Looking >>>> >>>> ... at the default configuration files in /etc/dovecot/conf.d/ I don't >>>> see an obvious difference. >>>> >>>> >>>> --Dominik >>> Can you provide output of `doveconf -n` >>> Aki >>
Op 11/01/2019 om 16:05 schreef Dominik Menke:> Hello Gerald, > > that did the trick, thank you very much! > > --Dominik > > > On 1/11/19 10:54 AM, Gerald Galster wrote: >> Hi Dominik, >> >> I have set ssl = required in 10-ssl.conf globally but no ssl here: >> >> service managesieve-login { >> ?? inet_listener sieve { >> ???? port = 4190 >> ?? } >> ?? ... >> } >>For reference: if you put ssl=yes there, the TLS layer is established immediately. However, the standard ManageSieve protocol does not support that (not currently anyway): only the establishment of the TLS layer using the STARTTLS command is part of the standard. That is why your clients fail to connect: they're speaking plaintext while the server is speaking TLS. Still, Dovecot supports configuring it that way, which is what you did. Regards, Stephan.>> >> Nevertheless, STARTTLS is offered >> >> "IMPLEMENTATION" "Dovecot Pigeonhole" >> "SIEVE" "fileinto reject envelope encoded-character vacation >> subaddress comparator-i;ascii-numeric relational regex imap4flags >> copy include variables body enotify environment mailbox date index >> ihave duplicate mime foreverypart extracttext" >> "NOTIFY" "mailto" >> "SASL" "" >> "STARTTLS" >> "VERSION" "1.0" >> OK "service active" >> >> >> and the connection will be encrypted (tested with roudcube webmail) >> >> >>> STARTTLS >> < OK "Begin TLS negotiation now." >> >> ... >> >> >> You can check if it works with tcpdump: >> >> tcpdump -nn -l -A -i eth0 port 4190 >> >> >> Best regards >> Gerald >> >> >>> Am 11.01.2019 um 09:59 schrieb Dominik Menke <dom at digineo.de>: >>> >>> Sure, here you go (I've masked a few unimportant fields, though): >>> >>> >>> ??? # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf >>> ??? # Pigeonhole version 0.4.21 (92477967) >>> ??? # OS: Linux 4.15.0-42-generic x86_64 Ubuntu 18.04.1 LTS >>> ??? auth_default_realm = masked >>> ??? auth_master_user_separator = * >>> ??? auth_mechanisms = plain login scram-sha-1 >>> ??? default_vsz_limit = 4 G >>> ??? doveadm_worker_count = 8 >>> ??? log_path = /dev/stderr >>> ??? mail_attachment_dir = /var/mail/sis >>> ??? mail_attachment_hash = %{sha256} >>> ??? mail_location = mdbox:~/mdbox >>> ??? managesieve_notify_capability = mailto >>> ??? managesieve_sieve_capability = fileinto reject envelope >>> encoded-character vacation subaddress comparator-i;ascii-numeric >>> relational regex imap4flags copy include variables body enotify >>> environment mailbox date index ihave duplicate mime foreverypart >>> extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve >>> ??? mdbox_rotate_size = 128 M >>> ??? namespace inbox { >>> ????? inbox = yes >>> ????? location >>> ????? mailbox Drafts { >>> ??????? auto = subscribe >>> ??????? special_use = \Drafts >>> ????? } >>> ????? mailbox Junk { >>> ??????? auto = subscribe >>> ??????? special_use = \Junk >>> ????? } >>> ????? mailbox Sent { >>> ??????? auto = subscribe >>> ??????? special_use = \Sent >>> ????? } >>> ????? mailbox Trash { >>> ??????? auto = subscribe >>> ??????? special_use = \Trash >>> ????? } >>> ????? prefix >>> ??? } >>> ??? passdb { >>> ????? args = username_format=%n /etc/dovecot/passwd.masterusers >>> ????? driver = passwd-file >>> ????? master = yes >>> ????? pass = yes >>> ??? } >>> ??? passdb { >>> ????? args = username_format=%n /etc/dovecot/passwd >>> ????? driver = passwd-file >>> ??? } >>> ??? plugin { >>> ????? imapsieve_mailbox1_before = >>> file:/etc/dovecot/sieve/learn-spam.sieve >>> ????? imapsieve_mailbox1_cause = COPY FLAG >>> ????? imapsieve_mailbox1_name = Junk >>> ????? imapsieve_mailbox2_before = >>> file:/etc/dovecot/sieve/learn-ham.sieve >>> ????? imapsieve_mailbox2_causes = COPY >>> ????? imapsieve_mailbox2_from = Junk >>> ????? imapsieve_mailbox2_name = * >>> ????? sieve = ~/dovecot.sieve >>> ????? sieve_after = /etc/dovecot/sieve/after >>> ????? sieve_dir = ~/sieve >>> ????? sieve_extensions = +vacation-seconds >>> ????? sieve_global_extensions = +vnd.dovecot.pipe >>> ????? sieve_pipe_bin_dir = /etc/dovecot/sieve >>> ????? sieve_plugins = sieve_imapsieve sieve_extprograms >>> ????? sieve_vacation_default_period = 1d >>> ????? sieve_vacation_max_period = 30d >>> ????? sieve_vacation_min_period = 1d >>> ??? } >>> ??? protocols = imap lmtp sieve >>> ??? service auth { >>> ????? unix_listener /var/spool/postfix/private/dovecot-auth { >>> ??????? group = postfix >>> ??????? mode = 0600 >>> ??????? user = postfix >>> ????? } >>> ??? } >>> ??? service imap-login { >>> ????? inet_listener imap { >>> ??????? port = 143 >>> ????? } >>> ????? inet_listener imaps { >>> ??????? port = 993 >>> ??????? ssl = yes >>> ????? } >>> ????? process_limit = 128 >>> ??? } >>> ??? service lmtp { >>> ????? unix_listener /var/spool/postfix/private/dovecot-lmtp { >>> ??????? group = postfix >>> ??????? mode = 0600 >>> ??????? user = postfix >>> ????? } >>> ??? } >>> ??? service managesieve-login { >>> ????? inet_listener sieve { >>> ??????? port = 4190 >>> ??????? ssl = yes >>> ????? } >>> ????? service_count = 1 >>> ??? } >>> ??? service managesieve { >>> ????? process_limit = 256 >>> ??? } >>> ??? ssl_cert = </masked/path/to/server.crt >>> ??? ssl_key =? # hidden, use -P to show it >>> ??? userdb { >>> ????? args = uid=vmail gid=vmail home=/var/mail/users/%n >>> ????? driver = static >>> ??? } >>> ??? verbose_proctitle = yes >>> ??? protocol lmtp { >>> ????? mail_plugins = " sieve notify push_notification" >>> ????? ssl = no >>> ??? } >>> ??? protocol imap { >>> ????? mail_plugins = " imap_sieve" >>> ??? } >>> ??? protocol sieve { >>> ????? mail_debug = yes >>> ????? managesieve_max_line_length = 65536 >>> ??? } >>> >>> >>> --Dominik >>> >>> >>> On 1/11/19 9:44 AM, Aki Tuomi wrote: >>>> On 10.1.2019 18.28, Dominik Menke wrote: >>>>> I've missed a part at the end: >>>>> >>>>>> This leads me to my question: How do I force Dovecot to print at >>>>>> least a STARTTLS line after a client connects to port 4190? Looking >>>>> >>>>> ... at the default configuration files in /etc/dovecot/conf.d/ I >>>>> don't >>>>> see an obvious difference. >>>>> >>>>> >>>>> --Dominik >>>> Can you provide output of `doveconf -n` >>>> Aki >>>