Displaying 10 results from an estimated 10 matches for "tls_".
2015 Oct 08
2
Dovecot auth-ldap ignores tls_* settings when using ldaps://
Hi,
I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13
there seems to be the same bug/feature).
The userdb and passdb use LDAP. All further configuration is done in
auth-ldap.conf.ext.
uri = ldaps://<host>/
# tls =
tls_cert_file = /etc/ssl/certs/client-cert.pem
tls_key_file = /etc/ssl/certs/client-key.file
Dovecot ignores the tls_* options. If I use an ldap:// URI and
switch on TLS using tls=yes it works as expected.
But I do not see any reason why LDAPS should not read the tls_*
settings.
This small pa...
2015 Oct 13
0
Dovecot auth-ldap ignores tls_* settings when using ldaps://
...m using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13
> there seems to be the same bug/feature).
>
> The userdb and passdb use LDAP. All further configuration is done in
> auth-ldap.conf.ext.
>
> uri = ldaps://<host>/
> # tls =
> tls_cert_file = /etc/ssl/certs/client-cert.pem
> tls_key_file = /etc/ssl/certs/client-key.file
>
> Dovecot ignores the tls_* options. If I use an ldap:// URI and
> switch on TLS using tls=yes it works as expected.
>
> But I do not see any reason why LDAPS should not read the t...
2015 Dec 07
7
v2.2.20 released
...nges. This fix includes some
extra checks, which makes sure that if such a conflict still happens
it's automatically fixed. In some situations such an automatic fix
may now be unnecessarily triggered and an error logged.
- director: Backend tags weren't working correctly.
- ldap: tls_* settings weren't used for ldaps URIs.
- ldap, mysql: Fixed setting connect timeout.
- auth: userdb lookups via auth-worker couldn't change username
- dsync: Fixed handling deleted directories. Make sure we don't go to
infinite mailbox renaming loop.
- imap: Fixed crash in NOTIFY...
2008 Feb 11
1
v1.1.beta15 released
...error message is now written to a
file in base_dir as well as to log file. When Dovecot starts the next
time it shows this error message to user and asks to look into error log
file. I'm hoping this will reduce "why dovecot exits silently after
starting it?" questions.
- LDAP: Added tls_* settings for using TLS with OpenLDAP.
- POP3-only users shouldn't get dovecot.index.cache files created
anymore when quota plugin is used
- Fixed/optimized handling pipelined commands
- rawlog: added -b parameter to log packet boundaries.
- auth: %a and %b were broken
-------------- next...
2015 Dec 03
8
v2.2.20 release candidate released
...nges. This fix includes some
extra checks, which makes sure that if such a conflict still happens
it's automatically fixed. In some situations such an automatic fix
may now be unnecessarily triggered and an error logged.
- director: Backend tags weren't working correctly.
- ldap: tls_* settings weren't used for ldaps URIs.
- ldap, mysql: Fixed setting connect timeout.
- auth: userdb lookups via auth-worker couldn't change username
- dsync: Fixed handling deleted directories. Make sure we don't go to
infinite mailbox renaming loop.
- imap: Fixed crash in NOTIFY...
2015 Jun 23
2
a temporary failure
...c/auth/db-ldap.c
description:
auth ldap: Make sure config file path is included in all fatal error
messages.
changeset: 18359:ec2e7ae958c5
user: Timo Sirainen <tss at iki.fi>
date: Mon Mar 16 23:17:39 2015 +0200
files: src/auth/db-ldap.c
description:
auth ldap: If any tls_* settings are given when they're not supported,
fail with fatal instead of just warning.
These may be important for intended security, especially tls_cipher_suite.
We shouldn't allow setting them and then somewhat silently just ignore
them.
....
--
Steffen Kaiser
2015 Jun 23
0
a temporary failure
...ke sure config file path is included in all
> fatal error messages.
>
>
> changeset: 18359:ec2e7ae958c5
> user: Timo Sirainen <tss at iki.fi>
> date: Mon Mar 16 23:17:39 2015 +0200
> files: src/auth/db-ldap.c
> description:
> auth ldap: If any tls_* settings are given when they're
> not supported, fail with fatal instead of just warning.
> These may be important for intended security, especially
> tls_cipher_suite.
> We shouldn't allow setting them and then somewhat silently
> just ignore them.
>
> ....
>
> ...
2015 Jun 23
2
a temporary failure
On Mon, 22 Jun 2015, lejeczek wrote:
> On 22/06/15 09:43, Steffen Kaiser wrote:
>> On Mon, 22 Jun 2015, lejeczek wrote:
>>> On 22/06/15 09:16, lejeczek wrote:
>>>>
>>>> to=<me at my.domain>,orig_to=<root at localhost>, relay=dovecot, delay=39296,
>>>> delays=39294/2.2/0/0.27,