similar to: TLS communication director -> backend with X.509 cert checks?

Displaying 20 results from an estimated 4000 matches similar to: "TLS communication director -> backend with X.509 cert checks?"

2015 Oct 13
2
TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann <hs at schlittermann.de> (Mi 14 Okt 2015 00:10:50 CEST): > Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 23:49:20 CEST): > … > > > > Proxying in general does check that hostname matches the SSL certificate, because both the hostname and IP address are sent to login process. So it should work in a way that host=<hostname> and
2015 Oct 13
2
Dualstack IPv4/IPv6 setup with directors
Hi, still using 2.2.9, I've two directors, and these directors use both IPv4/IPv6 addresses. `host directors.<domain>` returns one A and AAAA for each of the two directors: directors.<domain> has address 149.x.y.96 (director1) directors.<domain> has address 149.x.y.97 (director2) directors.<domain> has IPv6 address
2015 Oct 13
2
TLS communication director -> backend with X.509 cert checks?
Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 21:02:59 CEST): … > > On connection setup from a client the director connects to the > > selected backend. But it seems (not checked in the source yet), > > that for SSL certificate verification the director doesn't know the > > original host name anymore. The certificate's CN gets compared to > > the IP
2015 Oct 13
2
TLS communication director -> backend with X.509 cert checks?
Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 21:36:40 CEST): … > > I see: > > > > a) pass the host *names* to the director too, for CN verification > > purpose > > > > May be in struct mail_host could be a field for the original > > hostname we used to obtain the address(es)? > > Does the attached patch work? Compiles,
2015 Oct 13
2
TLS communication director -> backend with X.509 cert checks?
On 14 Oct 2015, at 00:34, Heiko Schlittermann <hs at schlittermann.de> wrote: > > Hi Timo, > > Heiko Schlittermann <hs at schlittermann.de> (Di 13 Okt 2015 22:33:23 CEST): >>> Does the attached patch work? Compiles, but untested. >> I'm about to test it. > > It seems to update the struct mail_host, but it looks as if the data > in mail_host
2015 Oct 13
0
TLS communication director -> backend with X.509 cert checks?
Heiko Schlittermann <hs at schlittermann.de> (Mi 14 Okt 2015 00:46:11 CEST): … > > And if I add -D to the director service, I can see "Debug: request <hash> refreshed timeout to …", > but never I see "Debug: request <hash> added". And from what I > understand this would be the place where the mail_host info comes into > the game. > >
2015 Oct 14
1
TLS communication director -> backend with X.509 cert checks?
Hi Timo Heiko Schlittermann <hs at schlittermann.de> (Mi 14 Okt 2015 01:10:20 CEST): … > Ah, the information comes from the other director running. The other one > is using an unpatched version of dovecot. Your patch for backend-certificate verification works. Thank you for the good and fast work. Is there any chance that this will make it into Dovecot's next release? BTW: The
2016 Feb 11
3
LMTP proxy does not pass RCPT TO: ... 5xx response back
Hello, I'm using dovecot 2.2.9 and a director/backend setup. On the director I've the LMTP in proxy mode, mapping the users to one of the backends. The backends do quota check and return the OverQuota message already at RCPT TO time. Here is what I typed, connected to the director Connection to director1 2525 port [tcp/*] succeeded! 220 director1.rz.hs-example.de Dovecot
2015 Oct 13
1
TLS communication director -> backend with X.509 cert checks?
Timo Sirainen <tss at iki.fi> (Di 13 Okt 2015 21:02:59 CEST): > > the IP address the director connects to. > > Right. The hostnames are lost immediately at director startup. I've never really thought about needing this functionality for director, since they're usually in the same trusted network with backends.. > Ooo. What if director_mail_servers =
2015 Oct 13
0
TLS communication director -> backend with X.509 cert checks?
Hi Timo, Heiko Schlittermann <hs at schlittermann.de> (Di 13 Okt 2015 22:33:23 CEST): > > Does the attached patch work? Compiles, but untested. > I'm about to test it. It seems to update the struct mail_host, but it looks as if the data in mail_host do not propagate down to login_proxy_new(). In other words, in login_proxy_new() set->host contains the IP address,
2016 Feb 12
2
Segmentation fault on doveadm search -A with a huge user base
Hi, I'm using dovecot 2.2.9 with a director/backend setup. The user base is about 4711 users currently. If I start at one of the directors doveadm search -A all savedbefore 5000d it terminates with doveadm(1rrissma): Error: doveadm server disconnected before handshake: EOF doveadm(1rrissma): Error: 2001:638:913:f33::5:ff:24245: Command search failed for 1phaaman: EOF
2016 Nov 21
2
Exim still accepting emails to nonexistent users
Hi, Heiko Schlittermann <hs at schlittermann.de> (Mo 21 Nov 2016 11:50:13 CET): > a) Routing stage > You need to interact with the user database dovecot uses. > Either you access the user database directory (flat file, LDAP, > whatever) or you use the ${readsocket…} feature of Exim to talk to > dovecot. The readsocket trick doesn't seem to work anymore. Using $
2016 May 31
2
Ubuntu package - Was: Re: doveadm-server protocol change?
Hi, Peter Chiochetti <pch at myzel.net> (Di 31 Mai 2016 10:31:50 CEST): > Not having installed any of the two, I can say, as a Ubuntu user: > In ppa "/etc/init.d/dovecot" is a symlink to "/lib/init/upstart-job" The 2.2.24 on 16.04 installs both /etc/init.d/dovecot /lib/systemd/system/dovecot.service > While xi packages places its own init script
2015 Oct 13
0
Dualstack IPv4/IPv6 setup with directors
On 13 Oct 2015, at 22:31, Heiko Schlittermann <hs at schlittermann.de> wrote: > > Hi, > > still using 2.2.9, I've two directors, and these directors > use both IPv4/IPv6 addresses. > > `host directors.<domain>` returns one A and AAAA for each > of the two directors: > > directors.<domain> has address 149.x.y.96 (director1)
2015 Nov 12
2
How to Restore emails
Hi, Mark Foley <mfoley at ohprs.org> (Do 12 Nov 2015 23:31:39 CET): > According to a message to this list from Oli Schacher, > http://www.dovecot.org/list/dovecot/2011-June/059493.html, all I need to do is copy the deleted > emails to their original folder and dovecot will take care of it: > … > > exactly, just copy the mail from your backup back into the users > >
2016 May 30
4
doveadm-server protocol change?
> On May 30, 2016 at 10:26 PM Heiko Schlittermann <hs at schlittermann.de> wrote: > > > Heiko Schlittermann <hs at schlittermann.de> (Mo 30 Mai 2016 21:18:09 CEST): > > Hi Aki, > > > > aki.tuomi at dovecot.fi <aki.tuomi at dovecot.fi> (Mo 30 Mai 2016 20:57:58 CEST): > > … > > > You can get packages from http://xi.dovecot.fi/debian/,
2015 Oct 08
2
Dovecot auth-ldap ignores tls_* settings when using ldaps://
Hi, I'm using dovecot 2.2.9 (but after checking src/auth/db-ldap.c in 2.2.13 there seems to be the same bug/feature). The userdb and passdb use LDAP. All further configuration is done in auth-ldap.conf.ext. uri = ldaps://<host>/ # tls = tls_cert_file = /etc/ssl/certs/client-cert.pem tls_key_file = /etc/ssl/certs/client-key.file Dovecot ignores the
2016 Nov 21
2
Exim still accepting emails to nonexistent users
Hi Heiko, Here is the router: virtual_aliases: driver = redirect debug_print = "R: Check address using virtual_aliases for $local_part@$domain" allow_fail allow_defer hide data = CHECK_VIRTUAL_ALIASES user = vmail group = mail local_user: debug_print = "R: local_user for $local_part@$domain" driver = accept
2015 Oct 11
2
dovecot as proxy and verification of the backends certificate
Hello, I'm using a dovecot as proxy, connecting to one or more backends. The backends use X.509 certificates. The proxy's passdb returns extra fields: user=foo proxy host=backend1.<domain> ssl=yes nopassword=y Thus the proxy connects to the backend but can't verify the backend's certificate. The following comment suggests using ssl_client_ca_file for
2016 Feb 11
2
Multiple quota rules from LDAP userdb?
Hello, I'm just asking myself, how I get multiple quota rules into the LDAP userdb. Dovecot is 2.2.9 userdb_attrs = … fooQuotaRule=quota_rule=%$ which allows me to have a user db entry as fooQuotaRule: *:storage=1000:messages=50 fooQuotaRule: Trash:storage=500 But, if I'd like to have another quota rule for a submailbox of that user? doveadm user returns the first