similar to: Collecting S/MIME Certs from (incoming signed) E-Mails

On 03/22/2018 09:34 AM, Aki Tuomi wrote: >>> I have no idea why you would have nopassword=y set in the first >>> place, so it seems the simplest way to eliminate this problem is to >>> take that out and have a secure environment for sending mail. >> >> Yes, however, for SOGo with Native Outlook compatibility or SAML >> logon, the config is required.

Hello everyone, I work in a setting where remote logins are usually authenticated with SSH user keypairs, but many target accounts need to have a password set nonetheless (to use with sudo, log in via remote KVM, etc.) and cannot be put under a central user administration like LDAP. Enter a corporate password policy that requires passwords to be complex, different everywhere, and of limited

On 10/25/2017 12:58 PM, Heiko Schlittermann wrote: > We could create new "role" users, share the password and create an > additional account within the mail client (thunderbird) they use. From > users perspective it is exactly what they want. But I dislike the idea > of sharing the password. For what reason exactly? It not being personalized, too easy to leak, potentially

On 11/17/2016 08:48 AM, Steve Litt wrote: > When I use an email client, its purpose is as a window into my Dovecot > IMAP, and as a mechanism to reply to and send emails. I don't do > filtering or calendaring on my email client (filtering via procmail > direct to Dovecot). > > What email clients are all of you using to look at your IMAP email? Plaintext or HTML mails?

On 05/16/2018 06:07 AM, Aki Tuomi wrote: >> On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta at gmail.com> wrote: >> Is possible to implement and end-to-end encryption with dovecot, where >> server-side there is no private key to decrypt messages? > > You could probably automate this with sieve and e.g. GnuPG, which would mean > that all your

On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:> So changing the forced command as stated will break the application. I > would need to create a test bed to simulate the listener rather than > use the server as is, where is. That may produce false or misleading > results. Since the forced command is tied to the specific keypair in the authorized_keys, you could -- test with a different

Hello everyone, I would like pointers on how to analyze the following situation, please: I'm running one test and one production dovecot IMAPS server for one of our platforms. The clients are essentially appliances we distribute, auth by client cert, virtual users only, mailboxes in maildir format: > auth_ssl_require_client_cert = yes > auth_ssl_username_from_cert = yes >

On 12/15/2018 12:34 AM, @lbutlr wrote: > On 14 Dec 2018, at 16:30, @lbutlr <kremels at kreme.com> wrote: >> Is it possible to override the POP3 delete on download command and make >> sure that messages stay on the server for at least X hours or X days? >> It is important that the messages be around long enough to hit a snapshot >> cycle (using rsnapshot to backup

On 26.10.20 17:45, Mihai Badici wrote: > So I guess it is not trivial to sort again all the mails and > deliver each one in a mailbox after you mixed all together in a single > catchall mailbox. Could be done for sure but it is some work to do...? Determining the intended recipient of a specific *copy* of an e-mail (info contained in the envelope) from that copy *after* "final"

On 09/11/2018 08:20 PM, Kai Schaetzl wrote: > I have to disable mail acceptance for example1.com. > If not, mail sent *from* that server (e.g. from a web form) to that domain > will not leave the server. > However, if I disable example1.com for mail dovecot lmtp will not deliver > mail to this mail box anymore, although the mailbox still exists. First and foremost, you are

On 12/05/2018 06:57 PM, admin (@awib.it) wrote: > I have a group alias (all at company.com). > (1) Only company.com accounts should be able to send an email to > everybody in that company via all at company.com. Do you have a means to identify "some suitable account was used" - as opposed to a trivially forged sender address - *other* than by watching the actual MUA-to-MSA

On 02/20/2019 07:51 AM, Mark D. Baushke wrote: > There are too just many cases where both OpenSSH interoperating with > itself as well as other SSH implementations have needed this version > number to properly deal with bugs in the code via negitations. FWIW, and without dismissing the possibility of fingerprinting a server in other ways, the fact that clients that *can* pass

Hi Jochen, On Wed, 12 Feb 2020 at 00:16, Jochen Bern <Jochen.Bern at binect.de> wrote: > > On 02/11/2020 07:07 PM, Cl?ment P?ron wrote: > > - I have X devices (around 30) and one SSH server > > - Each of them have a unique public key and create one dynamic reverse > > port forwarding on the server > > - All of them connect with the same UNIX user (I don't

On 24.02.23 12:58, Keine Eile wrote: > does any one of you have a best practice on renewing ssh host keys on > cloned machines? > I have a customer who never thought about that, while cloning all VMs > from one template. Now all machines have the exact same host key. > My approach would be to store a machines MAC address(es). Then when > starting the sshd.service, check if

On 05.07.23 02:50, Damien Miller wrote: > Some possibilities: > 1. the receive.ksh script is faulty in some way that causes it to invoke > sftp-server How would the script even *know* that the client requested the SFTP subsystem? Is a subsystem's executable/path, supposedly internally overwritten with the forced command at that point, exposed through $SSH_ORIGINAL_COMMAND ?

On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable

A quick question, if I may: Today, I heard a rumour that "ssh" can be used as a TOTP *token* (i.e., accept or generate a secret for a configuration and generate TOTP codes from there on out, to be entered into some *other* software requesting them for 2FA). All I could find on the web so far are how-tos to a) make ssh*d* request and verify TOTP codes (usually with the help of PAM)

On 05.07.23 18:01, MCMANUS, MICHAEL P wrote: > It appears the forced command either does not run or runs to completion > and exits immediately, as there is no process named "receive.ksh" in > the process tree. FWIW, two cents of mine: -- The script *exiting* should *not* prompt sshd to execute the requested subsystem "as a second thought", or else it'd happen

On 03/01/2015 08:53 AM, Jim Pazarena wrote: > I wonder if there is an easy way to provide dovecot a flat text file of > ipv4 #'s which should be ignored or dropped? > > I have accumulated 45,000+ IPs which routinely try dictionary and > 12345678 password attempts. The file is too big to create firewall > drops [...] The inherent assumption here is that dovecot, using a

Hello everyone, my workplace has gotten the idea of centrally maintaining a file in ssh_config syntax so that employees do not need to discover every new machine and configure it on their own. Since it's a case of "let's get started now, and properly think it through later", right now, a typical entry might look like > Host [product]-[Customer] > Hostname