From 5948d266acee60544fd8ec54e0d6a5ad4c657dbd Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 13 Jul 2023 15:40:13 +0300 Subject: [PATCH 01/22] configuration_manual/service_configuration: Add more targets --- .../service_configuration.rst | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/source/configuration_manual/service_configuration.rst b/source/configuration_manual/service_configuration.rst index bb0d6ddf2..85185db12 100644 --- a/source/configuration_manual/service_configuration.rst +++ b/source/configuration_manual/service_configuration.rst @@ -9,10 +9,14 @@ This page describes Dovecot's services comprehensively. Most admins don't need t Service basics ============== +.. _service_configuration-executable: + executable ^^^^^^^^^^ The binary path to execute and its parameters. If the path doesn't begin with ``/``, it's relative to base_dir. +.. _service_configuration-type: + type ^^^^ Type of this service: @@ -22,6 +26,8 @@ Type of this service: * "login" is used by login processes. The login processes have "all processes full" notification fd. It's used by the processes to figure out when no more client connections can be accepted because client and process limits have been reached. The login processes can then kill some of their oldest connections that haven't logged in yet. * "log", "config" and "anvil" are treated specially by these specific processes. +.. _service_configuration-protocol: + protocol ^^^^^^^^ If non-empty, this service is enabled only when the protocol name is listed in protocols setting. 
@@ -47,26 +53,38 @@ Using ``4294967295 secs`` disables the idle-killing. Service privileges ================== +.. _service_configuration-user: + user ^^^^ UNIX user (UID) which runs this process.`` default_login_user`` setting's value should be used for type=login processes and ``default_internal_user`` should be used for other processes that don't require root privileges. +.. _service_configuration-group: + group ^^^^^ The primary UNIX group (GID) which runs this process. +.. _service_configuration-extra_groups: + extra_groups ^^^^^^^^^^^^ Secondary UNIX groups that this process belongs to. +.. _service_configuration-privileged_group: + privileged_group ^^^^^^^^^^^^^^^^ Secondary UNIX group, which is disabled by default, but can be enabled by the process. This setting is probably never needed directly. ``mail_privileged_group`` setting is a more user friendly way to use this setting for mail processes. +.. _service_configuration-chroot: + chroot ^^^^^^ The processes are chrooted to this directory at startup. Relative to ``base_dir``. +.. _service_configuration-drop_priv_before_exec: + drop_priv_before_exec ^^^^^^^^^^^^^^^^^^^^^ Drop all privileges after forking, but before executing the binary. This is mainly useful for dumping core files on non-Linux OSes, since the processes are no longer in `etuid` mode. This setting can't be used with non-empty chroot. @@ -93,6 +111,8 @@ client_limit ^^^^^^^^^^^^ Maximum number of simultaneous client connections per process. Once this number of connections is received, the next incoming connection will prompt Dovecot to spawn another process. If set to ``0``, ``default_client_limit`` is used instead. +.. _service_configuration-service_count: + service_count ^^^^^^^^^^^^^ 
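Review bot: two defects in the context lines of this hunk are worth fixing while the section is being touched. In the ``user`` paragraph the literal is written as "process.`` default_login_user``", which puts the sentence-ending period and a leading space inside the inline literal; it should read "process. ``default_login_user``". In ``drop_priv_before_exec`` the phrase "no longer in `etuid` mode" looks like a truncated "setuid" and uses single backticks where the rest of the page uses double backticks for identifiers.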
@@ -105,6 +125,8 @@ process_limit Maximum number of processes that can exist for this service. If set to ``0``, ``default_process_limit`` is used instead. +.. _service_configuration-process_min_avail: + process_min_avail ^^^^^^^^^^^^^^^^^ Minimum number of processes that always should be available to accept more client connections. @@ -135,6 +157,8 @@ vsz_limit ^^^^^^^^^ Limit the process's address space (both ``RLIMIT_DATA`` and ``RLIMIT_AS`` if available). When the space is reached, some memory allocations may start failing with "Out of memory", or the kernel may kill the process with signal 9. This setting is mainly intended to prevent memory leaks from eating up all of the memory, but there can be also legitimate reasons why the process reaches this limit. For example a huge mailbox may not be accessed if this limit is too low. The default value (``18446744073709551615=2^64-1``) sets the limit to ``default_vsz_limit``, while 0 disables the limit entirely. +.. _service_configuration-listeners: + Service listeners ================= From 57ba52aad700f8982758ba7d16f4dccc1fd76779 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Mon, 17 Jul 2023 12:20:28 +0300 Subject: [PATCH 02/22] admin_manual/login_processes: Add target for high performance mode --- source/admin_manual/login_processes.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/admin_manual/login_processes.rst b/source/admin_manual/login_processes.rst index 6feab0fcf..93fa3651b 100644 --- a/source/admin_manual/login_processes.rst +++ b/source/admin_manual/login_processes.rst @@ -67,6 +67,8 @@ client. always kept around waiting for new connections. * ``vsz_limit`` should be fine at its default 64MB value. +.. _login_processes_high_performance: + High-performance mode ===================== From 2d809cdf1056d802c3389bea705a6f153d8a9a55 Mon Sep 17 00:00:00 2001 
From: Aki Tuomi Date: Thu, 13 Jul 2023 15:48:19 +0300 Subject: [PATCH 03/22] configuration_manual/performance_tuning: Migrate page --- .../performance_tuning.rst | 93 +++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 source/configuration_manual/performance_tuning.rst diff --git a/source/configuration_manual/performance_tuning.rst b/source/configuration_manual/performance_tuning.rst new file mode 100644 index 000000000..faaf3c218 --- /dev/null +++ b/source/configuration_manual/performance_tuning.rst 
@@ -0,0 +1,93 @@ +================== +Performance tuning +================== + +Disk I/O optimization +--------------------- + +Usually heavily loaded IMAP and POP3 servers don't use much CPU, but +they use all the disk I/O they can get. So reducing disk I/O is probably +the most useful optimization you can do. + +- See :ref:`mbox_mbox_format` + for mbox-specific optimizations. + +- See :ref:`maildir_mbox_format` + for Maildir-specific optimizations. + +- See :ref:`dbox_mbox_format` + for Dovecot's own high-performance mailbox format. It usually gives + much better performance than mbox/Maildir. + +- See :ref:`full text search indexes ` + for optimizing IMAP SEARCH command. + +- See :ref:`pop3_server` for POP3 optimizations, especially + :dovecot_core:ref:`pop3_no_flag_updates=yes ` + +- :dovecot_core:ref:`mailbox_list_index=yes ` can help a lot by replying to IMAP STATUS + (and similar) lookups from a single index without having to open each + mailbox index separately. This is the default in v2.3+. + + - Also :dovecot_core:ref:`mailbox_list_index_very_dirty_syncs=yes ` makes Dovecot + assume that the list index is up-to-date. + +- :dovecot_core:ref:`mail_prefetch_count` setting may be helpful with some mailbox + formats + +- :dovecot_core:ref:`mail_location` ``= ...:VOLATILEDIR=/tmp/dovecot-volatile/%2.256Nu/%u`` + moves e.g. lock files to the volatile directory. This is helpful + especially if mail_location otherwise points to a remote filesystem + like NFS. 
(v2.2.32+) + +- If the acl plugin is used, but only global ACLs are needed, set + :dovecot_plugin:ref:`acl_globals_only=yes ` (v2.2.31+) + +CPU usage optimization +---------------------- + +- See :ref:`login_processes` + for optimizing CPU usage caused by logins + +- See :dovecot_core:ref:`auth_cache_size` setting for caching passdb and userdb lookups + + - To distribute password hash calculations to multiple CPU cores + (via auth-worker processes), set + :dovecot_core:ref:`auth_cache_verify_password_with_worker=yes `. (v2.2.34+) + +- Services having :ref:`client_limit>1 ` + and :ref:`process_limit>1 `, set + :ref:`process_min_avail ` to the number of CPU cores. + +- To reduce forks by reusing existing processes for new requests + increase :ref:`service { service_count } ` from 1 to higher (e.g. 100) + for imap and pop3 services. It's better not to set it too high or + unlimited (0), because different users use different amounts of + memory, and it's wasteful when a lot of processes end up having a lot + of "free" memory. + +Memory usage optimization +------------------------- + +There aren't many settings which affect Dovecot's memory usage. In +general Dovecot uses as much memory as it needs, which is usually quite +little. + +- :dovecot_core:ref:`auth_cache_size` controls maximum memory size for caching + passdb/userdb lookups + +- :ref:`High-performance mode for login processes `. + +- :dovecot_core:ref:`imap_hibernate_timeout` controls when to move IDLEing IMAP + connections to wait for changes in a shared imap-hibernate process. + This frees up the imap process. + +Note that these settings do not directly affect the memory usage: + +- :ref:`service { vsz_limit } `: These are simply safe guards against + potential memory leaks. If the process's virtual size reaches the + limit, the process is killed by the kernel. + +- :ref:`service { process_limit } ` and + :ref:`service { client_limit } `: These are mostly to + avoid DoS attacks using up all your memory. 
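Review bot: the ``service_count`` item under "CPU usage optimization" gives only a memory argument against raising the value ("different users use different amounts of memory") and omits the isolation trade-off that motivates the default of 1: with ``service_count = 1`` every login gets a fresh imap or pop3 process, whereas a reused process serves several consecutive connections and any state it carries is shared across them. Since this is a performance page recommending a value of e.g. 100, that trade-off should be stated next to the recommendation, or the item should cross-reference the ``service_count`` section of service_configuration.rst where it belongs. Separately, the ``VOLATILEDIR=/tmp/dovecot-volatile/...`` example should say that the volatile directory has to be a local filesystem, since the surrounding sentence motivates it with ``mail_location`` pointing at NFS.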
From 2f6aa97bbb096ceb0c1607a2d3bfa2168f548884 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 20 Jul 2023 11:04:58 +0300 Subject: [PATCH 04/22] admin_manual/known_issues: Add index page --- source/admin_manual/known_issues/index.rst | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 source/admin_manual/known_issues/index.rst diff --git a/source/admin_manual/known_issues/index.rst b/source/admin_manual/known_issues/index.rst new file mode 100644 index 000000000..66a56e484 --- /dev/null +++ b/source/admin_manual/known_issues/index.rst @@ -0,0 +1,9 @@ +============ +Known issues +============ + +.. toctree:: + :maxdepth: 1 + :glob: + + * From 802484d5e04b7d1fbd744eb13e89c4f9015e593a Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 13 Jul 2023 15:59:00 +0300 Subject: [PATCH 05/22] admin_manual/known_issues: mbox problems Migrate page --- .../known_issues/mbox_problems.rst | 157 ++++++++++++++++++ source/admin_manual/mailbox_formats/mbox.rst | 6 + 2 files changed, 163 insertions(+) create mode 100644 source/admin_manual/known_issues/mbox_problems.rst diff --git a/source/admin_manual/known_issues/mbox_problems.rst b/source/admin_manual/known_issues/mbox_problems.rst new file mode 100644 index 000000000..4f43011fa --- /dev/null +++ b/source/admin_manual/known_issues/mbox_problems.rst 
@@ -0,0 +1,157 @@ +.. _known_issues_mbox_problems: + +============= +mbox problems +============= + +External modifications +---------------------- + +In general Dovecot doesn't mind if you modify the mbox file externally. +It's fine if external software expunges messages or appends new ones. +However moving around existing messages, inserting messages in the +middle of the file or modifying existing messages isn't allowed. + +Especially modifying existing messages (eg. removing attachments) may +cause all kinds of problems. If you do that, at the minimum go and +delete ``dovecot.index.cache`` file from the mailbox, otherwise weird +things may happen. However IMAP protocol guarantees that messages don't +change at all, and deleting Dovecot's cache file doesn't clear clients' +local caches, so it still may not work right. + +If you insert messages, or if you "undelete" messages (eg. replace mbox +from a backup), you may see errors in Dovecot's logs: + +:: + + mbox sync: UID inserted in the middle of mailbox /home/tss/mail/inbox (817 > 787, seq=18, idx_msgs=32) + +This is normal. Dovecot just assigned new UIDs for the messages. See +below for other reasons why UID insertions could happen. + +Debugging UID insertions +------------------------ + +The above error message can be read as: "18th message in the mbox file +contained X-UID: 787 header, however the index file at that position +told the message was supposed to have UID 817. There are 32 messages +currently in the index file." + +There are four possibilities why the error message could happen: + +1. Message with a X-UID: 787 header really was inserted in the mbox + file. For example you replaced mbox from a backup. + +2. Something changed the X-UID headers. Very unlikely. + +3. The message was expunged from the index file, but for some reason it + wasn't expunged from the mbox file. The index file is updated only + after a successful mbox file modification, so this shouldn't really + happen either. + +4. 
If this problem happens constantly, it could mean that you're sharing + the same index file for multiple different mboxes! + + - This could happen if you let Dovecot do mailbox autodetection and + it sometimes uses ``/var/mail/%u`` (when it exists) and other + times ``~/mail/inbox``. Use an explicit + :dovecot_core:ref:`mail_location` + setting to make sure the same INBOX is used. + + - Another possibility is that you're sharing index files between + multiple users. Each user must have their own home directory. + +It's possible that broken X-UID headers in mails and +:dovecot_core:ref:`mbox_lazy_writes=yes ` combination has some bugs. +If you're able to reproduce such an error, please let us know how. + +UIDVALIDITY changes +~~~~~~~~~~~~~~~~~~~ + +UIDVALIDITY is stored in X-IMAPbase: or X-IMAP: header of the first +message in mbox file. This is done by both Dovecot and UW-IMAP (and +Pine). It's also stored in ``dovecot.index`` file. It shouldn't normally +change, because if it does it means that client has to download all the +messages for the mailbox again. + +If the UIDVALIDITY in mbox file doesn't match the one in +``dovecot.index`` file, Dovecot logs an error: + +:: + + UIDVALIDITY changed (1100532544 -> 1178155834) in mbox file /home/user/mail/mailbox + +This can happen when the following happens: + +1. Dovecot accesses the mailbox saving the current UIDVALIDITY to + ``dovecot.index`` file. + +2. The UIDVALIDITY gets lost from the mbox file + + - X-IMAP: or X-IMAPbase: header gets lost because something else + than Dovecot or UW-IMAP deletes the first message + + - The whole file gets truncated + + - Something else than Dovecot deletes or renames the mbox + +3. The mailbox is accessed (or created if necessary) by UW-IMAP or Pine. + It notices that the mailbox is missing UIDVALIDITY, so it assigns a + new UIDVALIDITY and writes the X-IMAPbase: or X-IMAP: header. + + - Also Dovecot that's configured to not use index files behaves the + same. + +4. 
Dovecot accesses again the mailbox. UIDVALIDITY in the mbox file's + header doesn't match the one in ``dovecot.index`` file. It logs an + error and updates the UIDVALIDITY in the index file to the new one. + +Crashes +------- + +Dovecot's mbox code is a bit fragile because of the way it works. +However instead of just corrupting the mbox file, it usually +assert-crashes whenever it notices an inconsistency. You may see crashes +such as: + +:: + + Panic: mbox /home/user/mail/mailbox: seq=2 uid=45 uid_broken=0 originally needed 12 bytes, now needs 27 bytes + +This is a bit difficult problem to fix. Usually this crash has been +related to Dovecot rewriting some headers that were broken. If you see +these crashes, it would really help if you were able to reproduce the +crash. + +If you have such a mailbox which crashes every time when it's tried to +be opened, please put the mbox through `mbox +anonymizer `__ and send it, +the mailbox's ``dovecot.index`` and ``dovecot.index.log`` files to +dovecot@dovecot.org (see ``__. None of those files contain any actual message contents so +it's be safe to send them. + +Avoiding crashes and errors +--------------------------- + +Since the problems usually have been related to broken headers, you +should be able to avoid them by filtering out all the Dovecot's internal +metadata headers. This is a good idea to do in any case. If you use +:ref:`Dovecot LDA ` it does +this filtering automatically. Otherwise you could do this in your SMTP +server. The headers that you should filter out are: + +- Content-Length + +- Status + +- X-IMAP + +- X-IMAPbase + +- X-Keywords + +- X-Status + +- X-UID + +- X-UIDL (if you're using :dovecot_core:ref:`pop3_reuse_xuidl=yes `) diff --git a/source/admin_manual/mailbox_formats/mbox.rst b/source/admin_manual/mailbox_formats/mbox.rst index fc7e6a874..52acaef56 100644 --- a/source/admin_manual/mailbox_formats/mbox.rst +++ b/source/admin_manual/mailbox_formats/mbox.rst 
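Review bot: the "Avoiding crashes and errors" section should make explicit that the listed headers (``Content-Length``, ``Status``, ``X-IMAP``, ``X-IMAPbase``, ``X-Keywords``, ``X-Status``, ``X-UID``, ``X-UIDL``) arrive in untrusted inbound mail and that the filtering therefore has to happen on every path that writes into the mbox, not only in "your SMTP server"; the text currently names Dovecot LDA and the SMTP server but leaves other delivery agents unmentioned. Two wording problems in the "Crashes" section: "so it's be safe to send them" should be "so it should be safe to send them", and "crashes every time when it's tried to be opened" reads better as "crashes every time it is opened". "This is a bit difficult problem to fix" should be "This is a somewhat difficult problem to fix".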
@@ -287,3 +287,9 @@ How a message is read stored in mbox extension whenever ``From_`` comes first. * It removes the last blank line and deletes the quoting of ``>From_`` lines and ``>>From_`` lines and so on. + + +See also +======== + + - :ref:`known_issues_mbox_problems` From 097634f80ce4c3b798034b7630e2a01a0ed292f4 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 13 Jul 2023 16:16:07 +0300 Subject: [PATCH 06/22] admin_manual/ssl: Migrate certificate_client_importing --- .../ssl/certificate_client_importing.rst | 73 +++++++++++++++++++ source/admin_manual/ssl/index.rst | 1 + 2 files changed, 74 insertions(+) create mode 100644 source/admin_manual/ssl/certificate_client_importing.rst diff --git a/source/admin_manual/ssl/certificate_client_importing.rst b/source/admin_manual/ssl/certificate_client_importing.rst new file mode 100644 index 000000000..f05d3ccaf --- /dev/null +++ b/source/admin_manual/ssl/certificate_client_importing.rst 
@@ -0,0 +1,73 @@ +==================================== +SSL certificate importing to clients +==================================== + +You may import either the server's self-signed certificate or the CA +certificate (see :doc:`certificate_creation`). + +Windows 11 +---------- + +See ``__. + +Mac OS X +-------- + +- Doubleclick the certificate + +- Keychain should open + +- Add the certificate to X509 Anchors keychain + +Apple Mail uses the OS X's certificate store. + +Thunderbird +----------- + +Preferences -> Privacy -> Security -> View Certificates -> Authorities +-> Import -> Trust this CA to identify email users. + +Opera Mail +---------- + +Preferences -> Advanced > Security > Certificates > Import certificate +file. + +Evolution +--------- + +Preferences -> Certificates -> Authorities -> Import -> Trust this CA to +identify email users. + +Mutt +---- + +See ``__. + +Pine +---- + +``__ tells a story how to do +this. Basically it seems to be: + +1. Find out your OPENSSLDIR: ``openssl version -d`` + +2. Get a hash of your certificate: + ``openssl x509 -in cert.pem -hash -noout`` + +3. Copy the certificate to ``$OPENSSLDIR/certs/$hash.0`` + +This probably works only for self-signed certificates. + +KMail +----- + +See ``__. + +Claws Mail +---------- + +Configuration -> Edit accounts (Choose here your's one and press +'Edit'-button) + +Account -> SSL -> Certificate for receiving->Browse diff --git a/source/admin_manual/ssl/index.rst b/source/admin_manual/ssl/index.rst index 69d39374b..656ac154c 100644 --- a/source/admin_manual/ssl/index.rst +++ b/source/admin_manual/ssl/index.rst @@ -8,6 +8,7 @@ SSL :maxdepth: 1 certificate_creation + certificate_client_importing LetsEncrypt has a good primer on mail server SSL certificates, see https://www.eff.org/deeplinks/2019/01/encrypting-web-encrypting-net-primer-using-certbot-secure-your-mailserver. From ed026b171755a7b554929235ac7ab5f01063acf3 Mon Sep 17 00:00:00 2001 
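Review bot: the opening sentence offers the CA certificate as an alternative to the server's self-signed certificate without noting the difference in trust scope: importing a CA certificate as an anchor makes the client trust every certificate that CA issues, so this is only appropriate for a private CA dedicated to the mail server, while importing the single server certificate trusts only that one key. A sentence to that effect after "(see :doc:`certificate_creation`)" would keep readers from importing a broad CA. In the Thunderbird and Evolution steps, please verify the trust checkbox named: "Trust this CA to identify email users" is the S/MIME trust bit, and IMAP/SMTP server certificates are validated against the "identify websites" (TLS server) bit. Minor: in the Claws Mail step "Choose here your's one" should be "choose yours".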
From: Aki Tuomi Date: Thu, 13 Jul 2023 16:18:11 +0300 Subject: [PATCH 07/22] admin_manual/ssl: Migrate sni_support page --- source/admin_manual/ssl/index.rst | 1 + source/admin_manual/ssl/sni_support.rst | 31 +++++++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 source/admin_manual/ssl/sni_support.rst diff --git a/source/admin_manual/ssl/index.rst b/source/admin_manual/ssl/index.rst index 656ac154c..fa91d2c15 100644 --- a/source/admin_manual/ssl/index.rst +++ b/source/admin_manual/ssl/index.rst @@ -9,6 +9,7 @@ SSL certificate_creation certificate_client_importing + sni_support LetsEncrypt has a good primer on mail server SSL certificates, see https://www.eff.org/deeplinks/2019/01/encrypting-web-encrypting-net-primer-using-certbot-secure-your-mailserver. diff --git a/source/admin_manual/ssl/sni_support.rst b/source/admin_manual/ssl/sni_support.rst new file mode 100644 index 000000000..6f90402fa --- /dev/null +++ b/source/admin_manual/ssl/sni_support.rst @@ -0,0 +1,31 @@ +====================== +TLS SNI Client Support +====================== + +Works: + +- Thunderbird (Linux) + +- K-9 on Android (merged Sept 2015 - + ``__) + +- Apple Mail (according to + ``__ ) + +- Mutt (according to ``__ ) + +- NeoMutt (since 2016-03-07 according to + ``__) + +Doesn't work: + +- K-9 on Droid X2 (maybe fixed in newer versions - see above) + +- Apple Mail (Mac OS X 10.10 and lower AND iOS 9.3 and lower) + +- Outlook for Mac version 15 (according to + ``__ ) + +- Kindle Fire HD 8 + +- Outlook 2013 From 5edadccf6264b4ac7f683d93afefb05105328ca3 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 13 Jul 2023 16:19:20 +0300 Subject: [PATCH 08/22] admin_manual/ssl: Point to configuration manual --- source/admin_manual/ssl/index.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/admin_manual/ssl/index.rst b/source/admin_manual/ssl/index.rst index fa91d2c15..a4aae2e4f 100644 --- a/source/admin_manual/ssl/index.rst +++ b/source/admin_manual/ssl/index.rst 
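Review bot: "Apple Mail" appears in both the "Works" and "Doesn't work" lists of sni_support.rst; the "Works" entry should carry the version qualifier (the "Doesn't work" entry already says "Mac OS X 10.10 and lower AND iOS 9.3 and lower"), for example "Apple Mail (Mac OS X 10.11+ / iOS 10+)" if that is what the cited source states, so the two entries do not contradict each other. The K-9 entries have the same problem: "merged Sept 2015" in one list and "maybe fixed in newer versions - see above" in the other should be replaced by the release version that included the change.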
@@ -11,6 +11,8 @@ SSL certificate_client_importing sni_support +For configuring Dovecot to use SSL, see :ref:`dovecot_ssl_configuration`. + LetsEncrypt has a good primer on mail server SSL certificates, see https://www.eff.org/deeplinks/2019/01/encrypting-web-encrypting-net-primer-using-certbot-secure-your-mailserver. SSL works pretty much the same universally, so for more information about SSL From 8361c977667f76a4767a2f3ea867e97a14a30f69 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 13 Jul 2023 16:29:47 +0300 Subject: [PATCH 09/22] configuration_manual: Migrate security tuning --- .../configuration_manual/security_tuning.rst | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 source/configuration_manual/security_tuning.rst diff --git a/source/configuration_manual/security_tuning.rst b/source/configuration_manual/security_tuning.rst new file mode 100644 index 000000000..a10cb207b --- /dev/null +++ b/source/configuration_manual/security_tuning.rst @@ -0,0 +1,23 @@ +=============== +Security tuning +=============== + +Dovecot has been designed with security in mind. It uses multiple processes and +privilege separation to isolate different parts from each others in case +a security hole is found from one part. + +Additional things you can configure: + +- Allocate each user their own UID and GID (see :ref:`system_users_used_by_dovecot`) + +- Use a separate *dovecot-auth* user for authentication process (see + :ref:`system_users_used_by_dovecot`) + +- You can chroot authentication and mail processes (see + :ref:`chrooting`) + +- There are some security related SSL settings (see + :ref:`dovecot_ssl_configuration`) + +- Set ``first/last_valid_uid/gid`` settings to contain only the range + actually used by mail processes From 95b84ae0c5c636880847dc24e3b6d26ab444bf0f Mon Sep 17 00:00:00 2001 
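Review bot: the last item of security_tuning.rst, "Set ``first/last_valid_uid/gid`` settings to contain only the range actually used by mail processes", should say why: Dovecot refuses to run a mail process for a user whose UID or GID falls outside these ranges, so a tight range bounds the damage from a misconfigured or compromised userdb returning a privileged or system account. Grammar in the intro paragraph: "isolate different parts from each others in case a security hole is found from one part" should read "isolate different parts from each other in case a security hole is found in one part". The settings should also be spelled out as the four real names (``first_valid_uid``, ``last_valid_uid``, ``first_valid_gid``, ``last_valid_gid``) rather than the compressed ``first/last_valid_uid/gid``, which does not match any setting a reader can search for.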
From: Aki Tuomi Date: Thu, 13 Jul 2023 16:31:20 +0300 Subject: [PATCH 10/22] admin_manual: Migrate timeouts page --- source/admin_manual/timeouts.rst | 109 +++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 source/admin_manual/timeouts.rst diff --git a/source/admin_manual/timeouts.rst b/source/admin_manual/timeouts.rst new file mode 100644 index 000000000..f82e12e7d --- /dev/null +++ b/source/admin_manual/timeouts.rst 
@@ -0,0 +1,109 @@ +======== +Timeouts +======== + +Dovecot has a lot of timeouts in various components. Most of them have +hardcoded values, because there's normally no need to change them. Here +are some of them listed: + +Protocol proxies +---------------- + +- Dovecot proxy handles IMAP, POP3 and Submission pre-login timeouts and invalid + error command handling the same as Dovecot backend. After login the + proxy will continue proxying until the client or the backend + disconnects. + +- Connect timeout to backend is governed by :dovecot_core:ref:`login_proxy_timeout` which is + 30 seconds by default. Can be overridden by proxy_timeout passdb extra field. + +- After connection has been established, there's still a login timeout + ``CLIENT_LOGIN_TIMEOUT_MSECS = MASTER_LOGIN_TIMEOUT_SECS*1000`` = 3 minutes + (`login-common/client-common.h `__ + and + `lib-master/master-interface.h `__) + +IMAP +---- + +- Before login: ``CLIENT_LOGIN_TIMEOUT_MSECS = MASTER_LOGIN_TIMEOUT_SECS*1000`` = 3 minutes + (same as proxies) + + - This may be shorter if all the available connections are in use + (:ref:`service imap-login { client_limit * process_limit } `). In that + case the oldest non-logged in connection is disconnected. + +- After login: ``CLIENT_IDLE_TIMEOUT_MSECS`` = 30 minutes (minimum required + by :rfc:`2060#section-5.4`) + + - If IDLE command is started, Dovecot never disconnects. Only if the + connection is lost there will be a disconnection. A dead + connection is detected by Dovecot periodically sending "I'm still + here" notifications to client + (:dovecot_core:ref:`imap_idle_notify_interval` setting - + default every 2 minutes). + + - IMAP clients are supposed to send something before 30 minutes + are up, but several clients don't do this. Some Outlook + versions even stop receiving new mails entirely until manual + intervention if IMAP server disconnects the client. 
+ +- Dovecot also disconnects an IMAP client that sends too many invalid + commands: + + - Before login: Disconnect on 3rd invalid command + (CLIENT_MAX_BAD_COMMANDS in + `imap-login/imap-login-client.c `__) + + - After login: Disconnect on 20th invalid command + (CLIENT_MAX_BAD_COMMANDS in + `imap/imap-common.h `__) + +POP3 +---- + +- Before login: ``CLIENT_LOGIN_TIMEOUT_MSECS = MASTER_LOGIN_TIMEOUT_SECS*1000`` = 3 minutes + (same as proxies) + + - This may be shorter if all the available connections are in use + (``service pop3-login { client_limit * process_limit }``). In that + case the oldest non-logged in connection is disconnected. + +- After login: ``CLIENT_IDLE_TIMEOUT_MSECS`` = 10 minutes + (`pop3/pop3-client.c `__) + +- Dovecot also disconnects an POP3 client that sends too many invalid + commands: + + - Before login: Disconnect on 3rd invalid command in v2.2.16+, 11th + on earlier versions (``CLIENT_MAX_BAD_COMMANDS`` in + `pop3-login/client.c `__) + + - After login: Disconnect on 20th invalid command + (``CLIENT_MAX_BAD_COMMANDS`` in + `pop3/pop3-client.c `__) + + +Submission and LMTP +------------------- +- Before login: ``CLIENT_LOGIN_TIMEOUT_MSECS = MASTER_LOGIN_TIMEOUT_SECS*1000`` = 3 minutes + (submission, same as proxies) + + - This may be shorter if all the available connections are in use + (``service submission-login { client_limit * process_limit }``). In that + case the oldest non-logged in connection is disconnected. + +- After login: ``CLIENT_IDLE_TIMEOUT_MSECS`` = 5 minutes for LMTP and 10 minutes for Submission. + (`lmtp/lmtp-client.c `__ and + `submission/submission-client.c `__) + +- Dovecot also disconnects an SMTP client that sends too many invalid + commands: + + - Before login: Disconnect on 10th invalid command. + (``CLIENT_MAX_BAD_COMMANDS`` in + `submission-login/client.c `__) + + - After login: Disconnect on 20th invalid command + (``CLIENT_MAX_BAD_COMMANDS`` in + `submission/submission-client.c `__) 
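Review bot: the bad-command limits are formatted inconsistently across sections: the IMAP items write CLIENT_MAX_BAD_COMMANDS bare, while the POP3 and Submission items use ``CLIENT_MAX_BAD_COMMANDS``; use the double-backtick literal everywhere. "Dovecot also disconnects an POP3 client" should be "a POP3 client", and "pre-login timeouts and invalid error command handling" in the proxies section should be "pre-login timeouts and invalid-command handling". For consistency with the other headings, add a blank line after the "Submission and LMTP" underline before the first list item. Since these limits are the server's protection against clients that hold connections open or spam invalid commands, the page would also benefit from one sentence saying which of them are configurable (``login_proxy_timeout``, ``imap_idle_notify_interval``, the ``client_limit * process_limit`` product) and which are compile-time constants, which is currently only implied by the source-file links.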
From e6eb70d9eba31421ebc7ccd210cb99cf5a737d03 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 13 Jul 2023 17:03:30 +0300 Subject: [PATCH 11/22] configuration_manual: Migrate system_users page --- source/configuration_manual/system_users.rst | 124 +++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 source/configuration_manual/system_users.rst diff --git a/source/configuration_manual/system_users.rst b/source/configuration_manual/system_users.rst new file mode 100644 index 000000000..0fcd90ed2 --- /dev/null +++ b/source/configuration_manual/system_users.rst 
@@ -0,0 +1,124 @@ +.. _system_users: + +============ +System Users +============ + +System users are typically defined in ``/etc/passwd`` file, but this +isn't necessary. Using +`NSS `__ you can +configure the lookups to be done from elsewhere (e.g. LDAP). See +:ref:`passwd ` +userdb configuration for how to set this up. Especially if you're using +nss_ldap you must set ``blocking=yes``. + +System users usually have their own separate user IDs (UIDs). This is +good from a security point of view, because it means that the kernel will +also prevent users from accessing each others' mails. + +If the users have direct write access to the mail files (eg. the users +have shell access), they can easily cause all sorts of mailbox +corruptions. That may generate all kinds of error messages to Dovecot's +error logs, so it may be sometimes difficult to tell if there really is +a problem or if the user is doing something stupid. + +If users are going to access the mailboxes with other software than +Dovecot, it's important to make sure that their mailbox accesses are +compatible. This mostly means that with mboxes you must make sure that +everyone uses the :ref:`same locking methods in the same order `. + +Authentication +-------------- + +Admins often wish to use different passwords for IMAP and POP3 than for +other services (eg. SSH), because IMAP and POP3 clients often send the +password unencrypted over the internet without even bothering to give +users any warnings. Dovecot can easily support non-system passwords for +system users. + +If you wish to use system passwords, you'll want to use one of these +passdbs: + +- :ref:`PAM `: + Most commonly used in Linux and BSDs nowadays. + +- :ref:`BSDAuth `: + BSD authentication is used by OpenBSD. + +- :ref:`Passwd `: + System users (NSS, ``/etc/passwd``, or similar). This may work + instead of PAM (mostly in some BSDs). 
+ +If you wish to use non-system passwords, you can use pretty much any of +the Dovecot's :ref:`password databases `, +but for simple installations you'll probably want to use +:ref:`passwd-file `. + +:ref:`User database ` +for system users is always :ref:`passwd `. + +Mail Location +------------- + +Usually UNIX systems are configured by default to deliver mails to +``/var/mail/username`` or ``/var/spool/mail/username`` mboxes. You may +decide to use these, or use the :ref:`maildir ` format instead. + +Dovecot detects the mailbox format and location automatically if +:dovecot_core:ref:`mail_location` setting isn't set, but it's still a good idea to +explicitly tell Dovecot where to find the mails. This ensures that +Dovecot behaves correctly also when the user's mailbox doesn't exist at +the moment (eg. a new user). If Dovecot can't figure out where the +existing mails are, it will give an error message and quits. It never +tries to create a missing mailbox when autodetection is used. + +See :ref:`mail_location_settings` for more information how to configure the mailbox location. +Below are the highlights for mbox and maildir. + +mbox +~~~~ + +The ``/var/mail/username`` mbox is called user's INBOX. IMAP protocol +supports multiple mailboxes however, so Dovecot needs some directory +where to store the other mailboxes. Typically they're stored in +``~/mail/`` or ``~/Mail/`` directory. All of these locations are +included in mailbox location autodetection. You can specify them +manually with: + +:: + + mail_location = mbox:~/mail:INBOX=/var/mail/%u + +Remember that the first path after ``mbox:`` is the mailbox root +directory, never try to give ``mbox:/var/mail/%u`` because that +isn't going to work (unless you really want to store mails under +``/var/mail/%u/`` directory). 
+ +If you're also using other software than Dovecot to access mboxes, you +should try to figure out what locking methods exactly they're using and +update ``mbox_read_locks`` and ``mbox_write_locks`` settings +accordingly. See locking section in :ref:`mbox ` for +more information. + +Maildir +~~~~~~~ + +Maildir is typically stored in ``~/Maildir`` directory. You can specify +this manually with: + +:: + + mail_location = maildir:~/Maildir + +See :ref:`maildir_mbox_format` for more information. + +Chrooting +--------- + +Dovecot, including several other software, allow using "/./" in home +directory path to specify the chroot path. For example ``/home/./user`` +would chroot to ``/home``. If you want to enable this for Dovecot, add +the chroot path to ``valid_chroot_dirs`` setting (``/home`` in the +previous example). If this isn't done, Dovecot ignores the "/./". + +See :ref:`Chrooting` for more details. From 982701030dbe8380827e907e4ba063ff4b8672f8 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Mon, 17 Jul 2023 12:39:32 +0300 Subject: [PATCH 12/22] admin_manual/logging: Add target for syslog --- source/admin_manual/logging.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/admin_manual/logging.rst b/source/admin_manual/logging.rst index 042d6ca54..4fc2a5256 100644 --- a/source/admin_manual/logging.rst +++ b/source/admin_manual/logging.rst @@ -45,6 +45,8 @@ The warning and error messages go to the file specified by :dovecot_core:ref:`info_log_path` and debug messages goes to :dovecot_core:ref:`debug_log_path`. +.. _dovecot_logging_syslog: + Syslog ^^^^^^ From efe7bc88fe2ca815cf38c34464f2031caa44cb0b Mon Sep 17 00:00:00 2001 
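Review bot: the "Chrooting" section states the safeguard but not its purpose: because the chroot prefix comes from the home directory path, which a userdb supplies, Dovecot only honours "/./" when the prefix is listed in ``valid_chroot_dirs``; say explicitly that this is what stops an arbitrary userdb value from choosing the chroot directory, rather than presenting it only as a step to "enable" the feature. Grammar there: "Dovecot, including several other software, allow using" should be "Dovecot, like several other programs, allows using". In "Mail Location", "it will give an error message and quits" should be "and quit". The "Authentication" paragraph's claim that clients "often send the password unencrypted over the internet without even bothering to give users any warnings" is dated; tie the advice to the TLS and ``disable_plaintext_auth`` configuration instead of client behaviour.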
From: Aki Tuomi Date: Thu, 13 Jul 2023 16:52:40 +0300 Subject: [PATCH 13/22] configuration_manual: Migrate virtual users page --- .../howto/dovecot_cheat_sheet.rst | 6 + .../howto/dovecot_lda_postfix_admin_mysql.rst | 5 + .../howto/dovecot_ldap_cheat_sheet.rst | 6 + .../howto/dovecot_open_ldap.rst | 5 + .../howto/dovecot_postgresql.rst | 333 +++++++++ .../howto/virtual_hosting_with_exim.rst | 5 + .../howto/virtual_user_flat_files_postfix.rst | 635 ++++++++++++++++++ .../howto/virtual_users.rst | 58 ++ source/configuration_manual/virtual_users.rst | 257 +++++++ 9 files changed, 1310 insertions(+) create mode 100644 source/configuration_manual/howto/dovecot_cheat_sheet.rst create mode 100644 source/configuration_manual/howto/dovecot_lda_postfix_admin_mysql.rst create mode 100644 source/configuration_manual/howto/dovecot_ldap_cheat_sheet.rst create mode 100644 source/configuration_manual/howto/dovecot_open_ldap.rst create mode 100644 source/configuration_manual/howto/dovecot_postgresql.rst create mode 100644 source/configuration_manual/howto/virtual_hosting_with_exim.rst create mode 100644 source/configuration_manual/howto/virtual_user_flat_files_postfix.rst create mode 100644 source/configuration_manual/howto/virtual_users.rst create mode 100644 source/configuration_manual/virtual_users.rst diff --git a/source/configuration_manual/howto/dovecot_cheat_sheet.rst b/source/configuration_manual/howto/dovecot_cheat_sheet.rst new file mode 100644 index 000000000..df989e39e --- /dev/null +++ b/source/configuration_manual/howto/dovecot_cheat_sheet.rst @@ -0,0 +1,6 @@ +================ +LDAP cheat sheet +================ + + +TBD diff --git a/source/configuration_manual/howto/dovecot_lda_postfix_admin_mysql.rst b/source/configuration_manual/howto/dovecot_lda_postfix_admin_mysql.rst new file mode 100644 index 000000000..3e0ad4b75 --- /dev/null +++ b/source/configuration_manual/howto/dovecot_lda_postfix_admin_mysql.rst 
@@ -0,0 +1,5 @@ +======================================== +Dovecot LMTP with PostfixAdmin and MySQL +======================================== + +TBD diff --git a/source/configuration_manual/howto/dovecot_ldap_cheat_sheet.rst b/source/configuration_manual/howto/dovecot_ldap_cheat_sheet.rst new file mode 100644 index 000000000..df989e39e --- /dev/null +++ b/source/configuration_manual/howto/dovecot_ldap_cheat_sheet.rst @@ -0,0 +1,6 @@ +================ +LDAP cheat sheet +================ + + +TBD diff --git a/source/configuration_manual/howto/dovecot_open_ldap.rst b/source/configuration_manual/howto/dovecot_open_ldap.rst new file mode 100644 index 000000000..54a78af83 --- /dev/null +++ b/source/configuration_manual/howto/dovecot_open_ldap.rst @@ -0,0 +1,5 @@ +=========================== +Virtual users with OpenLDAP +=========================== + +TBD diff --git a/source/configuration_manual/howto/dovecot_postgresql.rst b/source/configuration_manual/howto/dovecot_postgresql.rst new file mode 100644 index 000000000..1a357184a --- /dev/null +++ b/source/configuration_manual/howto/dovecot_postgresql.rst 
@@ -0,0 +1,333 @@ +======================= +HowTo/DovecotPostgresql +======================= + +.. warning:: + + This document has been taken out of the old wiki and + has not yet been updated. + +Introduction +============ + +Gluing together virtual user/domain support for: + +- Debian (These instructions are for Sid) + +- Postfix 2 with SMTP AUTH + +- SASL2 with libpam-pgsql for Postfix + +- PostgreSQL + +- Dovecot (dovecot-pop3d and or dovecot-imapd) + +Note(s) +======= + +On Debian, the package dovecot-pgsql do not yet include postgresql as a +dependency to pull it if not installed. + +Software Installation +===================== + +For Debian: + +:: + + apt-get install postfix-pgsql sasl2-bin libsasl2-modules postgresql libpam-pgsql dovecot-pgsql dovecot-imapd dovecot-pop3d + +Configuring PostgreSQL +====================== + +Edit /etc/postgresql/pg_hba.conf to accept password authentication for +localhost: + +:: + + host all all 127.0.0.1 255.255.255.255 password + +Then create the database: + +:: + + sudo su postgres + createdb mails + psql mails + +Create tables: + +:: + + CREATE TABLE transport ( + domain VARCHAR(128) NOT NULL, + transport VARCHAR(128) NOT NULL, + PRIMARY KEY (domain) + ); + CREATE TABLE users ( + userid VARCHAR(128) NOT NULL, + password VARCHAR(128), + realname VARCHAR(128), + uid INTEGER NOT NULL, + gid INTEGER NOT NULL, + home VARCHAR(128), + mail VARCHAR(255), + PRIMARY KEY (userid) + ); + CREATE TABLE virtual ( + address VARCHAR(255) NOT NULL, + userid VARCHAR(255) NOT NULL, + PRIMARY KEY (address) + ); + create view postfix_mailboxes as + select userid, home||'/' as mailbox from users + union all + select domain as userid, 'dummy' as mailbox from transport; + create view postfix_virtual as + select userid, userid as address from users + union all + select userid, address from virtual; + +Create separate users for read and write accesses. Postfix and Dovecot +needs only read access. 
You may want to use the writer user for your own +purposes. + +:: + + CREATE USER mailreader PASSWORD 'secret'; + grant select on transport, users, virtual, postfix_mailboxes, postfix_virtual to mailreader; + create user mailwriter password 'secret'; + grant select, insert, update, delete on transport, users, virtual, postfix_mailboxes, postfix_virtual to mailwriter; + +Here's a few example values: + +:: + + insert into transport (domain, transport) values ('domain.org', 'virtual:'); + insert into transport (domain, transport) values ('foo.org', 'virtual:'); + insert into users (userid, uid, gid, home) values ('user@domain.org', 1001, 1001, 'domain.org/mails/user'); + insert into users (userid, uid, gid, home) values ('user2@domain.org', 1001, 1001, 'domain.org/mails/user2'); + insert into users (userid, uid, gid, home) values ('user@foo.org', 1002, 1002, 'foo.org/mails/user'); + insert into virtual (address, userid) values ('foo@foo.org', 'user@foo.org'); + +Above examples assume that you'd use separate system UID and GID for +each domain. I think that's good enough compromise between simplicity +and security. The UIDs and GIDs aren't required to be in /etc/passwd and +/etc/group, "ls -l" will just show them in numeric form in that case. + +In this case, the virtual domain "domain.org" and "foo.org" will define +virtual: as the transport. Please note in this case, virtual service +from postfix will deliver the mail and ignore all virtual_transport +config settings. + +If you prefer dovecot as the transport, make sure 'dovecot' or something +like ``lmtp:unix:private/dovecot-lmtp`` is returned from the transport_maps +query. + +In order to make virtual_transport setting effective, leave +transport_maps as default. 
+ +Configuring Postfix +=================== + +PostgreSQL configuration in main.cf: + +:: + + transport_maps = pgsql:/etc/postfix/transport.cf + virtual_uid_maps = pgsql:/etc/postfix/uids.cf + virtual_gid_maps = pgsql:/etc/postfix/gids.cf + virtual_mailbox_base = /home + virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf + virtual_maps = pgsql:/etc/postfix/virtual.cf + mydestination = $mydomain, $myhostname + +Note that we've set virtual_mailbox_base to /home, which means that it's +prefixed to all home directories in SQL database. + +SASL2 authentication configuration in main.cf: + +:: + + smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination + smtpd_sasl_auth_enable = yes + smtpd_sasl_security_options = noanonymous + smtpd_sasl_local_domain = domain.org + smtp_sasl_auth_enable = no + +And /etc/postfix/sasl/smtpd.conf: + +:: + + pwcheck_method: saslauthd + saslauthd_path: /etc/mux + +/etc/postfix/transport.cf: + +:: + + user=mailreader + password=secret + dbname=mails + table=transport + select_field=transport + where_field=domain + hosts=localhost + +/etc/postfix/uids.cf: + +:: + + user=mailreader + password=secret + dbname=mails + table=users + select_field=uid + where_field=userid + hosts=localhost + +/etc/postfix/gids.cf: + +:: + + user=mailreader + password=secret + dbname=mails + table=users + select_field=gid + where_field=userid + hosts=localhost + +/etc/postfix/mailboxes.cf: + +:: + + user=mailreader + password=secret + dbname=mails + table=postfix_mailboxes + select_field=mailbox + where_field=userid + hosts=localhost + +/etc/postfix/virtual.cf: + +:: + + user=mailreader + password=secret + dbname=mails + table=postfix_virtual + select_field=userid + where_field=address + hosts=localhost + +Configuring SASL2 +================= + +We want to use PAM authentication via saslauthd. 
SMTP process runs +chrooted into /var/spool/postfix and we have to be able to communicate +to saslauthd via UNIX socket, so create the socket inside the chroot. + +In Debian you can configure it in /etc/default/saslauthd: + +:: + + START=yes + MECHANISMS=pam + PARAMS="-m /var/spool/postfix/etc" + +As of version 2.1.19 of SASL you also need to add the -r parameter in +order to authenticate with an email address (containing a @) as user id: + +:: + + PARAMS="-r -m /var/spool/postfix/etc" + +(This parameter will probably break saslauthd if used with previous +versions.) + +Configure libpam-pgsql in /etc/pam_pgsql.conf: + +:: + + database = mails + host = localhost + user = mailreader + password = secret + table = users + user_column = userid + pwd_column = password + #expired_column = acc_expired + #newtok_column = acc_new_pwreq + pw_type = crypt + #debug + +And create /etc/pam.d/smtp: + +:: + + auth required pam_pgsql.so + account required pam_pgsql.so + password required pam_pgsql.so + +libsasl2-modules install a lot of plugins which you most likely don't +need and which don't even work with PAM. You mostly just need PLAIN and +possibly LOGIN authentication. I'm not sure if there's any pretty way to +select only them, but one evil way is to just delete others: + +:: + + cd /usr/lib/sasl2 + rm -f libcrammd5.* libdigestmd5.* libsasldb.* libotp.* libntlm.* libanonymous.* + +The better way is to put in /etc/postfix/sasl/smtpd.conf the following +line: + +:: + + mech_list: login plain + +Where mech_list is a list of all the mechanism names to enable. 
+ +Configuring Dovecot +=================== + +In dovecot.conf, set: + +:: + + mail_location = maildir:~/ + + passdb { + driver = sql + args = /usr/local/etc/dovecot-sql.conf + } + + userdb { + driver = sql + args = /usr/local/etc/dovecot-sql.conf + } + +And create /usr/local/etc/dovecot-sql.conf: + +:: + + driver = pgsql + connect = host=localhost dbname=mails user=mailreader password=secret + default_pass_scheme = CRYPT + password_query = SELECT userid as user, password FROM users WHERE userid = '%u' + user_query = SELECT '/home/'||home AS home, uid, gid FROM users WHERE userid = '%u' + +Restart +======= + +Finally remember to restart everything before trying to figure out why +nothing is working: + +:: + + /etc/init.d/saslauthd restart + /etc/init.d/postgresql restart + /etc/init.d/postfix restart + /etc/init.d/dovecot restart diff --git a/source/configuration_manual/howto/virtual_hosting_with_exim.rst b/source/configuration_manual/howto/virtual_hosting_with_exim.rst new file mode 100644 index 000000000..b2b6ef15f --- /dev/null +++ b/source/configuration_manual/howto/virtual_hosting_with_exim.rst @@ -0,0 +1,5 @@ +========================= +Virtual hosting with Exim +========================= + +TBD diff --git a/source/configuration_manual/howto/virtual_user_flat_files_postfix.rst b/source/configuration_manual/howto/virtual_user_flat_files_postfix.rst new file mode 100644 index 000000000..d5218febf --- /dev/null +++ b/source/configuration_manual/howto/virtual_user_flat_files_postfix.rst 
@@ -0,0 +1,635 @@ +=========================================== +Virtual users with passwd files and Postfix +=========================================== + +.. warning:: + + This document has been taken out of the old wiki and + has not yet been updated. + +Basic Configuration +=================== + +``/etc/dovecot/dovecot.conf`` + +:: + + !include conf.d/*.conf + protocols = imap lmtp + +Mail Location and Namespaces +---------------------------- + +A private namespace configured for *maildir* or *multi-dbox* storage to +hold the mailboxes and a public namespace configured for *maildir* +storage with filesystem layout (/dir/subdir) and per user +index-information. The index will be stored in the ``public`` dir under +the home directories. This allows individual /SEEN information for the +public namespace. + +``/etc/dovecot/conf.d/10-mail.conf`` + +:: + + #mail_location = mdbox:~/mdbox + mail_location = maildir:~/maildir + mail_plugins = acl quota + namespace { + type = private + separator = / + prefix = + hidden = no + inbox = yes + } + namespace { + type = public + separator = / + prefix = Public/ + location = maildir:/var/vmail/public:LAYOUT=fs:INDEX=~/public + list = yes + subscriptions = no + } + +User Home directory structure: ``/var/vmail///`` + +:: + + -rw------- 1 vmail vmail 1489 2010-03-03 19:30 .dovecot.sieve + -rw------- 1 vmail vmail 2897 2010-03-14 12:22 .dovecot.svbin + drwx--S--- 4 vmail vmail 4096 2010-03-17 20:15 maildir + drwx--S--- 4 vmail vmail 4096 2010-03-14 13:31 public + +Authentication Databases +------------------------ + +Per domain flat-files containing the virtual user's specific parameters, +stored in a single *passwd-like* file. User logins are expected to be in +full-qualified e-mail address format: user@domain.tld. Additional +parameters may be used to override defaults, such as individual quotas +or mailbox formats. 
+ +``/etc/dovecot/conf.d/10-auth.conf`` + +:: + + auth_mechanisms = plain + passdb { + driver = passwd-file + args = username_format=%u /var/vmail/auth.d/%d/passwd + } + userdb { + driver = passwd-file + args = username_format=%u /var/vmail/auth.d/%d/passwd + } + +``/var/vmail/auth.d//passwd`` + +:: + + @:{SSHA}xxxx:5000:5000::/var/vmail//::userdb_quota_rule=\ + *:storage=5G userdb_acl_groups=PublicMailboxAdmins + +Later on the *auth service* will be configured to run in the +``doveauth`` user context. Therefore the directory ``auth.d/`` and its +content will be owned by this user, while mails / ACLs / Sieve-Scripts, +will be accessed using the ``vmail`` context specified in the +*passwd-file*. To keep directory permissions simple these will be stored +seperately under the ``conf.d/`` tree. + +Per-domain authentication and configuration structure ``/var/vmail`` + +:: + + dr-x------ 3 doveauth dovecot 4096 2010-03-17 19:09 auth.d |--> domain.tld + dr-x------ 3 vmail vmail 4096 2010-03-03 19:32 conf.d |--> domain.tld + +Master Configuration +-------------------- + +IMAP-Server bound to IP *1.2.3.4* on port 143 while the IMAPS Port (993) +is disabled since ``STARTTLS`` will be used to request encryption over +the standard IMAP port. The LMTP-Server is bound to a Unix socket +configured with relevant permissions allowing Postfix to inject mails +through it. Dovecot presents its Authentication Mechanism and User +Database as another socket to Postfix allowing SASL submission. + +Dovecot's authentication services will run in the ``doveauth`` +user-context. 
+ +``/etc/dovecot/conf.d/10-master.conf`` + +:: + + service imap-login { + inet_listener imap { + address = 1.2.3.4 + port = 143 + } + inet_listener imaps { + port = 0 + } + } + service lmtp { + unix_listener /var/spool/postfix/private/dovecot-lmtp { + group = postfix + mode = 0660 + user = postfix + } + } + service imap { + } + service auth { + unix_listener /var/spool/postfix/private/auth { + group = postfix + mode = 0660 + user = postfix + } + user = doveauth + } + service auth-worker { + user = doveauth + } + verbose_proctitle = yes + +Protocols +--------- + +``/etc/dovecot/conf.d/20-imapd.conf`` + +:: + + protocol imap { + mail_plugins = $mail_plugins imap_acl imap_quota mail_log notify + } + +``/etc/dovecot/conf.d/20-lmtp.conf`` + +:: + + protocol lmtp { + postmaster_address = postmaster@domainname # required on my debian + mail_plugins = $mail_plugins sieve + } + +Plugins +------- + +``/etc/dovecot/conf.d/90-plugin.conf`` + +:: + + plugin { + #quota = dict:user::file:%h/mdbox/dovecot-quota + quota = dict:user::file:%h/maildir/dovecot-quota + quota_rule = *:storage=1GB + quota_rule2 = Trash:storage=+10%% + acl = vfile:/var/vmail/conf.d/%d/acls:cache_secs=300 + } + +``/etc/dovecot/conf.d/90-sieve.conf`` + +:: + + plugin { + sieve = ~/.dovecot.sieve + sieve_dir = ~/sieve + sieve_global_dir = /var/vmail/conf.d/%d/sieve + } + +TLS +--- + +``/etc/dovecot/conf.d/10-ssl.conf`` + +:: + + ssl_cert = ` for more complex configurations. 
+ +``/etc/dovecot/conf.d/10-logging.conf`` + +:: + + log_path = /var/log/dovecot.log + info_log_path = /var/log/dovecot-info.log + mail_debug = no + +Syslog Logging +============== + +``/etc/dovecot/conf.d/10-logging.conf`` + +:: + + #log_path = + #info_log_path = + mail_debug = no + syslog_facility = local1 + +``/etc/rsyslog.conf`` + +:: + + local1.* -/var/log/dovecot.log + local1.info -/var/log/dovecot.info + local1.warn -/var/log/dovecot.warn + local1.err -/var/log/dovecot.err + :msg,contains,"stored mail into mailbox"\ + -/var/log/dovecot.lmtp + +``/etc/logrotate.d/dovecot`` + +:: + + /var/log/dovecot.log + /var/log/dovecot.info + /var/log/dovecot.warn + /var/log/dovecot.err + /var/log/dovecot.lmtp + { + weekly + rotate 52 + missingok + notifempty + compress + delaycompress + create 640 root adm + sharedscripts + postrotate + /bin/kill -USR1 'cat /var/run/dovecot/master.pid 2>/dev/null' 2>/dev/null || true + endscript + } + +Postfix Configuration +===================== + +In this configuration Postfix will only accept SASL requests on its +submission port (``TCP:587``) and will not accept them on Port 25. As +Dovecot is used as authentication backend in this example, this will not +break inbound mail flow in case the authentication mechanism is down +e.g. due to upgrading to a new build. The configuration of the +submission port is handled in ``master.cf`` overriding possible +``main.cf`` settings. Several sanity checks are performed upon +submission like recipient domain validation and sender map checks. Final +delivery is performed through Dovecot's LMTP server via a socket. 
+ +``/etc/postfix/main.cf`` + +:: + + smtpd_banner = $myhostname ESMTP + biff = no + append_dot_mydomain = no + + myhostname = mail.domain.tld + inet_protocols = ipv4 + inet_interfaces = 1.2.3.4 + masquerade_domains = + masquerade_exceptions = root + masquerade_classes = envelope_sender, header_sender, header_recipient + mydestination = $myhostname, localhost.$mydomain + mynetworks_style = subnet + + virtual_mailbox_domains = domain.tld, domain1.tld + virtual_mailbox_base = /var/vmail + virtual_minimum_uid = 100 + virtual_uid_maps = static:5000 + virtual_gid_maps = static:5000 + virtual_alias_maps = hash:/etc/postfix/virtual + virtual_transport = lmtp:unix:private/dovecot-lmtp + + strict_rfc821_envelopes = yes + disable_vrfy_command = yes + + smtpd_client_restrictions = + check_client_access hash:/etc/postfix/client_access, + reject_unknown_client_hostname + smtpd_helo_required = yes + smtpd_helo_restrictions = + check_helo_access hash:/etc/postfix/helo_access, + reject_invalid_helo_hostname, + reject_unknown_helo_hostname, + reject_non_fqdn_helo_hostname + smtpd_sender_restrictions = + reject_unknown_sender_domain + smtpd_recipient_restrictions = + reject_unknown_recipient_domain, + reject_non_fqdn_recipient, + reject_unverified_recipient, + permit_mynetworks, + reject_unauth_destination, + check_policy_service unix:private/policyd-spf, + check_policy_service unix:public/postgrey + + policyd-spf_time_limit = 3600 + smtpd_milters = unix:public/dkim-filter + non_smtpd_milters = unix:public/dkim-filter + milter_protocol = 6 + + unknown_address_reject_code = 554 + unknown_hostname_reject_code = 554 + unknown_client_reject_code = 554 + unknown_local_recipient_reject_code = 550 + + smtpd_tls_cert_file=/etc/postfix/server.pem + smtpd_tls_key_file=/etc/ssl/private/domain_tld.key + smtpd_tls_security_level = may + smtp_tls_security_level = may + smtpd_tls_ask_ccert = yes + smtpd_tls_loglevel = 1 + smtp_tls_loglevel = 1 + smtpd_tls_received_header = yes + 
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache + smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache + + alias_maps = hash:/etc/aliases + mailbox_size_limit = 0 + message_size_limit = 20480000 + + queue_run_delay = 300s + minimal_backoff_time = 300s + master_service_disable = + +Postfix Master Configuration +---------------------------- + +The submission port is configured to only accept TLS secured +transmissions. Login Map checks will verify the authenticated SASL user +is authorized to send using different MAIL FROM aliases. + +``/etc/postfix/master.cf`` + +:: + + # + # Postfix master process configuration file. For details on the format + # of the file, see the master(5) manual page (command: "man 5 master"). + # + # ========================================================================== + # service type private unpriv chroot wakeup maxproc command + args + # (yes) (yes) (yes) (never) (100) + # ========================================================================== + smtp inet n - - - - smtpd + submission inet n - - - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path=private/auth + -o smtpd_sasl_security_options=noanonymous + -o smtpd_sasl_local_domain=$myhostname + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_sender_login_maps=hash:/etc/postfix/virtual + -o smtpd_sender_restrictions=reject_sender_login_mismatch + -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,\ + permit_sasl_authenticated,reject + #smtps inet n - - - - smtpd + # -o smtpd_tls_wrappermode=yes + # -o smtpd_sasl_auth_enable=yes + # -o smtpd_client_restrictions=permit_sasl_authenticated,reject + #628 inet n - - - - qmqpd + pickup fifo n - - 60 1 pickup + cleanup unix n - - - 0 cleanup + qmgr fifo n - n 300 1 qmgr + #qmgr fifo n - - 300 1 oqmgr + tlsmgr unix - - - 1000? 
1 tlsmgr + rewrite unix - - - - - trivial-rewrite + bounce unix - - - - 0 bounce + defer unix - - - - 0 bounce + trace unix - - - - 0 bounce + verify unix - - - - 1 verify + flush unix n - - 1000? 0 flush + proxymap unix - - n - - proxymap + smtp unix - - - - - smtp + -o smtp_header_checks=pcre:/etc/postfix/header_checks_outbound + # When relaying mail as backup MX, disable fallback_relay to avoid MX loops + relay unix - - - - - smtp + -o fallback_relay= + # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 + showq unix n - - - - showq + error unix - - - - - error + discard unix - - - - - discard + local unix - n n - - local + virtual unix - n n - - virtual + lmtp unix - - - - - lmtp + anvil unix - - - - 1 anvil + scache unix - - - - 1 scache + # + # ==================================================================== + # Interfaces to non-Postfix software. Be sure to examine the manual + # pages of the non-Postfix software to find out what options it wants. + # + # Many of the following services use the Postfix pipe(8) delivery + # agent. See the pipe(8) man page for information about ${recipient} + # and other message envelope options. + # ==================================================================== + # + # maildrop. See the Postfix MAILDROP_README file for details. + # Also specify in main.cf: maildrop_destination_recipient_limit=1 + # + maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} + # + # See the Postfix UUCP_README file for configuration details. + # + uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) + # + # Other external delivery methods. + # + ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) + bsmtp unix - n n - - pipe + flags=Fq. 
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient + scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} + mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + # python-postfix-policyd-spf + policyd-spf unix - n n - 0 spawn + user=nobody argv=/usr/bin/python /usr/bin/policyd-spf + retry unix - - - - - error + +**Additional hints about this howto (30. July 2010)** + +Postfix listens on all interfaces by default so it's not really needed +to set this: + +:: + + inet_interfaces = 1.2.3.4 + +These options are not needed: + +:: + + masquerade_domains = + masquerade_exceptions = root + masquerade_classes = envelope_sender, header_sender, header_recipient + +These options are not needed if the Dovecot LDA or LMTP is used (these +options are only relevant for the Postfix LDA "virtual"): + +:: + + virtual_mailbox_base = /var/vmail + virtual_minimum_uid = 100 + virtual_uid_maps = static:5000 + virtual_gid_maps = static:5000 + +These options are also not required - instead use only +smtpd_recipient_restrictions: + +:: + + smtpd_client_restrictions = ... + smtpd_helo_restrictions = ... + smtpd_sender_restrictions = ... 
+ +:: + + smtpd_recipient_restrictions = + reject_non_fqdn_recipient + reject_non_fqdn_sender + reject_unknown_recipient_domain + reject_unknown_sender_domain + permit_mynetworks + reject_unauth_destination + +In master.cf these options are not needed: + +:: + + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_sender_login_maps=hash:/etc/postfix/virtual + -o smtpd_sender_restrictions=reject_sender_login_mismatch + +It's better to use smtpd_recipient_restrictions like this: + +:: + + -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,\ + permit_sasl_authenticated,reject + +Also you do not need to set + +:: + + -o smtpd_sasl_local_domain=$myhostname + +When you do not want to you sender_login_maps it's not needed to set + +:: + + -o smtpd_sender_login_maps=hash:/etc/postfix/virtual + +in master.cf. Don't use + +:: + + check_policy_service unix:private/policyd-spf, + check_policy_service unix:public/postgrey + +in any smtpd_*_restriction in main.cf if these policy servers are not +installed! Also don't use + +:: + + policyd-spf_time_limit = 3600 + smtpd_milters = unix:public/dkim-filter + non_smtpd_milters = unix:public/dkim-filter + milter_protocol = 6 + +if you don't have installed dkim-filter (dkim milter) or SPF policy +server. 
These options are not needed because these are default +values: + +:: + + queue_run_delay = 300s + minimal_backoff_time = 300s + master_service_disable = + +Here's a more cleaner Postfix configuration (only with recommend +options): + +:: + + smtpd_banner = $myhostname ESMTP + biff = no + append_dot_mydomain = no + + myhostname = mail.domain.tld + inet_protocols = ipv4 + mydestination = $myhostname, localhost.$mydomain + virtual_mailbox_domains = domain.tld, domain1.tld + virtual_alias_maps = hash:/etc/postfix/virtual + virtual_transport = lmtp:unix:private/dovecot-lmtp + + strict_rfc821_envelopes = yes + disable_vrfy_command = yes + + smtpd_helo_required = yes + smtpd_recipient_restrictions = + reject_unknown_recipient_domain, + reject_non_fqdn_recipient, + permit_mynetworks, + reject_unauth_destination + permit + + smtpd_tls_cert_file=/etc/postfix/server.pem + smtpd_tls_key_file=/etc/ssl/private/domain_tld.key + smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache + + alias_maps = hash:/etc/aliases + mailbox_size_limit = 0 + message_size_limit = 20480000 + +master.cf + +:: + + # + # Postfix master process configuration file. For details on the format + # of the file, see the master(5) manual page (command: "man 5 master"). + # + # ========================================================================== + # service type private unpriv chroot wakeup maxproc command + args + # (yes) (yes) (yes) (never) (100) + # ========================================================================== + smtp inet n - - - - smtpd + submission inet n - - - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path=private/auth + -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject + pickup fifo n - - 60 1 pickup + cleanup unix n - - - 0 cleanup + qmgr fifo n - n 300 1 qmgr + tlsmgr unix - - - 1000? 
1 tlsmgr + rewrite unix - - - - - trivial-rewrite + bounce unix - - - - 0 bounce + defer unix - - - - 0 bounce + trace unix - - - - 0 bounce + verify unix - - - - 1 verify + flush unix n - - 1000? 0 flush + proxymap unix - - n - - proxymap + smtp unix - - - - - smtp + relay unix - - - - - smtp + -o fallback_relay= + showq unix n - - - - showq + error unix - - - - - error + discard unix - - - - - discard + local unix - n n - - local + virtual unix - n n - - virtual + lmtp unix - - - - - lmtp + anvil unix - - - - 1 anvil + scache unix - - - - 1 scache + retry unix - - - - - error diff --git a/source/configuration_manual/howto/virtual_users.rst b/source/configuration_manual/howto/virtual_users.rst new file mode 100644 index 000000000..c087d9b2e --- /dev/null +++ b/source/configuration_manual/howto/virtual_users.rst 
@@ -0,0 +1,58 @@ +.. _howto_virtual_users: + +============================== +How to implement virtual users +============================== + +:ref:`Virtual users ` with :ref:`passwd-files ` +------------------------------------------------------------------------------------------ + +- :doc:`A simple virtual passwd file installation ` + +- :doc:`Virtual passwd file and Exim ` + +- :doc:`Virtual passwd file and Postfix ` + +:ref:`Virtual users ` with :ref:`LDAP ` +--------------------------------------------------------------------------- + +- :doc:`OpenLDAP ` (:doc:`Cheat sheet `) + +- `Postfix and Active Directory `__ + +:ref:`System users ` and/or :ref:`Virtual users ` with :ref:`LDAP ` +--------------------------------------------------------------------------------------------------------------------- + +- `Dovecot, ManageSieve, Exim, OpenLDAP and + getmail `__ + (Instructions in German) - LDAP users can be both :ref:`system_users` and :ref:`virtual_users` + depending on how you use :ref:`LDAP ` with + the possibility to add subaccounts for each user. For example if you + have a LDAP user named peter, you can add a separate subordinate + mailbox to retrieve mail from an external mail account like + peter[at]gmail.com + +:ref:`Virtual users ` with :ref:`SQL ` +------------------------------------------------------------------------- + +- MySQL + + - :doc:`Dovecot, Postfix with Dovecot LDA transport and Dovecot SASL + Auth, Postfix Admin, MySQL and + SquirrelMail ` + + - `ISP-style Email Server with Debian-Etch and Postfix (MySQL, + Dovecot, Postfix etc.) `__ + +- PostgreSQL + + - :doc:`PostgreSQL and Postfix ` + + - `PostgreSQL, Postfix (Dovecot LMTP and Dovecot SASL), Dovecot and + vmm (command line tool) `__ + +- SQLite + + - `Postfix+Dovecot with SQLite3 + backend `__ (also implements system + users) diff --git a/source/configuration_manual/virtual_users.rst b/source/configuration_manual/virtual_users.rst new file mode 100644 index 000000000..f51347c92 
--- /dev/null +++ b/source/configuration_manual/virtual_users.rst 
@@ -0,0 +1,257 @@ +.. _virtual_users: + +============= +Virtual Users +============= + +There are many ways to configure Dovecot to use virtual users. If you +have no idea how you want your users to be configured, select some +:ref:`HOWTO ` and follow its +instructions. + +Users are often categorized as being either system users (in +``/etc/passwd``) or virtual users (not in ``/etc/passwd``). However from +Dovecot's point of view there isn't much of a difference between them. +If a :ref:`passwd ` lookup and a +:ref:`SQL ` lookup return the same +:ref:`userdb ` information, +Dovecot's behavior is identical. + +Password and user databases +=========================== + +Dovecot supports many different :ref:`password databases ` +and :ref:`user databases `. With virtual users the +most commonly used ones are :ref:`LDAP `, +:ref:`SQL ` and :ref:`passwd-file `. +The databases usually contain the following information: + +- Username + +- Password + +- UNIX User ID (UID) and primary UNIX Group ID (GID) + +- Home directory and/or mail location + +Usernames and domains +--------------------- + +Dovecot doesn't care much about domains in usernames. IMAP and POP3 +protocols currently have no concept of "domain", so the username is just +something that shows up in your logs and maybe in some configuration, +but they have no direct functionality. + +So although Dovecot makes it easier to handle "user@domain" style +usernames (eg. ``%n`` and ``%d`` :ref:`variables `), +nothing breaks if you use for example ``domain%user`` style usernames +instead. However some :ref:`authentication mechanisms ` +do have an explicit support for realms (pretty much the same as +domains). If those mechanisms are used, the username is changed to be +``user@realm``. + +And of course there's no need to have domains at all in the usernames. 
+ +Passwords +--------- + +The password can be in :ref:`any format that Dovecot supports `, +but you need to tell the format to Dovecot because it won't try to guess +it. The SQL and LDAP configuration files have the +``default_pass_scheme`` setting for this. If you have passwords in +multiple formats, or the passdb doesn't have such a setting, you'll need +to prefix each password with ``{}``, for example +``{PLAIN}plaintext-password`` or +``{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72``. + +UNIX UIDs +--------- + +The most important thing you need to understand is that **Dovecot +doesn't access the users' mails as the dovecot user**! So **do not** put +*dovecot* into the *mail* group, and don't make mails owned by the +*dovecot* user. That will only make your Dovecot installation less +secure. + +So, if not the *dovecot* user, what then? You can decide that yourself. +You can create, for example, one *vmail* user which owns all the mails, +or you can assign a separate UID for each user. See +:ref:`system_users_used_by_dovecot` +for more information about different ways to allocate UIDs for users. + +UNIX GIDs +--------- + +Unless you're using :ref:`shared mailboxes ` +and multiple UIDs, it doesn't really matter what GIDs you use. You can, +for example, use a single GID for all users, or create a separate GID +for each user. See :ref:`system_users_used_by_dovecot` for more information. + +Home directories +---------------- + +Home directory is a per-user directory where **Dovecot can save +user-specific files**. + +- Dovecot's home directories have nothing to do with system users' home + directories. + +- It's irrelevant if it's under ``/home/`` or ``/var/mail/`` or + wherever. + +- If you have trouble understanding this, mentally replace all + occurrences of "home directory" with "mail user's private state + directory". + +And in particular: + +- Never configure your userdb to return the same home directory for + multiple users, this will break things. 
+ +- Home directory must be an absolute path, don't even try to use + relative paths, these do not work. + +Some uses for home directory are: + +- By default :ref:`Sieve ` scripts are in a user's home directory. + +- The Duplicate mail check database is in a user's home directory. + Suppression of duplicate rejects/vacations won't work if home + directory isn't specified. + +- Debugging: If an imap or pop3 process crashes, the core file is + written to the user's home directory. + +Home vs. mail directory +~~~~~~~~~~~~~~~~~~~~~~~ + +Home directory shouldn't be the same as mail directory with mbox or +Maildir formats (but with dbox/obox it's fine). It's possible to do +that, but you might run into trouble with it sooner or later. Some +problems with this are: + +- Non-mailbox files may show up as mailboxes. + + - If you see this with Maildir, :dovecot_core:ref:`maildir_stat_dirs=yes ` hides + them. + +- Or a user might not be able to create mailbox with some wanted name, + because there already exists a conflicting file or directory. + + - e.g. with Maildir if you have ``.dovecot.sieve`` file, user can't + create a mailbox called "dovecot.sieve" (i.e. "dovecot" mailbox + that has a "sieve" child) + +- And vice versa: If user creates "dovecot.sieve" mailbox, Dovecot will + probably start logging all kinds of errors because the mailbox + directory isn't a valid :ref:`Sieve ` script. + +- If you ever intend to migrate to another mailbox format, it's much + easier to do if you can have both old and new mail directories under + the user's home directory. + +Ways to set up home directory +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The directory layouts for home and mail directories could look like one +of these (in the preferred order): + +1. Mail directory under home, for example: + + - ``home=/var/vmail/domain/user/`` + - ``mail=/var/vmail/domain/user/mail/`` + +2. 
Completely distinct home and mail directories: + + - ``home=/home/virtual/domain/user/`` + - ``mail=/var/vmail/domain/user/`` + +3. Home directory under mail, for example: + + - Maildir: + - ``home=/var/vmail/domain/user/home/`` + - ``mail=/var/vmail/domain/user/`` + + - mbox: There's really no good and safe way to do it. + +4. The home directory is the same as the mail directory. + +If for example ``home=/var/vmail/domain/user/`` and ``mail=/var/vmail/domain/user/mail/``, set: + +:: + + mail_home = /var/vmail/%d/%n + mail_location = maildir:~/mail + + +LDAP with relative directory paths +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If your LDAP database uses e.g. ``mailDirectory = domain/user/``, you +can use it as a base for home directory: + +:: + + user_attrs = .., mailDirectory=home=/var/vmail/%$ + +Then just use ``mail_location = maildir:~/Maildir``. + + + +Mail location +~~~~~~~~~~~~~ + +If your users have varying locations for mail location, which cannot be represented by +templating, userdb can return the :ref:`mail field ` to +override the default :dovecot_core:ref:`mail_location` setting. Normally this is not +needed, and it is sufficient to have the setting in config file. + + +Dynamic passwd-file locations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In the following example users are expected to log in as ``user@domain``. +Their mail is kept in their home directory at +``/home///Maildir``. + +The usernames in the passwd and shadow files are expected to contain +only the user part, no domain. This is because the path itself already +contained %d to specify the domain. If you want the files to contain +full ``user@domain`` names, you can change username_format to %u or +leave it out. + +Note that the default :dovecot_core:ref:`auth_username_format` is ``%Lu``. 
+ +:: + + mail_location = maildir:/home/%d/%n/Maildir + passdb { + driver = passwd-file + args = username_format=%n /home/%d/etc/shadow + } + userdb { + driver = passwd-file + args = username_format=%n /home/%d/etc/passwd + } + +static userdb +~~~~~~~~~~~~~ + +Many people store only usernames and passwords in their database and +don't want to deal with UIDs or GIDs. In that case the easiest way to +get Dovecot running is to use the :ref:`static userdb `: + +:: + + mail_location = maildir:~/Maildir + passdb { + driver = pam + } + userdb { + driver = static + args = uid=vmail gid=vmail home=/var/mail/virtual/%d/%n + } + +This makes Dovecot look up the mails from +``/var/mail/virtual///Maildir/`` directory, which should +be owned by vmail user and vmail group. From e23585f2e2089b3550c64d08b495527683605daf Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 14 Jul 2023 09:25:51 +0300 Subject: [PATCH 14/22] configuration_manual/authentication: Migrate more ldap pages --- .../authentication/ldap.rst | 8 +- .../authentication/ldap_bind.rst | 92 +++++++++ .../authentication/ldap_passwords.rst | 110 ++++++++++ .../authentication/ldap_userdb.rst | 191 ++++++++++++++++++ 4 files changed, 396 insertions(+), 5 deletions(-) create mode 100644 source/configuration_manual/authentication/ldap_bind.rst create mode 100644 source/configuration_manual/authentication/ldap_passwords.rst create mode 100644 source/configuration_manual/authentication/ldap_userdb.rst diff --git a/source/configuration_manual/authentication/ldap.rst b/source/configuration_manual/authentication/ldap.rst index c69fd337a..7f9358771 100644 --- a/source/configuration_manual/authentication/ldap.rst +++ b/source/configuration_manual/authentication/ldap.rst 
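Review bot: In the "LDAP with relative directory paths" example, `user_attrs = .., mailDirectory=home=/var/vmail/%$` uses the old `%$` placeholder, while the ldap_userdb page added later in this series documents the `%{ldap:attr}` template form; for consistency write `mailDirectory=home=/var/vmail/%{ldap:mailDirectory}`, or state which versions still accept `%$`. In "Dynamic passwd-file locations", `%d` and `%n` from the login name are expanded into filesystem paths (`/home/%d/etc/shadow`, `/home/%d/etc/passwd`) and into `mail_location`; one sentence on which setting restricts the characters permitted in the login name (presumably `auth_username_chars`) would reassure readers that a domain part cannot point the lookup outside `/home`. Minor: "Never configure your userdb to return the same home directory for multiple users, this will break things." and "Home directory must be an absolute path, don't even try to use relative paths, these do not work." are comma splices; split them.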
@@ -8,14 +8,12 @@ LDAP There are two ways to do LDAP authentication: -* `Password lookups - `_ -* `Authentication binds - `_ +* :ref:`Password lookups ` +* :ref:`Authentication binds ` Both of these have their own advantages and disadvantages. -* `LDAP as userdb `_ and +* :ref:`LDAP as userdb ` and other common LDAP query settings. Configuration common to LDAP passdb and userdb diff --git a/source/configuration_manual/authentication/ldap_bind.rst b/source/configuration_manual/authentication/ldap_bind.rst new file mode 100644 index 000000000..d47b55b30 --- /dev/null +++ b/source/configuration_manual/authentication/ldap_bind.rst 
@@ -0,0 +1,92 @@ +.. _authentication-ldap_bind: + +===================================== +Passdb LDAP with authentication binds +===================================== + +Advantages over :ref:`password lookups ` + +- LDAP server verifies the password, so Dovecot doesn't need to know + what format the password is stored in. + +- A bit more secure, as a security hole in Dovecot doesn't give + attacker access to all the users' password hashes. (And Dovecot + admins in general don't have direct access to them.) + +You can enable authentication binds by setting ``auth_bind=yes``. Next +Dovecot needs to know what DN to use in the binding. There are two ways +to configure this: lookup or template. + +DN lookup +--------- + +DN is looked up by sending a ``pass_filter`` LDAP request and getting +the DN from the reply. This is very similar to doing a +:ref:`password lookup `. +The only difference is that ``userPassword`` attribute isn't returned. Just +as with password lookups, the ``pass_attrs`` may contain special +:ref:`extra fields `. + +Example: + +:: + + auth_bind = yes + pass_attrs = uid=user + pass_filter = (&(objectClass=posixAccount)(uid=%u)) + +DN template +=========== + +The main reason to use DN template is to avoid doing the DN lookup, so +that the authentication consists only of one LDAP request. With IMAP and +POP3 logins the same optimization can be done by using :ref:`prefetch +userdb ` +and returning userdb info in the DN lookup (a total of two LDAP requests +per login in both cases). If you're also using Dovecot for SMTP AUTH, it +doesn't do a userdb lookup so the prefetch optimization doesn't help. + +If you're using DN template, ``pass_attrs`` and ``pass_filter`` settings +are completely ignored. That means you can't make passdb return any +:ref:`extra fields `. +You should also set ``auth_username_format = %Lu`` in ``dovecot.conf`` +to normalize the username by lowercasing it. 
+ +Example: + +:: + + auth_bind = yes + auth_bind_userdn = cn=%u,ou=people,o=org + +Connection optimization +======================= + +When using + +- auth binds and + +- userdb ldap lookups, + +the userdb lookups should use a separate connection to the LDAP server. +That way it can send LDAP requests asynchronously to the server, which +improves the performance. This can be done by specifying different +filenames in the LDAP passdb and userdb args. The second file could be a +symlink to the first one. For example: + +:: + + passdb { + driver = ldap + args = /etc/dovecot/dovecot-ldap.conf.ext + } + userdb { + driver = ldap + args = /etc/dovecot/dovecot-ldap-userdb.conf.ext + } + +And create the symlink: + +:: + + ln -s /etc/dovecot/dovecot-ldap.conf.ext /etc/dovecot/dovecot-ldap-userdb.conf.ext diff --git a/source/configuration_manual/authentication/ldap_passwords.rst b/source/configuration_manual/authentication/ldap_passwords.rst new file mode 100644 index 000000000..ff6f4120c --- /dev/null +++ b/source/configuration_manual/authentication/ldap_passwords.rst 
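Review bot: Heading levels are inconsistent: "DN lookup" is underlined with `-----`, but "DN template" and "Connection optimization" use `=====`, so the latter two render as a different level rather than as peers of "DN lookup"; use `-----` for all three. The line "Advantages over :ref:`password lookups `" is missing the trailing colon that the parallel ldap_passwords page has. In the DN template section, `auth_bind_userdn = cn=%u,ou=people,o=org` expands the client-supplied login name straight into a DN; since the section already recommends `auth_username_format = %Lu` there, add a sentence stating whether `%u` is LDAP-escaped in this expansion, because a login name containing DN separators would otherwise change which entry is bound.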
@@ -0,0 +1,110 @@ +.. _authentication-ldap_passwords: + +================================= +Passdb LDAP with password lookups +================================= + +Advantages over :ref:`authentication binds `: + +- Faster, because Dovecot can keep sending multiple LDAP requests + asynchronously to the server. With auth binds Dovecot must wait for + each request to finish before sending the next one. + +- Supports non-plaintext :ref:`authentication + mechanisms ` + (if returning plaintext/:ref:`properly hashed + passwords `). + +- When using :ref:`LDA ` or :ref:`LMTP ` + and static userdb, deliver can check if destination user exists. With + auth binds this check isn't possible. + +LDAP server permissions +----------------------- + +Normally LDAP server doesn't give anyone access to users' passwords, so +you'll need to create an administrator account that has access to the +userPassword field. With OpenLDAP this can be done by modifying +``/etc/ldap/slapd.conf``: + +:: + + # there should already be something like this in the file: + access to attribute=userPassword + by dn="" read # just add this line + by anonymous auth + by self write + by * none + +Replace ```` with the DN you specified in +``dovecot-ldap.conf's`` ``dn`` setting. + +Dovecot configuration +--------------------- + +The two important settings in password lookups are: + +- ``pass_filter`` specifies the LDAP filter how user is found from the + LDAP. You can use all the normal + :ref:`variables ` + like ``%u`` in the filter. + +- ``pass_attrs`` specifies a comma-separated list of attributes that + are returned from the LDAP. If you set it to empty, all the + attributes are returned. + +Usually the LDAP attribute names aren't the same as :ref:`the field names +that Dovecot uses internally ` +You must create a mapping between them to get the wanted results. This +is done by listing the fields as ``=``. 
+For example: + +:: + + pass_attrs = uid=user, userPassword=password + +This maps the LDAP "uid" attribute to Dovecot's "user" field and LDAP's +"userPassword" attribute to Dovecot's "password" field. These two fields +should always be returned, but it's also possible to return other +special :ref:`extra fields `. + +Password +~~~~~~~~ + +Most importantly the ``pass_attrs`` must return a "password" field, +which contains the user's password. The next thing Dovecot needs to know +is what format the password is in. If all the passwords are in same +format, you can use ``default_pass_scheme`` setting in +``dovecot-ldap.conf`` to specify it. Otherwise each password needs to be +prefixed with ``{password-scheme}``, for example +``{plain}plaintext-password``. See :ref:`authentication-password_schemes` +for a list of supported password schemes. + +Username +~~~~~~~~ + +LDAP lookups are case-insensitive. Unless you somehow normalize the +username, it's possible that a user logging in as "user", "User" and +"uSer" are treated differently. The easiest way to handle this is to +tell Dovecot to change the username to the same case as it's in the LDAP +database. You can do this by returning "user" field in the +``pass_attrs``, as shown in the above example. + +If you can't normalize the username in LDAP, you can alternatively +lowercase the username in ``dovecot.conf``: + +:: + + auth_username_format = %Lu + +Example +------- + +A typical configuration would look like: + +:: + + auth_bind = no + pass_attrs = uid=user, userPassword=password + pass_filter = (&(objectClass=posixAccount)(uid=%u)) + default_pass_scheme = MD5 diff --git a/source/configuration_manual/authentication/ldap_userdb.rst b/source/configuration_manual/authentication/ldap_userdb.rst new file mode 100644 index 000000000..285c4a5e3 --- /dev/null +++ b/source/configuration_manual/authentication/ldap_userdb.rst 
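Review bot: The closing example sets `default_pass_scheme = MD5`; since the page's first listed advantage of password lookups rests on "properly hashed passwords", the typical configuration should not show an unsalted scheme; a salted, iterated scheme from the linked password-schemes list (for example `SHA512-CRYPT`) reads better as the example. Also missing a full stop: "Usually the LDAP attribute names aren't the same as :ref:`the field names that Dovecot uses internally ` You must create a mapping"; and "``dovecot-ldap.conf's`` ``dn`` setting" puts the possessive inside the literal, so write "the ``dn`` setting in ``dovecot-ldap.conf``".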
@@ -0,0 +1,191 @@ +.. _authentication-ldap_userdb: + +================== +LDAP user database +================== + +Usually your LDAP database also contains the :ref:`userdb +information ` +If your home directory can be specified with a template and you're using +only a single UID and GID, you +should use :ref:`static userdb ` +instead to avoid an unnecessary LDAP lookup. You can also use :ref:`prefetch +userdb ` to avoid the userdb LDAP lookup. + +Userdb lookups are always done using the default DN (``dn`` setting) +bind. It's not possible to do the lookup using the user's DN (remember +that e.g. :ref:`LDA ` or :ref:`LMTP ` needs +to do userdb lookups without knowing the user's password). + +The userdb lookups are configured in very much the same way as :ref:`LDAP +password lookups `. +Instead of ``pass_attrs`` and ``pass_filter``, the userdb uses +``user_attrs`` and ``user_filter``. Typically ``pass_filter`` and +``user_filter`` are equivalent. + +If you're using a single UID and GID for all the users, you can specify +them globally with ``mail_uid`` and ``mail_gid`` settings instead of +returning them from LDAP. + +Example: + +:: + + user_attrs = \ + =home=%{ldap:homeDirectory}, \ + =uid=%{ldap:uidNumber}, \ + =gid=%{ldap:gidNumber} + user_filter = (&(objectClass=posixAccount)(uid=%u)) + + # For using doveadm -A: + iterate_attrs = =user=%{ldap:uid} + iterate_filter = (objectClass=posixAccount) + +Attribute templates (v2.1+) +--------------------------- + +You can mix static text with the value returned from LDAP by using +``%{ldap:*}`` variables, which expand to the named LDAP attribute's value. 
+Some examples: + +Create a "quota_rule" field with value ``*:bytes=`` where comes +from "quotaBytes" LDAP attribute: + +:: + + user_attrs = \ + =quota_rule=\*:bytes=%{ldap:quotaBytes} + +Create a "mail" field with value ``maildir:/var/mail//Maildir`` where +```` comes from "sAMAccountName" LDAP attribute: + +:: + + user_attrs = \ + =mail=maildir:/var/spool/vmail/%{ldap:sAMAccountName}/Maildir + +You can add static fields that aren't looked up from LDAP. For example +create a "mail" field with value ``maildir:/var/vmail/%d/%n/Maildir``: + +:: + + user_attrs = \ + =quota_rule=*:bytes=%{ldap:quotaBytes}, \ + =mail=maildir:/var/vmail/%d/%n/Maildir + +If you don't want a field to exist at all when its LDAP attribute +doesn't exist, you can give the attribute name before the first "=" +character. For example this doesn't return "home" or "mail" fields if +"mailboxPath" doesn't exist: + +:: + + user_attrs = \ + =quota_rule=*:bytes=%{ldap:quotaBytes}, \ + mailboxPath=home=/home/%{ldap:mailboxPath}, \ + mailboxPath=mail=maildir:~/Maildir + +It's also possible to give default values to nonexistent attributes in +v2.1.11+ by using e.g. ``%{ldap:userDomain:example.com}`` where if +userDomain attribute doesn't exist, example.com is used instead. + +Subqueries and pointers (v2.2) +------------------------------ + +LDAP values can now have DN pointers to other entries that are queried. + +.. note:: These aren't actually very useful anymore. See the next + section for how to do multiple queries more easily using multiple + userdbs. + +Example: + +:: + + user_attrs = \ + =user=%{ldap:uid}, \ + @mail=%{ldap:mailDN}, \ + =uid=%{ldap:uidNumber@mail}, \ + =gid=%{ldap:gidNumber@mail}, \ + =home=%{ldap:rootPath@mail}/%d/%n + +This will do a regular lookup first. Then does another lookup with DN +taken from mailDN's value. The ``*@mail`` attributes are assigned from the +second lookup's results. 
+ +:: + + user_attrs = \ + =user=%{ldap:uid}, \ + =home=%{ldap_ptr:activePath}, \ + !primaryPath, !secondaryPath + +The activePath's value can be either "primaryPath" or "secondaryPath". +The home's value will be the contents of that field. The !field tells +Dovecot to fetch the field's value but not to do anything with it +otherwise. + +Multiple queries via userdbs (v2.2+) +------------------------------------ + +Example: Give the user a class attribute, which defines the default +quota: + +dovecot.conf: + +:: + + userdb { + driver = ldap + args = /etc/dovecot/dovecot-users-ldap.conf.ext + result_success = continue-ok + } + userdb { + driver = ldap + args = /etc/dovecot/dovecot-class-ldap.conf.ext + skip = notfound + } + +/etc/dovecot/dovecot-users-ldap.conf.ext: + +:: + + # If user has overridden quota, quota_rule is set below. Otherwise it's still unset. + user_attrs = \ + =class=%{ldap:userClass} + quotaBytes=quota_rule=*:bytes=%{ldap:quotaBytes} + +/etc/dovecot/dovecot-class-ldap.conf.ext: + +:: + + # Do the lookup using the user's class: + user_filter = (&(objectClass=userClass)(class=%{userdb:class})) + # With :protected suffix the quota_rule isn't overridden if it's already set. + user_attrs = \ + classQuotaBytes=quota_rule:protected=*:bytes=%{ldap:classQuotaBytes} + +Variables and domains +--------------------- + +User names and domains may be distinguished using the +:ref:`Variables ` +%n and %d. They split the *previous username* at the "@" character. The +*previous username* is: + +- For LMTP, it will be ``user@hostname``, where hostname depends on e.g. + the Postfix configuration. + +- For IMAP, it will be whatever the password database has designated as + the username. If the (LDAP) password database has ``user_attrs = + =user=%n``, then the domain part of the login name will be stripped by + the password database. The UserDB will not see any domain part, i.e. + %n and %u are the same thing for the UserDB. 
+ +The UserDB may set a new username, too, using ``user_attrs = =user=...``. +This will be used for + +- Logging + +- %u and %d variables in other parts of the configuration (e.g. quota + file names) From aef36e1d671c349ad73281cc38b420a0172d8f0b Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 14 Jul 2023 09:39:53 +0300 Subject: [PATCH 15/22] configuration_manual/authentication: Migrate domain lost page --- .../authentication/domain_lost.rst | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 source/configuration_manual/authentication/domain_lost.rst diff --git a/source/configuration_manual/authentication/domain_lost.rst b/source/configuration_manual/authentication/domain_lost.rst new file mode 100644 index 000000000..78aa19b32 --- /dev/null +++ b/source/configuration_manual/authentication/domain_lost.rst 
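Review bot: Three defects in the examples. (1) In "Attribute templates" the first example writes `=quota_rule=\*:bytes=%{ldap:quotaBytes}`; inside a `::` literal block the backslash is rendered literally, so a reader copying it gets a quota rule beginning with `\*`, and the later examples on the same page use the unescaped `*:bytes=`; drop the backslash. (2) The prose says the "mail" field gets `maildir:/var/mail//Maildir`, but the example sets `=mail=maildir:/var/spool/vmail/%{ldap:sAMAccountName}/Maildir`; make the path in the text match the example. (3) In `/etc/dovecot/dovecot-users-ldap.conf.ext` the `user_attrs` value ends after `=class=%{ldap:userClass}` with no trailing `, \`, so the following `quotaBytes=quota_rule=*:bytes=%{ldap:quotaBytes}` line is not part of the setting and the comment above it is wrong; add `, \` after `%{ldap:userClass}`. Minor: the opening paragraph lacks a full stop after ":ref:`userdb information `", and the `ldap_ptr` example that follows "second lookup's results." has no introductory sentence.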
@@ -0,0 +1,100 @@ +==================== +Domain (%d) is empty +==================== + +IMAP or POP3 protocol doesn't have explicit support for domains. The +usernames are commonly in ``user@domain`` format, and that is also where +Dovecot gets the domain from. If the username doesn't have ``@domain``, then +the domain is also usually empty (unless :dovecot_core:ref:`auth_default_realm` setting +is used). + +If you login as ``user@domain``, but the %d is still empty, the problem is +that your configuration lost the domain part by changing the username. +Dovecot doesn't keep track of the domain separately from username, so if +something changes username from ``user@domain`` to just plain ``user``, the +domain is lost and %d returns nothing. If you have +:dovecot_core:ref:`auth_debug=yes `, +this shows up in logs like: + +:: + + Info: auth(user@domain.org): username changed user@domain.org -> user + +Below are some of the most common reasons for this. + +Settings +-------- + +:dovecot_core:ref:`auth_username_format = %Ln ` lowercases +the username but also drops the domain. Use +:dovecot_core:ref:`auth_username_format = %Lu ` instead. + +:dovecot_core:ref:`auth_username_format` changes the username permanently, some +user databases support using variables or ``username_format`` (see +:ref:`authentication-passwd_file`). See also :ref:`authentication-virtual_and_system_users`. + +SQL +--- + +``password_query`` gets often misconfigured to drop the domain if +username and domain are stored separately. For example: + +:: + + # BROKEN: + password_query = SELECT username AS user, password FROM users \ + WHERE username = '%n' AND domain = '%d' + +The "username AS user" changes the username permanently and the domain +is dropped. 
You can instead use: + +:: + + # MySQL: + password_query = SELECT concat(username, '@', domain) AS user, \ + password FROM users WHERE username = '%n' AND domain = '%d' + +Or you can return username and domain fields separately and Dovecot will +merge them into a single user field: + +:: + + password_query = SELECT username, domain, password FROM users \ + WHERE username = '%n' AND domain = '%d' + +.. _authentication-virtual_and_system_users: + +Virtual and system users +======================== + +If you need to do PAM/passwd lookup for system users, and also have domain users, +you can configure authentication to drop the domain part after doing virtual +user lookup. + +:: + + ## Your virtual passdb + passdb { + driver = ldap + args = /path/to/ldap/config + } + + passdb { + driver = static + args = user=%Ld noauthenticate + skip = authenticated + } + + passdb { + driver = pam + skip = authenticated + } + + userdb { + driver = ldap + args = /path/to/ldap/config + } + + userdb { + driver = passwd + } From 4422c63238a486ebead4058395ac5b124f7e7b1b Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 14 Jul 2023 09:57:35 +0300 Subject: [PATCH 16/22] configuration_manual/authentication: Migrate kerberos page --- .../authentication/kerberos.rst | 247 ++++++++++++++++++ 1 file changed, 247 insertions(+) create mode 100644 source/configuration_manual/authentication/kerberos.rst diff --git a/source/configuration_manual/authentication/kerberos.rst b/source/configuration_manual/authentication/kerberos.rst new file mode 100644 index 000000000..286937eb7 --- /dev/null +++ b/source/configuration_manual/authentication/kerberos.rst 
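Review bot: In the "Virtual and system users" example, `args = user=%Ld noauthenticate` sets the username to the lowercased domain, whereas the surrounding prose says the intent is to drop the domain part; this page's own Settings section states that `%Ln` is the variable that keeps the user part and drops the domain, so unless I misread the intent this should be `user=%Ln noauthenticate`. Also: the page lacks the `.. _authentication-...:` label that the other migrated pages start with, so it cannot be cross-referenced with :ref:; "Virtual and system users" is underlined with `=====` while "Settings" and "SQL" use `-----`; and "auth_username_format changes the username permanently, some user databases support using variables" is a comma splice.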
@@ -0,0 +1,247 @@ +======================= +Kerberos authentication +======================= + +Dovecot supports Kerberos 5 using GSSAPI. The Kerberos authentication +mechanism doesn't require having a :ref:`passdb `, +but you do need a :ref:`userdb ` +so Dovecot can lookup user-specific information, such as where their +mailboxes are stored. With centralized systems, such as Microsoft Active +Directory, LDAP is pretty good choice. + +.. note:: If you only wish to authenticate clients using their Kerberos + *passphrase* (as opposed to ticket authentication), you will probably + want to use :ref:`PAM ` authentication with ``pam_krb5.so`` instead. + +Pre-requisites +-------------- + +This document assumes that you already have a Kerberos Realm up and +functioning correctly at your site, and that each host in your realm +also has a host *keytab* installed in the appropriate location. + +For Dovecot, you will need to install the appropriate *service* keys on +your server. By default, Dovecot will look for these in the host's +keytab file, typically ``/etc/krb5.keytab``, but you can specify an +alternate path using the :dovecot_core:ref:`auth_krb5_keytab` configuration entry in +dovecot.conf. Anyway specified keytab file should be readable by user +"dovecot" (or whatever user the auth process is running as). If you wish +to provide an IMAP service, you will need to install a service ticket of +the form ``imap/hostname@REALM``. For POP3, you will need a service +ticket of the form ``pop/hostname@REALM``. When using Dovecot's +:ref:`SASL ` with :ref:`MTA `, you will need to install service ticket of the form +``smtp/hostname@REALM``. 
+ +Setting up samba +---------------- + +Create symlink for krb5.conf, if you do not have krb5.conf ready + +:: + + ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf + +Create dovecot user to your samba instance (choose random password) + +:: + + $ samba-tool user create dovecot + New Password: + Retype Password: + User 'dovecot' created successfully + +Add Service Principal Names (SPNs) and create keytab + +:: + + $ samba-tool spn add imap/host.domain.com dovecot + $ samba-tool domain exportkeytab --principal imap/host.domain.com /etc/dovecot/dovecot.keytab + +Dovecot needs to be able to read the keytab + +:: + + $ chgrp dovecot /etc/dovecot/dovecot.keytab + $ chmod g+r /etc/dovecot/dovecot.keytab + +Make sure your keytab has entry for ``imap/host.domain.name@REALM``. + +:: + + $ klist -Kek /etc/dovecot/dovecot.keytab + Keytab name: FILE:/etc/dovecot/dovecot.keytab + KVNO Principal + ---- -------------------------------------------------------------------------- + 1 imap/host.domain.name@REALM (des-cbc-crc) + 1 imap/host.domain.name@REALM (des-cbc-md5) + 1 imap/host.domain.name@REALM (arcfour-hmac) + +Example dovecot.conf configurations +----------------------------------- + +If you only want to use Kerberos ticket-based authentication: + +:: + + auth_gssapi_hostname = "$ALL" + auth_mechanisms = gssapi + auth_krb5_keytab = /etc/dovecot/dovecot.keytab + + userdb { + driver = static + args = uid=vmail gid=vmail home=/var/vmail/%u + } + +(In this virtual-hosting example, all mail is stored in +``/var/vmail/$username`` with uid and gid set to 'vmail') + +If you also want to support plaintext authentication in addition to +ticket-based authentication, you will need something like: + +:: + + auth_mechanisms = plain login gssapi + auth_gssapi_hostname = "$ALL" + auth_mechanisms = gssapi + auth_krb5_keytab = /etc/dovecot/dovecot.keytab + passdb { + driver = pam + } + userdb { + driver = passwd + } + +(Note that in this example, you will also need to configure PAM 
to use +whichever authentication backends are appropriate for your site.) + +Enable plaintext authentication to use Kerberos +----------------------------------------------- + +This is needed when some of your clients don't support GSSAPI and you +still want them to authenticate against Kerberos. + +Install pam_krb5 module for PAM, and create ``/etc/pam.d/dovecot``: + +:: + + auth sufficient pam_krb5.so + account sufficient pam_krb5.so + +Then enable PAM passdb: + +:: + + passdb { + driver = pam + } + +Check ``/var/log/auth.log`` if you have any problems logging in. The +problem could be that PAM is still trying to use pam_unix.so rather than +pam_krb5.so. Make sure pam_krb5.so is the first module for account or +just change pam_unix.so to sufficient. + +Cross-realm authentication +-------------------------- + +This seems to have all kinds of trouble. Search Dovecot mailing list for +previous threads about it. Some points about it: + +- ``krb5_kuserok()`` is used to check if access is allowed. It may try to + do the check by reading ``~user/.k5login`` (good!) or ``~dovecot/.k5login`` + (bad!) + +- Solaris uses ``gss_userok()`` instead of ``krb5_kuserok()``. Dovecot v2.2+ has + "k5principals" :ref:`passdb extra field ` + which is a comma separated list of usernames that are allowed to log + in. If it's set, it bypasses the ``krb5_kuserok()`` check. + + .. note:: + for this to work, you need a password database which supports + **credential lookups**.With 2.2.13, this excludes LDAP databases + using authentication binds (``auth_bind = yes``). However, a second LDAP + passdb entry without ``auth_bind = yes`` may be added for the sole + purpose of Kerberos principals mapping. This passdb doesn't need to + return a password attribute (and usually shouldn't). With 2.2.24, + authentication-bind LDAP databases are able to provide ``k5principals`` + lookups if configured with ``pass_filter``. 
+ +Client support +-------------- + +Mail clients that support Kerberos GSSAPI authentication include: + +- Evolution + +- Mozilla Thunderbird + +- SeaMonkey + +- Mutt + +- UW Pine + +- Apple Mail + +Test that the server can access the keytab +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This test demonstrates that the server can acquire its private +credentials. You need to configure your server accordingly, +and then you can use mutt client to test this. + +First telnet directly to the server + +:: + + $ telnet localhost 143 + * OK Dovecot ready. + +or, if you are using IMAPS then use openssl instead of telnet to +connect: + +:: + + $ openssl s_client -connect localhost:993 + CONNECTED(00000003) + ... + * OK Dovecot ready. + +Check that GSSAPI appears in the authentication capabilities: + +:: + + a capability + * CAPABILITY ... AUTH=GSSAPI + +Attempt the first round of GSS communication. The '+' indicates that the +server is ready + +:: + + a authenticate GSSAPI + + + +Abort the telnet session by typing control-] and then 'close' + +:: + + ^] + telnet> close + +The test: + +- Setup mutt in /etc/Muttrc to use kerberos using gssapi and imap + configuration + + - this is done with ``set imap_authenticators="gssapi"`` + +- run kinit (type in password for kerb) + +- run command mutt + +- If you get error No Authentication Method + + - run command klist (list all kerberos keys) should show + imap/HOSTNAME + +- DNS has to function correctly so that kerberos works. From aee35a18326f21485f88ed46cf5e99c83da9d017 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 14 Jul 2023 09:58:43 +0300 Subject: [PATCH 17/22] configuration_manual/authentication: Migrate caching page --- .../authentication/caching.rst | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 source/configuration_manual/authentication/caching.rst 
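Review bot: The second dovecot.conf example (plaintext plus ticket authentication) sets `auth_mechanisms = plain login gssapi` and then, two lines later, `auth_mechanisms = gssapi`; the later line overrides the earlier one, leaving only GSSAPI enabled, which contradicts the sentence introducing the example; remove the second `auth_mechanisms` line. The sample `klist -Kek` output lists only `des-cbc-crc`, `des-cbc-md5` and `arcfour-hmac`; single-DES enctypes are deprecated for Kerberos and a current keytab export would show AES entries, so either refresh the sample or mark it as illustrative so readers do not take it as the expected set. Grammar: "LDAP is pretty good choice" needs "a"; "Anyway specified keytab file should be readable by user "dovecot"" should read "Whichever keytab is used, it must be readable by the user the auth process runs as"; "**credential lookups**.With 2.2.13" is missing a space. This page also lacks the `.. _authentication-...:` label the other migrated pages start with.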
diff --git a/source/configuration_manual/authentication/caching.rst b/source/configuration_manual/authentication/caching.rst new file mode 100644 index 000000000..05d14e2fd --- /dev/null +++ b/source/configuration_manual/authentication/caching.rst 
@@ -0,0 +1,130 @@ +.. _authentication-caching: + +================================= +Caching of authentication results +================================= + +Dovecot supports caching the results of password and user database +lookups. The following rules apply to using the authentication cache: + +- Data is used from the cache if it's not expired + (:dovecot_core:ref:`auth_cache_ttl` setting) + + - If authentication fails this time, but it didn't fail last time, + it's assumed that the password has changed and a database lookup + is done. + +- If a database lookup fails because of some internal error, but data + still exists in the cache (even if expired), the cached data is used. + This allows Dovecot to log in some users even if the database is + temporarily down. + +The authentication cache can be flushed by sending a SIGHUP to +dovecot-auth. + +Sending SIGUSR2 to dovecot-auth makes it log the number of cache hits +and misses. You can use that information for tuning the cache size and +TTL. + +Settings +-------- + +The settings related to the authentication cache are: + +:dovecot_core:ref:`auth_cache_size` + Authentication cache size, 0 disables caching + (default). A typical passdb cache entry is around 50 bytes and a + typical userdb cache entry is around 100-200 bytes, depending on the + amount of information your user and password database lookups return. + +:dovecot_core:ref:`auth_cache_ttl` + Time to live in seconds for cache entries. A + cache entry is no longer used (except for internal failures) if it + was created more than this many seconds ago. Entries are removed from + the cache only when the cache is full and a new entry is to be added. + +:dovecot_core:ref:`auth_cache_negative_ttl` + If a passdb or userdb lookup didn't return any data (i.e. the user + doesn't exist), it's also stored in the cache as a negative entry. + This setting allows you to give negative entries a different TTL. + 0 disables negative caching completely. 
+ +:dovecot_core:ref:`auth_cache_verify_password_with_worker` + Password hash verifications are done by the auth master process by + default. Setting this to "yes" moves the verification to auth-worker + processes. This allows distributing the hash calculations to multiple + CPU cores, which could make sense if strong hashes are used. (v2.2.34+) + +It should be pretty safe to set very high TTLs, because the only field +that usually can change is the user's password, and Dovecot attempts to +catch those cases (see the rules above). + +Cache keys +---------- + +Usually only the username uniquely identifies a user, but in some setups +you may need something more, for example the remote IP address. For SQL +and LDAP lookups Dovecot figures this out automatically by using all the +used :ref:`variables ` as the cache key. For example +if your SQL query contains %s, %u and %r the cache entry is used only +if all of them (service name, username and remote IP) match for the new lookup. + +With other databases Dovecot doesn't know what could affect caching, so +you have to tell Dovecot manually. The following databases require +specifying the cache key: + +- pam + +- bsdauth + +For example if the PAM lookup depends on username and service, you can +use: + +:: + + passdb { + driver = pam + args = cache_key=%s%u * + } + +Password changing scenarios +--------------------------- + +Normal scenario: + +1. User logs in with password X. The password X is added to cache and + login succeeds. + +2. Password is changed to Y. + +3. User logs in with password Y. The cached password X doesn't match Y, + but since the previous authentication was successful Dovecot does + another backend passdb lookup to see if the password changed. It did, + so the password Y is cached and login succeeds. + +Using old cached password scenario: + +1. User logs in with password X. The password X is added to cache and + login succeeds. + +2. Password is changed to Y. + +3. User logs in with password X. 
The cached password X matches X, so + login succeeds. + +Early change scenario: + +1. User logs in with password X. The password X is added to cache and + login succeeds. + +2. User logs in with password Y. The cached password X doesn't match Y, + but since the previous authentication was successful Dovecot does + another backend passdb lookup to see if the password changed. It + didn't, so the login fails. + +3. Password is changed to Y. + +4. User logs in with password Y. The cached password X doesn't match Y + and the previous authentication was unsuccessful, so Dovecot doesn't + bother doing another backend passdb lookup (until cache TTL expires). + The login fails. From 8cdd0cef9e56aca5f3d9984fd923f43250c3a45d Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 14 Jul 2023 10:00:45 +0300 Subject: [PATCH 18/22] configuration_manual/authentication: Migrate restrict access page --- .../authentication/restrict_access.rst | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 source/configuration_manual/authentication/restrict_access.rst diff --git a/source/configuration_manual/authentication/restrict_access.rst b/source/configuration_manual/authentication/restrict_access.rst new file mode 100644 index 000000000..da10eec4d --- /dev/null +++ b/source/configuration_manual/authentication/restrict_access.rst 
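Review bot: the sentence "It should be pretty safe to set very high TTLs, because the only field that usually can change is the user's password" understates the risk, given the "Using old cached password scenario" later in the same hunk: a cached password that still matches is accepted without any backend lookup, so an account that is disabled, locked or deleted in the backend without its password changing keeps logging in from the cache until auth_cache_ttl expires. Suggest stating that explicitly next to the TTL advice and pointing readers at the flush procedure for deprovisioning. On that procedure, "sending a SIGHUP to dovecot-auth" is the v1.x process name carried over from the wiki; for the 2.x manual this should name the auth process and mention doveadm auth cache flush, which can also flush the entries of a single user.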
@@ -0,0 +1,82 @@ +============================ +Restricting IMAP/POP3 access +============================ + +Below examples show how you can give POP3 access to everyone, but IMAP +access only for some people. The exact solution you want depends on what +passdb you use. The solutions can also be modified for other types of +IMAP/POP3/SMTP/etc. access checks. + +PAM +--- + +Set PAM service name to ``%s``, ie.: + +:: + + passdb { + driver = pam + args = %s + } + +That way PAM uses ``/etc/pam.d/imap`` for IMAP, and ``/etc/pam.d/pop3`` +for POP3. + +In ``/etc/pam.d/imap`` you could then use eg. the pam_listfile.so +module: + +:: + + # allow IMAP access only for users in /etc/imapusers file + auth required pam_listfile.so item=user sense=allow file=/etc/imapusers onerr=fail + +SQL +--- + +You can use the ``%s`` variable which expands to ``imap`` or ``pop3`` in +``password_query``, eg: + +:: + + password_query = SELECT password FROM users WHERE userid = '%u' and not (imap_allowed = false and '%s' = 'imap') + +LDAP +---- + +Just like with SQL, you can use ``%s`` in pass_filter, eg.: + +:: + + pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s)) + +That would require setting both service=pop3 and service=imap attributes +to the user objects. + +passwd-file +----------- + +You can create a deny passwd-file based on the service: + +:: + + passdb { + driver = passwd-file + args = /etc/dovecot/deny.%s + deny = yes + } + +This makes Dovecot look for ``/etc/dovecot/deny.imap`` and +``/etc/dovecot/deny.pop3`` files. If the user exists in it, the access +is denied. The files don't need to have anything else than one username +per line. + +Note that this deny passdb must be before other passdbs. It also means +that it can be used with any other passdb, not just with passwd-file +passdbs. + +Restricting IP Access +--------------------- + +It's possible to allow a user to authenticate only from a specific IP or +network. This is especially useful for master users. 
This can be done by +returning :ref:`allow_nets ` extra field in passdb. From bbadbe9daf4a9281d7028fa119d4cc788d093aa8 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 14 Jul 2023 10:18:50 +0300 Subject: [PATCH 19/22] admin_manual: Migrate clients page --- source/admin_manual/clients.rst | 233 ++++++++++++++++++++++++++++++++ 1 file changed, 233 insertions(+) create mode 100644 source/admin_manual/clients.rst diff --git a/source/admin_manual/clients.rst b/source/admin_manual/clients.rst new file mode 100644 index 000000000..fa70475ec --- /dev/null +++ b/source/admin_manual/clients.rst 
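Review bot: the PAM section should say what happens to services that get no file of their own once the PAM service name is %s: with Linux-PAM a missing /etc/pam.d/<service> falls back to the "other" entry, which on most distributions denies, so an admin following "/etc/pam.d/imap for IMAP, and /etc/pam.d/pop3 for POP3" also needs files for every further service that authenticates through this passdb (the page itself mentions SMTP in "IMAP/POP3/SMTP/etc. access checks"), or those services are locked out. Likewise the passwd-file deny example with args = /etc/dovecot/deny.%s should state which deny.<service> files are expected to exist and whether a missing file means "nobody denied" or a lookup error, since the text only describes deny.imap and deny.pop3.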
@@ -0,0 +1,233 @@ +============= +Client issues +============= + +.. warning:: + + This page is copied from old wiki and may contain old information. + If you do find client(s) that need special configuration, or no longer + need it, please let us know. + +It seems to be quite difficult to implement a working IMAP client. `Best +Practices for Implementing an IMAP +Client `__ tries to help +you with it. + +------------- +Negative UIDs +------------- + +:: + + Invalid messageset: 1181461470:-1181461446. + +IMAP uses unsigned 32bit integers for unique message identifiers. +Unfortunately a lot of IMAP clients use 32bit signed integers, which +means that if the UIDs go higher than 2147483647, they'll wrap to +negative integers. This causes errors such as above. + +However normally the UIDs should never go that high, so it's possible to +avoid this problem. + +Earlier Dovecot versions had bugs which could cause X-UID: headers in +incoming messages to grow the UIDs too high. Some spam messages +especially contained these intentionally broken X-UID: headers. + +With newer Dovecot versions these broken X-UID: headers aren't +practically ever used. It happens only if the mail has a valid +X-IMAPbase: header, X-UID: header and the mail is written to an empty +mbox file. Note that this can happen only new mboxes, because expunging +all messages in a mailbox causes Dovecot to create a metadata message at +the beginning of the mbox file. + +In any case it's still a good idea to filter out X-UID: and other +metadata headers in your MDA. :ref:`Dovecot's deliver ` does +this internally. See :ref:`known_issues_mbox_problems` for a list +of headers to filter out. + +Fixing +====== + +Fixing is done by letting Dovecot update UIDVALIDITY value and recreate +the UIDs beginning from one. This means that client's local cache will +be invalidated and the client will be required to download all the +messages again. + +mbox +---- + +Delete Dovecot's index files (eg. 
``.imap/INBOX/``) and X-IMAP: and +X-IMAPbase: headers from the mbox file. + +Maildir +------- + +This should really never be a problem with Maildir. If however you have +managed to cause it somehow (by receiving 2 billion mails?), you can +recreate the UIDs by deleting ``dovecot-uidlist`` file. + +------------------ +Some known clients +------------------ + +Appsuite webmail +================ + +Works fine. + + +Apple Mail.app +============== + +On Mac OS X Leopard 10.5 Mail.app appears to support +subscribe/unsubscribe by right clicking on a mailbox, selecting 'Get +Account Info' and selecting 'Subscription List' from tabs. This however +doesn't really work with any IMAP server. + +Apple Mail 3.6 (that comes with OS X 10.5 Leopard) supports +subscribing/unsubscribing to folders in the public namespace. + +Outlook +======= + +- You should enable :dovecot_core:ref:`pop3_client_workarounds = + outlook-no-nuls ` workaround with POP3. + +- If some Outlook users don't see new or sent mails in the appropriate + folders after a migration from UW IMAPd even if they are visible in + other clients (e.g. Roundcube, Thunderbird, or on the disk itself), + and you get the error message "BAD Error in IMAP command UID: Invalid + UID messageset" in the log or rawlog: It helps to remove the + problematic IMAP account completely from Outlook and recreating it + again there. It speaks a different IMAP afterwards, so there are + reasons to believe it caches the details of some server on the first + connect and doesn't refresh them even if you change the server's + hostname in the account settings. + +Outlook Express 6 +================= + +- Using "Headers only" synchronization is buggy and can cause "Message + is no longer available on this server" error when opening a mail. + This isn't Dovecot specific problem, and I'm not aware of any + possible workarounds at the moment for this in server side. 
+ +- You should enable :dovecot_core:ref:`imap_client_workarounds = + delay-newmail ` workarounds for IMAP. + +- You should enable :dovecot_core:ref:`pop3_client_workarounds = + outlook-no-nuls oe-ns-eoh ` workarounds + for POP3. + +Netscape Mail +============= + +I'm not actually sure what version exactly this refers to. + +- You should enable :dovecot_core:ref:`pop3_client_workarounds = + oe-ns-eoh ` workaround for POP3. + +Evolution +========= + +- Some versions don't support creating subfolders with mbox format. + Evolution in Ubuntu Gutsy, 2.12.0-0ubuntu5, does support creating + subfolders, at least when the parent folder is empty. + +Mulberry +======== + +Seems to be OK. + +Claws-mail +========== + +Everything works perfectly with Dovecot. + +Thunderbird +=========== + +- If you're using + :ref:`mbox `, + :ref:`dbox ` or + :ref:`Maildir ` with ``:LAYOUT=fs`` , + + - You should enable :dovecot_core:ref:`imap_client_workarounds = + tb-extra-mailbox-sep ` workaround for IMAP. + `Bug + report `__. + +- If you're using :ref:`mbox ` + + - If you are not using a technique to allow folders that contain + both sub-folders and messages (e.g. see :ref:`mbox_child_folders`) + then you will have to disable "Server supports folders that + contain sub-folders and messages" setting from Thunderbird. + `Enhancement + request `__. + +- Versions of Thunderbird from at least 17 (possibly earlier) up to + 24.0 display incorrect new mail counts in the New Mail notification + box. This is due to a bug in Thunderbird's handling of the CONDSTORE + extension. See `Bug + Report `__ for + details and a client-side workaround. + +Mutt +==== + +- New mutt versions supporting IDLE command will hang with Dovecot + versions earlier than v1.0beta3. Upgrade Dovecot or disable IDLE by + setting imap_idle=no in .muttrc. + +- `Using mutt with IMAP `__ + +Pine +==== + +Seems to be OK. + +SquirrelMail +============ + +- Configuration asks IMAP server name for some workarounds. 
There has + been a Dovecot option since 1.4.6 and 1.5.1. For older SquirrelMail + versions, select the "other" option and remove the default + INBOX-prefix. + +Horde IMP +========= + +Dovecot namespace detection works automatically with any recent version +of IMP (4.1+). + +Quota support is now integrated into the 'imap' driver (as of +horde-groupware V1.2), an example config of /imp/config/servers.php is: + +:: + + $servers['imap'] = array( + 'name' => 'IMAP Server', + 'server' => 'localhost', + 'hordeauth' => false, + 'protocol' => 'imap/notls', + 'port' => 143, + 'quota' => array('driver'=>'imap'), + ); + +RoundCube Webmail +================= + +Works fine. + +@Mail Webmail +============= + +Uses the namespace returned via Dovecot, full support via IMAP/POP3 +using `@Mail `__. Can also read mailbox quota via +the getquotaroot IMAP command. + +RainLoop Webmail +================ + +Works fine. From 1b611e4b4331706d7559f5565340245fcd816f7b Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Fri, 14 Jul 2023 10:49:10 +0300 Subject: [PATCH 20/22] installation_manual: Migrate compiling source page --- .../installation_guide/compiling_source.rst | 250 ++++++++++++++++++ source/installation_guide/index.rst | 1 + 2 files changed, 251 insertions(+) create mode 100644 source/installation_guide/compiling_source.rst diff --git a/source/installation_guide/compiling_source.rst b/source/installation_guide/compiling_source.rst new file mode 100644 index 000000000..b3053eae2 --- /dev/null +++ b/source/installation_guide/compiling_source.rst 
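Review bot: the Horde IMP example config uses 'protocol' => 'imap/notls' with 'port' => 143, i.e. a plaintext IMAP connection; since the example also has 'server' => 'localhost' that is defensible, but the text should say that notls is only appropriate for a loopback connection and that a Dovecot on another host needs a TLS protocol value, otherwise the snippet gets copied as-is into setups where webmail and Dovecot run on different machines. Separately, several entries are far older than the warning at the top suggests: the Mutt note about "Dovecot versions earlier than v1.0beta3" and the SquirrelMail note about "1.4.6 and 1.5.1" describe software nobody runs against a 2.x server any more and could be dropped rather than migrated.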
@@ -0,0 +1,250 @@ +============================== +Compiling Dovecot From Sources +============================== + +.. todo:: Update this page + +.. note:: + Dovecot is provided by package managers on most popular operating systems, + and we also provide packages at ``__, we encourage + you to use these instead of building sources yourself. + +For most people it is enough to do: + +:: + + ./configure + make + sudo make install + +That installs Dovecot under the ``/usr/local`` directory. The +configuration file is in ``/usr/local/etc/dovecot.conf``. Logging goes +to syslog's mail facility by default, which typically goes to +``/var/log/mail.log`` or something similar. If you are in a hurry, you +can then jump to :ref:`quick_configuration`. + +If you have installed some libraries into locations which require +special include or library paths, you can pass them in the ``CPPFLAGS`` +and ``LDFLAGS`` environment variables. For example: + +:: + + CPPFLAGS="-I/opt/openssl/include" LDFLAGS="-L/opt/openssl/lib" ./configure + +You'll need to create two users for Dovecot's internal use: + +**dovenull** + Used by untrusted imap-login and pop3-login processes, + :dovecot_core:ref:`default_login_user` setting. + +**dovecot** + Used by slightly more trusted Dovecot processes, + :dovecot_core:ref:`default_internal_user` setting. + +Both of them should also have their own **dovenull** and **dovecot** +groups. See :ref:`system_users_used_by_dovecot` for more information. + +Compiling Dovecot From Git +========================== + +If you got Dovecot from Git, for instance with + +:: + + git clone https://github.com/dovecot/core.git dovecot + +you will first need to run ``./autogen.sh`` to generate the +``configure`` script and some other files. 
This requires that you have +the following software/packages installed: + +- ``wget`` + +- ``autoconf`` + +- ``automake`` + +- ``libtool`` + +- ``pkg-config`` + +- ``gettext`` + +- ``pandoc`` (not strictly required - you can avoid it by using: + ``PANDOC=false ./configure``) + +- GNU make. + +It is advisable to add ``--enable-maintainer-mode`` to the ``configure`` +script. Thus: + +:: + + ./autogen.sh + ./configure --enable-maintainer-mode + make + sudo make install + +For later updates, you can use: + +:: + + git pull + make + sudo make install + +SSL/TLS Support +=============== + +Dovecot uses OpenSSL for SSL/TLS support and it should be automatically detected. +If it is not, you are missing some header files or libraries, or they +are just in a non-standard path. Make sure you have the ``openssl-dev`` +or a similar package installed, and if it is not in the standard +location, set ``CPPFLAGS`` and ``LDFLAGS`` as shown in the first +section above. + +By default the SSL certificate is read from +``/etc/ssl/certs/dovecot.pem`` and the private key from +``/etc/ssl/private/dovecot.pem``. The ``/etc/ssl`` directory can be +changed using the ``--with-ssldir=DIR`` configure option. Both can of +course be overridden from the configuration file. + +You can use `Mozilla SSL Configuration Generator +`__ +to get a decent SSL configuration. + +Optional Configure Options +========================== + +--help + gives a full list of available options + +--help=short + list the dovecot specific options only and hide the generic configuration options + +Options are usually listed as ``--with-something`` or +``--enable-something``. If you want to disable them, do it as +``--without-something`` or ``--disable-something``. There are many +default options that come from autoconf, automake or libtool. They are +explained elsewhere. + +Here is a list of options that Dovecot adds. You should not usually have +to change these, these are usually not needed. 
+ +--enable-devel-checks + Enables some extra sanity checks. This is mainly useful for + developers. It does quite a lot of unnecessary work but should catch + some programming mistakes more quickly. + +--enable-asserts + Enable assertion checks, enabled by default. Disabling them may + slightly save some CPU, but if there are bugs they can cause more + problems since they are not detected as early. + +--without-shared-libs + Link Dovecot binaries with static libraries instead of dynamic + libraries. + +--disable-largefile + Specifies if we use 32bit or 64bit file offsets in 32bit CPUs. 64bit + is the default if the system supports it (Linux and Solaris do). + Dropping this to 32bit may save some memory, but it prevents + accessing any file larger than 2 GB. + +--with-mem-align=BYTES + Specifies memory alignment used for memory allocations. It is needed + with many non-x86 systems and it should speed up x86 systems too. + Default is 8, to make sure 64bit memory accessing works. + +--with-ioloop=IOLOOP + Specifies what I/O loop method to use. Possibilities are ``select``, + ``poll``, ``epoll`` and ``kqueue``. The default is to use the best + method available on your system. + +--with-notify=NOTIFY + Specifies what file system notification method to use. Possibilities + are ``dnotify``, ``inotify`` (both on Linux), ``kqueue`` (FreeBSD) + and ``none``. The default is to use the best method available on your + system. See `Notify method <#notify>`__ above for more information. + +Generic features +---------------- + +--with-lua + Enables Lua support for authentication and push notifications. 
+ +--with-solr + Build with Solr full text search support + +Compression libraries +--------------------- + +--with-zlib + Build with zlib compression support (default if detected) + +--with-zstd + Build with zStandard compression support (default if detected) + + +SQL Driver Options +------------------ + +SQL drivers are typically used for authentication, and they may be +used as a lib-dict backend too, which can be used by plugins for +different purposes. + +--with-cassandra + Build with cassandra support (requires ``cassandra-cpp-driver``) + +--with-pgsql + Build with PostgreSQL support (requires ``pgsql-devel``, ``libpq-dev`` or + similar package) + +--with-mysql + Build with MySQL support (requires ``mysql-devel, ``libmysqlclient-dev`` + or similar package) + +--with-sqlite + Build with SQLite3 driver support (requires ``sqlite-devel``, + ``libsqlite3-dev`` or similar package) + +Authentication Backend Options +------------------------------ + +The basic backends are built if the system is detected to support them: + +--with-pam + Build with :ref:`PAM ` support + +--with-nss + Build with :ref:`NSS ` + support + +--with-bsdauth + Build with :ref:`BSD authentication ` + support (if supported by your OS) + +Some backends require extra libraries and are not necessarily wanted, so +they are built only if specifically enabled: + +--with-sql(=plugin) + Build with generic SQL support (drivers are enabled separately, see above). + You can also build this as a plugin. + +--with-ldap(=plugin) + Build with LDAP support (requires ``openldap-devel``, ``libldap2-dev`` or + similar package). You can also build this as a plugin. + +--with-gssapi(=plugin) + Build with GSSAPI authentication support (requires ``krb5-devel``, + ``libkrb5-dev`` or similar package) + +Dynamic IMAP and POP3 Modules +============================= + +The :dovecot_core:ref:`mail_plugins` setting lists all plugins that Dovecot is supposed +to load from the ``mail_plugin_dir`` directory at program start. 
These +plugins can do anything they want. + +The plugin filename is prefixed with a number which specifies the order +in which the plugins are loaded. This is important if one plugin depends +on another. diff --git a/source/installation_guide/index.rst b/source/installation_guide/index.rst index 157022637..d7cdf166d 100644 --- a/source/installation_guide/index.rst +++ b/source/installation_guide/index.rst @@ -8,6 +8,7 @@ Installation guide :maxdepth: 1 :glob: + compiling_source dovecot_pro_releases/index dovecot_community_repositories/index upgrading/index From 0ee6212b4cdd140811b66a4fcbbf2bdeb970ab69 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Mon, 17 Jul 2023 13:05:56 +0300 Subject: [PATCH 21/22] custom.css: Allow document to fill all available space --- source/_static/custom.css | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source/_static/custom.css b/source/_static/custom.css index 05392ec2c..41af9dd36 100644 --- a/source/_static/custom.css +++ b/source/_static/custom.css @@ -33,3 +33,7 @@ dl.dovecotsetting dd { overflow: hidden; text-overflow: ellipsis; } + +div.body { + max-width: none; +} From 2b1945806aede35b62a2e6f6d12189db05dca500 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 20 Jul 2023 10:52:25 +0300 Subject: [PATCH 22/22] spelling: Update expectations --- .github/actions/spelling/expect.txt | 530 +++++----------------------- 1 file changed, 86 insertions(+), 444 deletions(-) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 4f6fdbe48..4dbe34dee 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -1,12 +1,10 @@ aad ACCESSKEY achara -acl actimeo addflag addhdr addhdrvar -addheader ADDRESULT ADH adminpass 
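Review bot: two markup problems in the configure options list of compiling_source.rst. The --with-mysql entry has unbalanced literal markup, "(requires ``mysql-devel, ``libmysqlclient-dev`` or similar package)", which Sphinx will render with stray backticks; it should read ``mysql-devel``, ``libmysqlclient-dev``. The --with-notify entry says "See `Notify method <#notify>`__ above for more information", but nothing in this new file defines a notify anchor or section, so the link is dead and the sentence should be removed or pointed at the page that actually describes the notify methods. Also, since the page carries a .. todo:: Update this page, the --enable-asserts text "Disabling them may slightly save some CPU" deserves an explicit recommendation to leave asserts enabled in production; the same paragraph already notes that bugs then go undetected for longer.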
@@ -14,62 +12,46 @@ admins adminuser AEAD Aildir -algo aliasempty allbackups -alloc alloca alloconly -allof -alnum altmove altpath altstorage Amavis amavisd -amazonaws amz amzn AND'ing anotherhost antispam -anyof -api apk -apop apparmor Appe APPENDUID +Appsuite APY +arcfour architecting Archlinux -arglist -args -argv asd asdfgh -aspx Atilika -atime atimes atmail ATo -attr auid authpriv authtok authuser authz -autoconf autocreate autocreated Autocreation -autodetect -autodetection autoexpunge autoexpunged autoexpunging -autofix autoforward autogen autoindexed @@ -80,24 +62,15 @@ autosubscribed autotools auxw avc -aws azp -backend -backtraces bantime barfoo basearch -baseurl -bashrc bayes -baz bcc -bcrypt BDAT -bdb bernat beupdatescript -bigint bindir bitfield bitmask @@ -105,7 +78,6 @@ BITMIME blitiri blkid blockdev -blog bodystructure Boehm Bokmal @@ -114,63 +86,45 @@ BROKENCHAR bsdauth BSDs bsearch +bsmtp btrfs bucketname -buf bugreport bugzilla Buildkey -bzip bzlib -cacert CACERTDIR -CAfile -calloc CANTCREAT CApath -cas Cazabon -cbc +ccert cdb cdmi certbot -certs -cfg CFLAGS -cgi Chales -changelog changetype -charset chasquid chcon checkpassword checkpwd CHECKSCRIPT -chgrp -chmod -chown chronos chrony -chroot chrooted chrooting chroots -CIDR cifs cip cipe Ciphersuites CJK -cleartext clockspeed -closedir clucene clusterfs cmake cmdlog cmds -cmp cmusieve cnf cnrilrgfclra @@ -178,10 +132,8 @@ codahale codinghorror coi commitlog -compat Compuserve -concat -config +CONDSTORE copybox COPYUID coretest @@ -190,37 +142,25 @@ courierimapuiddb cov cpanel CPID -cpp CPPFLAGS cql cqlsh -crlf CRLFs CRLs -cron -cronjob crt -cryptokey -ctime ctlr -ctx -CUID currentdate currentmodule customflags -CXX cydir cyrusimap datacenter DATAERR datalake -datasource datastack datastax datatracker -datetime dbg -dbname dbox dboxes dclocal 
@@ -228,65 +168,53 @@ dcrypt DDTHH debian debuginfo -deduplicate deeplinks defaultdelivery -deinit deinitialization Deinitialize deinitialized Deinitializing delaycompress -DELETEACL deleteheader denotify dentries -DEPS deref -dest destuser desync desynchronized -devtools DHd -DHE Dhesi -dhparam dhparams dictdiffmap dictmap dictrevmap -dicts -Diffie digestmd -DIRNAME dirnamename -dirpath -dirs dirsize displayname distros -DKIM dlog dlua DMARC +dnotify dnpass -dns docidx Docindex -DOCTYPE domaindb domainless domainname dontlognull dotlock dotlocking +dotnet dov doveadm doveauth doveconf +dovecotadded dovecotdirector dovecotpw +dovecotremoved dovelda dovemail dovemon @@ -295,7 +223,6 @@ downsides DRhu Droid droppriv -dsa dspam dsync dsyncing 
@@ -305,221 +232,139 @@ dumpable dumpe dumpster EACCESS -EAGAIN ecc -ECDH -ECDHE -ECDSA ECIES econds -ecparam ecprivkey ecpubkey editheader -EDQUOT +effinger egid -egrep -ehlo EID Eing -EINVAL ekh -elasticsearch -ELOOP -elsif emacs emaillookup -emails -encodestring -endian -endianness -endif endscript ENHANCEDSTATUSCODES -ENOENT -ENOSPC -ENOTDIR enotify -enum envid eoh eokb -eol -eperm epk -EROFS -errno esac ESEARCH -ESMTP ESORT ESTMP ETRN etuid -euc eucjp euid -EVP examplescripts -exe -executables exim +exportkeytab Expu extdata Extextcat extprograms extracttext exttextcat -facebook FADV fadvise -failover failregex -fcntl fcontext -fdatasync -fds fetc fetchmail FETCHs fgrep -fieldname fieldvalue fileinto -filepath -filesystem findtime -FIXME flagsmodseq flatcurve flushall foop foos -foreach foreverypart -formatdate forwardfor fpdb -fqdn -frontend +Fqhu frontends FROP fsbench fscache -fsck fscrypt fsgid fsserver -fstab -fstat fsuid -fsync fsynced fsyncing +ftn fts ftscache FULLDIRNAME fulltext -func gauner gcc gcda -gcm gcov -gdb gecos gendh genhtml geninfo genkey genpkey -getacl -getenv -gethostbyname gethosterror -gethostname getmail getmailbird -getpid -getpwnam -GETQUOTA -GETQUOTAROOT -getrusage GETSCRIPT -gettext -gitlab -glibc -globals Globalsign Gluster -gmail gmatch gno gnomint GNUC -google -googleapis gpg gpgcheck gpgkey -grep +groupware gss gssapi -gui -gzip halon -haproxy hara -hardcoded -hardlink hardlinking hardlinks hasfrop -hashmap hatv hba hda HDD hdr -HELO hendrik hexblob -hexdump hexuc -HHMMSS highestmodseq HIGHESTPVTMODSEQ -hmac -homedir +hordeauth hostaddr hostchange -hostname Hotspot howto -htaccess +howtoforge htdigest htiweb -htm -html htpasswd -http httpchk -httpd httplog -hypervisor -iam IAT ICAL -icu idx IES ietf -iface +ifmail ignoreunlimited -ihave ilo IMA -imap imapc imapcpass imapd @@ -528,6 +373,7 @@ imapflags imaps imapsieve imaptest +imapusers imapwiki IMDS imem 
@@ -538,75 +384,62 @@ inboxes INCLUDERC indexfiles INDEXPVT -inet inka -inlined inlines Inno -ino -inode inodes inodetofile -inotify INTERNALDATE internalfail -Interoperability -interoperable inthread -intmax -INUSE inute invol IOERR ioloop -iops iostream ipairs -ipc ipt -iptables iredmail +ispmail isps istream ITERINDEX itip -javascript jeffpc jessie -jis JMK johndoh joulu -json junkflag jvm -JWT +kde kdump -keepalive -Kerberos +Kek +keychain keyid keypair keyspace keytab KIB +kinit +klist kludgy kmail korvatunturi KPOP -kqueue krb ktrace kurkku kuromoji kuserok KVM +KVNO LANMAN +largefile lasthost lastlogin -launchd lcov lda -ldap ldapi ldapmodify ldaprc @@ -616,68 +449,63 @@ LDFLAGS ldif learntype leastconn -len letsencrypt LFs lgdb LHLO LIBADD +libanonymous libbzip -libc +libcrammd libcs -libcurl +libdigestmd libdovecot libexec libexpat libexttextcat libicu +libkrb +libldap liblib liblz -liblzma +libmysqlclient +libntlm +libotp libpam libpq +libsasl +libsasldb libsodium +libsqlite libstemmer -libtool -libuv libwrap lifewithqmail linelen linenos -linux listescape +listfile listindex listname LISTSERV literalinclude -llvm lmtp lmtpd lmtponly lmtptest -localhost -localpart -localtime +localdomain lockd lockdir lockf -lockfile locklessint logbsize logbufs logdev -logfile loghdr LOGINDISABLED loginuser -loglevel LOGNAME logpath -logrotate logsock -lowercased -Lowercases -lowercasing lowwater lport lrs @@ -686,12 +514,10 @@ lrwstipeka lrwstipekxa lrwstipekxacd lsearch -lsub -ltn -lua lucene lugog maclen +madboa mailboxdir mailboxguid mailboxname @@ -702,21 +528,19 @@ maildirquota maildirsize maildrop mailfolders -mailfrom mailhome Mailinglist maillog +mailreader mailserver mailstore -mailto +mailwriter maj makecache Makefiles -malloc managesieve managesieved manmaster -manpage MARF markasjunk masteradmin @@ -725,10 +549,9 @@ masterpassword masteruser maxconn maxdepth -maxlen +maxproc maxretry Maxuid -mbox mboxchildfolders mboxcl mboxes 
@@ -740,29 +563,18 @@ mda mdbox melnikov memarea -Memcache -memcached -memmove -mempool -memset memtable mergequota messageguid +messageset metacache metacpan -metadata metamail microsites -microsoft -middleware millisecs mimencode -misconfigured missingok mkcert -mkdir -mkfifo -mkfs mkhomedir mmap mmencode @@ -774,46 +586,39 @@ mozilla mpi mpid mseconds -msecs -msgid -msgs msn mta -mtime mtimes MUAs MULTIAPPEND -multiline multiport multiscript murchison mutf +muttmua +muttrc mybox +mydestination +mydomain myfolder myfoldertoo myhostname mynetworks mypassword -myrights myscript -mysql mysqld myuser myusername -namespace NBF nbproc neomutt -netmask -Netscape newkey newlock newmail -newname Newsgroups -NFKC +newtok +nexthop NFKD -nfs ngrams ninf NLEVEL @@ -828,77 +633,65 @@ nodelay nodeps nodetool nodiratime +nodns noenforcing -NOHOST noindex NOINFERIORS -NOINPUT noiv nolock nologin -nonblock nonindexable nonnull Nonspacing -NOPASSWD +noout nopassword -NOPERM nopipelining nordirplus noreplicate -noreply noscheme nosearch noselect nosep nosuid -notfound notifempty +notls notwhat nouser NOVALGRIND nproc nscd nsend -nsname nss ntlm ntp -ntpd -ntpdate nullok nuls nulsoe -oauth oauthbearer -objectid obox ocn OCRPT ODMR offenburg -oid OIDC olc oldkey -oldname oldstats onelevel -opendir +onerr opendirectory -openid -openldap openmetrics opensmtpd opensource -openssl +OPENSSLDIR opie opsec optboolean optname -OR'ing +oqmgr orcpt origbox +OR'ing ORing orld OSERROR 
@@ -916,59 +709,40 @@ oxuser packagecloud pacman pandoc -params passdb passthrough -passwd Pbase pbkd -pbkdf -pdf -pem -perl +pcre pfs PGP -pgsql -php -phtml -pid pidfile pidof pids Piljk pipermail -pkcs -pkey pki plaa -plist plpgsql -png +policyd popclient -popcount porkmail -posix postconf postfixadmin -Postgre +postgre postgresql +postgrey postlogin postrotate powerdns poweruser -ppid -pragma pread PREAUTH preauthenticated -Prebuilt precache precaching -prefetch -prefetching preinit PREREQ -printf printfa Proactively procmail @@ -977,7 +751,7 @@ proctitle promotionalmail proofpoint PROT -proxyauth +proxymap Ptest ptr ptrace @@ -985,14 +759,16 @@ pubout pukki pushmail PUTSCRIPT -pwd +pwcheck pwdfile pwhash +pwreq pwrite qmail +qmgr +qmqpd QQACg QRESYNC -qsort qwerty rackdc rampup @@ -1002,25 +778,15 @@ rchar rdineren rdparty reada -readahead -readdir readdirplus -readlines -README -readonly -readthedocs realloc +realname recalc Recentuid RECURSIVEMATCH -recv -redis redownloaded redownloading -refcount refcounting -regex -regexp releasever remotehost remoteprefix @@ -1028,33 +794,24 @@ RENAMESCRIPT replicator repoquery reqbody -requeue rescanned rescanning resolv -resync resyncing -retr -rfc -rhel RHu RLIMIT +rmail Rnotation roundcube roundrobin -roundtrip rpa -rpc rpms rport rquota rsaprivkey rsapubkey -rset rspamc rspamd -rss -rst rsyslog Rvdm rwstipekxa @@ -1062,16 +819,14 @@ rwstipekxacd rwxt samik samitest -sasl +saslauthd savedbefore savedsince SAVEONLY -sbin +scalemail scality scontext -scriptlet scriptname -SCRYPT sdbox sdc SDPS 
@@ -1081,64 +836,43 @@ secmail secp secretpassword seealso -seekable SELEC selfservice semanage -sendfile -sendmail SENDMAILFLAGS Sentmail +seperately seqno SERVERBUG servermetadata -servername -ses -setacl SETACTIVE setcred -setflag -setgid -SETQUOTA setra -setsid -SFTP sgid SHAREDDIR sharedmail sharedscripts sharedusers -shm showcerts +showq sievec sievemailinglist sieverules -SIGHUP -SIGTERM -sizeof -sjis -slapd slashdot slusarz smbfs smi -smtp -smtpd smtps snarf snowballstem snprintf -Solaris solib -solr solrcloud solrconfig -somaxconn somedict sourceforge sourceuser sourceware -spam spamassassin spamc spamd @@ -1148,93 +882,62 @@ spams spamtest spamtestplus specialuse -SPF SPID splitrow +spn spnego sproxy sproxyd -sql sqlhost -sqlite sqlpass sqlpool sqlquota sqluser -src srv ssd ssha -ssl ssldir sstable stackbuf -standalone -starttls STATEDIR staticbuf Stax -stddev -stderr -stdin -stdout STln -STLS stopword storageid -strace strarray strconcat -strcpy strdup strescape -strftime strfuncs strlcpy -strlen strocpy strp strsplit -structs STW +subaccounts subaddress subdomain -subfolder subfolders subjwas subkey submissiond subname -substr subsys Subtables subvalue -sudo -sudoers -SUSE svbin swapoff -swappiness sylpheed -symlink -symlinking -sys sysadmin -syscall syscalls -sysconfig syscr -sysctl syscw sysexits -syslog syslogd syslogging sysreport -systemctl -systemd TABLEGEN -tarball tarballs targethost Tarpit @@ -1242,27 +945,23 @@ tarpitted tarpitting tclass tcontext -tcp TCPLOCALIP tcplog TCPREMOTEIP tcps -tcpwrap tecadmin technet -telnet tempdisabled tempfail tempfailing +templating Tenuring terabytes testaccounts testmbox Testmsg testpass -testpassword testshared -testuser textcat tgz thesmbexchange 
@@ -1271,42 +970,30 @@ tika tikahost timesieved timeval -timezone timo timsieved tinyca tinyint -tld tldmypassword tldmyusername TLDR -tls -tmp +tlsmgr tmpfs tmpmbox toctree -todo tohdr tokeninfo -tokenization -tokenizer -tokenizing tosivaikeasalasana -tostring transitioning -trie Trojita tscript -ttl +TTLs tukaani tuxfamily -txn TYPECHECK typedef tzknvtr -uid uidgid -uidl uidlist uidlpop uidls @@ -1315,46 +1002,30 @@ UIDPLUS uids uidv uidvalidity -uint UKS -ulimit -umask -umount unaccessed -unalias unaliased -uname unauth uncoment -uncomment -uncompress unconfigured -undelete -unescape +und unhibernate unhibernated unhibernation -unicode -unixfrom unixtime unixtimedate unmark -unref -unreference +unpriv unsubscribable -unsubscribe unsubscriptions +unter uoff -uploader upn uppercased uppercasing upperfirst Urg -uri -url urlauth -usec usecs usercache userdata @@ -1364,47 +1035,35 @@ userguide userid userinfo userip -userlist -username usernames +userok userslist -usr -utf -utils -utime -UUID +uucp uuuuuu +uux Uvh vacationcheck valgrind Valgrinding -varchar -VBox vboxadm vda vdb Venema -venv -versionadded -versionchanged -Versioning versionremoved vfile vfuncs vgdb -vhost vhosts virtualdate virtualenv virtualised -virtualization -virtualized virustest Vjcm vlan vlast vmail vmback +vmm vmware vname vnd @@ -1412,35 +1071,25 @@ VOLATILEDIR VPop VPS vpv -VRFY vsize vsz wal wbytes -wchar +wcf weakforced webmail webpage -website wforce -wget -whitelisting Wietse -wiki wikipedia wikis -wildcards WILLNEED winbind -Wordlist -workaround worl +wrappermode writetime wso -www xapian -xargs -xattr XBAR xchange xclient @@ -1450,18 +1099,11 @@ Xes XFOO xfs Xloggc -xml xoauth Xpunge XRCPTFORWARD xuidl -yaml -yml yourldap -yyyymmdd -ZFS zimbra -zlib ZMailer Zstandard -zstd