| Commit message (Collapse) | Author | Age | Files |
... | |
|
|
|
|
|
|
|
| |
SMTP client connection caching was introduced in 2.6.0: the SMTP session is
held for the next task (in adaptative mode, only when there was a delay of only
5s between the two previous mails), but Postfix will terminate it if the next
mail doesn't come soon enough, or if amavis does't terminate it itself (usually
after 15s).
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
(Unless a new instance is created, or the master.cf change is modified.)
Changing some variables, such as inet_protocols, require a full restart,
but most of the time it's overkill.
|
|
|
|
|
|
| |
And don't restart or reload either upon change of pcre: files that are
used by smtpd(8), cleanup(8) or local(8), following the suggestion from
http://www.postfix.org/DATABASE_README.html#detect .
|
|
|
|
| |
So unfortunately we can't fit a 2048-bits RSA key.
|
| |
|
| |
|
|
|
|
| |
For DKIM signing and virus checking.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Unlike adduser(8), ansible's 'user' module copies skeletal configuration
files even for system users (unless called with createhome=no).
|
|
|
|
|
|
|
| |
This is important as we don't want the IMAP server baning the webmail,
for instance. (The fail2ban instance running next to the webmail should
ban the attacker, but that running next to the IMAP server shouldn't ban
legit users.)
|
|
|
|
|
|
|
| |
The reason is that we don't want to rely on CAs to verify the
certificate of our server. Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint. stunnel
does.
|
| |
|
|
|
|
|
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
| |
|
|
|
|
|
|
|
| |
In 2.1.7 they are buggy, and make Dovecot crash (when connected through
Evolution for instance). They have improved a lot since, though:
http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS
|
|
|
|
|
|
| |
Sadly not doing so and keeping a table message ID -> username, like we
do for SASL authenticated users, doesn't seem trivial here. We could
encrypt the header, though.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In fact we want to only rewrite the envelope sender:
:/etc/postfix/main.cf
# Overwrite local FQDN envelope sender addresses
sender_canonical_classes = envelope_sender
propagate_unmatched_extensions =
sender_canonical_maps = cdb:$config_directory/sender_canonical
:/etc/postfix/sender_canonical
@elefant.fripost.org admin@fripost.org
However, when canonical(5) processes a mail sent vias sendmail(1), it
rewrites the envelope sender which seems to *later* be use as From:
header.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This is required for dbox, see
http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There seem to be multiple bugs with the version from wheezy-backports
(2.2.9-1~bpo70+1), and the client is killed on THREAD commands:
guilhem@elefant:~$ telnet localhost 143
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a LOGIN guilhem xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY] Logged in
b SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 8060 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1302032711] UIDs valid
* OK [UIDNEXT 78905] Predicted next UID
* OK [NOMODSEQ] No permanent modsequences
b OK [READ-WRITE] Select completed (0.395 secs).
c THREAD REFERENCES UTF-8 ALL
Connection closed by foreign host.
:/var/log/syslog
Jun 27 21:58:01 elefant dovecot: imap(guilhem@fripost.org): Fatal: master: service(imap): child 24907 killed with signal 11 (core dumps disabled)
Jun 27 21:58:01 elefant kernel: [248570.057270] imap[24907]: segfault at 400 ip 00007f7651596e09 sp 00007fff6e267760 error 4 in libdovecot.so.0.0.0[7f765153a000+cc000]
Other (less scary) errors can be found in the syslog:
Jun 27 20:26:09 elefant dovecot: imap(xxxx@fripost.org): Error: file_dotlock_open() failed with file /home/imapproxy/fripost.org/xxxx/imapc/dovecot.list.index.log: No such file or directory
Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc(imap.fripost.org:993): Command '11 APPEND "Sent" (\Seen) {2512485}' timed out, disconnecting
Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc: COPY failed: Disconnected from server
Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Disconnected: IMAP session state is inconsistent, please relogin. in=2512632 out=969
This is infortunate as we cannot benefit from the 'fetch-headers'
imapc_features right now. However, the bugs (at least the segfault) seems to
be fixed as of 2.2.13-1, the version which can currently be found in testing.
Hopefully it'll be backported soon :-)
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This ensures that Dovecot won't deliver messages if the disk hasn't been
mounted, for instance.
|
|
|
|
| |
So we set 'first_valid_uid' to 1, to accept any UID.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Interesting features include caching of mail headers (v2.2.8+) as well
as new IMAP capabilities.
|
|
|
|
|
|
| |
Recent versions have a whole bunch of bugfixes and nice new features:
http://trac.roundcube.net/wiki/Changelog
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, generate a server certificate for each host (on the machine
itself). Then fetch all these certs locally, and copy them over to each
IPSec peer. That requires more certs to be stored on each machines (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines.
|