I note that after the update to Dovecot 2.4, /etc/pam.d/dovecot was missing on my system, meaning that people who were accessing POP accounts belonging to usernames (as opposed to virtual email addresses) could not authenticate. I had to recreate it myself to restore previous functionality.
DirectAdmin 1.676
- Thread starter fln
- Start date
Dovecot fail to start
Confirm error,
with DA conf "ssl_configuration=old"
Confirm error,
with DA conf "ssl_configuration=old"
- Joined
- Aug 30, 2021
- Messages
- 1,135
A new release is made with the following fixes:
- Make sure Dovecot 2.4 works in the
ssl_configuration=oldmode, thanks @petersconsult and @Ohm J - Create Dovecot PAM configuration for RHEL systems (Debian systems works without explicit config), thanks @Swift-AU
vinao
Verified User
- Joined
- Sep 16, 2024
- Messages
- 14
Hello
Today there was an update to dovecot.conf 0.5
Will it be necessary to allow the old authentication policy again after this update?
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = yes' >> /etc/exim.variables.conf.custom
da build exim_conf
(too many clients use this option to change it immediately)
Today there was an update to dovecot.conf 0.5
Will it be necessary to allow the old authentication policy again after this update?
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = yes' >> /etc/exim.variables.conf.custom
da build exim_conf
(too many clients use this option to change it immediately)
Richard G
Verified User
In regards to SMTP forcing secure authentications, does this also apply for Dovecot's POP3 and IMAP? Seems it's rather pointless to force secure log ins with SMTP if POP3 and IMAP is still allowed to be insecure. I don't see any specific mentions of this in the changelog, but there's a lot going on with the Dovecot 2.4 upgrade, so maybe it's included there.
Also has any thought been put into the potential ramifications of new accounts setting up email accounts before there's been a chance for a secure certificate to be issued?
I have to defer a bit on this because I'm using my own self-developed certificate issuance system and not what's built-in to DirectAdmin, so I don't know exactly how DirectAdmin's certificate issuance system works. But, I presume there's a timer to check for if a user's domain name resolves to the server to issue a certificate. Certificates cannot be issued immediately because you never know when a new user will modify the nameservers for their domain to resolve to your server. You'd expect it to be pretty quick, but I've also seen it take multiple hours to multiple days for users to modify their nameservers. Of course, an email address is not going to do any good until the domain is resolving to the server - which would mean the nameservers have been modified. But there's always that brief period between the user modifying their nameservers and the domain starts resolving correctly and then another brief period before a secure certificate is automatically issued.
Also has any thought been put into the potential ramifications of new accounts setting up email accounts before there's been a chance for a secure certificate to be issued?
I have to defer a bit on this because I'm using my own self-developed certificate issuance system and not what's built-in to DirectAdmin, so I don't know exactly how DirectAdmin's certificate issuance system works. But, I presume there's a timer to check for if a user's domain name resolves to the server to issue a certificate. Certificates cannot be issued immediately because you never know when a new user will modify the nameservers for their domain to resolve to your server. You'd expect it to be pretty quick, but I've also seen it take multiple hours to multiple days for users to modify their nameservers. Of course, an email address is not going to do any good until the domain is resolving to the server - which would mean the nameservers have been modified. But there's always that brief period between the user modifying their nameservers and the domain starts resolving correctly and then another brief period before a secure certificate is automatically issued.
- Joined
- Aug 30, 2021
- Messages
- 1,135
@sparek, there are no changes in how IMAP and POP work in this release. Authentication in POP/IMAP can be performed over plain text. But we need to start somewhere.
We deliberately avoided adding any changes in Dovecot config as part of the migration from 2.3 to 2.4. The Dovecot 2.4 configuration is more flexible and would allow some config simplifications and improvements, but our goal was to keep the configs 1:1 semantically and structurally compatible (between 2.3 and 2.4) as much as possible. This is to make it easier for admins that have Dovecot customisations to port them to the 2.4 version. Bigger changes for Dovecot configs are postponed until the migration to 2.4 is finished.
@Richard G The auth driver was one of the things we could not keep compatible. Dovecot 2.3 used the
Thanks to the prevalence and availability of free TLS certificates, using encryption always and everywhere is no longer a problem. There will always be non-standard configurations and problematic edge cases, but it is easier to look at the problem from the following perspective. Imagine a situation where a user is having problems with TLS certificates (for reasons beyond our control). Which outcome would be preferred:
We deliberately avoided adding any changes in Dovecot config as part of the migration from 2.3 to 2.4. The Dovecot 2.4 configuration is more flexible and would allow some config simplifications and improvements, but our goal was to keep the configs 1:1 semantically and structurally compatible (between 2.3 and 2.4) as much as possible. This is to make it easier for admins that have Dovecot customisations to port them to the 2.4 version. Bigger changes for Dovecot configs are postponed until the migration to 2.4 is finished.
@Richard G The auth driver was one of the things we could not keep compatible. Dovecot 2.3 used the
shadow auth driver, but in Dovecot 2.4 it was replaced with the PAM auth driver. The PAM config for Dovecot is not needed for Dovecot 2.3. Yes, it is used for UNIX user password authentication.Thanks to the prevalence and availability of free TLS certificates, using encryption always and everywhere is no longer a problem. There will always be non-standard configurations and problematic edge cases, but it is easier to look at the problem from the following perspective. Imagine a situation where a user is having problems with TLS certificates (for reasons beyond our control). Which outcome would be preferred:
- User just configures email client to use plain text. Everything works fine for the user. Even after a TLS certificate is issued, there is no mechanism to prompt the user to revisit his email configuration and upgrade to use encryption. His password can be passively sniffed at any time by anyone along the path from him to the DA server.
- Email does not work without encryption. The user is forced to pick one of:
- Do not use email until the TLS certificate issue is resolved. The user is pressured to seek help from admin or others.
- Use server host name. He could switch to using his domain once the TLS certificate is issued. Most likely he will not.
- Use his domain name, but accept the invalid cert once (server host name certificate or self-signed certificate). Once the TLS certificate is issued, everything will work as expected.
- Configure email with disabled cert validation (always accepting all certificates). The user will be vulnerable to active MITM attacks. At least the user is protected from passive sniffing.
zEitEr
Super Moderator
Quota warning configs might need to be updated per this docs: https://doc.dovecot.org/2.4.0/core/plugins/quota.html#quota-warning-scripts
Related:
- https://docs.directadmin.com/other-...ser-level.html#lmtp-quota-limit-notifications
- http://files.directadmin.com/services/all/91-quota-warning.conf
Meanwhile when tried the new config it reported 75 error:
Code:
Error: userdb: client doesn't have lookup permissions for this user: userdb uid (1065) doesn't match peer uid (8) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })as of now it is:
Bash:
# ls -al /var/run/dovecot/auth-userdb
srw-rw-rw- 1 dovecot root 0 Apr 24 11:22 /var/run/dovecot/auth-userdbthe error above fixed by (thanks to Kristian and his message #42):
Bash:
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
user = root
unix_listener quota-warning {
user = mail
mode = 0660
}
}
Bash:
quota-warning: Fatal: master: service(quota-warning): child 1176063 returned error 75
auth([email protected],127.0.0.1,sasl:plain)<X8NSJYMzFp5/AAAB>: virtual_user: Password mismatchand quota warnings can not be sent.
Last edited:
wila
Verified User
- Joined
- Dec 15, 2017
- Messages
- 95
Is there an easy way to check if any of my customers still use port 25, for example by grepping for it in the logs?
(I'll go have a look now myself, but figured that this might be useful anyways)
edit: Didn't see an obvious way to check for this in the logs, but hopefully there is a way.
Things I am also worried about besides customers are tools, such as backup scripts and other helpful scripts that are supposed to check things and now stop being able to report when things go bad. So I prefer to find where port 25 is used before turning it off and discover a foot gun later on.
(I'll go have a look now myself, but figured that this might be useful anyways)
edit: Didn't see an obvious way to check for this in the logs, but hopefully there is a way.
Things I am also worried about besides customers are tools, such as backup scripts and other helpful scripts that are supposed to check things and now stop being able to report when things go bad. So I prefer to find where port 25 is used before turning it off and discover a foot gun later on.
Last edited:
- Joined
- Aug 30, 2021
- Messages
- 1,135
@wila The default Exim configuration does not log the incoming TCP port. Logging of incoming connection details can be enabled by customizing the
In main Exim log file
Update:
All authenticated connections without encryption can be quickly grabbed with:
This works with the default exim log, no changes to exim.conf needed.
/etc/exim.conf file and appending +incoming_interface to the log_selector field:
Code:
...
log_selector = \
+incoming_interface \
...In main Exim log file
/var/log/exim/mainlog the log lines will have I={ip}:{port} section, authenticated connections will have P=esmtpa or P=esmtpsa (if encryption is used). Quick grep over the logs that used 25 port (with or without encryption) would be:
Code:
grep 'I=[^ ]*:25\s.*P=esmtps\?a' /var/log/exim/mainlogUpdate:
All authenticated connections without encryption can be quickly grabbed with:
Code:
grep P=esmtpa /var/log/exim/mainlog | grep -F -v -e ' [::1] ' -e ' [127.0.0.1] 'This works with the default exim log, no changes to exim.conf needed.
Last edited:
wila
Verified User
- Joined
- Dec 15, 2017
- Messages
- 95
dkzr
Verified User
- Joined
- Aug 30, 2021
- Messages
- 1,135
If custom ImageMagick7 is never removed (the command
da build remove_imagemagick is never executed), the PHP extension will prefer the custom (non system) ImageMagic version.This means existing servers can opt to not remove it. New servers will always use the ImageMagic that comes with the system unless custom version is manually installed in /usr/local/.... For standard web applications the version of ImageMagic library does not really matter that much.
Note: Debian 13 provides ImageMagic7.
castris
Verified User
Support told me this discussion also relates to the message below, but I don't see any logic or the slightest hint that it has anything to do with the change made and what's being discussed here.
Am I mistaken or did I miss something?
> R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
Am I mistaken or did I miss something?
> R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)