courier-imap Mailing List for Courier Mail Server
From: Sam V. <mr...@co...> - 2023-11-25 16:08:37
Download: https://www.courier-mta.org/download.html

Changes:

• Fix generated Date: header issues in timezones that have a non-standard alternate timezone offset
• pop3 and imap logs also indicate whether the connections used starttls or stls
• add missing TLS_PRIVATE_KEYFILE setting to esmtpd.dist

From: Sam V. <sam...@gm...> - 2023-11-06 23:54:32
On Mon, Nov 6, 2023 at 6:36 PM <co...@jo...> wrote:

> Hello,
>
> There is a very old server running a very old courier-imap:
>
> Courier-IMAP 4.10.0/i386-portbld-freebsd8.1/Sun Feb 5 20:50:23 PST 2012
>
> Recently, an account on this server attempted to delete ~120GB of mail
> piled up in the inbox via an iPhone mail client.
>
> This resulted in a massive copy of data to a .Deleted\ Messages/ maildir
> directory.
>
> As this proceeded to use all free disk space, the IMAP server was shutdown
> to prevent system crash.
>
> Now, there is a lot of mail stuck in the .Deleted\ Messages/tmp/ directory:

No, the account on this server did not attempt to delete anything. The "iPhone mail client" issued an IMAP COPY command to copy a large number of messages from some folder, probably INBOX, into a different folder called "Deleted Messages". There's nothing particularly special about an IMAP folder called "Deleted Messages". Apparently, the "iPhone mail client" creates this folder to represent messages that are pseudo-deleted. Presumably, after some period of time, the "iPhone mail client" will quietly delete, actually delete, the individual messages after they've been sitting in this pseudo-"Deleted Messages" folder.

> First I tried to rm this directory and restart courier-imap, but the next
> time the acct client connects, it begins filling this directory again.

When an IMAP client issues a COPY command to copy a large number of messages into a different folder they get copied into a tmp subdirectory first. After all messages are copied there they get moved into the new or the cur directory, together. It looks like the large number of messages that the "iPhone mail client" is apparently trying to copy, at the same time, is blowing up your storage. The operation fails, and the "iPhone mail client" receives an appropriate error. Which causes it to simply try again at the next opportunity.

> I also tried to delete this with a python imaplib script, but the mail in
> the tmp/ dir is not recognized by imaplib.
>
> Is there some courier-imap admin utility that can clear/expunge this tmp/
> dir?

There is no "admin utility" of any kind. All operations on IMAP folders can be carried out manually using regular commands, like "mv" or "rm". Courier-IMAP will update its own files to reflect the changes to the actual folders.

> Is there any method short of deleting the acct and starting over that will
> cause these messages to be purged from the tmp/ directory to cur/ where
> they could be deleted and expunged?

Purging messages from the tmp/ directory, in this case, will accomplish absolutely nothing, whatsoever. Deleting messages will have no effect on the "iPhone mail client". It will continue, apparently, trying to copy a large number of messages from one folder to another.

> I'm about to shut down courier-imap again, since the free disk space is
> about to be depleted.

What you need to do is determine which messages are being copied into the "Deleted Messages" folder, which folder they're coming from, and which messages they are. Having done so, just "rm" the messages in their original folder. Hopefully, the "iPhone mail client" will see that the messages that it's attempting to pseudo-delete don't exist any more, the next time it connects to the IMAP server, and it will then do nothing.

When the dust settles you should look into implementing quotas.

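One way to do the identification step suggested in the reply above, as an added example that is not part of the original message and is not a Courier tool. `find_copy_sources` is a hypothetical helper; it assumes the files stuck in tmp/ are byte-identical copies of their source messages, and that INBOX is the top-level maildir with other folders stored as ".Name" directories, as in the `du` listing in this thread.

```python
import hashlib
import os
from collections import defaultdict


def _sha256(path):
    """Hash a file in 1 MiB blocks so large messages are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.digest()


def _files(directory):
    """Yield regular files in a directory; yield nothing if it is missing."""
    if not os.path.isdir(directory):
        return
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            yield path


def find_copy_sources(maildir, stuck_folder=".Deleted Messages"):
    """Map each source folder to the messages whose content also sits in
    <maildir>/<stuck_folder>/tmp. Read-only: nothing is moved or deleted."""
    # Index the stuck copies by size so only same-size files get hashed.
    stuck_by_size = defaultdict(list)
    for path in _files(os.path.join(maildir, stuck_folder, "tmp")):
        stuck_by_size[os.path.getsize(path)].append(path)

    # Assumption: INBOX is the top-level maildir, other folders are ".Name".
    folders = [maildir] + sorted(
        os.path.join(maildir, d) for d in os.listdir(maildir)
        if d.startswith(".") and d != stuck_folder
        and os.path.isdir(os.path.join(maildir, d)))

    stuck_hashes = {}
    sources = defaultdict(list)
    for folder in folders:
        for sub in ("cur", "new"):
            for path in _files(os.path.join(folder, sub)):
                candidates = stuck_by_size.get(os.path.getsize(path))
                if not candidates:
                    continue
                digest = _sha256(path)
                for stuck in candidates:
                    if stuck not in stuck_hashes:
                        stuck_hashes[stuck] = _sha256(stuck)
                    if stuck_hashes[stuck] == digest:
                        sources[folder].append(path)
                        break
    return dict(sources)
```

The result lists, per source folder, the messages the client keeps trying to copy; review that list before removing anything from the original folder.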
From: <co...@jo...> - 2023-11-06 23:33:22
Hello,

There is a very old server running a very old courier-imap:

Courier-IMAP 4.10.0/i386-portbld-freebsd8.1/Sun Feb 5 20:50:23 PST 2012

Recently, an account on this server attempted to delete ~120GB of mail piled up in the inbox via an iPhone mail client.

This resulted in a massive copy of data to a .Deleted\ Messages/ maildir directory.

As this proceeded to use all free disk space, the IMAP server was shutdown to prevent system crash.

Now, there is a lot of mail stuck in the .Deleted\ Messages/tmp/ directory:

# du -shc -I .. -I . .maildir/.Deleted\ Messages/*
4.9M    .maildir/.Deleted Messages/courierimapkeywords
4.0k    .maildir/.Deleted Messages/courierimapuiddb
5.8M    .maildir/.Deleted Messages/cur
0B      .maildir/.Deleted Messages/maildirfolder
4.0k    .maildir/.Deleted Messages/new
101G    .maildir/.Deleted Messages/tmp
101G    total

First I tried to rm this directory and restart courier-imap, but the next time the acct client connects, it begins filling this directory again.

I also tried to delete this with a python imaplib script, but the mail in the tmp/ dir is not recognized by imaplib.

Is there some courier-imap admin utility that can clear/expunge this tmp/ dir?

Is there any method short of deleting the acct and starting over that will cause these messages to be purged from the tmp/ directory to cur/ where they could be deleted and expunged?

I'm about to shut down courier-imap again, since the free disk space is about to be depleted.

Any help is appreciated...

John A
2023-11-06

From: Sam V. <mr...@co...> - 2023-08-29 02:16:45
Download: https://www.courier-mta.org/download.html

Changes:

sqwebmail: fix a potential crash when loading search results.

imap: manually turn off the "LOGINDISABLED" IMAP capability after TLS is enabled.

Add an optional compilation option to mitigate performance issues on some distributed filesystems.

From: Sam V. <mr...@co...> - 2023-04-30 13:34:27
Download: https://www.courier-mta.org/download.html

New releases of courier, courier-imap, sqwebmail, maildrop, and cone packages.

Changes:

* all: fix warning message from gcc 13 (false positives).
* courier, courier-imap, cone: update configure script to check for the standardized location of the CA certificate bundle, in addition to various legacy compatibility paths.
* courier: update the ESMTP server to recognize alternative Courier ESMTP extension names, in addition to the current ones. A future version of Courier will switch the syntax of its custom ESMTP extension names to be strictly compliant with the ESMTP specification. The names remain unchanged for now, but this version of Courier recognizes both the existing names and the new names.
* courier: update internal scripts, replace deprecated fgrep alias with grep -F.

From: Sam V. <mr...@co...> - 2023-04-05 01:55:33
Download: https://www.courier-mta.org/download.html

New releases of courier, courier-imap, sqwebmail, maildrop, and cone packages.

Changes:

• maildrop: overhaul of internal code, updating pre-C++03 code to C++11. As part of the code update, the "foreach" command now supports subpattern matches setting $MATCH<n>. Fix latent, rare bugs that could theoretically result in crashes, that were lurking around for years. The -V option initializes the VERBOSE variable, for consistency.
• all: check for minimum libidn version in the configure script.
• courier: fix issues with system accounts that are in a large number of groups.

From: Sam V. <mr...@co...> - 2023-03-04 01:20:53
Steve Charmer writes:

> from the terminal, do I call the bash script?
> /usr/sbin/authdaemond stop
> or just
> authdaemond stop
> (bcuz it's in my path, both should work)

Correct, it does the same thing.

> authdaemond: Authenticated: sysusername=<null>, sysuserid=8, sysgroupid=8,
> homedir=/var/vmail/domain.com/acct,
> address=ac...@do..., fullname=<null>,
> maildir=/var/vmail/domain.com/acct, quota=<null>,
> options=<null>
> authdaemond: Authenticated: clearpasswd=MYPASSWORD,
> passwd=$1$EGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGR.ZbFFFFFFFFFFFFFFFFFFF/
> imapd: LOGIN, user=ac...@do...,
> ip=[::ffff:xxx.xxx.xxx.xxx], port=[56789], protocol=IMAP
> imapd: Connection, ip=[::ffff:xxx.xxx.xxx.xxx]
>
> so it appears to be working.
>
> Is it shown twice (the first clearpasswd is null) because the DEBUG level is
> set to 2, and it needs to do debug level 1 first, (the login attempt), then
> level 2 (the clearpasswd) ?
>
> or do I have 2 instances running in memory?

No, different parts of the daemon were doing their own logging.

> does authdaemond run as a service? or is it just called on demand by
> courier-imapd-ssl ?
> I tried systemctl list-units -a to view all the services
> but I did not find a service named authdaemond

authdaemond runs as a permanent service. Check for services that have "authlib" in their name.

> for the purposes of customizing rsyslog, does authdaemond have a facility
> name, or is it captured under mail.* ?
>
> I noticed it worked for me under mail.info and
> mail.debug

LOGGEROPTS in the authdaemonrc configuration file sets options for courierlogger. You can specify a -facility option to use a different subsystem.

From: Steve C. <ste...@gm...> - 2023-03-03 20:12:53
Thank you Mr Sam.

I could not get the binary executable to run manually at the terminal, I couldn't understand how the variables from the rc file were supposed to be pasted after the command.

I ended up modifying my rsyslog 50-default.conf file, then restarting rsyslog

I am still confused as to which is the correct command to stop and start authdaemond

from the terminal, do I call the bash script?
/usr/sbin/authdaemond stop
or just
authdaemond stop
(bcuz it's in my path, both should work)

ANYHOW, by some miracle

I saw in my syslog file commands

authdaemond: modules="authuserdb authpam", daemons=5
authdaemond: Installing libauthuserdb
authdaemond: Installation complete: authuserdb
authdaemond: Installing libauthpam
authdaemond: Installation complete: authpam

which convinced me that it started

then later in the mail log

imapd: Connection, ip=[::ffff:xxx.xxx.xxx.xxx]
authdaemond: received auth request, service=imap, authtype=login
authdaemond: authuserdb: trying this module
authdaemond: userdb: opened /etc/courier/userdb.dat
authdaemond: userdb: looking up 'ac...@do...'
authdaemond: userdb: home=/var/vmail/domain.com/acct, uid=8, gid=8, shell=<unset>, mail=/var/vmail/domain.com/acct, quota=<unset>, gecos=<unset>, options=<unset>
authdaemond: found systempw in userdbshadow
authdaemond: authuserdb: sysusername=<null>, sysuserid=8, sysgroupid=8, homedir=/var/vmail/domain.com/acct, address=ac...@do..., fullname=<null>, maildir=/var/vmail/domain.com/acct, quota=<null>, options=<null>
authdaemond: authuserdb: clearpasswd=<null>, passwd=$1$EGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGR.ZbFFFFFFFFFFFFFFFFFFF/
authdaemond: password matches successfully
authdaemond: Authenticated: sysusername=<null>, sysuserid=8, sysgroupid=8, homedir=/var/vmail/domain.com/acct, address=ac...@do..., fullname=<null>, maildir=/var/vmail/domain.com/acct, quota=<null>, options=<null>
authdaemond: Authenticated: clearpasswd=MYPASSWORD, passwd=$1$EGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGR.ZbFFFFFFFFFFFFFFFFFFF/
imapd: LOGIN, user=ac...@do..., ip=[::ffff:xxx.xxx.xxx.xxx], port=[56789], protocol=IMAP
imapd: Connection, ip=[::ffff:xxx.xxx.xxx.xxx]

so it appears to be working.

Is it shown twice (the first clearpasswd is null) because the DEBUG level is set to 2, and it needs to do debug level 1 first, (the login attempt), then level 2 (the clearpasswd) ?

or do I have 2 instances running in memory?

does authdaemond run as a service? or is it just called on demand by courier-imapd-ssl ?
I tried systemctl list-units -a to view all the services
but I did not find a service named authdaemond

for the purposes of customizing rsyslog, does authdaemond have a facility name, or is it captured under mail.* ?

I noticed it worked for me under mail.info and mail.debug

thank you for your help

On Thu, Mar 2, 2023 at 7:49 PM Sam Varshavchik <mr...@co...> wrote:

> Steve Charmer writes:
>
> > « HTML content follows »
> >
> > Hello again,
> > I am using courier-imapd-ssl on Ubuntu
> >
> > I want to debug a user authentication by viewing the password being sent
> >
> > I have read
> >
> > https://www.courier-mta.org/authlib/README.authdebug.html
> >
> > to edit
> > /usr/local/etc/authdaemonrc:
> > but, I have no file there
>
> Each Linux distribution configures packages according to its own
> conventions.
>
> The documentation on the web defaults to the default package
> configuration, and you'll need to check where your Linux distribution
> installs the package and how it gets configured.
>
> > in /var/log/mail.log
> > imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx]
> > lemp-dev authdaemond: received auth request, service=imap, authtype=login
> > lemp-dev authdaemond: authuserdb: trying this module
> > lemp-dev authdaemond: userdb: opened /etc/courier/userdb.dat
> >
> > Is this showing that I am indeed using authdaemond to process the login
> > request?
>
> Yes, and its configuration files are stored in /etc/courier
>
> > I edited /etc/courier/authdaemonrc
> > set DEBUG_LOGIN=2
> > (as the above webpage said that would show the pwd)
> > save the file
> >
> > authmodulelist="authuserdb authpam"
> > daemons=5
> > authdaemonvar=/var/run/courier/authdaemon/socket
> > DEBUG_LOGIN=2
> > DEFAULTOPTIONS=""
> > LOGGEROPTS=""
> >
> > and following the instructions in that webpage
> > I stopped authdaemond
> > then attempted to start it manually
> > authdaemond >/home/user/authdaemond.log 2>&1
> >
> > but that log file shows only
> > Unknown option '-'
> >
> > I do not see any hyphen character in the conf file
>
> There are two executables in the courier-authlib package that are named
> authdaemond.
>
> The first executable is usually installed somewhere that's not in the
> default PATH, typically /usr/libexec/courier-authlib/authdaemond or
> /usr/local/libexec/courier-authlib/authdaemond. That's the binary that
> the documentation you read is referring to.
>
> The second executable is installed in your default PATH,
> /usr/sbin/authdaemond usually. It's a shell script that does a few
> things, and then runs the first executable.
>
> You ran the second shell script instead of the binary executable.
>
> Note, though, that if you already have authdaemond running then starting
> the executable again is not going to work.

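With DEBUG_LOGIN=2 the mail log above carries `clearpasswd=` and `passwd=` values, so the log needs scrubbing before it is shared and the setting needs reverting once debugging is done. The following is an added example, not part of the original messages or of courier-authlib; the function names are hypothetical and the sample lines are constructed to match the log format shown in this thread.

```python
import re

# key=value pairs as authdaemond writes them: "clearpasswd=..., passwd=..."
_SECRET = re.compile(r"\b(clearpasswd|passwd)=([^,\s]+)")
_DEBUG = re.compile(r'^\s*DEBUG_LOGIN\s*=\s*"?(\d+)', re.MULTILINE)

# Constructed sample input (not real credentials or hashes).
SAMPLE_LOG = [
    "authdaemond: authuserdb: clearpasswd=<null>, passwd=$1$SALTSALT$CONSTRUCTEDHASHVALUE/",
    "authdaemond: password matches successfully",
    "authdaemond: Authenticated: clearpasswd=MYPASSWORD, passwd=$1$SALTSALT$CONSTRUCTEDHASHVALUE/",
    "imapd: LOGIN, user=acct@example.com, ip=[::ffff:192.0.2.44], port=[56789], protocol=IMAP",
]
SAMPLE_RC = 'authmodulelist="authuserdb authpam"\ndaemons=5\nDEBUG_LOGIN=2\nLOGGEROPTS=""\n'


def scrub_line(line):
    """Return (scrubbed_line, leaked) for one log line.

    leaked is True when the line carried a non-null clearpasswd value.
    The crypt hash is masked as well, since it can be attacked offline.
    """
    leaked = False

    def mask(match):
        nonlocal leaked
        key, value = match.group(1), match.group(2)
        if value == "<null>":
            return match.group(0)  # nothing secret to hide
        if key == "clearpasswd":
            leaked = True
        return f"{key}=<redacted>"

    return _SECRET.sub(mask, line), leaked


def scrub_log(lines):
    """Scrub an iterable of log lines; return (scrubbed_lines, leak_count)."""
    out, leaks = [], 0
    for line in lines:
        clean, leaked = scrub_line(line)
        out.append(clean)
        leaks += leaked
    return out, leaks


def debug_login_level(rc_text):
    """Return the last uncommented DEBUG_LOGIN value in authdaemonrc text (0 if unset)."""
    values = _DEBUG.findall(rc_text)
    return int(values[-1]) if values else 0


if __name__ == "__main__":
    scrubbed, leaks = scrub_log(SAMPLE_LOG)
    print("\n".join(scrubbed))
    print(f"lines with a cleartext password: {leaks}")
    if debug_login_level(SAMPLE_RC) >= 2:
        print("authdaemonrc still has DEBUG_LOGIN=2; passwords are being logged")
```

A non-zero leak count means the affected accounts' passwords were written to the log in clear and should be changed once debugging is finished.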
From: Sam V. <mr...@co...> - 2023-03-03 00:49:58
Steve Charmer writes:

> « HTML content follows »
>
> Hello again,
> I am using courier-imapd-ssl on Ubuntu
>
> I want to debug a user authentication by viewing the password being sent
>
> I have read
>
> https://www.courier-mta.org/authlib/README.authdebug.html
>
> to edit
> /usr/local/etc/authdaemonrc:
> but, I have no file there

Each Linux distribution configures packages according to its own conventions.

The documentation on the web defaults to the default package configuration, and you'll need to check where your Linux distribution installs the package and how it gets configured.

> in /var/log/mail.log
> imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx]
> lemp-dev authdaemond: received auth request, service=imap, authtype=login
> lemp-dev authdaemond: authuserdb: trying this module
> lemp-dev authdaemond: userdb: opened /etc/courier/userdb.dat
>
> Is this showing that I am indeed using authdaemond to process the login
> request?

Yes, and its configuration files are stored in /etc/courier

> I edited /etc/courier/authdaemonrc
> set DEBUG_LOGIN=2
> (as the above webpage said that would show the pwd)
> save the file
>
> authmodulelist="authuserdb authpam"
> daemons=5
> authdaemonvar=/var/run/courier/authdaemon/socket
> DEBUG_LOGIN=2
> DEFAULTOPTIONS=""
> LOGGEROPTS=""
>
> and following the instructions in that webpage
> I stopped authdaemond
> then attempted to start it manually
> authdaemond >/home/user/authdaemond.log 2>&1
>
> but that log file shows only
> Unknown option '-'
>
> I do not see any hyphen character in the conf file

There are two executables in the courier-authlib package that are named authdaemond.

The first executable is usually installed somewhere that's not in the default PATH, typically /usr/libexec/courier-authlib/authdaemond or /usr/local/libexec/courier-authlib/authdaemond. That's the binary that the documentation you read is referring to.

The second executable is installed in your default PATH, /usr/sbin/authdaemond usually. It's a shell script that does a few things, and then runs the first executable.

You ran the second shell script instead of the binary executable.

Note, though, that if you already have authdaemond running then starting the executable again is not going to work.

From: Steve C. <ste...@gm...> - 2023-03-02 21:01:04
Hello again,
I am using courier-imapd-ssl on Ubuntu

I want to debug a user authentication by viewing the password being sent

I have read

https://www.courier-mta.org/authlib/README.authdebug.html

to edit
/usr/local/etc/authdaemonrc:
but, I have no file there

which authdaemond
/usr/sbin/authdaemond

systemctl status authdaemond
● authdaemond.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

in /var/log/mail.log
imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx]
lemp-dev authdaemond: received auth request, service=imap, authtype=login
lemp-dev authdaemond: authuserdb: trying this module
lemp-dev authdaemond: userdb: opened /etc/courier/userdb.dat

Is this showing that I am indeed using authdaemond to process the login request?

I edited /etc/courier/authdaemonrc
set DEBUG_LOGIN=2
(as the above webpage said that would show the pwd)
save the file

authmodulelist="authuserdb authpam"
daemons=5
authdaemonvar=/var/run/courier/authdaemon/socket
DEBUG_LOGIN=2
DEFAULTOPTIONS=""
LOGGEROPTS=""

and following the instructions in that webpage
I stopped authdaemond
then attempted to start it manually
authdaemond >/home/user/authdaemond.log 2>&1

but that log file shows only
Unknown option '-'

I do not see any hyphen character in the conf file

==============
thanks for any help

From: Doug M. <me...@ge...> - 2023-03-01 23:02:08
On Wed, Mar 01, 2023 at 03:31:55PM -0700, Grant Taylor via Courier-imap wrote:
> On 3/1/23 11:31 AM, Doug McIntyre wrote:
> > The problem that I assumed was the issue (but apparently not), is
> > that when Courier IMAP is setup behind a load balancer/proxy such as
> > HAProxy without using the proxy protocol extension, the IP address
> > that Courier IMAP sees is the IP address of the HAProxy, and not the
> > client IP because it is the proxy that connected to the service and
> > that is what gets logged.
>
> It's been a long time since I've done anything with HAProxy, but I
> really thought that it had a configuration mode where it didn't change
> the source IP of the connection.

There is a transparent mode for certain OS versions, setup a certain way with iptables and special routing. If your network doesn't match on everything, it does not work at all. And even then, it only works partially on other environments. My OS choice does not support it.

> > When you use the HAProxy Proxy Protocol, it sends
> > additional information inline with the protocol detailing
> > the true client IP address, protocol, source ports,
> > etc. etc. etc. ... This protocol is documented here
> > https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt
>
> I read (most of) that document last night. HAProxy's protocol seems
> like an interesting solution. Though I'm not sure I've run into a
> problem where I needed that specific solution.

Databases, web apps that don't support X-Forwarded-For. Things that support only L4 load balancing (there are *many* out there). DNS, mail server applications. etc. I've setup all of these for my work & client requests.

> I suspect that you would get the real client IP if you use the
> "transparent" mode.

If it worked in my environment. It does not.

> > While HAproxy supports some form of cut-through proxy, it doesn't
> > work well nor in my environment. I'd rather that my backend service
> > supported the HAProxy Proxy Protocol which has worked very well with
> > other setups I've done.
>
> That sounds like additional desires ~> requirements. ;-)

OOTH, Dovecot and Postfix have supported it for years. My future needs will probably push me to Dovecot rather than switching out my base OS.

From: Grant T. <co...@gt...> - 2023-03-01 22:32:09
On 3/1/23 11:31 AM, Doug McIntyre wrote:
> The problem that I assumed was the issue (but apparently not), is
> that when Courier IMAP is setup behind a load balancer/proxy such as
> HAProxy without using the proxy protocol extension, the IP address
> that Courier IMAP sees is the IP address of the HAProxy, and not the
> client IP because it is the proxy that connected to the service and
> that is what gets logged.

It's been a long time since I've done anything with HAProxy, but I really thought that it had a configuration mode where it didn't change the source IP of the connection.

Maybe I'm conflating HAProxy with Linux Virtual Server (LVS).

Looking at the HAProxy documentation seems to indicate that HAProxy operates on the TCP layer. It does look like HAProxy supports transparent connections:

§ 3.3.1 -- Basic features : Proxying -- Transparent connect : spoof the client's (or any) IP address if needed when connecting to the server;

Link - HAProxy version 2.7.3-6 - Starter Guide - http://docs.haproxy.org/2.7/intro.html#3.1

> When you use the HAProxy Proxy Protocol, it sends
> additional information inline with the protocol detailing
> the true client IP address, protocol, source ports,
> etc. etc. etc. ... This protocol is documented here
> https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt

I read (most of) that document last night. HAProxy's protocol seems like an interesting solution. Though I'm not sure I've run into a problem where I needed that specific solution.

I wonder if anyone has created -- what I assume would be -- a TUN (as opposed to TAP) device that receives HAProxy protocol and converts it into a traditional interface for daemons to listen to, much like a GRE tunnel interface. This seems like a logical option to enable more things to support HAProxy Protocol without needing to modify the daemons themselves.

This also seems like it might enable doing other interesting things with the traffic. }:-)

> Otherwise, without this sort of extension, all you get in Courier
> IMAP's logs is the IP address of the HAProxy box as one would expect.

I suspect that you would get the real client IP if you use the "transparent" mode.

> While HAproxy supports some form of cut-through proxy, it doesn't
> work well nor in my environment. I'd rather that my backend service
> supported the HAProxy Proxy Protocol which has worked very well with
> other setups I've done.

That sounds like additional desires ~> requirements. ;-)

--
Grant. . . .
unix || die

From: Grant T. <co...@gt...> - 2023-03-01 22:13:19
On 3/1/23 10:35 AM, Steve Charmer wrote:
> Aha Grant, you were correct !

:-)

> during testing and watching the logs, I had a webmail interface open, so
> the code in the webmail script residing on the same server as the
> courier installation was showing the server's public ip address.

That makes perfect sense and explains what you were seeing.

> today, we tested imapd-ssl from a smartphone, and the expected public
> IPv4 addresses were showing up in the log.

:-)

> thank you, ...

You're welcome.

> ... sorry to all whom I may have wasted your time.

Apology returned as unnecessary. I know that I've made small oops like that in the past so I won't hold it against anyone else making such an oops. ;-)

--
Grant. . . .
unix || die

From: Doug M. <me...@ge...> - 2023-03-01 18:31:12
On Tue, Feb 28, 2023 at 08:05:02PM -0500, Sam Varshavchik wrote:
> Doug McIntyre writes:
>
> > On Tue, Feb 28, 2023 at 06:22:12PM -0500, Sam Varshavchik wrote:
> >
> > > That's because there is nothing that the server can do to determine the
> > > client's real IP address. When NAT is used, as is apparently the case
> > > here, as far as the server knows that's the IP address where the connection
> > > is coming from, and that's the only IP address that's involved. The real
> > > client IP address is only known to the network proxy.
> >
> > What would it take to have Courier-IMAP support HAProxy Proxy Protocol?
> > https://www.haproxy.com/de/blog/haproxy/proxy-protocol/
>
> I'm not familiar with haproxy, so I can't say; but Courier takes the
> incoming connection, sets environment variables to the socket peer's IP
> address, and forks off the child daemon. Whatever's happening with haproxy,
> mimicking this should result in logging reflecting the real client IP address.

The problem that I assumed was the issue (but apparently not), is that when Courier IMAP is setup behind a load balancer/proxy such as HAProxy without using the proxy protocol extension, the IP address that Courier IMAP sees is the IP address of the HAProxy, and not the client IP because it is the proxy that connected to the service and that is what gets logged.

In web servers, they developed the X-Forwarded-For: header to handle working around this, but there are other protocols that proxy/load balancers are useful than just web servers that don't have this. (ie. Databases, SMTP, DNS, other email services).

When you use the HAProxy Proxy Protocol, it sends additional information inline with the protocol detailing the true client IP address, protocol, source ports, etc. etc. etc. Such that when load balanced through haproxy, the backend client can still log information such as the client IP address instead of the IP address that connected to it, (ie. the haproxy machine in front of it).

This protocol is documented here
https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt

As I mentioned, other Load Balancer devices do support the haproxy proxy protocol as a defacto standard.

Otherwise, without this sort of extension, all you get in Courier IMAP's logs is the IP address of the HAProxy box as one would expect.

In my case, I have F5 load balancer in front doing the cut through proxy, such that Courier IMAP still sees it as the client IP, but I want to change out my EOL'd F5s to HAProxy instead, but I'm going to lose access to client IP address information unless Courier IMAP supported the proxy protocol extension.

While HAproxy supports some form of cut-through proxy, it doesn't work well nor in my environment. I'd rather that my backend service supported the HAProxy Proxy Protocol which has worked very well with other setups I've done.

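What a backend has to do to log the real client address from the PROXY protocol described above, as an added example that is not part of the original messages and is not Courier or HAProxy code. It covers only the human-readable version 1 line from proxy-protocol.txt; `parse_proxy_v1` and `logged_client` are hypothetical names, and the addresses in the sample are constructed documentation addresses.

```python
import ipaddress

PROXY_V1_MAX = 107  # longest v1 header line, CRLF included (proxy-protocol.txt)

# Constructed sample: what a proxy would send ahead of the first IMAP command.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 56789 143\r\na001 CAPABILITY\r\n"


class ProxyHeaderError(ValueError):
    """Raised when a trusted proxy sends a malformed PROXY v1 line."""


def parse_proxy_v1(data):
    """Parse a PROXY protocol v1 line at the start of `data`.

    Returns (info, rest): info is (src_ip, src_port, dst_ip, dst_port), or
    None for "PROXY UNKNOWN"; rest is the application data after the line.
    """
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    fields = data[:end].split(b" ")
    rest = data[end + 2:]
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ProxyHeaderError("line does not start with 'PROXY '")
    if fields[1] == b"UNKNOWN":
        return None, rest  # the receiver ignores everything up to CRLF
    if fields[1] not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ProxyHeaderError("expected: PROXY TCP4|TCP6 src dst sport dport")
    version = 4 if fields[1] == b"TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from None
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    ports = []
    for raw in fields[4:6]:
        if not raw.isdigit() or int(raw) > 65535:
            raise ProxyHeaderError("bad port")
        ports.append(int(raw))
    return (str(src), ports[0], str(dst), ports[1]), rest


def logged_client(peer_ip, peer_port, data, trusted_proxies):
    """Pick the address a backend should log for one new connection.

    The header is honoured only when the socket peer is a configured proxy;
    otherwise any client could forge the address that ends up in the log.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return peer_ip, peer_port, data  # header left in place, never trusted
    info, rest = parse_proxy_v1(data)
    if info is None:
        return peer_ip, peer_port, rest
    return info[0], info[1], rest


if __name__ == "__main__":
    print(logged_client("10.0.0.5", 40000, SAMPLE, ["10.0.0.0/24"]))
    print(logged_client("198.51.100.9", 40001, SAMPLE, ["10.0.0.0/24"]))
```

The second call shows why the trusted-proxy list matters: a direct client that sends its own PROXY line is still logged under its socket address.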
From: Steve C. <ste...@gm...> - 2023-03-01 17:35:40
Aha Grant, you were correct !

during testing and watching the logs, I had a webmail interface open, so the code in the webmail script residing on the same server as the courier installation was showing the server's public ip address.

today, we tested imapd-ssl from a smartphone, and the expected public IPv4 addresses were showing up in the log.

thank you, and sorry to all whom I may have wasted your time.

On Tue, Feb 28, 2023 at 9:48 PM Grant Taylor via Courier-imap <cou...@li...> wrote:

> On 2/28/23 11:34 AM, Steve Charmer wrote:
> > hello,
>
> Hi,
>
> > I want to add additional information to these lines.
> > The ip address is the public IPv4 of my server.
>
> That seems both odd and somewhat unexpected to me.
>
> > I want to be able to add the public IPv4 address of the remote client
> > trying to login to courier-imapd
>
> The thing that I don't understand is why you aren't already seeing the
> public IP address of the remote client trying to log in.
>
> Both Courier servers that I'm running do show the remote IP address of
> clients.
>
> Is there a chance that the IP that you're seeing is your server logging
> into itself? Possibly via a webmail interface running on the same system?
>
> > can I add additional text to that line to include the remote ip address?
>
> I think that you should already be seeing the remote IP address of clients.
>
> So if you're not seeing remote IP addresses of clients, I'd take that as
> an indication that something is wrong.
>
> --
> Grant. . . .
> unix || die
>
> _______________________________________________
> Courier-imap mailing list
> Cou...@li...
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap

From: Grant T. <co...@gt...> - 2023-03-01 02:46:49
On 2/28/23 4:22 PM, Sam Varshavchik wrote:
> That's because there is nothing that the server can do to determine the
> client's real IP address. When NAT is used, as is apparently the case
> here, as far as the server knows that's the IP address where the
> connection is coming from, and that's the only IP address that's
> involved. The real client IP address is only known to the network proxy.

Please clarify where the NAT is that you're talking about.

N.B. the OP did say "public IPv4 address of the remote client", so it doesn't seem like the OP is trying to identify the client's LAN / NATed IP address.

I did not see any indication that the OP had any form of NATing between the Internet and the Courier IMAP daemon. Maybe I missed another message describing that.

--
Grant. . . .
unix || die

From: Grant T. <co...@gt...> - 2023-03-01 02:46:49
On 2/28/23 11:34 AM, Steve Charmer wrote:
> hello,

Hi,

> I want to add additional information to these lines.
> The ip address is the public IPv4 of my server.

That seems both odd and somewhat unexpected to me.

> I want to be able to add the public IPv4 address of the remote client
> trying to login to courier-imapd

The thing that I don't understand is why you aren't already seeing the public IP address of the remote client trying to log in.

Both Courier servers that I'm running do show the remote IP address of clients.

Is there a chance that the IP that you're seeing is your server logging into itself? Possibly via a webmail interface running on the same system?

> can I add additional text to that line to include the remote ip address?

I think that you should already be seeing the remote IP address of clients.

So if you're not seeing remote IP addresses of clients, I'd take that as an indication that something is wrong.

--
Grant. . . .
unix || die
From: Sam V. <mr...@co...> - 2023-03-01 01:05:10
Doug McIntyre writes:

> On Tue, Feb 28, 2023 at 06:22:12PM -0500, Sam Varshavchik wrote:
>
> > That's because there is nothing that the server can do to determine the
> > client's real IP address. When NAT is used, as is apparently the case
> > here, as far as the server knows that's the IP address where the connection
> > is coming from, and that's the only IP address that's involved. The real
> > client IP address is only known to the network proxy.
>
> What would it take to have Courier-IMAP support HAProxy Proxy Protocol?
> https://www.haproxy.com/de/blog/haproxy/proxy-protocol/

I'm not familiar with haproxy, so I can't say; but Courier takes the incoming connection, sets environment variables to the socket peer's IP address, and forks off the child daemon. Whatever's happening with haproxy, mimicking this should result in logging reflecting the real client IP address.
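Mimicking the behaviour described above behind a proxy means reading the client address from the PROXY protocol header and exporting it in the environment before the child daemon starts. The following is an added example, not Courier's or HAProxy's own code: a PROXY v1 parser that accepts the header only from a configured proxy address. The tcpserver-style variable names, the function names and the sample addresses are assumptions.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest PROXY v1 line the spec allows, CRLF included

class ProxyHeaderError(ValueError):
    """Raised when a PROXY v1 header is absent, malformed or untrusted."""

def parse_proxy_v1(data, peer_ip, trusted_proxies):
    """Return (env, rest): client address variables and the bytes after the header."""
    # Only a configured proxy may assert a client address; otherwise any
    # client could forge the IP that ends up in the login log.
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        raise ProxyHeaderError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0 or not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing or oversized PROXY v1 header")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII bytes in header") from None
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # The proxy could not name the source: keep the socket peer address.
        return {"TCPREMOTEIP": peer_ip}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed PROXY v1 header")
    proto, src, dst, sport, dport = fields[1:]
    family = ipaddress.IPv4Address if proto == "TCP4" else ipaddress.IPv6Address
    try:
        src_ip, dst_ip = family(src), family(dst)
    except ValueError:
        raise ProxyHeaderError("address does not match declared family") from None
    for port in (sport, dport):
        if not port.isdigit() or int(port) > 65535:
            raise ProxyHeaderError("port out of range")
    # Variable names follow the tcpserver convention (an assumption here;
    # the thread only says "environment variables").
    env = {"TCPREMOTEIP": str(src_ip), "TCPREMOTEPORT": sport,
           "TCPLOCALIP": str(dst_ip), "TCPLOCALPORT": dport}
    return env, rest

if __name__ == "__main__":
    # Constructed header, using documentation-range addresses.
    wire = b"PROXY TCP4 198.51.100.23 203.0.113.10 57204 993\r\n\x16\x03\x01"
    env, rest = parse_proxy_v1(wire, "192.0.2.5", ["192.0.2.5"])
    print(env["TCPREMOTEIP"], env["TCPREMOTEPORT"], rest)
```

The trusted-peer check comes first on purpose: a header that arrives from any other address is rejected before it is parsed, so a directly connected client cannot choose the address that gets logged.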
From: Doug M. <me...@ge...> - 2023-02-28 23:49:07
On Tue, Feb 28, 2023 at 06:22:12PM -0500, Sam Varshavchik wrote:
> Steve Charmer writes:
>
> > Feb 28 12:20:04 diggy-ocn-drop imapd-ssl: LOGOUT,
> > user=<URL:mailto:me...@my...>me...@my..., ip=[::ffff:104.xxx.xxx.xxx],
> > headers=0, body=0, rcvd=77, sent=330, time=0, starttls=1
...
> > I want to be able to add the public IPv4 address of the remote client trying
> > to login to courier-imapd
...
> That's because there is nothing that the server can do to determine the
> client's real IP address. When NAT is used, as is apparently the case
> here, as far as the server knows that's the IP address where the connection
> is coming from, and that's the only IP address that's involved. The real
> client IP address is only known to the network proxy.

What would it take to have Courier-IMAP support HAProxy Proxy Protocol?
https://www.haproxy.com/de/blog/haproxy/proxy-protocol/

Other load balancers use HAProxy's solution as well, it isn't exclusive to them. As you see in the list, several email component packages already support it.

As for a different way to do it, certain Load Balancers can do L4 cut-through load balancing (ie. F5, Avi) preserving the client IP.
From: Sam V. <mr...@co...> - 2023-02-28 23:22:20
Steve Charmer writes:

> Feb 28 12:20:04 diggy-ocn-drop imapd-ssl: LOGOUT,
> user=<URL:mailto:me...@my...>me...@my..., ip=[::ffff:104.xxx.xxx.xxx],
> headers=0, body=0, rcvd=77, sent=330, time=0, starttls=1
>
> I want to add additional information to these lines.
> The ip address is the public IPv4 of my server.
>
> I want to be able to add the public IPv4 address of the remote client trying
> to login to courier-imapd
>
> in the file /etc/courier/imapd-ssl I see the line
> SSLLOGGEROPTS="-name=imapd-ssl"
>
> can I add additional text to that line to include the remote ip address?
>
> I have searched the web, but I cannot find any examples on what to put there.

That's because there is nothing that the server can do to determine the client's real IP address. When NAT is used, as is apparently the case here, as far as the server knows that's the IP address where the connection is coming from, and that's the only IP address that's involved. The real client IP address is only known to the network proxy.
From: Steve C. <ste...@gm...> - 2023-02-28 18:34:53
Hello,

In my syslog I have lines of:

Feb 28 12:18:04 diggy-ocn-drop imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx]
Feb 28 12:18:04 diggy-ocn-drop imapd-ssl: LOGIN, user=me...@my..., ip=[::ffff:104.xxx.xxx.xxx], port=[57204], protocol=IMAP
Feb 28 12:18:04 diggy-ocn-drop imapd-ssl: LOGOUT, user=me...@my..., ip=[::ffff:104.xxx.xxx.xxx], headers=0, body=0, rcvd=77, sent=330, time=0, starttls=1
Feb 28 12:20:04 diggy-ocn-drop imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx]
Feb 28 12:20:04 diggy-ocn-drop imapd-ssl: LOGIN, user=me...@my..., ip=[::ffff:104.xxx.xxx.xxx], port=[57206], protocol=IMAP
Feb 28 12:20:04 diggy-ocn-drop imapd-ssl: LOGOUT, user=me...@my..., ip=[::ffff:104.xxx.xxx.xxx], headers=0, body=0, rcvd=77, sent=330, time=0, starttls=1

I want to add additional information to these lines.
The ip address is the public IPv4 of my server.

I want to be able to add the public IPv4 address of the remote client trying to login to courier-imapd

In the file /etc/courier/imapd-ssl I see the line
SSLLOGGEROPTS="-name=imapd-ssl"

Can I add additional text to that line to include the remote ip address?

I have searched the web, but I cannot find any examples on what to put there.

Thank you
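The resolution reported elsewhere in this thread was that the logged address belonged to webmail running on the mail server itself. As an added example (not from the thread or the Courier project), the script below reads LOGIN lines in the format quoted above, unwraps the IPv4-mapped `::ffff:` form, and separates logins that originate from the server from genuinely remote ones. The sample lines, host name, users and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample lines in the format quoted in the post; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Feb 28 12:18:04 mailhost imapd-ssl: Connection, ip=[::ffff:203.0.113.10]
Feb 28 12:18:04 mailhost imapd-ssl: LOGIN, user=alice@example.org, ip=[::ffff:203.0.113.10], port=[57204], protocol=IMAP
Feb 28 12:18:04 mailhost imapd-ssl: LOGOUT, user=alice@example.org, ip=[::ffff:203.0.113.10], headers=0, body=0, rcvd=77, sent=330, time=0, starttls=1
Mar  1 09:02:11 mailhost imapd-ssl: LOGIN, user=alice@example.org, ip=[::ffff:198.51.100.23], port=[41822], protocol=IMAP
Mar  1 09:05:40 mailhost imapd-ssl: LOGIN, user=bob@example.org, ip=[::ffff:127.0.0.1], port=[50112], protocol=IMAP
"""

LOGIN_RE = re.compile(
    r"imapd(?:-ssl)?: LOGIN, user=(?P<user>[^,]+), "
    r"ip=\[(?P<ip>[^\]]+)\], port=\[(?P<port>\d+)\]"
)

def normalize_ip(text):
    """Parse an address, unwrapping the IPv4-mapped IPv6 form (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr

def classify_logins(log_text, server_addrs):
    """Return (user, ip, origin) per LOGIN line; origin is 'local' or 'remote'."""
    own = {ipaddress.ip_address(a) for a in server_addrs}
    results = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # Connection and LOGOUT lines are skipped
        ip = normalize_ip(m.group("ip"))
        # A login from the server's own address or loopback is a local
        # client such as webmail, not the end user's device.
        origin = "local" if ip in own or ip.is_loopback else "remote"
        results.append((m.group("user"), str(ip), origin))
    return results

if __name__ == "__main__":
    for user, ip, origin in classify_logins(SAMPLE_LOG, ["203.0.113.10"]):
        print(f"{origin:6} {ip:15} {user}")
```

For logins classified as local, the end user's address has to come from the webmail application's own access log, since the IMAP server only ever sees the socket peer.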
From: Sam V. <mr...@co...> - 2023-02-20 00:39:57
Download: https://www.courier-mta.org/download.html

New releases of all Courier packages.

Changes:

* courier: adjust esmtp server's ulimit to match the imap server's ulimit

* courier: fix error handling with some versions of OpenSSL that resulted in an error if the certificate file did not have the optional DH parameter section.

* courier-imap: fix parsing of the IMAP APPEND command.

* maildrop: reimplement how timeouts work, to prevent a potential crash in the rare event of a lock timeout.
From: Sam V. <mr...@co...> - 2022-12-18 01:51:57
Download: https://www.courier-mta.org/download.html

New releases of courier and courier-imap packages

Changes:

* Fix a compatibility problem with OpenSSL 3 that results in TLS negotiation failures in some non-default configurations.

* Fix an error in courier-imap's installation script that results in creation of absolute, rather than relative, symbolic links.
From: Sam V. <mr...@co...> - 2022-12-04 17:56:33
Download: https://www.courier-mta.org/download.html

New releases of all Courier packages.

Changes:

• Use libidn2 instead of libidn.

• "make install" creates relative, instead of absolute, symbolic links.

• debuild script: update lintian overrides, add pkg-config to build dependencies.
From: Sam V. <mr...@co...> - 2022-11-17 13:29:28
PICCORO McKAY Lenz writes:

> > > > Ditto for sqwebmail.
> > > what's the problem with sqwebmail?
> > > AFAIK there's only one sqwebmail version. And I'm not aware of issues
> > > arising on how it has been packaged.
> > There are some default configuration settings that differ. One is:
> > sqwebmail's configure looks for "sendmail" in PATH. Courier's sqwebmail
> > knows where Courier's is. So if you have both Courier and sendmail or
> > postfix installed, the end results may not be what your intentions were.
>
> For that debian packages has alternatives system.. your packages don't

The sqwebmail component of Courier uses Courier to send the email, because it's a part of one integrated package. The standalone sqwebmail package will pick up /usr/sbin/sendmail which is an alternatives link.