From 144b8e5d04be8274b0a34425f64b0e184e4182b7 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 12:54:29 +0200 Subject: [PATCH 01/45] config/optimization: Add MALLOC_MMAP_THRESHOLD_ --- docs/core/config/basic.md | 13 ------------- docs/core/config/optimization.md | 14 ++++++++++++++ 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/docs/core/config/basic.md b/docs/core/config/basic.md index 979d2816d..d229cc038 100644 --- a/docs/core/config/basic.md +++ b/docs/core/config/basic.md @@ -35,19 +35,6 @@ verbose_proctitle = yes These are settings for Dovecot nodes that are accessing mail storage ("backends"). -### Shutdown Clients - -By default, all active sessions will be shut down when Dovecot is reloaded or -restarted. Setting [[setting,shutdown_clients,no]] is dangerous as existing -sessions are then not killed when Dovecot is restarted or reloaded. This can -have serious consequences if, for example, storage-related settings are -changed, as user connection will be using both old and new configuration at -the same time. Thus, it is recommended to use: - -``` -shutdown_clients = yes -``` - ### Memory Allocation Allocate all memory larger than 128 kB using mmap(). This allows the OS to diff --git a/docs/core/config/optimization.md b/docs/core/config/optimization.md index a4ecc01a8..2ebb6f2f8 100644 --- a/docs/core/config/optimization.md +++ b/docs/core/config/optimization.md @@ -124,6 +124,20 @@ Note that these settings do NOT directly affect the memory usage: - [[link,service_process_limit]] and [[link,service_client_limit]]: These are mostly to avoid DoS attacks using up all your memory. +### glibc + +For Linux/glibc it's recommended to set: + +```[dovecot.conf] +import_environment { + MALLOC_MMAP_THRESHOLD_ = 131072 +} +``` + +This allocates all memory larger than 128 kB using mmap(), which allows the OS +to free the memory afterwards. This is important for backends which have a lot +of long-running imap and pop3 processes. + ## Operating Systems ::: warning From 69c1b904807b7bcb565c133909355b52f9a1e86b Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 12:56:44 +0200 Subject: [PATCH 02/45] config: Remove basic configuration page This page had just a bunch of random settings which often didn't have anything to do with basic configuration. Better to just remove the page. --- docs/core/config/basic.md | 165 -------------------------------------- 1 file changed, 165 deletions(-) delete mode 100644 docs/core/config/basic.md diff --git a/docs/core/config/basic.md b/docs/core/config/basic.md deleted file mode 100644 index d229cc038..000000000 --- a/docs/core/config/basic.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -layout: doc -title: Basic Configuration -order: 3 -dovecotlinks: - basic_config: Basic configuration ---- - -# Basic Configuration - -This page describes some basic configuration in `dovecot.conf` that are -generally useful for most installations. - -## General Settings - -### Protocols - -Enable [[setting,protocols]] you intend to serve: - -``` -protocols = imap pop3 lmtp sieve -``` - -### Process Titles - -Show state information in process titles (in `ps` output) by setting -[[setting,verbose_proctitle]]: - -``` -verbose_proctitle = yes -``` - -## Storage Node Configuration - -These are settings for Dovecot nodes that are accessing mail storage -("backends"). - -### Memory Allocation - -Allocate all memory larger than 128 kB using mmap(). This allows the OS to -free the memory afterwards. This is important for storage nodes because -there can be a lot of long-running imap and pop3 processes. - -```[dovecot.conf] -import_environment { - MALLOC_MMAP_THRESHOLD_ = 131072 -} -``` - -See [[setting,import_environment]]. - -## Proxy Node Configuration - -These are settings for Dovecot nodes that are proxying traffic. - -### Login Trusted Networks - -Include proxy's IP addresses/network so they can pass through the -session ID and the client's original IP address. - -``` -login_trusted_networks = 10.0.0.0/8 -``` - -See [[setting,login_trusted_networks]]. - -### LMTP Proxying - -Enable LMTP to do proxying by doing passdb lookups (instead of only -userdb lookups). - -``` -lmtp_proxy = yes -``` - -See [[setting,lmtp_proxy]]. - -### Disconnect Delay - -Avoid load spikes caused by reconnecting clients after a backend server has -died or been restarted. - -Instead of disconnecting all the clients at the same time, the -disconnections are spread over longer time period. - -``` -login_proxy_max_disconnect_delay = 30 secs -``` - -See [[setting,login_proxy_max_disconnect_delay]]. - -### Doveadm - -[[setting,doveadm_ssl]] setting can be used to specify SSL mode to use -when doing doveadm proxying. - -Can be overridden with ssl and starttls [[link,authentication_proxies]] flags. - -When using starttls, do not add [[setting,ssl,yes]] to doveadm service's -`inet_listener` block. - -``` -#doveadm_ssl = no -``` - -This configures the doveadm server's password ([[setting,doveadm_password]]). -It can be used to access users' mailboxes and do various other things, so -it should be kept secret. - -``` -#doveadm_password = -``` - -These settings configure the doveadm port ([[setting,doveadm_port]] when -acting as doveadm client and doveadm server. - -``` -doveadm_port = 24245 - -service doveadm { - inet_listener { - port = 24245 - } -} -``` - -### LMTP - -This setting configures the LMTP port to use. - -``` -service lmtp { - inet_listener lmtp { - port = 24 - } -} -``` - -### IMAP/POP3 login - -These 3 settings configure the login processes to be in -"high performance mode", as explained in [[link,login_processes]]. - -The `4` should be changed to the number of CPU cores on the server. - -``` -service imap-login { - restart_request_count = unlimited - client_limit = 10000 - process_min_avail = 4 - process_limit = 4 -} - -service pop3-login { - restart_request_count = unlimited - client_limit = 10000 - process_min_avail = 4 - process_limit = 4 -} -``` - -The `client_limit` setting should be increased to be as high as needed. - -The max number of connections per server is `client_limit * process_limit`, -so 40k connections in the above configuration. From 44183d751bc4bd9f6b56fcba87a6bab4d3eb9a8c Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 13:05:04 +0200 Subject: [PATCH 03/45] config/overview: Remove basic_config link --- docs/core/config/overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/core/config/overview.md b/docs/core/config/overview.md index a37db3ea4..df140b8fb 100644 --- a/docs/core/config/overview.md +++ b/docs/core/config/overview.md @@ -9,7 +9,6 @@ order: 1 * [[link,settings_syntax]] * [[link,summary_settings]] * [[link,quick_config]] - * [[link,basic_config]] # Dovecot Backend From ae84c0c05781ed8e324ce542ccb3e33aeef6d292 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 13:15:47 +0200 Subject: [PATCH 04/45] config/quick: Simplify split configuration files section We no longer have split example-config files, so the text was slightly confusing/unnecessary. --- docs/core/config/quick.md | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/docs/core/config/quick.md b/docs/core/config/quick.md index 45819637d..4ccd5627e 100644 --- a/docs/core/config/quick.md +++ b/docs/core/config/quick.md @@ -83,22 +83,12 @@ configuration file in `/usr/local/etc/dovecot/dovecot.conf` The default configuration starts from `dovecot.conf`, which contains an `!include conf.d/*.conf` statement to read the rest of the configuration. -The idea is that the settings are nicely grouped into different files to make -it easier for new admins to scan through related settings. It doesn't matter -which config file you add which setting. +You can group settings into these included config files, or you can place +everything into the `dovecot.conf`, whichever you prefer. -In the production system it's often easier to just have a single -`dovecot.conf` file, which you can create easily using: - -```sh -doveconf -nP > dovecot.conf -``` - -### Hints About Writing Configuration Files - -* Usually it does not matter in which file you write the setting. You only need - to be aware that later settings replace earlier ones. If you use the same - section multiple times, the settings are merged together. +Usually it does not matter in which file you write the setting. You only need + to be aware that later settings replace earlier ones. If you use the same +section multiple times, the settings are merged together. ## Authentication From dfbc87ede06ad5dc5031693681088466aa317e0b Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 13:20:59 +0200 Subject: [PATCH 05/45] data/settings: mail_home - Replace quick_config link quick_config isn't really relevant here. A better link is to explanation of what the home directory does. --- data/settings.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/settings.js b/data/settings.js index 3187792c1..524d15741 100644 --- a/data/settings.js +++ b/data/settings.js @@ -7541,7 +7541,7 @@ This can be overridden via the \`gid\` [[link,userdb_fields,userdb field]].` }, mail_home: { - seealso: [ 'mail_path', '[[link,quick_config]]' ], + seealso: [ 'mail_path', '[[link,home_directories_for_virtual_users]]' ], values: setting_types.STRING, text: ` There are various possible ways of specifying this parameter and From 906a4eb019988502137da6dac5c03cb4b4a3d6f3 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 13:38:03 +0200 Subject: [PATCH 06/45] data/settings: Remove service_process_min_avail seealso-linking to itself --- data/settings.js | 1 - 1 file changed, 1 deletion(-) diff --git a/data/settings.js b/data/settings.js index 524d15741..71073dfae 100644 --- a/data/settings.js +++ b/data/settings.js @@ -10056,7 +10056,6 @@ no longer in "setuid" mode. This setting can't be used with non-empty chroot.` seealso: [ 'service_client_limit', 'service_restart_request_count', - 'service_process_min_avail', ], text: ` Minimum number of processes that always should be available to accept more From 21f46cabf4a6d3bf2e5875cf129cdde7511b8f6f Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 13:41:08 +0200 Subject: [PATCH 07/45] global: Use links to service settings --- docs/core/admin/errors.md | 17 +++++++++-------- docs/core/config/service.md | 4 ++-- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/core/admin/errors.md b/docs/core/admin/errors.md index 82fd29117..856dc36bf 100644 --- a/docs/core/admin/errors.md +++ b/docs/core/admin/errors.md @@ -329,22 +329,23 @@ forking less processes: This alone might be enough. - You can also switch (most of the) other commonly forked processes to - be reused. For example `service imap { restart_request_count = 100 }` - reuses the imap process for 100 different IMAP connections before it - dies. This is useful mainly for imap, pop3 and managesieve services. - It's better to avoid using `restart_request_count=unlimited` in case - there are memory leaks. + be reused. For example [[setting,service_restart_request_count,100]] + reuses the process for 100 different connections before it dies. This is + useful especially for imap, pop3 and managesieve services. + It's better to avoid using [[setting,service_restart_request_count,unlimited]] + in case there are memory leaks. - You can pre-fork some idling processes to handle bursts with - `service { process_min_avail }`. + [[setting,service_process_min_avail]]. See [[link,service_configuration]] before changing any service settings. Some services require specific values to work correctly. ### Listener Queue Size -Dovecot uses `service { client_limit } * service { process_limit }` as the -listener queue size. There is no upper limit in Dovecot. +Dovecot uses [[setting,service_client_limit]] * +[[setting,service_process_limit]] as the listener queue size. There is no upper +limit in Dovecot. Most OSes use an even lower limit, typically `128`. In Linux you can increase this through: `/proc/sys/net/core/somaxconn`. diff --git a/docs/core/config/service.md b/docs/core/config/service.md index bbd6cf94f..afe18d000 100644 --- a/docs/core/config/service.md +++ b/docs/core/config/service.md @@ -81,8 +81,8 @@ There are 3 types of services that need to be optimized in different ways: set to the number of CPU cores, so each CPU will be busy serving the process but without unnecessary context switches. Then [[setting,service_client_limit]] needs to be set high enough to be able to - serve all the needed connections (max connections = `process_limit * - client_limit`). + serve all the needed connections (max connections = + [[setting,service_process_limit]] * [[setting,service_client_limit]]). [[setting,service_restart_request_count]] is commonly set to `unlimited` for these services. Otherwise when the limit is beginning to be reached, the total number of available connections will shrink. With very bad luck that From d0919e8f9766787c5731a324286128fca775a872 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 13:45:44 +0200 Subject: [PATCH 08/45] global: Refer to %{system:cpu_count} where useful --- data/settings.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/data/settings.js b/data/settings.js index 71073dfae..7c58b2d3e 100644 --- a/data/settings.js +++ b/data/settings.js @@ -10074,8 +10074,9 @@ is launched. time to check mails. * For [[setting,service_restart_request_count]] to a value \`!=1\` and [[setting,service_client_limit]] to a value \`>1\` processes it could be set - to the number of CPU cores on the system to balance the load among them. This - is commonly used with \`*-login\` processes. + to the number of CPU cores (you can use \`%{system:cpu_count}\`) on the + system to balance the load among them. This is commonly used with \`*-login\` + processes. * For [[setting,service_restart_request_count]] with a value of \`!=1\` and [[setting,service_client_limit,1]] processes it is likely not useful to use this, because generally there are already some idling processes waiting to From b5942c66a6ab2e53a2ff24c930dded596efc6127 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 14:04:06 +0200 Subject: [PATCH 09/45] config/ssl: Remove pointless links The ssl_admin link links to this page itself. And auth_allow_cleartext is not the most useful first link on a page talking about SSL. --- docs/core/config/ssl.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docs/core/config/ssl.md b/docs/core/config/ssl.md index 816bbf700..b0bd8219b 100644 --- a/docs/core/config/ssl.md +++ b/docs/core/config/ssl.md @@ -6,7 +6,6 @@ dovecotlinks: hash: secured-connections text: secured connections ssl: SSL - ssl_admin: SSL ssl_configuration: hash: configuration-overview text: SSL configuration @@ -17,11 +16,6 @@ dovecotlinks: # SSL/TLS Configuration -For more details see: - -* [[link,ssl_admin]] -* [[setting,auth_allow_cleartext]] - ## Configuration Overview The most important SSL settings are: From 03a535d2104e820ebc21fdabd1a673925aeded30 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 27 Feb 2025 14:15:19 +0200 Subject: [PATCH 10/45] config/ssl: Remove duplicated examples of multiple SSL certificates --- docs/core/config/ssl.md | 40 ++++------------------------------------ 1 file changed, 4 insertions(+), 36 deletions(-) diff --git a/docs/core/config/ssl.md b/docs/core/config/ssl.md index b0bd8219b..c11858f76 100644 --- a/docs/core/config/ssl.md +++ b/docs/core/config/ssl.md @@ -12,6 +12,9 @@ dovecotlinks: ssl_ja3: hash: ja3-identifier text: JA3 string + ssl_multiple_certs: + hash: multiple-ssl-certificates + text: Multiple SSL Certificates --- # SSL/TLS Configuration @@ -52,34 +55,7 @@ ssl_server_cert_file = /etc/ssl/dovecot.pem ssl_server_key_file = /etc/ssl/dovecot.pem ``` -For using different SSL certificates for different IP addresses you can put -them inside local {} blocks: - -```[dovecot.conf] -local 10.0.0.1 { - ssl_server_cert_file = /etc/dovecot/dovecot.crt - ssl_server_key_file = /etc/dovecot/dovecot.key -} - -local 10.0.0.2 { - ssl_server_cert_file = /etc/dovecot/dovecot2.crt - ssl_server_key_file = /etc/dovecot/dovecot2.key -} -``` - -If you need different SSL certificates for IMAP and POP3 protocols, you can put them inside protocol ``{}`` blocks: - -```[dovecot.conf] -protocol imap { - ssl_server_cert_file = /etc/dovecot/dovecot-imap.crt - ssl_server_key_file = /etc/dovecot/dovecot-imap.key -} - -protocol pop3 { - ssl_server_cert_file = /etc/dovecot/dovecot-pop3.crt - ssl_server_key_file = /etc/dovecot/dovecot-pop3.key -} -``` +For using multiple SSL certificates, see [[link,ssl_multiple_certs]]. ::: tip It's important to note that `ssl = yes` must be set globally if @@ -88,14 +64,6 @@ SSL ports), which in turn requires that a certificate and key are specified globally even if you intend to specify certificates per protocol. ::: -Dovecot supports also using TLS SNI extension for giving different SSL -certificates based on the server name when using only a single IP address, -but the TLS SNI isn't yet supported by all clients so that may not be -very useful. - -It's anyway possible to configure it by using -`local_name imap.example.com {}` blocks. - ## How to Specify When SSL/TLS is Required There are a couple of different ways to specify when SSL/TLS is required: From 2094cb7bae36cc4f9aa0a2a2a35eb825ccd49f7c Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 28 Feb 2025 10:30:24 +0200 Subject: [PATCH 11/45] settings/syntax: Explain how to override group settings --- docs/core/settings/syntax.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/core/settings/syntax.md b/docs/core/settings/syntax.md index 02767240a..4b26fbc5f 100644 --- a/docs/core/settings/syntax.md +++ b/docs/core/settings/syntax.md @@ -319,6 +319,15 @@ namespace inbox { } ``` +You can override settings inside a group by adding the override settings +after it. For example: + +```[dovecot.conf] +@mysql = default +mysql_host = mysql2.example.com # override the default mysql_host + +``` + It's possible to override groups using the command line parameter `-o` or userdb. For example above you can return `namespace/inbox/@mailboxes=finnish` from userdb to change mailbox names to Finnish language. Note that groups can't From ef1e18a9f3fdcf6eab15860a0a1344c3fad5cbbc Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 28 Feb 2025 10:40:20 +0200 Subject: [PATCH 12/45] lib/settings.js: Add GROUP setting type --- lib/settings.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/settings.js b/lib/settings.js index 5f9474c6d..27a5ff65c 100644 --- a/lib/settings.js +++ b/lib/settings.js @@ -85,5 +85,9 @@ export const setting_types = { label: 'Port Number', url: '[[link,settings_types_in_port]]', default_required: true, + }, + GROUP: { + label: 'Settings Group', + url: '[[link,settings_groups_includes]]' } } From c06febdb81b1156447a6aa969209ffe89c4adfde Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 28 Feb 2025 10:50:18 +0200 Subject: [PATCH 13/45] settings/syntax: Show how to expand default group settings --- docs/core/settings/syntax.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/core/settings/syntax.md b/docs/core/settings/syntax.md index 4b26fbc5f..f8c8c3712 100644 --- a/docs/core/settings/syntax.md +++ b/docs/core/settings/syntax.md @@ -333,6 +333,12 @@ userdb. For example above you can return `namespace/inbox/@mailboxes=finnish` from userdb to change mailbox names to Finnish language. Note that groups can't be added via overrides unless `@label` is already set in the config file. +You can see the default group contents with e.g.: + +```console +doveconf -d @metric_defaults/proxy +``` + ## Including Config Files The main `dovecot.conf` file can also include other config files: From 9cb3f9be33425c872d70d9e83e57e505abc18463 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 28 Feb 2025 10:52:08 +0200 Subject: [PATCH 14/45] data/settings: Add @metric_defaults --- data/settings.js | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/data/settings.js b/data/settings.js index 7c58b2d3e..6fe9a37bb 100644 --- a/data/settings.js +++ b/data/settings.js @@ -11361,4 +11361,14 @@ userdb ldap { \`\`\`` }, + /* Default groups. */ + + '@metric_defaults': { + values: setting_types.GROUP, + values_enum: [ 'proxy', 'backend' ], + seealso: [ 'metric' ], + text: ` +Group that expands to recommended [[setting,metric]] settings in proxies or +backends.` + }, } From 72dd85ec1d5996dd01752afbaacc4f07b469026f Mon Sep 17 00:00:00 2001 From: Michael M Slusarz Date: Fri, 28 Feb 2025 11:48:20 -0700 Subject: [PATCH 15/45] debug: Move debug out of core, since this is specific to CE --- docs/{core/admin => troubleshooting}/debug.md | 43 +++++-------------- .../troubleshooting/include/debug_crashes.inc | 27 ++++++++++++ docs/troubleshooting/include/debug_mail.inc | 27 ++++++++++++ .../include/debug_sessionid.inc | 7 +++ docs/troubleshooting/index.md | 5 +++ 5 files changed, 76 insertions(+), 33 deletions(-) rename docs/{core/admin => troubleshooting}/debug.md (73%) create mode 100644 docs/troubleshooting/include/debug_crashes.inc create mode 100644 docs/troubleshooting/include/debug_mail.inc create mode 100644 docs/troubleshooting/include/debug_sessionid.inc create mode 100644 docs/troubleshooting/index.md diff --git a/docs/core/admin/debug.md b/docs/troubleshooting/debug.md similarity index 73% rename from docs/core/admin/debug.md rename to docs/troubleshooting/debug.md index e421251cd..67a7cf7dc 100644 --- a/docs/core/admin/debug.md +++ b/docs/troubleshooting/debug.md @@ -1,7 +1,6 @@ --- layout: doc title: Debug -order: 198 dovecotlinks: debug: debugging debug_process_tracing: @@ -9,7 +8,7 @@ dovecotlinks: text: Process Tracing --- -# Debugging and Troubleshooting +# Debugging ::: tip For reporting issues with Dovecot CE, see https://dovecot.org/bugreport-mail. @@ -17,37 +16,18 @@ For reporting issues with Dovecot CE, see https://dovecot.org/bugreport-mail. ## Crashes -Dovecot has been designed to crash rather than continue in a potentially -unsafe manner that could cause data loss. Most crashes usually happen just -once and retrying the operation will succeed, so usually even if you see -them it's not a big problem. + -Of course, all crashes are bugs that should eventually be fixed, so feel -free to report them always even if they're not causing any visible problems. +### Reporting Reporting crashes is usually best accompanied with a gdb backtrace as described in https://www.dovecot.org/bugreport.html. See [core dumps](#core-dumps) for further information. -Instead of crashing, there have been some rare bugs in Dovecot when some -process could go into infinite loop, which causes the process to use 100% -CPU. - -If you detect such processes, it would be helpful to get a gdb backtrace -of the running process: - -```sh -gdb -p pid-of-process -bt full -``` - -After getting the backtrace, you can `kill -9` the process. - ## Process Tracing If a Dovecot process hangs or is just really slow, the best way to debug it -is to see what it's really doing. Typically you'd be looking into imap or pop3 -processes. +is to see what it's really doing. ### Linux @@ -94,8 +74,9 @@ Before posting the output of the script publicly, make sure the exported configuration doesn't have anything sensitive in it. ::: -Use the [dovecot-sysreport](https://raw.githubusercontent.com/dovecot/core/master/src/util/dovecot-sysreport), which can also be found in the Dovecot -packages: +Use the +[dovecot-sysreport](https://raw.githubusercontent.com/dovecot/core/master/src/util/dovecot-sysreport), +which can also be found in the Dovecot packages: ```sh dovecot-sysreport --core @@ -141,16 +122,12 @@ bt full ## Session IDs -Each `IMAP`, `POP3` and `LMTP` connection has its own unique session ID. - -This ID is logged in all the lines and passed between Dovecot services, which -allows tracking it all the way through proxies to backends and their various -processes. - -The session IDs look like ``. + ## Mail Debugging + + Setting [[setting,log_debug]] will make Dovecot log all kinds of things about mailbox initialization. Note that it won't increase error logging at all, so if you're having some random problems it's unlikely to provide diff --git a/docs/troubleshooting/include/debug_crashes.inc b/docs/troubleshooting/include/debug_crashes.inc new file mode 100644 index 000000000..0461c087c --- /dev/null +++ b/docs/troubleshooting/include/debug_crashes.inc @@ -0,0 +1,27 @@ +Dovecot has been designed to crash rather than continue in a potentially +unsafe manner that could cause data loss. Most crashes usually happen just +once and retrying the operation will succeed, so usually even if you see +them it's not a big problem. + +Of course, all crashes are bugs that should eventually be fixed, so feel +free to report them always even if they're not causing any visible problems. + +Crashes appear in the logs like: + +``` +dovecot: Apr 23 11:16:05 Error: child 86116 (imap) killed with signal 11 +``` + +Instead of crashing, there have been some rare bugs in Dovecot when some +process could go into infinite loop, which causes the process to use 100% +CPU. + +If you detect such processes, it would be helpful to get a gdb backtrace +of the running process: + +```sh +gdb -p pid-of-process +bt full +``` + +After getting the backtrace, you can `kill -9` the process. diff --git a/docs/troubleshooting/include/debug_mail.inc b/docs/troubleshooting/include/debug_mail.inc new file mode 100644 index 000000000..1dedb80e1 --- /dev/null +++ b/docs/troubleshooting/include/debug_mail.inc @@ -0,0 +1,27 @@ +Setting [[setting,log_debug]] will make Dovecot log all kinds of things +about mailbox initialization. + +::: warning +This setting won't increase error logging at all, so if you're having some +random problems it's unlikely to provide any help. +::: + +If there are any problems with a mailbox, Dovecot should automatically fix +it. If that doesn't work for any reason, you can manually also request +fixing a mailbox by running [[doveadm,force-resync,-u user@domain INBOX]], +where `INBOX` should be replaced with the folder that is having problems +(or `*` if all folders should be fixed). + +Users may sometimes complain that they have lost emails. The problem is +almost always that this was done by one of the user's email clients +accidentally. Especially accidentally configuring a "POP3 client" to a +new device that deletes the mails after downloading them. + +For this reason it's very useful to enable the [[plugin,mail-log]] and +enable logging for all the events that may cause mails to be lost. This way +it's always possible to find out from the logs what exactly caused messages +to be deleted. + +If you're familiar enough with Dovecot's index files, you can use +[[doveadm,dump]] command to look at their contents in human readable +format and possibly determine if there is something wrong in them. diff --git a/docs/troubleshooting/include/debug_sessionid.inc b/docs/troubleshooting/include/debug_sessionid.inc new file mode 100644 index 000000000..09a788aae --- /dev/null +++ b/docs/troubleshooting/include/debug_sessionid.inc @@ -0,0 +1,7 @@ +Each IMAP, POP3, and LMTP connection has its own unique session ID. + +This ID is logged in all the lines and passed between Dovecot services, which +allows tracking it all the way through proxies to backends and their various +processes. + +The session IDs look like ``. diff --git a/docs/troubleshooting/index.md b/docs/troubleshooting/index.md new file mode 100644 index 000000000..6078e3c41 --- /dev/null +++ b/docs/troubleshooting/index.md @@ -0,0 +1,5 @@ +--- +order: 150 +title: Troubleshooting +exclude: true +--- From e3c026eb863ff58dda0651222ac0fd244ebf905f Mon Sep 17 00:00:00 2001 From: Michael M Slusarz Date: Tue, 4 Mar 2025 14:17:55 -0700 Subject: [PATCH 16/45] config: Move time synchronization topic to its own page --- docs/core/admin/errors.md | 74 +------------------------------- docs/core/config/time_sync.md | 80 +++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+), 73 deletions(-) create mode 100644 docs/core/config/time_sync.md diff --git a/docs/core/admin/errors.md b/docs/core/admin/errors.md index 856dc36bf..2c7069df5 100644 --- a/docs/core/admin/errors.md +++ b/docs/core/admin/errors.md @@ -127,79 +127,7 @@ There are usually three possibilities why it's moving backwards: 3. Dovecot is started before time is synchronized at server startup. -Moving time backwards might cause various problems (see below). - -### Time Synchronization - -There are two choices for synchronizing your clock: - -1. Use [ntpd](https://www.ntp.org/). It periodically checks the - current time from NTP server and slows down or speeds up the clock if - necessary. Unlike ntpdate, it doesn't just move the time forwards or - backwards (unless the difference is large). - - - If the time difference is too large for ntpd and it "steps", then - use "-x" as a command line option for ntpd or use "tinker step 0" - in `/etc/ntp.conf`. - - - This shows up in logs as: `ntpd[17697]: time reset -2.075483 s` - -2. If ntpd doesn't work well (e.g. a bad network connection), you can - use [clockspeed](https://cr.yp.to/clockspeed.html) or - [chrony](https://chrony.tuxfamily.org/) as well. - -In some systems ntpd/ntpdate is run at boot, but only after Dovecot has -started. That can cause Dovecot to die immediately. If you have this -problem, fix your init scripts to run ntpd/ntpdate first, before -starting Dovecot. Also, seriously consider running ntp-wait before -starting Dovecot. - -### Server Startup Time Synchronization - -With systemd add `time-sync.target` to the `After` setting. This isn't -enough though, because it only waits for time-sync to start, not finish. -To do that, enable also `systemd-time-wait-sync.service`. - -### What about Daylight Saving/Summer Time? - -On Unix-like systems, time is stored internally as the number of seconds -since January 1, 1970, 00:00:00 UTC -(see [UNIX time](https://en.wikipedia.org/wiki/Unix_time)); concepts -such as time zones and daylight saving time are applied in user space by the C -library, and will normally not have an impact on Dovecot's behavior. - -### Dovecot Shouldn't Just Die! - -Dovecot's behavior when time moves backwards is: - -- Existing imap and pop3 processes either sleep or die - -- Master process stops creating new processes until either the original - time is reached, or after a maximum wait of 3 minutes. - -- Other processes log a warning, but do nothing else. - -- Timeouts are updated so that the timeout is executed approximately at - the original intended time. - -Dovecot also notices when time unexpectedly jumps forwards. In that -situation it logs a warning and also updates timeouts. - -The reason why imap/pop3 processes get killed and new ones can't be -created for a while is to avoid problems related to timestamps. Some -issues are: - -- Uniqueness of Maildir filenames and dbox global unique identifiers - relies on a growing timestamp. - -- Dotlock files' staleness is detected by looking at its mtime. - -- Timestamps are stored internally all around in memory (as well as in - index files) and compared to current time. Those checks may or may - not be buggy if current time shrinks. - -While killing mail processes doesn't fully solve any of those issues, -they're at least less likely to happen then. +See [[link,time_synchronization]]. ## CentOS/RHEL8 Mail Location diff --git a/docs/core/config/time_sync.md b/docs/core/config/time_sync.md new file mode 100644 index 000000000..8c96193a7 --- /dev/null +++ b/docs/core/config/time_sync.md @@ -0,0 +1,80 @@ +--- +layout: doc +title: Time Synchronization +dovecotlinks: + time_synchronization: Time Synchronization +--- + +# Time Synchronization + +Dovecot relies on accurate time on syncrhonization the local system. + +There are two choices for synchronizing your clock: + +1. Use [ntpd](https://www.ntp.org/). It periodically checks the + current time from NTP server and slows down or speeds up the clock if + necessary. Unlike ntpdate, it doesn't just move the time forwards or + backwards (unless the difference is large). + + - If the time difference is too large for ntpd and it "steps", then + use "-x" as a command line option for ntpd or use "tinker step 0" + in `/etc/ntp.conf`. + + - This shows up in logs as: `ntpd[17697]: time reset -2.075483 s` + +2. If ntpd doesn't work well (e.g. a bad network connection), you can + use [clockspeed](https://cr.yp.to/clockspeed.html) or + [chrony](https://chrony.tuxfamily.org/) as well. + +In some systems ntpd/ntpdate is run at boot, but only after Dovecot has +started. That can cause Dovecot to die immediately. If you have this +problem, fix your init scripts to run ntpd/ntpdate first, before +starting Dovecot. Also, seriously consider running ntp-wait before +starting Dovecot. + +## Server Startup Time Synchronization + +With systemd add `time-sync.target` to the `After` setting. This isn't +enough though, because it only waits for time-sync to start, not finish. +To do that, enable also `systemd-time-wait-sync.service`. + +## What about Daylight Saving/Summer Time? + +On Unix-like systems, time is stored internally as the number of seconds +since January 1, 1970, 00:00:00 UTC +(see [UNIX time](https://en.wikipedia.org/wiki/Unix_time)); concepts +such as time zones and daylight saving time are applied in user space by the C +library, and will normally not have an impact on Dovecot's behavior. + +## "But Dovecot Shouldn't Just Die!" + +Dovecot's behavior when time moves backwards is: + +- Existing imap and pop3 processes either sleep or die + +- Master process stops creating new processes until either the original + time is reached, or after a maximum wait of 3 minutes. + +- Other processes log a warning, but do nothing else. + +- Timeouts are updated so that the timeout is executed approximately at + the original intended time. + +Dovecot also notices when time unexpectedly jumps forwards. In that +situation it logs a warning and also updates timeouts. + +The reason why imap/pop3 processes get killed and new ones can't be +created for a while is to avoid problems related to timestamps. Some +issues are: + +- Uniqueness of Maildir filenames and dbox global unique identifiers + relies on a growing timestamp. + +- Dotlock files' staleness is detected by looking at its mtime. + +- Timestamps are stored internally all around in memory (as well as in + index files) and compared to current time. Those checks may or may + not be buggy if current time shrinks. + +While killing mail processes doesn't fully solve any of those issues, +they're at least less likely to happen then. From ba18d8e1564a3afe78a65a6e478551ceb4307e74 Mon Sep 17 00:00:00 2001 From: Michael M Slusarz Date: Tue, 4 Mar 2025 14:26:41 -0700 Subject: [PATCH 17/45] optimization: Add dovecot link to the page --- docs/core/config/optimization.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/core/config/optimization.md b/docs/core/config/optimization.md index 2ebb6f2f8..35cb31c79 100644 --- a/docs/core/config/optimization.md +++ b/docs/core/config/optimization.md @@ -1,6 +1,8 @@ --- layout: doc title: Optimization +dovecotlinks: + dovecot_optimization: Dovecot Optimizations --- # Dovecot Optimizations From 3639f5e9e4e1cd1d0506e980a1f60d3049ecdeb7 Mon Sep 17 00:00:00 2001 From: Michael M Slusarz Date: Tue, 4 Mar 2025 14:59:23 -0700 Subject: [PATCH 18/45] Fix spelling issue --- docs/core/config/time_sync.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/config/time_sync.md b/docs/core/config/time_sync.md index 8c96193a7..c7f8325db 100644 --- a/docs/core/config/time_sync.md +++ b/docs/core/config/time_sync.md @@ -7,7 +7,7 @@ dovecotlinks: # Time Synchronization -Dovecot relies on accurate time on syncrhonization the local system. +Dovecot relies on accurate time on synchronization the local system. There are two choices for synchronizing your clock: From 1e00de5f3988757befc208e0a0479923fcebaf17 Mon Sep 17 00:00:00 2001 From: Lasse Savolainen Date: Fri, 7 Mar 2025 14:27:02 +0100 Subject: [PATCH 19/45] docs/core/admin/errors.md: Add link for time-moved-backwards-error --- docs/core/admin/errors.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/core/admin/errors.md b/docs/core/admin/errors.md index 2c7069df5..5fe44b89b 100644 --- a/docs/core/admin/errors.md +++ b/docs/core/admin/errors.md @@ -3,6 +3,9 @@ layout: doc title: Errors dovecotlinks: troubleshooting: Dovecot troubleshooting + error_time_moved_backwards: + hash: time-moved-backwards-error + text: Time Moved Backwards Error --- # Dovecot Errors and Troubleshooting From 5324a6da234e85998dac4e29255286b61eb90d33 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Tue, 11 Mar 2025 12:44:41 +0200 Subject: [PATCH 20/45] data/settings: Add @mailbox_defaults=english --- data/settings.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/data/settings.js b/data/settings.js index 6fe9a37bb..60ad6698a 100644 --- a/data/settings.js +++ b/data/settings.js @@ -11371,4 +11371,13 @@ userdb ldap { Group that expands to recommended [[setting,metric]] settings in proxies or backends.` }, + + '@mailbox_defaults': { + values: setting_types.GROUP, + values_enum: [ 'english' ], + seealso: [ 'mailbox_special_use' ], + text: ` +Group that expands to recommended English language mailbox names with +[[setting,mailbox_special_use]] flags added.` + }, } From d596012f768bd8a739f837d8e3f3167292a022a7 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Tue, 11 Mar 2025 14:10:05 +0200 Subject: [PATCH 21/45] config/imap: Document special-use flags --- docs/core/config/imap.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/core/config/imap.md b/docs/core/config/imap.md index 951097d54..56319d587 100644 --- a/docs/core/config/imap.md +++ b/docs/core/config/imap.md @@ -92,8 +92,11 @@ mail_attribute { ### SPECIAL-USE -::: todo -::: +No special-use mailboxes are configured by default. However, you can use +[[setting,@mailbox_defaults]] group to include the recommended default +mailboxes with special-use flags configured. Alternatively, you can configure +the [[setting,mailbox]] settings explicitly with +[[setting,mailbox_special_use]]. ### PREVIEW From 330c8e333af1cab69806f693a3684b345b97c70e Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Tue, 11 Mar 2025 14:15:30 +0200 Subject: [PATCH 22/45] config/imap: Merge imap-hibernation "how it works" section into the overview paragraph --- docs/core/config/imap.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/docs/core/config/imap.md b/docs/core/config/imap.md index 56319d587..3a92b033b 100644 --- a/docs/core/config/imap.md +++ b/docs/core/config/imap.md @@ -121,8 +121,10 @@ This is not supported on kqueue based systems currently, such as FreeBSD. ::: Dovecot supports moving connections that have issued IDLE to a special holding -process, called imap-hibernate. This process is responsible for holding the -idle processes until they need to be thawed. +process, called `imap-hibernate`. This process is responsible for holding the +idling connections until they issue some command that requires them to be +thawed back into a (new) imap process. This way, memory and CPU resources +are saved, since there is only one hibernation process. ### Configuration @@ -154,11 +156,3 @@ service imap-hibernate { } } ``` - -### How it Works - -When client issues IDLE, the connection socket is moved to the hibernation -process. This process is responsible for keeping all connections that are -idling, until they issue some command that requires them to be thawed into a -imap process. This way, memory and CPU resources are saved, since there is only -one hibernation process. From 4e5a81c1b7f7b1d80b3f51a7a17906bce551cc1f Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Tue, 11 Mar 2025 14:16:29 +0200 Subject: [PATCH 23/45] config/imap: Split the page into include files --- docs/core/config/imap.md | 102 +----------------- docs/core/config/include/imap_extensions.inc | 95 ++++++++++++++++ .../include/imap_hibernation_overview.inc | 5 + 3 files changed, 102 insertions(+), 100 deletions(-) create mode 100644 docs/core/config/include/imap_extensions.inc create mode 100644 docs/core/config/include/imap_hibernation_overview.inc diff --git a/docs/core/config/imap.md b/docs/core/config/imap.md index 3a92b033b..876d7abe1 100644 --- a/docs/core/config/imap.md +++ b/docs/core/config/imap.md @@ -18,101 +18,7 @@ See [[link,namespaces]]. ## IMAP Extensions -Dovecot supports many [IMAP extensions](https://imapwiki.org/Specs). - -### COMPRESS - -Dovecot supports the IMAP COMPRESS ([[rfc,4978]]) extension. - -It allows an IMAP client to dynamically enable stream compression for an -IMAP session. - -The extension is enabled by default and configured with the default -compression level for the available mechanism. - -### SEARCH=FUZZY - -IMAP provides SEARCH as part of the core protocol, so it is useful to activate -a Full Text Search indexing driver to handle these searches. - -See [[plugin,fts]]. - -### METADATA - -Dovecot supports the IMAP METADATA extension ([[rfc,5464]]), which allows -per-mailbox, per-user data to be stored and accessed via IMAP commands. - -See [[setting,imap_metadata]] for configuration instructions. - -#### Storing Metadata in SQL Dictionary - -You can store metadata into a database. This works best with a dedicated table -for storing the entires. - -::: code-group -```sql [SQL Schema] --- Since username is a primary key, it is required to have some value. --- When empty, it means that the value applies to keys with 'shared/' prefix. --- Keys with 'priv/' prefix are expected to have a non-empty username. - -CREATE TABLE metadata ( - username VARCHAR(255) NOT NULL DEFAULT '', - attr_name VARCHAR(255) NOT NULL, - attr_value VARCHAR(65535), - PRIMARY KEY(username, attr_name) -); -``` - -```[/etc/dovecot/dovecot.conf] -dict_server { - dict metadata { - driver = sql - sql_driver = mysql - - dict_map $key { - sql_table = attr_priv - username_field = username - - key_field attr_name { - value = $key - } - value_field attr_value { - } - } - } -} - -mail_attribute { - dict proxy { - name = metadata - } -} -``` -::: - -### SPECIAL-USE - -No special-use mailboxes are configured by default. However, you can use -[[setting,@mailbox_defaults]] group to include the recommended default -mailboxes with special-use flags configured. Alternatively, you can configure -the [[setting,mailbox]] settings explicitly with -[[setting,mailbox_special_use]]. - -### PREVIEW - -Dovecot supports the PREVIEW extension ([[rfc,8970]]), retrieved -via the IMAP FETCH command. - -The extension is enabled by default. Preview text is generated during -message delivery and is stored in the Dovecot index files. - -### NOTIFY - -Set [[setting,mailbox_list_index,yes]]. - -### URLAUTH: - -Set [[setting,imap_urlauth_host]] and [[setting,mail_attribute]]. + ## IMAP Hibernation @@ -120,11 +26,7 @@ Set [[setting,imap_urlauth_host]] and [[setting,mail_attribute]]. This is not supported on kqueue based systems currently, such as FreeBSD. ::: -Dovecot supports moving connections that have issued IDLE to a special holding -process, called `imap-hibernate`. This process is responsible for holding the -idling connections until they issue some command that requires them to be -thawed back into a (new) imap process. This way, memory and CPU resources -are saved, since there is only one hibernation process. + ### Configuration diff --git a/docs/core/config/include/imap_extensions.inc b/docs/core/config/include/imap_extensions.inc new file mode 100644 index 000000000..08b24dc16 --- /dev/null +++ b/docs/core/config/include/imap_extensions.inc @@ -0,0 +1,95 @@ +Dovecot supports many [IMAP extensions](https://imapwiki.org/Specs). + +### COMPRESS + +Dovecot supports the IMAP COMPRESS ([[rfc,4978]]) extension. + +It allows an IMAP client to dynamically enable stream compression for an +IMAP session. + +The extension is enabled by default and configured with the default +compression level for the available mechanism. + +### SEARCH=FUZZY + +IMAP provides SEARCH as part of the core protocol, so it is useful to activate +a Full Text Search indexing driver to handle these searches. + +See [[plugin,fts]]. + +### METADATA + +Dovecot supports the IMAP METADATA extension ([[rfc,5464]]), which allows +per-mailbox, per-user data to be stored and accessed via IMAP commands. + +See [[setting,imap_metadata]] for configuration instructions. + +#### Storing Metadata in SQL Dictionary + +You can store metadata into a database. This works best with a dedicated table +for storing the entires. + +::: code-group +```sql [SQL Schema] +-- Since username is a primary key, it is required to have some value. +-- When empty, it means that the value applies to keys with 'shared/' prefix. +-- Keys with 'priv/' prefix are expected to have a non-empty username. + +CREATE TABLE metadata ( + username VARCHAR(255) NOT NULL DEFAULT '', + attr_name VARCHAR(255) NOT NULL, + attr_value VARCHAR(65535), + PRIMARY KEY(username, attr_name) +); +``` + +```[/etc/dovecot/dovecot.conf] +dict_server { + dict metadata { + driver = sql + sql_driver = mysql + + dict_map $key { + sql_table = attr_priv + username_field = username + + key_field attr_name { + value = $key + } + value_field attr_value { + } + } + } +} + +mail_attribute { + dict proxy { + name = metadata + } +} +``` +::: + +### SPECIAL-USE + +No special-use mailboxes are configured by default. However, you can use +[[setting,@mailbox_defaults]] group to include the recommended default +mailboxes with special-use flags configured. Alternatively, you can configure +the [[setting,mailbox]] settings explicitly with +[[setting,mailbox_special_use]]. + +### PREVIEW + +Dovecot supports the PREVIEW extension ([[rfc,8970]]), retrieved +via the IMAP FETCH command. + +The extension is enabled by default. Preview text is generated during +message delivery and is stored in the Dovecot index files. + +### NOTIFY + +Set [[setting,mailbox_list_index,yes]]. + +### URLAUTH: + +Set [[setting,imap_urlauth_host]] and [[setting,mail_attribute]]. diff --git a/docs/core/config/include/imap_hibernation_overview.inc b/docs/core/config/include/imap_hibernation_overview.inc new file mode 100644 index 000000000..f35e48f8b --- /dev/null +++ b/docs/core/config/include/imap_hibernation_overview.inc @@ -0,0 +1,5 @@ +Dovecot supports moving connections that have issued IDLE to a special holding +process, called `imap-hibernate`. This process is responsible for holding the +idling connections until they issue some command that requires them to be +thawed back into a (new) imap process. This way, memory and CPU resources +are saved, since there is only one hibernation process. From 097f2964651615100d3e2a99bb4aa7cadc8e35e1 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 15:25:48 +0200 Subject: [PATCH 24/45] settings/syntax: Describe the new config redesign briefly --- data/updates.js | 1 + docs/core/settings/syntax.md | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/data/updates.js b/data/updates.js index 189c2efb7..f5f6dc8e1 100644 --- a/data/updates.js +++ b/data/updates.js @@ -25,6 +25,7 @@ export const updates = { auth_protocol_handshake_changed: '2.4.0', auth_server_common_secured: '2.4.0', auth_sql_workers_changed: '2.4.1', + config_design_changed: '2.4.0', dcrypt_same_cipher_algo_added: '2.4.0', dict_protocol_v4: '2.4.0', doveadm_ex_expired_code: '2.4.0', diff --git a/docs/core/settings/syntax.md b/docs/core/settings/syntax.md index f8c8c3712..71999f3ce 100644 --- a/docs/core/settings/syntax.md +++ b/docs/core/settings/syntax.md @@ -31,6 +31,30 @@ The first setting in the configuration file must be [[setting,dovecot_config_version]]. It specifies the configuration syntax, the used setting names and the expected default values. +[[changed,config_design_changed]] All settings are now global settings, i.e. +there is no settings hierarchy. There are various filters, which can limit +where the settings are used. It is possible to configure any setting inside +any filter, although they may not actually do anything in there. Setting +name prefixes can be stripped out (and they are in [[man,doveconf]] output) +when the prefix matches the parent [[link,settings_syntax_named_filters,named +[list] filter]]. For example: + +```[dovecot.conf] +# named list filter +namespace inbox { + # namespace_separator setting + separator = / +} +# named list filter +passdb static { + # passdb_static_password setting + password = foo + + # this is allowed, but it does nothing here + namespace_separator = / +} +``` + ## Basic Syntax The syntax generally looks like this: From c2f22924bf04bfbefcca70c80c32568cc2980866 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 15:40:49 +0200 Subject: [PATCH 25/45] config/auth: Use titlecase for link texts --- docs/core/config/auth/caching.md | 2 +- docs/core/config/auth/master_users.md | 4 ++-- docs/core/config/auth/mutltiple.md | 2 +- docs/core/config/auth/overview.md | 4 ++-- docs/core/config/auth/passdb.md | 2 +- docs/core/config/auth/penalty.md | 2 +- docs/core/config/auth/policy.md | 2 +- docs/core/config/auth/schemes.md | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/core/config/auth/caching.md b/docs/core/config/auth/caching.md index 7d0710f31..f69be7616 100644 --- a/docs/core/config/auth/caching.md +++ b/docs/core/config/auth/caching.md @@ -2,7 +2,7 @@ layout: doc title: Caching dovecotlinks: - auth_caching: authentication caching + auth_caching: Authentication Caching --- # Authentication Caching diff --git a/docs/core/config/auth/master_users.md b/docs/core/config/auth/master_users.md index ea30cacf5..8b1b2653f 100644 --- a/docs/core/config/auth/master_users.md +++ b/docs/core/config/auth/master_users.md @@ -4,8 +4,8 @@ title: Master Users dovecotlinks: acl_master_users: hash: acls - text: ACL master users - auth_master_users: master users + text: ACL Master Users + auth_master_users: Master Users --- # Master Users/Passwords diff --git a/docs/core/config/auth/mutltiple.md b/docs/core/config/auth/mutltiple.md index fbfe71594..2fa2c28f7 100644 --- a/docs/core/config/auth/mutltiple.md +++ b/docs/core/config/auth/mutltiple.md @@ -2,7 +2,7 @@ layout: doc title: Multiple Databases dovecotlinks: - auth_multiple_dbs: multiple authentication databases + auth_multiple_dbs: Multiple Authentication Databases --- # Multiple Authentication Databases diff --git a/docs/core/config/auth/overview.md b/docs/core/config/auth/overview.md index 0be531f35..b1c1c517a 100644 --- a/docs/core/config/auth/overview.md +++ b/docs/core/config/auth/overview.md @@ -3,10 +3,10 @@ layout: doc title: Overview order: 101 dovecotlinks: - authentication: authentication + authentication: Authentication authentication_debug: hash: debugging - text: debugging authentication + text: Debugging Authentication --- # Authentication diff --git a/docs/core/config/auth/passdb.md b/docs/core/config/auth/passdb.md index bc941f216..2f243c10f 100644 --- a/docs/core/config/auth/passdb.md +++ b/docs/core/config/auth/passdb.md @@ -2,7 +2,7 @@ layout: doc title: passdb dovecotlinks: - passdb: passdb + passdb: Passdb passdb_auth_nologin: hash: nologin text: "passdb: Authentication `nologin` Extra Field" diff --git a/docs/core/config/auth/penalty.md b/docs/core/config/auth/penalty.md index 457a35097..4bb630c74 100644 --- a/docs/core/config/auth/penalty.md +++ b/docs/core/config/auth/penalty.md @@ -2,7 +2,7 @@ layout: doc title: Penalty dovecotlinks: - auth_penalty: authentication penalty + auth_penalty: Authentication Penalty --- # Authentication Penalty diff --git a/docs/core/config/auth/policy.md b/docs/core/config/auth/policy.md index c3b7d2bb4..3364f6250 100644 --- a/docs/core/config/auth/policy.md +++ b/docs/core/config/auth/policy.md @@ -2,7 +2,7 @@ layout: doc title: Policy dovecotlinks: - auth_policy: authentication policy + auth_policy: Authentication Policy auth_policy_configuration: hash: configuration text: Auth Policy Configuration diff --git a/docs/core/config/auth/schemes.md b/docs/core/config/auth/schemes.md index 141752c8a..dc5e182a7 100644 --- a/docs/core/config/auth/schemes.md +++ b/docs/core/config/auth/schemes.md @@ -2,7 +2,7 @@ layout: doc title: Password Schemes dovecotlinks: - password_schemes: password schemes + password_schemes: Password Schemes --- # Password Schemes From c0e1584bfebb6e31a17e764f2fc0de1d103b66cb Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:04:53 +0200 Subject: [PATCH 26/45] auth/ldap: Move Active Directory to its own howto page --- docs/core/config/auth/databases/ldap.md | 109 ----------------------- docs/howto/active_directory.md | 113 ++++++++++++++++++++++++ 2 files changed, 113 insertions(+), 109 deletions(-) create mode 100644 docs/howto/active_directory.md diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 65deb5932..4e0ba765d 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -324,115 +324,6 @@ LDAP library supports them. SASL binds are currently incompatible with authentication binds. ::: -### Active Directory - -When connecting to AD, you may need to use port 3268. Then again, not all LDAP -fields are available in port 3268. Use whatever works. See: -https://technet.microsoft.com/en-us/library/cc978012.aspx. - -### LDAP Driver Configuration - -::: code-group -```[dovecot.conf] -passdb ldap { - ... -} -``` -::: - -This enables LDAP to be used as passdb. -The most important settings are: - -- Configure how the LDAP server is reached. -(Active directory allows binding with username@domain): - -::: code-group -```[dovecot.conf] - ldap_uris = ldap://ldap.example.com - ldap_auth_dn = cn=admin,dc=example,dc=com - ldap_auth_dn_password = secret - ldap_base = dc=example,dc=com -``` -::: - -- Use LDAP authentication binding for verifying users' passwords: - -::: code-group -```[dovecot.conf] -passdb ldap { - bind_userdn = %{user} - bind = yes -} -``` -::: - -- Use auth worker processes to perform LDAP lookups in order to use multiple -concurrent LDAP connections. Otherwise only a single LDAP connection is used. - -::: code-group -```[dovecot.conf] -(passdb|userdb) ... { - use_worker = yes -} -``` -::: - -- Normalize the username to exactly the `mailRoutingAddress` field's value -regardless of how the [[setting,passdb_ldap_filter]] found the user: - -::: code-group -```[dovecot.conf] -passdb ldap { - fields { - user = %{ldap:mailRoutingAddress} - password = %{ldap:userPassword} - proxy = y - proxy_timeout = 10 - } -} -``` -::: - -- Returns userdb fields when prefetch userdb wasn't used (LMTP & doveadm). -The username is again normalized in case `user_filter` found it via some -other means: - -::: code-group -```[dovecot.conf] -passdb ldap { - fields { - user = %{ldap:mailRoutingAddress} - quota_storage_size = %{ldap:messageQuotaHard}B - } -} -``` -::: - -- How to find the user for passdb lookup (this can be set specifically to -distinct values inside each [[setting,passdb]] / [[setting,userdb]] section): - -::: code-group -```[dovecot.conf] -passdb ldap { - filter = (mailRoutingAddress=%{user}) -} -``` -::: - -- How to iterate through all the valid usernames: - -::: code-group -```[dovecot.conf] -userdb ldap { - filter = (mailRoutingAddress=%{user}) - iterate_filter = (objectClass=messageStoreRecipient) - iterate_fields { - user = %{ldap:mailRoutingAddress} - } -} -``` -::: - ### LDAP-Specific Variables The following variables can be used inside the [[setting,passdb]] / [[setting,userdb]] sections: diff --git a/docs/howto/active_directory.md b/docs/howto/active_directory.md new file mode 100644 index 000000000..04e58e5da --- /dev/null +++ b/docs/howto/active_directory.md @@ -0,0 +1,113 @@ +--- +layout: doc +title: Active Directory LDAP +--- + +# Authentication Against Active Directory + +When connecting to AD, you may need to use port 3268. Then again, not all LDAP +fields are available in port 3268. Use whatever works. See: +https://technet.microsoft.com/en-us/library/cc978012.aspx. + +# LDAP Driver Configuration + +::: code-group +```[dovecot.conf] +passdb ldap { + ... +} +``` +::: + +This enables LDAP to be used as passdb. +The most important settings are: + +- Configure how the LDAP server is reached. +(Active directory allows binding with username@domain): + +::: code-group +```[dovecot.conf] + ldap_uris = ldap://ldap.example.com + ldap_auth_dn = cn=admin,dc=example,dc=com + ldap_auth_dn_password = secret + ldap_base = dc=example,dc=com +``` +::: + +- Use LDAP authentication binding for verifying users' passwords: + +::: code-group +```[dovecot.conf] +passdb ldap { + bind_userdn = %{user} + bind = yes +} +``` +::: + +- Use auth worker processes to perform LDAP lookups in order to use multiple +concurrent LDAP connections. Otherwise only a single LDAP connection is used. + +::: code-group +```[dovecot.conf] +(passdb|userdb) ... { + use_worker = yes +} +``` +::: + +- Normalize the username to exactly the `mailRoutingAddress` field's value +regardless of how the [[setting,passdb_ldap_filter]] found the user: + +::: code-group +```[dovecot.conf] +passdb ldap { + fields { + user = %{ldap:mailRoutingAddress} + password = %{ldap:userPassword} + proxy = y + proxy_timeout = 10 + } +} +``` +::: + +- Returns userdb fields when prefetch userdb wasn't used (LMTP & doveadm). +The username is again normalized in case `user_filter` found it via some +other means: + +::: code-group +```[dovecot.conf] +passdb ldap { + fields { + user = %{ldap:mailRoutingAddress} + quota_storage_size = %{ldap:messageQuotaHard}B + } +} +``` +::: + +- How to find the user for passdb lookup (this can be set specifically to +distinct values inside each [[setting,passdb]] / [[setting,userdb]] section): + +::: code-group +```[dovecot.conf] +passdb ldap { + filter = (mailRoutingAddress=%{user}) +} +``` +::: + +- How to iterate through all the valid usernames: + +::: code-group +```[dovecot.conf] +userdb ldap { + filter = (mailRoutingAddress=%{user}) + iterate_filter = (objectClass=messageStoreRecipient) + iterate_fields { + user = %{ldap:mailRoutingAddress} + } +} +``` +::: From d0e2e729b25283fa295378ce3c9b425aa6a35491 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:23:49 +0200 Subject: [PATCH 27/45] auth/ldap: Various cleanups --- docs/core/config/auth/databases/ldap.md | 40 +++++++++++-------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 4e0ba765d..447309b72 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -91,7 +91,7 @@ The two important settings in password lookups are: Usually the LDAP attribute names aren't the same as [[link,passdb,the field names that Dovecot uses internally]]. You must create a mapping between them to get the wanted results. This -is done by listing the fields as ` = ` where +is done by listing the [[setting,passdb_fields]] as ` = ` where expression can include ldap specific variables and other variables too. For example: @@ -113,7 +113,7 @@ special [[link,passdb_extra_fields]]. #### Password -Most important, [[setting,passdb_fields]] must return a `password` field, +Most importantly, [[setting,passdb_fields]] must return a `password` field, which contains the user's password. The next thing Dovecot needs to know is what format the password is in. @@ -126,32 +126,26 @@ See [[link,password_schemes]] for a list of supported password schemes. #### Username -LDAP lookups are case-insensitive. Unless you somehow normalize the -username, it's possible that a user logging in as "user", "User" and -"uSer" are treated differently. +LDAP lookups are case-insensitive. Unless the username is normalized, it's +possible that a user logging in as "user", "User" and "uSer" are treated +differently. By default Dovecot uses [[setting,auth_username_format, +%{user | lower}]] to lowercase the username before it reaches the LDAP lookup. -The easiest way to handle this is to tell Dovecot to change the username -to the same case as it's in the LDAP database. You can do this by -returning "user" field in [[setting,passdb_fields]] setting, as shown in the above example. - -If you can't normalize the username in LDAP, you can alternatively -lowercase the username via [[setting,auth_username_format,%{user | lower}]]. +Alternatively, you may want to change the username to be exactly as it is in +the LDAP database. You can do this by returning `user` field in +[[setting,passdb_fields]] setting, as shown in the above example. #### Use Worker -By default (`no`) all LDAP lookups are performed by the auth master process. - -If [[setting,passdb_use_worker]]/[[setting,passdb_use_worker,]]`= yes`, -auth worker processes are used to perform the lookups. Each auth worker process -creates its own LDAP connection so this can increase parallelism. - -With [[setting,passdb_use_worker]]/[[setting,passdb_use_worker]]`= no`, -the auth master process can keep 8 requests pipelined for the LDAP connection, -while with [[setting,passdb_use_worker]]/[[setting,passdb_use_worker,]]`= yes` -each connection has a maximum of 1 request running. +If [[setting,passdb_use_worker,no]] / [[setting,userdb_use_worker,no]] +(default for passdb ldap), all LDAP lookups are performed by the auth master +process. Each LDAP connection can keep up to 8 requests pipelined. For small +systems this is sufficient and uses less resources, but it may become a +bottleneck if there are a lot of queries. -For small systems, [[setting,passdb_use_worker]]/[[setting,passdb_use_worker]]`= no` -is sufficient and uses less resources. +If [[setting,passdb_use_worker,yes]], `auth-worker` processes are used to +perform the lookups. Each auth worker process creates its own LDAP connection +so this can increase parallelism. ### Example From 63ebd3dec3dc2f1400dbe37f479c58725b1757f4 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:26:50 +0200 Subject: [PATCH 28/45] auth/ldap: Remove Variables and Domains This was very confusing text to read. It also isn't specific to LDAP, so doesn't really belong to this page. --- docs/core/config/auth/databases/ldap.md | 83 ------------------------- 1 file changed, 83 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 447309b72..1c91b9d13 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -353,58 +353,6 @@ userdb ldap2 { ``` ::: -### Variables and Domains - -User names and domains may be distinguished using the Variables `%{user | username}` and `%{user | domain}`. -They split the previous username at the `@` character. - -The previous username is: - -- For LMTP, it will be `user@hostname`, where hostname depends on, - e.g., the Postfix configuration. - -- For IMAP, it will be whatever the password database has designated as - the username. - - If the (LDAP) password database has: - ``` - fields { - user = %{user | username} - } - ``` - then the domain part of the login name will be stripped by the password database. - -- The userdb will not see any domain part, i.e. `%{user | username}` and `%{user}` are the same - thing for the userdb. The userdb may set a new username, too, using: - ``` - fields { - user = ... - } - ``` - This will be used for Logging `%{user}` and `%{user | domain}` - variables in other parts of the configuration (e.g. quota file names). - -::: code-group -```[dovecot.conf] -passdb ldap { - ... -} - -userdb prefetch { - driver = prefetch -} - -userdb ldap { - ... -} -``` -::: - -These enable `LDAP` to be used as [[setting,passdb]] / [[setting,userdb]]. The userdb -prefetch allows `IMAP` or `POP3` logins to do only a single LDAP lookup by -returning the userdb information already in the passdb lookup. -[[link,auth_prefetch]] has more details on the prefetch userdb. - ## LDAP Settings @@ -496,34 +444,3 @@ userdb ldap { It is possible to give default values to nonexistent attributes by using e.g. `%{ldap:userDomain | default('example.com')}` where if userDomain attribute doesn't exist, example.com is used instead. - -### Variables and Domains - -User names and domains may be distinguished using the [[variable]] -`%{user | username}` and `%{user | domain}`. They split the *previous username* at the "@" character. The -*previous username* is: - -- For LMTP, it will be `user@hostname`, where hostname depends on e.g. - the Postfix configuration. - -- For IMAP, it will be whatever the password database has designated as - the username. If the (LDAP) password database [[setting,passdb_fields ]] - contains `user=%{user | username}`, then the domain part of the login name will be stripped by - the password database. The userdb will not see any domain part, i.e. - %{user | username} and %{user} are the same thing for the userdb. - -The userdb may set a new username, too, using -``` -userdb ldap { - fields { - user = ... - } -} -``` - -This will be used for: - -- Logging - -- `%{user}` and `%{user | domain}` variables in other parts of the configuration (e.g. quota - file names) From 551ca9ee9210eed28ebb4c718b17f141d37e0d38 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:31:26 +0200 Subject: [PATCH 29/45] auth/ldap: Reorder sections --- docs/core/config/auth/databases/ldap.md | 279 ++++++++++++------------ 1 file changed, 138 insertions(+), 141 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 1c91b9d13..5628721bc 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -7,10 +7,121 @@ dovecotlinks: # LDAP Authentication (`ldap`) -There are two ways to do LDAP authentication: +There are two ways to do LDAP authentication in [[link,passdb,passdb]]: -* [Password Lookups](#password-lookups) * [Authentication Binds](#authentication-binds) +* [Password Lookups](#password-lookups) + +LDAP can be used as [userdb ldap](#ldap-userdb). + +## Connecting + +The LDAP server(s) endpoints must be specified as ldap URIs: + +* [[setting,ldap_uris]]: A space separated list of LDAP URIs to connect to. + +If multiple LDAP servers are specified, it's decided by the LDAP library how +the server connections are handled. Typically the first working server is used, +and it's never disconnected from. So there is no load balancing or automatic +reconnecting to the "primary" server. + +### Worker Processes + +If [[setting,passdb_use_worker,no]] / [[setting,userdb_use_worker,no]] +(default for passdb ldap), all LDAP lookups are performed by the auth master +process. Each LDAP connection can keep up to 8 requests pipelined. For small +systems this is sufficient and uses less resources, but it may become a +bottleneck if there are a lot of queries. + +If [[setting,passdb_use_worker,yes]], `auth-worker` processes are used to +perform the lookups. Each auth worker process creates its own LDAP connection +so this can increase parallelism. + +### Connection Optimization + +When using + +- auth binds and +- userdb ldap lookups, + +the userdb lookups should use a separate connection to the LDAP server. +That way it can send LDAP requests asynchronously to the server, which +improves the performance. This can be done by specifying distinct +[[setting,ldap_connection_group]] in the LDAP +[[setting,passdb]] / [[setting,userdb]] sections. + +::: code-group +```[dovecot.conf] +passdb ldap { + # ldap_connection_group left unchanged, the default is '' + ... +} + +userdb ldap { + ldap_connection_group = different-connection-group + ... +} +``` +::: + +### SSL/TLS + +You can enable TLS in two alternative ways: + +* Connect to ldaps port (636) by using "ldaps" protocol, e.g. `ldap_uris = + ldaps://secure.domain.org` +* Connect to ldap port (389) and use STARTTLS command. Use [[setting,ssl,yes]] to + enable this. + +See the [[link,ssl_configuration]] settings for how to configure TLS. Not all +of Dovecot SSL settings are supported by the LDAP library. Below is the list +of supported settings: + + + +#### Custom Certs + +If you need to connect to ldaps secured against a custom certificate of +authority (CA), you will need to install the custom CA on your system. + +For OpenLDAP, by default, the CA must be installed under the directory +specified in the `TLS_CACERTDIR` option found under `/etc/openldap/ldap.conf` +(default value is `/etc/openldap/certs`). + +After copying the CA, you'll need to run "c_rehash ." inside the directory, +this will create a symlink pointing to the CA. + +You can test the CA installation with this command: + +```sh +$ openssl s_client -connect yourldap.example.org:636 \ + -CApath /etc/openldap/certs -showcerts +``` + +This should report "Verify return code: 0 (ok)". + +### SASL binds + +It's possible to use SASL binds instead of the regular simple binds if your +LDAP library supports them. + +::: warning Note +SASL binds are currently incompatible with authentication binds. +::: + +## LDAP Settings + + + +## LDAP-Specific Variables + +The following variables can be used inside the [[setting,passdb]] / [[setting,userdb]] sections: + +| Variable | Description | +| -------- | ----------- | +| `%{ldap:attrName}` | Fetches a single-valued attribute. Fails if the attribute is not present, unless the `|default` filter is given. If there are multiple values, all except the first are ignored (with warning). | +| `%{ldap_multi:attrName}` | [[added,ldap_multi_added]] Fetches a multi-valued attribute and outputs the values separated by tabs, with each value "tab-escaped". Use the `list` [[link,settings_variables_filters,filter]] to further convert it to a wanted value. For example: `mail_access_groups = %{ldap_multi:userGroups \| list \| default('mail')}` | +| `%{ldap:dn}` | Retrieves the Distinguished Name of the entry. | ## Password Lookups @@ -135,18 +246,6 @@ Alternatively, you may want to change the username to be exactly as it is in the LDAP database. You can do this by returning `user` field in [[setting,passdb_fields]] setting, as shown in the above example. -#### Use Worker - -If [[setting,passdb_use_worker,no]] / [[setting,userdb_use_worker,no]] -(default for passdb ldap), all LDAP lookups are performed by the auth master -process. Each LDAP connection can keep up to 8 requests pipelined. For small -systems this is sufficient and uses less resources, but it may become a -bottleneck if there are a lot of queries. - -If [[setting,passdb_use_worker,yes]], `auth-worker` processes are used to -perform the lookups. Each auth worker process creates its own LDAP connection -so this can increase parallelism. - ### Example A typical configuration would look like: @@ -230,133 +329,6 @@ If you're using DN template, there is no LDAP lookup that returns fields, so ``` ::: -### Connection Optimization - -When using - -- auth binds and -- userdb ldap lookups, - -the userdb lookups should use a separate connection to the LDAP server. -That way it can send LDAP requests asynchronously to the server, which -improves the performance. This can be done by specifying distinct -[[setting,ldap_connection_group]] in the LDAP -[[setting,passdb]] / [[setting,userdb]] sections. - -::: code-group -```[dovecot.conf] -passdb ldap { - # ldap_connection_group left unchanged, the default is '' - ... -} - -userdb ldap { - ldap_connection_group = different-connection-group - ... -} -``` -::: - -## Common Configuration - -This sections describes the configuration common to LDAP [[link,passdb]] and -[[link,userdb]]. - -### Connecting - -The LDAP server(s) endpoints must be specified as ldap URIs: - -* [[setting,ldap_uris]]: A space separated list of LDAP URIs to connect to. - -If multiple LDAP servers are specified, it's decided by the LDAP library how -the server connections are handled. Typically the first working server is used, -and it's never disconnected from. So there is no load balancing or automatic -reconnecting to the "primary" server. - -### SSL/TLS - -You can enable TLS in two alternative ways: - -* Connect to ldaps port (636) by using "ldaps" protocol, e.g. `ldap_uris = - ldaps://secure.domain.org` -* Connect to ldap port (389) and use STARTTLS command. Use [[setting,ssl,yes]] to - enable this. - -See the [[link,ssl_configuration]] settings for how to configure TLS. Not all -of Dovecot SSL settings are supported by the LDAP library. Below is the list -of supported settings: - - - -#### Custom Certs - -If you need to connect to ldaps secured against a custom certificate of -authority (CA), you will need to install the custom CA on your system. - -For OpenLDAP, by default, the CA must be installed under the directory -specified in the `TLS_CACERTDIR` option found under `/etc/openldap/ldap.conf` -(default value is `/etc/openldap/certs`). - -After copying the CA, you'll need to run "c_rehash ." inside the directory, -this will create a symlink pointing to the CA. - -You can test the CA installation with this command: - -```sh -$ openssl s_client -connect yourldap.example.org:636 \ - -CApath /etc/openldap/certs -showcerts -``` - -This should report "Verify return code: 0 (ok)". - -### SASL binds - -It's possible to use SASL binds instead of the regular simple binds if your -LDAP library supports them. - -::: warning Note -SASL binds are currently incompatible with authentication binds. -::: - -### LDAP-Specific Variables - -The following variables can be used inside the [[setting,passdb]] / [[setting,userdb]] sections: - -| Variable | Description | -| -------- | ----------- | -| `%{ldap:attrName}` | Fetches a single-valued attribute. Fails if the attribute is not present, unless the `|default` filter is given. If there are multiple values, all except the first are ignored (with warning). | -| `%{ldap_multi:attrName}` | [[added,ldap_multi_added]] Fetches a multi-valued attribute and outputs the values separated by tabs, with each value "tab-escaped". Use the `list` [[link,settings_variables_filters,filter]] to further convert it to a wanted value. For example: `mail_access_groups = %{ldap_multi:userGroups \| list \| default('mail')}` | -| `%{ldap:dn}` | Retrieves the Distinguished Name of the entry. | - -### Multiple Queries via userdbs - -Example: Give the user a class attribute, which defines the default quota: - -::: code-group -```[dovecot.conf] -userdb ldap1 { - driver = ldap - result_success = continue-ok - fields { - class = %{ldap:userClass} - quota_storage_size = %{ldap:quotaBytes}B - } -} - -userdb ldap2 { - driver = ldap - skip = notfound - fields { - quota_storage_size:default = %{ldap:classQuotaBytes}B - } -} -``` -::: - -## LDAP Settings - - - ## LDAP userdb Usually your LDAP database also contains the [[link,userdb]]. @@ -444,3 +416,28 @@ userdb ldap { It is possible to give default values to nonexistent attributes by using e.g. `%{ldap:userDomain | default('example.com')}` where if userDomain attribute doesn't exist, example.com is used instead. + +### Multiple Queries via userdbs + +Example: Give the user a class attribute, which defines the default quota: + +::: code-group +```[dovecot.conf] +userdb ldap1 { + driver = ldap + result_success = continue-ok + fields { + class = %{ldap:userClass} + quota_storage_size = %{ldap:quotaBytes}B + } +} + +userdb ldap2 { + driver = ldap + skip = notfound + fields { + quota_storage_size:default = %{ldap:classQuotaBytes}B + } +} +``` +::: From 9506c60cecc88699e2079358a23138946beba228 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:32:31 +0200 Subject: [PATCH 30/45] auth/ldap: Clarify ldap_connection_group should be used without auth-workers --- docs/core/config/auth/databases/ldap.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 5628721bc..731de450a 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -41,6 +41,8 @@ so this can increase parallelism. When using +- [[setting,passdb_use_worker,no]], +- [[setting,userdb_use_worker,no]], - auth binds and - userdb ldap lookups, From c37cfab636f9d889fb350d349cb230ed3df151a6 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:41:47 +0200 Subject: [PATCH 31/45] auth/ldap: Fix ldap_starttls setting link --- docs/core/config/auth/databases/ldap.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 731de450a..d63013589 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -72,8 +72,8 @@ You can enable TLS in two alternative ways: * Connect to ldaps port (636) by using "ldaps" protocol, e.g. `ldap_uris = ldaps://secure.domain.org` -* Connect to ldap port (389) and use STARTTLS command. Use [[setting,ssl,yes]] to - enable this. +* Connect to ldap port (389) and use STARTTLS command. Use + [[setting,ldap_starttls,yes]] to enable this. See the [[link,ssl_configuration]] settings for how to configure TLS. Not all of Dovecot SSL settings are supported by the LDAP library. Below is the list From 06e8cbde8be3088fe3f5112bf2710d1fb7108dca Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:41:58 +0200 Subject: [PATCH 32/45] auth/ldap: Add Connection Authentication and merge SASL binds section to it --- docs/core/config/auth/databases/ldap.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index d63013589..f4b7b0ff7 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -25,6 +25,16 @@ the server connections are handled. Typically the first working server is used, and it's never disconnected from. So there is no load balancing or automatic reconnecting to the "primary" server. +### Connection Authentication + +If LDAP server requires authentication, set: + + * [[setting,ldap_auth_dn]] + * [[setting,ldap_auth_dn_password]] + * [[setting,ldap_auth_sasl_mechanisms]] can be set to list of SASL mechanisms + to authenticate with. Note that this is used only for the initial connection + authentication, not for any subsequent [authentication binds](#authentication-binds). + ### Worker Processes If [[setting,passdb_use_worker,no]] / [[setting,userdb_use_worker,no]] @@ -102,15 +112,6 @@ $ openssl s_client -connect yourldap.example.org:636 \ This should report "Verify return code: 0 (ok)". -### SASL binds - -It's possible to use SASL binds instead of the regular simple binds if your -LDAP library supports them. - -::: warning Note -SASL binds are currently incompatible with authentication binds. -::: - ## LDAP Settings From 75f1ad4763a72b349c53b5ec7e973630709efc71 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:45:03 +0200 Subject: [PATCH 33/45] auth/ldap: Fix ssl-ldap SettingsComponent level --- docs/core/config/auth/databases/ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index f4b7b0ff7..2f4acbbdf 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -89,7 +89,7 @@ See the [[link,ssl_configuration]] settings for how to configure TLS. Not all of Dovecot SSL settings are supported by the LDAP library. Below is the list of supported settings: - + #### Custom Certs From 17342e3eca80e8caf1d2acc60ec774021c4cef65 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:50:24 +0200 Subject: [PATCH 34/45] auth/ldap: Update DN template section --- docs/core/config/auth/databases/ldap.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 2f4acbbdf..15302f015 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -309,15 +309,17 @@ Example: ### DN Template +You can do authentication binding using DN template by configuring it in the +[[setting,passdb_ldap_bind_userdn]] setting. + The main reason to use DN template is to avoid doing the DN lookup, so that the authentication consists only of one LDAP request. With IMAP and POP3 logins, the same optimization can be done by using [[link,auth_prefetch]] and returning userdb info in the DN lookup (a total -of two LDAP requests per login in both cases). - -If you're also using Dovecot for SMTP AUTH, it doesn't do a userdb lookup -so the prefetch optimization doesn't help. +of two LDAP requests per login in both cases). If you're also using Dovecot +for SMTP AUTH, it doesn't do a userdb lookup so the prefetch optimization +doesn't help. If you're using DN template, there is no LDAP lookup that returns fields, so [[setting,passdb_fields]] can't access any `%{ldap:*}` variables. Also, From 1123cf65473913a2a659d196b8e2627a1b6ade44 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 17:53:17 +0200 Subject: [PATCH 35/45] auth/static: Mention that you can use mail_uid/gid/home as alternative to userdb static --- docs/core/config/auth/databases/static.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/core/config/auth/databases/static.md b/docs/core/config/auth/databases/static.md index 69ab31ed0..6f79d5f38 100644 --- a/docs/core/config/auth/databases/static.md +++ b/docs/core/config/auth/databases/static.md @@ -69,6 +69,14 @@ userdb static { The home is optional. You can also return other [[link,userdb_extra_fields]]. You can use [[variable]] everywhere. +For the above 3 fields a static userdb isn't actually necessary at all. +Instead, you can just leave out the userdb configuration and set: + + * [[setting,mail_uid]] + * [[setting,mail_gid]] + * [[setting,mail_home]] + + ### LDA and passdb Lookup for User Verification Unless your MTA already verifies that the user exists before calling From 92be4402763b02fb1a2855dff423bedf23b2c303 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 13 Mar 2025 18:03:11 +0200 Subject: [PATCH 36/45] auth/ldap: Update userdb ldap --- docs/core/config/auth/databases/ldap.md | 14 ++++++++------ docs/core/config/auth/databases/static.md | 3 +++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 15302f015..6934ce35c 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -338,12 +338,12 @@ If you're using DN template, there is no LDAP lookup that returns fields, so Usually your LDAP database also contains the [[link,userdb]]. -If your home directory can be specified with a template and you're using -only a single UID and GID, you should use [[link,auth_staticdb]] -instead to avoid an unnecessary LDAP lookup. You can also use -[[link,auth_prefetch]] to avoid the userdb LDAP lookup. +If your home directory can be specified with a template, you're using only a +single UID and GID, and you don't need any other user-specific fields, you +should use [[link,userdb_static]] instead to avoid an unnecessary LDAP lookup. +You can also use [[link,auth_prefetch]] to avoid the userdb LDAP lookup. -Userdb lookups are always done using the default DN (`dn` setting) +Userdb lookups are always done using the [[setting,ldap_auth_dn]] bind. It's not possible to do the lookup using the user's DN (remember that e.g. [[link,lda]] or [[link,lmtp]] needs to do userdb lookups without knowing the user's password). @@ -367,7 +367,9 @@ userdb ldap { } ``` -# For using doveadm -A: +### User Iteration + +For using `doveadm -A` or `-u` with wildcards: ``` userdb ldap { iterate_filter = (objectClass=posixAccount) diff --git a/docs/core/config/auth/databases/static.md b/docs/core/config/auth/databases/static.md index 6f79d5f38..92e2f82e3 100644 --- a/docs/core/config/auth/databases/static.md +++ b/docs/core/config/auth/databases/static.md @@ -3,6 +3,9 @@ layout: doc title: Static dovecotlinks: auth_staticdb: static authentication database + userdb_static: + hash: userdb + text: Userdb Static --- # Static Password Database (`static`) From b56aed03cf3e8d057ccd1300b5dfa0f7c458674f Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 14 Mar 2025 07:51:26 +0200 Subject: [PATCH 37/45] auth/ldap: Add commonly used ldap_* settings to most examples --- docs/core/config/auth/databases/ldap.md | 67 ++++++++++++++++++------- 1 file changed, 49 insertions(+), 18 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 6934ce35c..ef9a9c41b 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -211,7 +211,13 @@ expression can include ldap specific variables and other variables too. For example: ::: code-group ```[dovecot.conf] +ldap_uris = ldap://ldap.example.org +ldap_auth_dn = cn=admin,dc=example,dc=org +ldap_auth_dn_password = secret +ldap_base = dc=example,dc=org + passdb ldap { + filter = (&(objectClass=posixAccount)(uid=%{user})) fields { user = %{ldap:uid} password = %{ldap:userPassword} @@ -255,15 +261,20 @@ A typical configuration would look like: ::: code-group ```[dovecot.conf] - passdb ldap { - bind = no - default_password_scheme = MD5 - ldap_filter = (&(objectClass=posixAccount)(uid=%{user})) - fields { - user = %{ldap:uid} - password = %{ldap:userPassword} - } +ldap_uris = ldap://ldap.example.org +ldap_auth_dn = cn=admin,dc=example,dc=org +ldap_auth_dn_password = secret +ldap_base = dc=example,dc=org + +passdb ldap { + bind = no + default_password_scheme = MD5 + filter = (&(objectClass=posixAccount)(uid=%{user})) + fields { + user = %{ldap:uid} + password = %{ldap:userPassword} } +} ``` ::: @@ -297,13 +308,18 @@ Example: ::: code-group ```[dovecot.conf] - passdb ldap { - bind = yes - ldap_filter = (&(objectClass=posixAccount)(uid=%{user})) - fields { - user = %{ldap:uid} - } +ldap_uris = ldap://ldap.example.org +ldap_auth_dn = cn=admin,dc=example,dc=org +ldap_auth_dn_password = secret +ldap_base = dc=example,dc=org + +passdb ldap { + bind = yes + filter = (&(objectClass=posixAccount)(uid=%{user})) + fields { + user = %{ldap:uid} } +} ``` ::: @@ -327,10 +343,15 @@ If you're using DN template, there is no LDAP lookup that returns fields, so ::: code-group ```[dovecot.conf] - passdb ldap { - bind = yes - bind_userdn = cn=%{user},ou=people,o=org - } +ldap_uris = ldap://ldap.example.org +ldap_auth_dn = cn=admin,dc=example,dc=org +ldap_auth_dn_password = secret +ldap_base = dc=example,dc=org + +passdb ldap { + bind = yes + bind_userdn = cn=%{user},ou=people,o=org +} ``` ::: @@ -357,6 +378,11 @@ them globally with [[setting,mail_uid]] and [[setting,mail_gid]] settings instea returning them from LDAP. ``` +ldap_uris = ldap://ldap.example.org +ldap_auth_dn = cn=admin,dc=example,dc=org +ldap_auth_dn_password = secret +ldap_base = dc=example,dc=org + userdb ldap { filter = (&(objectClass=posixAccount)(uid=%{user})) fields { @@ -371,6 +397,11 @@ userdb ldap { For using `doveadm -A` or `-u` with wildcards: ``` +ldap_uris = ldap://ldap.example.org +ldap_auth_dn = cn=admin,dc=example,dc=org +ldap_auth_dn_password = secret +ldap_base = dc=example,dc=org + userdb ldap { iterate_filter = (objectClass=posixAccount) iterate_fields { From 4947c5ed9626f119334c5e0a161afa966b3ffee3 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 14 Mar 2025 11:55:47 +0200 Subject: [PATCH 38/45] auth/ldap: Rewrite "Multiple Queries via userdbs" example --- docs/core/config/auth/databases/ldap.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index ef9a9c41b..8384e29d1 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -457,24 +457,30 @@ userDomain attribute doesn't exist, example.com is used instead. ### Multiple Queries via userdbs -Example: Give the user a class attribute, which defines the default quota: +Example: Give the user a class attribute, which defines the quota: ::: code-group ```[dovecot.conf] -userdb ldap1 { +ldap_uris = ldap://ldap.example.org +ldap_auth_dn = cn=admin,dc=example,dc=org +ldap_auth_dn_password = secret +ldap_base = dc=example,dc=org + +userdb ldap-user { driver = ldap result_success = continue-ok + ldap_filter = (&(objectClass=posixAccount)(uid=%{user})) fields { class = %{ldap:userClass} - quota_storage_size = %{ldap:quotaBytes}B } } -userdb ldap2 { +userdb ldap-class { driver = ldap skip = notfound + ldap_filter = (&(objectClass=classSettings)(class=%{userdb:class})) fields { - quota_storage_size:default = %{ldap:classQuotaBytes}B + quota_storage_size = %{ldap:quotaBytes}B } } ``` From bbcc08925e0ddd2b43953ad174e239ed120636ff Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 14 Mar 2025 14:06:11 +0200 Subject: [PATCH 39/45] config/proxy/referrals: Mention this page is mainly for historical reasons --- docs/core/config/proxy/referrals.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/core/config/proxy/referrals.md b/docs/core/config/proxy/referrals.md index e0149ef7a..c22f1ae51 100644 --- a/docs/core/config/proxy/referrals.md +++ b/docs/core/config/proxy/referrals.md @@ -7,7 +7,9 @@ dovecotlinks: # Login Referrals -Login referrals are an IMAP extension specified by [[rfc,2221]]. +Login referrals are an IMAP extension specified by [[rfc,2221]]. It is +practically not used by anyone, so this page exists mainly for historical +reasons. Their purpose is to redirect clients to an different IMAP server in case of hardware failures or organizational changes. No client action is needed From db5b19d216a2490b90db1817f188443580a47c58 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 14 Mar 2025 14:26:13 +0200 Subject: [PATCH 40/45] config/proxy/overview: Remove proxy_always This is very confusing and non-workable feature nowadays. Removeit from docs so it doesn't confuse people, and later probably from code as well. --- docs/core/config/proxy/overview.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/docs/core/config/proxy/overview.md b/docs/core/config/proxy/overview.md index 0732c6427..e11733cb6 100644 --- a/docs/core/config/proxy/overview.md +++ b/docs/core/config/proxy/overview.md @@ -53,17 +53,6 @@ login fails with `Proxying loops` error. * `auth_proxy_self` setting in `dovecot.conf` can be used to specify extra IPs that are also considered to be the proxy's own IPs. -### `proxy_always` - -Can be used with `proxy_maybe` to conditionally do proxying to specified -remote host (host isn't self) or to let cluster assign a backend host (host -is self). - -Basically, this setting just always sends the `proxy` extra field to login -process, but not necessarily the host. - -Useful when dividing users across multiple clusters. - ### `host=` The destination server's IP address. From 6b0543a40cbd58035bab78439a762b8dfeb665c2 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 14 Mar 2025 14:45:36 +0200 Subject: [PATCH 41/45] config/proxy/overview: Various fixes, cleanups, removals of obsolete warnings --- docs/core/config/proxy/overview.md | 130 +++++++++++++---------------- 1 file changed, 59 insertions(+), 71 deletions(-) diff --git a/docs/core/config/proxy/overview.md b/docs/core/config/proxy/overview.md index e11733cb6..9dc39f9f2 100644 --- a/docs/core/config/proxy/overview.md +++ b/docs/core/config/proxy/overview.md @@ -9,25 +9,48 @@ dovecotlinks: text: forwarding fields --- -# Proxy passdb +# Dovecot Proxying Dovecot supports proxying IMAP, POP3, [[link,submission]], [[link,lmtp]], -and [[link,managesieve]] connections to other hosts. +[[link,managesieve]] and doveadm connections to other hosts. The proxying can be done for all users, or only for some specific users. There -are two ways to do the authentication: +are two ways to do the authentication on the remote server: -1. Forward the password to the remote server. The proxy may or may not perform - authentication itself. This requires that the client uses only cleartext - authentication, or alternatively the proxy has access to users' passwords in - cleartext. +1. Forward the user-given password (or OAUTH token) to the remote server. This + is done by returning `pass=%{password}` and `proxy_mech=%{mechanism}` extra + fields. -2. Let Dovecot proxy perform the authentication and login to remote server + * This doesn't work if any non-cleartext, non-token-based + [[link,authentication_mechanisms, authentication mechanisms]] are used, + because they prevent such password forwarding by design. + * `proxy_mech` is needed only if both OAUTH and cleartext mechanisms + are enabled. + +1. Let Dovecot proxy perform the authentication and login to remote server using the proxy's [[link,auth_master_users]]. This allows client to use also non-cleartext authentication. -The proxy is configured pretty much the same way as [[link,auth_referral]], -with the addition of `proxy` field. +## Configuration + +Proxying is enabled by the `proxy` or `proxy_maybe` extra field. +Additionally, `host` is also a required field. See below for details on +them and other optional extra fields. + +In backends, set [[setting,login_trusted_networks]] to point to the proxies' +IP addresses. This way you'll get the clients' actual IP addresses logged +instead of the proxy's. + +The destination servers don't need to be running Dovecot, but you should make +sure that the Dovecot proxy doesn't advertise more capabilities than the +destination server can handle. For IMAP you can do this by changing +[[setting,imap_capability]]. For POP3 you'll have to modify Dovecot's sources +for now (`src/pop3/capability.h`). + +Dovecot IMAP proxy also automatically sends updated untagged CAPABILITY reply +if it detects that the remote server has different capabilities than what it +already advertised to the client, but some clients simply ignore the +updated CAPABILITY reply. ## Fields @@ -35,23 +58,22 @@ with the addition of `proxy` field. Enables the proxying. -Either this or `proxy_maybe` is required. +Either this or `proxy_maybe` is required to enable proxying. ### `proxy_maybe` -Enables the proxying. +Enables optional proxying. -Either this or `proxy` is required. +Either this or `proxy` is required to enable proxying. -`proxy_maybe` can be used to implement "automatic proxying". If the +`proxy_maybe` can be used to implement "automatic proxying" to implement +a mixed mode of running proxies and backends in the same servers. If the proxy destination matches the current connection, the user gets logged in normally instead of being proxied. If the same happens with `proxy`, the login fails with `Proxying loops` error. -* `proxy_maybe` with LMTP require. -* `proxy_maybe` with `host=` requires. -* `auth_proxy_self` setting in `dovecot.conf` can be used to specify extra - IPs that are also considered to be the proxy's own IPs. +[[setting,auth_proxy_self]] can be used to specify extra IPs that are also +considered to be the proxy's own IPs. ### `host=` @@ -81,6 +103,7 @@ Tell client to use a different username when logging in. ### `proxy_mech=` Tell client to use this SASL authentication mechanism when logging in. +See [[setting,imapc_sasl_mechanisms]] for supported mechanisms ### `proxy_timeout=` @@ -98,62 +121,31 @@ that hang otherwise. ### `proxy_not_trusted` -IMAP/POP3 proxying never sends the `ID/XCLIENT` command to remote. +IMAP/POP3 proxying never sends the `ID/XCLIENT` command to remote. This can be +used when proxying to remote servers that shouldn't see the clients' original +IP addresses or other information. ## SSL You can use SSL/TLS connection to destination server by returning: -* [[setting,ssl,yes]] - - Use SSL and require a valid verified remote certificate. - - ::: warning - Unless used carefully, this is an insecure setting! - The only way to use this securely is to only use and allow your own private - CA's certs; anything else is exploitable by a man-in-the-middle attack. - ::: - - ::: info - Login processes don't currently use the [[setting,ssl_client_ca_dir]] setting - for verifying the remote certificate, mainly because login processes can't - really read the files chrooted. You can instead use - [[setting,ssl_client_ca_file]]. - ::: - - ::: warning - doveadm proxying doesn't support SSL/TLS currently - any ssl/starttls - extra field is ignored. - ::: +* `ssl=yes`: Use SSL and require a valid verified remote certificate. * `ssl=any-cert`: Use SSL, but don't require a valid remote certificate. * `starttls=yes`: Use STARTTLS command instead of doing SSL handshake immediately after connected. -* `starttls=any-cert`: Combine starttls and `ssl=any-cert`. +* `starttls=any-cert`: Combine `starttl` and `ssl=any-cert`. + +::: info +Login processes are chrooted, so [[setting,ssl_client_ca_dir]] setting +doesn't work. You can instead use [[setting,ssl_client_ca_file]]. +::: Additionally you can also tell Dovecot to send SSL client certificate to the remote server using [[setting,ssl_client_cert_file]] and -[[setting,ssl_client_key_file]] settings in `dovecot.conf`. - -Set [[setting,login_trusted_networks]] to point to the proxies in the -backends. This way you'll get the clients' actual IP addresses logged instead -of the proxy's. - -The destination servers don't need to be running Dovecot, but you should make -sure that the Dovecot proxy doesn't advertise more capabilities than the -destination server can handle. - -For IMAP you can do this by changing [[setting,imap_capability]]. - -For POP3 you'll have to modify Dovecot's sources for now -(`src/pop3/capability.h`). - -Dovecot also automatically sends updated untagged CAPABILITY reply if it -detects that the remote server has different capabilities than what it -already advertised to the client, but some clients simply ignore the -updated CAPABILITY reply. +[[setting,ssl_client_key_file]] settings. ## Source IPs @@ -175,8 +167,7 @@ To avoid reconnection load spikes when a backend server dies, you can tell proxy to spread the client disconnections over a longer time period (after the server side of the connection is already disconnected). -[[setting,login_proxy_max_disconnect_delay]] controls this (disabled by -default). +[[setting,login_proxy_max_disconnect_delay]] controls this. ## Forwarding Fields @@ -191,7 +182,7 @@ passdb extra fields, so they are visible in, e.g., If the proxying continues, all these fields are further forwarded to the next hop again. -This feature requires that the sending host is in +This feature requires that the sending host is in the destination's [[setting,login_trusted_networks]]. See [[link,forwarding_parameters]] for more details on how this is implemented @@ -246,27 +237,24 @@ If you don't want proxy itself to do authentication, you can configure it to succeed with any given password. You can do this by returning an empty password and `nopassword` field. -## Master Password +## Master Users + +Note that this is different from master passwords. This way of forwarding requires the destination server to support master user feature. The users will be normally authenticated in the proxy and the common proxy fields are returned, but you'll need to return two fields specially: -* `master=`: This contains the master username (e.g. proxy). It's used as +* `master=`: This contains the master username (e.g. `proxy`). It's used as SASL authentication ID. * Alternatively you could return `destuser=user*master` and set [[setting,auth_master_user_separator,*]]. -* `pass=: This field contains the master user's password. +* `pass=`: This field contains the master user's password. See [[link,auth_master_users]] for more information how to configure this. -## OAuth2 Forwarding - -If you want to forward [[link,auth_oauth2]] tokens, return field -`proxy_mech=%{mechanism}` as extra field. - ## Examples ### Password Forwarding with Static DB From 1bbb62135badd62160fe89b22b72e7328fb7e2cb Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 14 Mar 2025 14:47:57 +0200 Subject: [PATCH 42/45] config/proxy/overview: Split to proxy-auth-methods.inc --- .../config/proxy/include/proxy-auth-methods.inc | 13 +++++++++++++ docs/core/config/proxy/overview.md | 14 +------------- 2 files changed, 14 insertions(+), 13 deletions(-) create mode 100644 docs/core/config/proxy/include/proxy-auth-methods.inc diff --git a/docs/core/config/proxy/include/proxy-auth-methods.inc b/docs/core/config/proxy/include/proxy-auth-methods.inc new file mode 100644 index 000000000..f1bb01403 --- /dev/null +++ b/docs/core/config/proxy/include/proxy-auth-methods.inc @@ -0,0 +1,13 @@ +1. Forward the user-given password (or OAUTH token) to the remote server. This + is done by returning `pass=%{password}` and `proxy_mech=%{mechanism}` extra + fields. + + * This doesn't work if any non-cleartext, non-token-based + [[link,authentication_mechanisms, authentication mechanisms]] are used, + because they prevent such password forwarding by design. + * `proxy_mech` is needed only if both OAUTH and cleartext mechanisms + are enabled. + +1. Let Dovecot proxy perform the authentication and login to remote server + using the proxy's [[link,auth_master_users]]. This allows client + to use also non-cleartext authentication. diff --git a/docs/core/config/proxy/overview.md b/docs/core/config/proxy/overview.md index 9dc39f9f2..2c10f794d 100644 --- a/docs/core/config/proxy/overview.md +++ b/docs/core/config/proxy/overview.md @@ -17,19 +17,7 @@ Dovecot supports proxying IMAP, POP3, [[link,submission]], [[link,lmtp]], The proxying can be done for all users, or only for some specific users. There are two ways to do the authentication on the remote server: -1. Forward the user-given password (or OAUTH token) to the remote server. This - is done by returning `pass=%{password}` and `proxy_mech=%{mechanism}` extra - fields. - - * This doesn't work if any non-cleartext, non-token-based - [[link,authentication_mechanisms, authentication mechanisms]] are used, - because they prevent such password forwarding by design. - * `proxy_mech` is needed only if both OAUTH and cleartext mechanisms - are enabled. - -1. Let Dovecot proxy perform the authentication and login to remote server - using the proxy's [[link,auth_master_users]]. This allows client - to use also non-cleartext authentication. + ## Configuration From 99f480ddc8668196825400de15ec29977d0d2eb7 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 14 Mar 2025 14:54:24 +0200 Subject: [PATCH 43/45] proxy-auth-methods.inc: Refer to master passwords, not master users --- docs/core/config/auth/master_users.md | 3 +++ docs/core/config/proxy/include/proxy-auth-methods.inc | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/core/config/auth/master_users.md b/docs/core/config/auth/master_users.md index 8b1b2653f..32c761e1c 100644 --- a/docs/core/config/auth/master_users.md +++ b/docs/core/config/auth/master_users.md @@ -6,6 +6,9 @@ dovecotlinks: hash: acls text: ACL Master Users auth_master_users: Master Users + auth_master_passwords: + hash: master-passwords + text: Master Passwords --- # Master Users/Passwords diff --git a/docs/core/config/proxy/include/proxy-auth-methods.inc b/docs/core/config/proxy/include/proxy-auth-methods.inc index f1bb01403..7d02488c4 100644 --- a/docs/core/config/proxy/include/proxy-auth-methods.inc +++ b/docs/core/config/proxy/include/proxy-auth-methods.inc @@ -8,6 +8,6 @@ * `proxy_mech` is needed only if both OAUTH and cleartext mechanisms are enabled. -1. Let Dovecot proxy perform the authentication and login to remote server - using the proxy's [[link,auth_master_users]]. This allows client - to use also non-cleartext authentication. +1. Login to the remote server using a [[link,auth_master_passwords,master + password]]. This is done by returning `pass=master_secret` extra field. This + allows client to use also non-cleartext authentication. From 65723cbd6ad327ee9058e136ab67c2f5a1d1346a Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Tue, 18 Mar 2025 14:10:51 +0200 Subject: [PATCH 44/45] quota: Move Settings list to bottom of the page --- docs/core/plugins/quota.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/core/plugins/quota.md b/docs/core/plugins/quota.md index 4cf128233..6ff1a6a6e 100644 --- a/docs/core/plugins/quota.md +++ b/docs/core/plugins/quota.md @@ -55,10 +55,6 @@ Three plugins are associated with quota: | quota (this plugin) | Implements the actual quota handling and includes all quota drivers. | | [[plugin,quota-clone]] | Copy the current quota usage to a dict. | -## Settings - - - ## Configuration ### Enabling Quota Plugins @@ -799,3 +795,8 @@ smtpd_recipient_restrictions = ### Configuration + +## Settings + + + From 015cffc50469448c4b01765d289f9737aa596b7b Mon Sep 17 00:00:00 2001 From: Michael M Slusarz Date: Wed, 26 Mar 2025 13:53:11 -0600 Subject: [PATCH 45/45] spelling: Fix spelling error --- docs/core/config/proxy/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/config/proxy/overview.md b/docs/core/config/proxy/overview.md index 2c10f794d..5ab088652 100644 --- a/docs/core/config/proxy/overview.md +++ b/docs/core/config/proxy/overview.md @@ -124,7 +124,7 @@ You can use SSL/TLS connection to destination server by returning: * `starttls=yes`: Use STARTTLS command instead of doing SSL handshake immediately after connected. -* `starttls=any-cert`: Combine `starttl` and `ssl=any-cert`. +* `starttls=any-cert`: Combine `starttls` and `ssl=any-cert`. ::: info Login processes are chrooted, so [[setting,ssl_client_ca_dir]] setting