Package: dovecot-core
Version: 1:2.1.7-6
Severity: normal

Problem description
-------------------

I was trying to set up dovecot SASL authentication for my postfix server, using
a postgresql database as the back end for authentication. I was able to get
this to work and tested it using the following technique:
http://qmail.jms1.net/test-auth.shtml

However, part of the SQL configuration of dovecot is defining the
iterate_query, and I could not get that to work. I have a valid SQL query, 
and I'm using valid credentials for the database, but I get the following 
error every time:

    # doveadm fetch -A user ALL
    doveadm(root): Error: userdb list: Disconnected unexpectedly
    doveadm: Error: Failed to iterate through some users
    zsh: exit 75    doveadm fetch -A user ALL

After enabling debug logs in both dovecot (cf. output of doveconf -n below) and
postgresql, here's what I see in /var/log/syslog when I issue that command:


Jan 27 11:47:18 orange dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jan 27 11:47:18 orange dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Jan 27 11:47:18 orange dovecot: auth: Error: userdb connection: Failed to get peer's credentials
Jan 27 11:47:18 orange postgres[3177]: [2-1] 2013-01-27 11:47:18 PST LOG:  00000: connection received: host=::1 port=35751
Jan 27 11:47:18 orange postgres[3177]: [2-2] 2013-01-27 11:47:18 PST LOCATION:  BackendInitialize, postmaster.c:3474
Jan 27 11:47:18 orange postgres[3177]: [3-1] 2013-01-27 11:47:18 PST LOG:  00000: connection authorized: user=dovecot database=mail
Jan 27 11:47:18 orange postgres[3177]: [3-2] 2013-01-27 11:47:18 PST LOCATION:  PerformAuthentication, postinit.c:230
Jan 27 11:47:18 orange dovecot: auth: pgsql(localhost): Connected to database mail


Personal research
-----------------

I did some digging around the only useful log: "userdb connection: Failed to get
peer's credentials"

I found that it's generated by the following piece of code:

  691     if (net_getunixcred(conn->fd, &cred) < 0) {
  692         i_error("userdb connection: Failed to get peer's credentials");
  693         return -1;
  694     }

in auth-master-connection.c's auth_master_connection_set_permissions function.
(cf. http://fossies.org/dox/dovecot-2.1.13/auth-master-connection_8c_source.html)


So I looked at net_getunixcred and I found that my version of dovecot-core 
could not possibly be running the following code:


  697 #if defined(HAVE_GETPEEREID)
  698     /* OSX 10.4+, FreeBSD 4.6+, OpenBSD 3.0+, NetBSD 5.0+ */
  699     if (getpeereid(fd, &cred_r->uid, &cred_r->gid) < 0) {
  700         i_error("getpeereid() failed: %m");
  701         return -1;
  702     }
  703     return 0;

otherwise I would have seen this log like I did the other: 
"getpeereid() failed: %m"

Similarly, we cannot possibly be running the Linux branch starting with:

  704 #elif defined(SO_PEERCRED)
  705     /* Linux */

So we must be going through:

  716 #elif defined(HAVE_GETPEERUCRED)
  717     /* Solaris */
  718     ucred_t *ucred = NULL;
  719 
  720     if (getpeerucred(fd, &ucred) < 0) {
  721         i_error("getpeerucred() failed: %m");
  722         return -1;
  723     }
  724     cred_r->uid = ucred_geteuid(ucred);
  725     cred_r->gid = ucred_getrgid(ucred);
  726     ucred_free(ucred);
  727 
  728     if (cred_r->uid == (uid_t)-1 ||
  729         cred_r->gid == (gid_t)-1) {
  730         errno = EINVAL;
  731         return -1;
  732     }
  733     return 0;
  734 #else
  735     errno = EINVAL;
  736     return -1;
  737 #endif

(cf. http://fossies.org/dox/dovecot-2.1.13/network_8c_source.html#l00695)


Looking at the comment, I'd easily speculate that we're probably not even 
running the Solaris branch, so I suspect dovecot-core is being built for 
kfreebsd-amd64 with neither of the following definitions:

    HAVE_GETPEEREID
    SO_PEERCRED
    HAVE_GETPEERUCRED

If I am right, then there's no chance this could ever work on this 
architecture; in that case, fixing the bug might be a matter of making sure 
one of these libraries/APIs is used for compiling dovecot-core.


Additional debugging information
--------------------------------

Here's the content of my /etc/dovecot/dovecot-sql.conf.ext with my postgresql
user password redacted:


driver = pgsql
connect = host=localhost dbname=mail user=dovecot password=REDACTED
default_pass_scheme = SHA512-CRYPT
password_query = \
    SELECT address AS user, password \
    FROM mailboxes \
    INNER JOIN domains \
        ON domains.domain = '%L{domain}' AND domains.active = true AND domains.mailboxes = true \
    WHERE address = '%L{user}' AND mailboxes.active = true
user_query = \
    SELECT concat_ws('/', '%d', '%u', '') AS home, 114 AS uid, 114 AS gid \
    FROM mailboxes \
    INNER JOIN domains \
        ON domains.domain = '%d' AND domains.active = true AND domains.mailboxes = true \
    WHERE address = '%s' AND mailboxes.active = true
iterate_query = \
    SELECT address AS user \
    FROM mailboxes \
    INNER JOIN domains \
        ON domain = split_part(address, '@', 2) AND domains.active = true AND domains.mailboxes = true \
    WHERE mailboxes.active = true


Here's my postgresql database model:


CREATE TABLE domains (
    domain      varchar(255) NOT NULL,
    aliases     boolean      NOT NULL   DEFAULT true,
    mailboxes   boolean      NOT NULL   DEFAULT false,
    maxquota    bigint       NOT NULL   DEFAULT 0,
    active      boolean      NOT NULL   DEFAULT true,
    created     timestamptz  NOT NULL   DEFAULT current_timestamp,
    modified    timestamptz  NOT NULL   DEFAULT current_timestamp,
    PRIMARY KEY (domain)
);

CREATE TABLE aliases (
    source      varchar(255) NOT NULL,
    destination text         NOT NULL,
    active      boolean      NOT NULL   DEFAULT true,
    created     timestamptz  NOT NULL   DEFAULT current_timestamp,
    modified    timestamptz  NOT NULL   DEFAULT current_timestamp,
    PRIMARY KEY (source)
);

CREATE TABLE mailboxes (
    address     varchar(255) NOT NULL,
    password    varchar(255) NOT NULL,
    quota       bigint       NOT NULL   DEFAULT 0,
    active      boolean      NOT NULL   DEFAULT true,
    created     timestamptz  NOT NULL   DEFAULT current_timestamp,
    modified    timestamptz  NOT NULL   DEFAULT current_timestamp,
    PRIMARY KEY (address)
);


And here are the permissions I granted to the dovecot postgresql user:

GRANT CONNECT ON DATABASE mail TO dovecot;
GRANT SELECT ON TABLE domains TO dovecot;
GRANT SELECT ON TABLE aliases TO dovecot;
GRANT SELECT ON TABLE mailboxes TO dovecot;


Here's what I get when running that iterate_query in the psql query
interpreter (domains redacted):

mail=# SELECT address AS user FROM mailboxes INNER JOIN domains ON domain = split_part(address, '@', 2) AND domains.active = true AND domains.mailboxes = true WHERE mailboxes.active = true;
        user        
--------------------
 [email protected]
 [email protected]
(2 rows)


I don't think it's very important for this bug report, but for your
information, 114 refers to the uid and gid of my virtual_mail unix account and
group:

    # grep 114 /etc/passwd /etc/shadow /etc/group
    /etc/passwd:virtual_mail:x:114:114:Virtual mail administrator,,,:/var/mail/virtual:/bin/false
    /etc/group:virtual_mail:x:114:



Please let me know if you need any additional information.

-- Package-specific info:

dovecot configuration
---------------------
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: GNU/kFreeBSD 9.0-2-amd64 x86_64  
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_debug = yes
mail_location = maildir:%{home}/mail
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl = no
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
verbose_ssl = yes

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 9.0-2-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dovecot-core depends on:
ii  adduser         3.113+nmu3
ii  libbz2-1.0      1.0.6-4
ii  libc0.1         2.13-37
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libssl1.0.0     1.0.1c-4
ii  openssl         1.0.1c-4
ii  ucf             3.0025+nmu3
ii  zlib1g          1:1.2.7.dfsg-13

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
pn  dovecot-gssapi        <none>
pn  dovecot-imapd         <none>
pn  dovecot-ldap          <none>
pn  dovecot-lmtpd         <none>
pn  dovecot-managesieved  <none>
pn  dovecot-mysql         <none>
ii  dovecot-pgsql         1:2.1.7-6
pn  dovecot-pop3d         <none>
pn  dovecot-sieve         <none>
pn  dovecot-solr          <none>
pn  dovecot-sqlite        <none>
ii  ntp                   1:4.2.6.p5+dfsg-2

Versions of packages dovecot-core is related to:
ii  dovecot-core [dovecot-common]  1:2.1.7-6
pn  dovecot-dbg                    <none>
pn  dovecot-dev                    <none>
pn  dovecot-gssapi                 <none>
pn  dovecot-imapd                  <none>
pn  dovecot-ldap                   <none>
pn  dovecot-lmtpd                  <none>
pn  dovecot-managesieved           <none>
pn  dovecot-mysql                  <none>
ii  dovecot-pgsql                  1:2.1.7-6
pn  dovecot-pop3d                  <none>
pn  dovecot-sieve                  <none>
pn  dovecot-sqlite                 <none>

-- no debconf information
