"Now i understand, that you want to add cram-md5 to the mechs, but to authenticate still against the sql-db?"
Hehe no. I have cram-md5 and when I try sql-db I can't send emails.

I use Ubuntu Server 14.04.5 LTS with the 16.04 kernel. I found out that Postfix logs go to the mail.log and mail.err files.

"dovecot logs for the mentioned two cases?" - which two cases? :)

dovecot-sql.conf output is in the attachment.

"maybe a link to the mentioned dovecot thread" - do you mean the tutorial I based my cram-md5 setup in dovecot on?
2017-02-23 15:26 GMT+01:00 wilfried.es...@essignetz.de <wilfried.es...@essignetz.de>:

> Now i understand, that you want to add cram-md5 to the mechs, but to
> authenticate still against the sql-db?
>
> On http://wiki.dovecot.org/Authentication/PasswordSchemes you'll find
> under "Non-plaintext authentication mechanisms":
> "The problem with non-plaintext auth mechanisms is that the password
> must be stored either in plaintext, or using a mechanism-specific scheme
> that's incompatible with all other non-plaintext mechanisms. In
> addition, the mechanism-specific schemes often offer very little
> protection. This isn't a limitation of Dovecot, it's a requirement for
> the algorithms to even work.
>
> For example if you're going to use CRAM-MD5 authentication, the password
> needs to be stored in either PLAIN or CRAM-MD5 scheme. If you want to
> allow both CRAM-MD5 and DIGEST-MD5, the password must be stored in
> plaintext."
>
> Does that possibly point out your problem?
>
> Otherwise please provide
> - dovecot logs for the mentioned two cases?
> - content of /etc/dovecot/dovecot-sql.conf?
> - maybe a link to the mentioned dovecot thread.
>
> Did you find your postfix logs? Which system do you use?
>
> Willi
>
> On 23.02.2017 at 13:56, Poliman - Serwis wrote:
> > Still nothing. If I removed "noplaintext" from these lines, sending email
> > still working when I have:
> > auth_mechanisms = plain login cram-md5 #added cram-md5
> > passdb {
> > #args = /etc/dovecot/dovecot-sql.conf
> > #driver = sql
> > driver = passwd-file
> > args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> > }
> >
> > but with this:
> > auth_mechanisms = plain login
> > passdb {
> > args = /etc/dovecot/dovecot-sql.conf
> > driver = sql
> > }
> >
> > I still can't send. So sending (or not sending) depends (I think) from
> > above configurations from dovecot.conf.
> >
> > 2017-02-23 13:39 GMT+01:00 wilfried.es...@essignetz.de <wilfried.es...@essignetz.de>:
> >
> >> On 23.02.2017 at 13:27, Poliman - Serwis wrote:
> >>> Test email go through when I have in dovecot.conf:
> >>> auth_mechanisms = plain login cram-md5 #added cram-md5
> >>> passdb {
> >>> #args = /etc/dovecot/dovecot-sql.conf
> >>> #driver = sql
> >>> driver = passwd-file
> >>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>> }
> >>>
> >>> but this isn't default setting. I don't need this, need default:
> >>> auth_mechanisms = plain login
> >>> passdb {
> >>> args = /etc/dovecot/dovecot-sql.conf
> >>> driver = sql
> >>> }
> >>>
> >>> but then sending testing email is not working.
> >>
> >> Now (i think) i understand. You should look to your postfix main.cf.
> >>
> >> smtpd_sasl_security_options = noanonymous,noplaintext
> >> smtpd_sasl_tls_security_options = noanonymous,noplaintext
> >>
> >> Possibly you should remove "noplaintext" from
> >> smtpd_sasl_tls_security_options.
> >>
> >> If you remove it also from smtpd_sasl_security_options your password
> >> will traverse internet in cleartext.
> >>
> >> Details :
> >> http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options
> >>
> >> Willi
> >>
> >>> Unfortunately dovecot list didn't help me. One developer sends me to this
> >>> group. ;)
> >>>
> >>> All logs from mail.log I pasted. I have mail.log and mail.err files.
> >>>
> >>> 2017-02-23 13:08 GMT+01:00 wilfried.es...@essignetz.de <wilfried.es...@essignetz.de>:
> >>>
> >>>> Hi,
> >>>>
> >>>> i assume your test mail got through now?
> >>>>
> >>>> On 23.02.2017 at 11:17, Poliman - Serwis wrote:
> >>>>> I am not sure that all in these logs are good because there is info
> >>>>> 'passdb didn't return userdb entries'.
> >>>> I think there is nothing to worry about.
> >>>>
> >>>> Dovecot knows about password and user databases. It is possible to have
> >>>> password and userdata in the same db, like the sql-db from your default
> >>>> entry. But the cram-md5 file didn't have userdata, which made dovecot
> >>>> looking in the other db it got to know. I recommend you read details in
> >>>> http://wiki.dovecot.org/PasswordDatabase ,
> >>>> http://wiki.dovecot.org/Authentication/MultipleDatabases and maybe other
> >>>> info from dovecot wiki.
> >>>>
> >>>>> Authentication worked because dovecot used
> >>>>> cram-md5 file (still custom settings in dovecot.conf about which I say all
> >>>>> time) but dovecot can't find match in database (configured in line:
> >>>>> args = /etc/dovecot/dovecot-sql.conf
> >>>>> driver = sql).
> >>>> As this is the postfix list, i'd like to send you to the dovecot
> >>>> forum/list to ask what you concerns.
> >>>>
> >>>>> How can I provide postfix logs - where can I find them? I have only
> >>>>> mail.log and mail.err files for mailing errors. :)
> >>>> If mail got through now, there is no need for further info from postfix.
> >>>> As i know, postfix logs usually by means of syslog into
> >>>> /var/log/mail.log or /var/log/mail/mail.log.
> >>>>
> >>>> Willi
> >>>>
> >>>>> 2017-02-23 11:11 GMT+01:00 wilfried.es...@essignetz.de <wilfried.es...@essignetz.de>:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> now i'm rather unsure what you want to say with this?
> >>>>>>
> >>>>>> It looks something like authentication worked. But without the postfix
> >>>>>> loglines i can't see it for sure.
> >>>>>>
> >>>>>> Willi
> >>>>>>
> >>>>>> On 23.02.2017 at 10:47, Poliman - Serwis wrote:
> >>>>>>> I setup like You pasted and in mail.log I have:
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: auth: Debug: client in: CONT<hidden>
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: auth: Debug: passwd-file(do_not_re...@example.com,93.179.231.31,<Fl+mbC9JRABds+cf>): lookup: user=do_not_re...@example.com file=/etc/dovecot/cram-m$
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: auth: Debug: client passdb out: OK#0111#011user=do_not_re...@example.com
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: auth: Debug: master in: REQUEST#0113625975809#0115088#0111#0115fa408b8c444a03b751b990e57cbfada#011session_pid=5092
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: auth: Debug: prefetch(do_not_re...@example.com,93.179.231.31,<Fl+mbC9JRABds+cf>): passdb didn't return userdb entries, trying the next userdb
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: auth-worker(5090): Debug: sql(do_not_re...@example.com,93.179.231.31): SELECT email as user, maildir as home, CONCAT( maildir_format, ':', mail$
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: auth: Debug: master userdb out: USER#0113625975809#011do_not_re...@example.com#011home=/var/vmail/example.com/do_not_reply#011mail=maildir:/var/vma$
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: pop3-login: Login: user=<do_not_re...@example.com>, method=PLAIN, rip=93.179.231.31, lip=193.70.38.6, mpid=5092, TLS, session=<Fl+mbC9JRABds+cf>
> >>>>>>> Feb 23 10:41:58 vps342401 dovecot: pop3(do_not_reply@serwispepsi.pl): Disconnected: Logged out top=0/0, retr=0/0, del=1/2, size=179243
> >>>>>>>
> >>>>>>> 2017-02-23 10:36 GMT+01:00 wilfried.es...@essignetz.de <wilfried.es...@essignetz.de>:
> >>>>>>>
> >>>>>>>> I wondered about how dovecot would decide, which "args" belongs to which
> >>>>>>>> "driver" line. So looked over
> >>>>>>>> http://wiki.dovecot.org/Authentication/MultipleDatabases.
> >>>>>>>>
> >>>>>>>> Possibly you should write something like:
> >>>>>>>>
> >>>>>>>> passdb {
> >>>>>>>> args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>> driver = sql
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> passdb {
> >>>>>>>> driver = passwd-file
> >>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> Willi
> >>>>>>>>
> >>>>>>>> On 23.02.2017 at 10:30, Poliman - Serwis wrote:
> >>>>>>>>> You have right, I added 'noplaintext'. But main thing what I want to get -
> >>>>>>>>> no cram-md5 in dovecot and ability to send emails. All worked fine until I
> >>>>>>>>> set in dovecot.conf:
> >>>>>>>>> auth_mechanisms = plain login cram-md5
> >>>>>>>>> passdb {
> >>>>>>>>> #args = /etc/dovecot/dovecot-sql.conf
> >>>>>>>>> #driver = sql
> >>>>>>>>> driver = passwd-file
> >>>>>>>>> args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd
> >>>>>>>>> }

-- 
*Pozdrawiam / Best Regards*
*Piotr Bracha*
*tel. 534 555 877*
*ser...@poliman.pl <ser...@poliman.pl>*
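The failure Willi traces to main.cf comes down to a filter: Postfix receives the mechanism list and each mechanism's security properties from Dovecot's auth socket, then removes every mechanism that conflicts with smtpd_sasl_security_options (or smtpd_sasl_tls_security_options once STARTTLS is up). With Dovecot offering only plain and login and both Postfix options carrying noplaintext, nothing is left to advertise, which is why adding cram-md5 "fixed" sending. The script below is an added illustration of that filter, not Postfix or Dovecot code; the per-mechanism property table is my assumption about what Dovecot reports for the common mechanisms, and the helper names are invented for the example.

```python
"""Which SASL mechanisms will Postfix still offer for SMTP AUTH?

Added illustration for the thread above; not Postfix or Dovecot code.
The property table is an assumption drawn from the property names
Dovecot's auth protocol reports (plaintext, dictionary, active,
anonymous, mutual-auth); check it against your own versions.
"""

# Assumed security properties, keyed by mechanism name as Dovecot reports it.
MECH_PROPERTIES = {
    "PLAIN":      {"plaintext"},
    "LOGIN":      {"plaintext"},
    "CRAM-MD5":   {"dictionary", "active"},
    "DIGEST-MD5": {"dictionary", "active", "mutual-auth"},
    "ANONYMOUS":  {"anonymous"},
}

# Postfix "noX" option -> the property it forbids.
FORBIDS = {
    "noplaintext":  "plaintext",
    "nodictionary": "dictionary",
    "noactive":     "active",
    "noanonymous":  "anonymous",
}

# Postfix option -> property every offered mechanism must have.
REQUIRES = {
    "mutual_auth":     "mutual-auth",
    "forward_secrecy": "forward-secrecy",
}


def parse_options(value):
    """Split a Postfix list value such as "noanonymous, noplaintext" into a set."""
    return {item.lower() for item in value.replace(",", " ").split()}


def parse_mechanisms(value):
    """Split Dovecot's auth_mechanisms value; this parser ignores text after '#'."""
    return [m.upper() for m in value.split("#", 1)[0].split()]


def usable_mechanisms(auth_mechanisms, security_options,
                      tls_security_options=None, tls_active=False):
    """Return the mechanisms Postfix can advertise, in Dovecot's order.

    tls_security_options=None mirrors Postfix's default, where
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options.
    """
    if tls_active and tls_security_options is not None:
        opts = parse_options(tls_security_options)
    else:
        opts = parse_options(security_options)
    forbidden = {FORBIDS[o] for o in opts if o in FORBIDS}
    required = {REQUIRES[o] for o in opts if o in REQUIRES}

    offered = []
    for mech in parse_mechanisms(auth_mechanisms):
        props = MECH_PROPERTIES.get(mech)
        if props is None:
            continue                 # not in the table: do not guess
        if props & forbidden:
            continue                 # e.g. PLAIN or LOGIN under noplaintext
        if not required <= props:
            continue                 # e.g. mutual_auth set, mechanism lacks it
        offered.append(mech)
    return offered


def explain(auth_mechanisms, security_options, tls_security_options=None):
    """Verdict for both the cleartext and the TLS-protected SMTP session."""
    return {
        "without_tls": usable_mechanisms(auth_mechanisms, security_options,
                                         tls_security_options, tls_active=False),
        "with_tls": usable_mechanisms(auth_mechanisms, security_options,
                                      tls_security_options, tls_active=True),
    }


if __name__ == "__main__":
    # The thread's failing combination: only plaintext mechanisms in Dovecot
    # and noplaintext on both Postfix options, so nothing can be offered.
    print(explain("plain login", "noanonymous,noplaintext", "noanonymous,noplaintext"))
    # The workaround that made sending "work": CRAM-MD5 survives noplaintext.
    print(explain("plain login cram-md5 #added cram-md5",
                  "noanonymous,noplaintext", "noanonymous,noplaintext"))
    # Willi's suggestion: drop noplaintext only inside TLS.
    print(explain("plain login", "noanonymous,noplaintext", "noanonymous"))
```

Running it prints an empty list for the original settings, CRAM-MD5 alone for the passwd-file workaround, and PLAIN plus LOGIN only inside TLS for Willi's suggestion, which is the combination that keeps the password off the wire in cleartext while letting the sql passdb with its CRYPT hashes do the verification.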
[Attachment: dovecot-sql.conf]

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki.dovecot.org/AuthDatabase/SQL
#
# For the sql passdb module, you'll need a database with a table that
# contains fields for at least the userid and password. If you want to
# use the user@domain syntax, you might want to have a separate domain
# field as well.
#
# If your users all have the same uid/gid, and have predictable home
# directories, you can use the static userdb module to generate the home
# dir based on the userid and domain. In this case, you won't need fields
# for home, uid, or gid in the database.
#
# If you prefer to use the sql userdb module, you'll want to add fields
# for home, uid, and gid. Here is an example table:
#
# CREATE TABLE users (
#     userid VARCHAR(128) NOT NULL,
#     password VARCHAR(64) NOT NULL,
#     home VARCHAR(255) NOT NULL,
#     uid INTEGER NOT NULL,
#     gid INTEGER NOT NULL,
#     active CHAR(1) DEFAULT 'Y' NOT NULL
# );

# Database driver: mysql, pgsql, sqlite
#driver =

# Database connection string. This is driver-specific setting.
#
# pgsql:
#   For available options, see the PostgreSQL documentation for the
#   PQconnectdb function of libpq.
#
# mysql:
#   Basic options emulate PostgreSQL option names:
#     host, port, user, password, dbname
#
#   But also adds some new settings:
#     client_flags        - See MySQL manual
#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
#     ssl_cert, ssl_key   - For sending client-side certificates to server
#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
#
#   You can connect to UNIX sockets by using host: host=/var/run/mysqld/mysqld.sock
#   Note that currently you can't use spaces in parameters.
#
# sqlite:
#   The path to the database file.
#
# Examples:
#   connect = host=192.168.1.1 dbname=users
#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
#   connect = /etc/dovecot/authdb.sqlite
#
#connect = dbname=virtual user=virtual

# Default password scheme.
#
# List of supported schemes is in
# http://wiki.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = PLAIN-MD5

# Query to retrieve the password.
#
# This query must return only one row with "user" and "password" columns.
# The query can also return other fields which have a special meaning, see
# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
#
# The "user" column is needed to make sure the username gets used with exactly
# the same casing as it's in the database. Note that if you store username and
# domain in separate fields, you most likely want to return a combination of
# them as the "user" column, otherwise the domain gets stripped.
#
# Commonly used available substitutions (see
# http://wiki.dovecot.org/Variables for full list):
#   %u = entire userid
#   %n = user part of user@domain
#   %d = domain part of user@domain
#
# Note that these can be used only as input to SQL query. If the query outputs
# any of these substitutions, they're not touched. Otherwise it would be
# difficult to have eg. usernames containing '%' characters.
#
# Example:
#   password_query = SELECT concat(userid, '@', domain) AS user, password FROM users WHERE userid = '%n' AND domain = '%d'
#   password_query = SELECT pw AS password FROM users WHERE userid = '%u' AND active = 'Y'
#
#password_query = SELECT userid as user, password FROM users WHERE userid = '%u'

# Query to retrieve the user information.
#
# The query must return only one row. Commonly returned columns are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# Either home or mail is required. uid and gid are required. If more than one
# row is returned or there are missing fields, the login will fail. For a list
# of all fields that can be returned, see
# http://wiki.dovecot.org/UserDatabase/ExtraFields
#
# Examples
#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'
#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
#
#user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'

# If you wish to avoid two SQL lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
# also have to return userdb fields in password_query prefixed with "userdb_"
# string. For example:
#password_query = SELECT userid as user, password, home as userdb_home, uid as userdb_uid, gid as userdb_gid FROM users WHERE userid = '%u'

driver = mysql
connect = host=localhost dbname=dbispconfig user=ispconfig password=06549e2a867ee50a107098f424073acd port=3306
default_pass_scheme = CRYPT

# password-query with prefetch
password_query = SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = '%u' OR email = '%u') AND `disable%Ls` = 'n' AND server_id = '1'

user_query = SELECT email as user, maildir as home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as mail, uid, gid, CONCAT('*:storage=', quota, 'B') AS quota_rule, CONCAT(maildir, '/.sieve') as sieve FROM mail_user WHERE (login = '%u' OR email = '%u') AND `disable%Ls` = 'n' AND server_id = '1'

# The iterate_query is required for the doveadm command only and works only on dovecot 2 servers.
# Do not enable it on Dovecot 1.x servers
iterate_query = SELECT email as user FROM mail_user WHERE server_id = '1'
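The attached dovecot-sql.conf has default_pass_scheme = CRYPT, which is exactly the case the quoted wiki passage rules out for CRAM-MD5: the server must recompute HMAC-MD5 keyed with the password over its own challenge, and a one-way CRYPT hash cannot be turned back into that key, whereas PLAIN or LOGIN hand the server the password so any scheme can be run forward and compared. The script below is an added example for that passage, not Dovecot code; it walks one RFC 2195 CRAM-MD5 exchange against a PLAIN store and against a constructed salted-SHA-256 scheme standing in for CRYPT (so it runs without the crypt module). The scheme and function names are invented for the example; the only external value is the RFC 2195 test vector used in the usage block.

```python
"""Why CRAM-MD5 needs a password-equivalent store, shown on one exchange.

Added example; not Dovecot code.  "SHA256-SALTED" is a constructed stand-in
for one-way schemes such as the CRYPT default in the config above.
"""
import hashlib
import hmac
import secrets

# Mechanism -> stored schemes that can serve it, per the quoted wiki text.
# None means the server receives the password itself, so any scheme works.
SCHEMES_FOR = {
    "PLAIN":      None,
    "LOGIN":      None,
    "CRAM-MD5":   {"PLAIN", "CRAM-MD5"},
    "DIGEST-MD5": {"PLAIN", "DIGEST-MD5"},
}


def can_serve(scheme, mechanism):
    """True if a passdb holding `scheme` can verify `mechanism`."""
    allowed = SCHEMES_FOR[mechanism]
    return True if allowed is None else scheme in allowed


def make_challenge(hostname="mail.example.com"):
    """Server side: fresh, unpredictable RFC 2195 style challenge."""
    return f"<{secrets.randbelow(10**9)}.{secrets.randbelow(10**9)}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the plaintext password (RFC 2195)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def store_password(scheme, password):
    """What a passdb row would hold for the given scheme."""
    if scheme == "PLAIN":
        return password
    if scheme == "SHA256-SALTED":            # constructed one-way stand-in
        salt = secrets.token_hex(8)
        return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()
    raise ValueError(f"unknown scheme {scheme}")


def verify_plain_mechanism(scheme, stored, password):
    """PLAIN/LOGIN: the server has the candidate password, so it can run any
    one-way scheme forward and compare in constant time."""
    if scheme == "PLAIN":
        return hmac.compare_digest(stored.encode(), password.encode())
    if scheme == "SHA256-SALTED":
        salt, digest = stored.split("$", 1)
        cand = hashlib.sha256((salt + password).encode()).hexdigest()
        return hmac.compare_digest(cand.encode(), digest.encode())
    raise ValueError(f"unknown scheme {scheme}")


def verify_cram_md5(scheme, stored, challenge, response):
    """CRAM-MD5: the server must recompute HMAC(password, challenge).
    Returns "ok", "bad-password" or "scheme-cannot-serve"."""
    if not can_serve(scheme, "CRAM-MD5"):
        return "scheme-cannot-serve"         # one-way hash: key unrecoverable
    if scheme != "PLAIN":
        # Dovecot's CRAM-MD5 scheme keeps the HMAC key state instead of the
        # password; that format is not modelled here.
        raise NotImplementedError("CRAM-MD5 scheme storage not modelled")
    _user, _, digest = response.partition(" ")
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return "ok" if hmac.compare_digest(expected.encode(), digest.encode()) else "bad-password"


if __name__ == "__main__":
    # RFC 2195 worked example: user "tim", secret "tanstaaftanstaaf".
    rfc_challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    print(client_response("tim", "tanstaaftanstaaf", rfc_challenge))

    challenge = make_challenge()
    response = client_response("alice", "s3cret", challenge)          # constructed
    print(verify_cram_md5("PLAIN", store_password("PLAIN", "s3cret"), challenge, response))
    hashed = store_password("SHA256-SALTED", "s3cret")
    print(verify_cram_md5("SHA256-SALTED", hashed, challenge, response))
    print(verify_plain_mechanism("SHA256-SALTED", hashed, "s3cret"))
```

The two verify functions make the trade-off concrete: keeping CRYPT hashes in the sql passdb protects the stored secrets if the database leaks but forces a plaintext mechanism on the wire (hence the need for TLS plus noplaintext only outside TLS), while serving CRAM-MD5 requires a PLAIN or CRAM-MD5 scheme store, which is password-equivalent if it leaks.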