Re: Howto authenticate smartPhone via Active Directory
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:

    Active Directory
    When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with AD.

However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input:
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials:
Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): username changed charmaine -> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaine uid=10003 gid=1 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds.

Is there a way to only have it do checkpassword if all shadow and gssapi fail?

My mechanisms are: auth_mechanisms = plain login gssapi

THX,

--Mark

-----Original Message-----
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi
To: Mark Foley , dovecot@dovecot.org

with passdb ldap i guess.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley
Date: 03/12/2017 21:18 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory

Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:

passdb pam {
}

used for authenticating Android.

Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-----Original Message-----
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi
> To: Mark Foley , dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
>
> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Mark Foley
> Date: 03/12/2017 06:03 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: Howto authenticate smartPhone via Active Directory
>
> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/do
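The checkpassword mechanism Mark ended up with is a small external program that Dovecot runs per login attempt; the skeleton below, added here as an example and not Mark's ntlm_auth wrapper, implements the protocol from the CheckPassword wiki: Dovecot writes "username\0password\0" to fd 3, passes the reply binary (checkpassword-reply, visible in the "execute:" log line above) as argv[1], and acts on the exit status, where 3 ("user doesn't exist") is what makes it move on to the next passdb. The `known_user`/`verify` callbacks, the sample password and the uid/home values are constructed stand-ins for the real ntlm_auth call and AD lookup.

```python
"""Skeleton Dovecot checkpassword program (added example, not the poster's code).
Exit statuses follow the CheckPassword wiki: 0 success, 1 bad credentials,
2 misuse, 3 unknown user (Dovecot tries the next passdb), 111 temporary failure."""
import os
import sys
from typing import Callable, Dict, Tuple

EXIT_OK, EXIT_BAD_CREDENTIALS, EXIT_MISUSE, EXIT_UNKNOWN_USER, EXIT_TEMPFAIL = 0, 1, 2, 3, 111


def parse_checkpassword_input(raw: bytes) -> Tuple[str, str]:
    """Split the NUL-separated payload read from fd 3 into (username, password).
    Trailing fields after the password are ignored; a missing field is misuse."""
    fields = raw.split(b"\0")
    if len(fields) < 2 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8", "replace"), fields[1].decode("utf-8", "replace")


def build_reply_env(user: str, home: str, uid: int, gid: int) -> Dict[str, str]:
    """Environment handed to checkpassword-reply on success. userdb_* fields
    listed in EXTRA are what `userdb { driver = prefetch }` (Mark's config)
    consumes, so no second user lookup is needed."""
    return {"USER": user, "HOME": home, "userdb_uid": str(uid),
            "userdb_gid": str(gid), "EXTRA": "userdb_uid userdb_gid"}


def decide(user: str, password: str, known_user: Callable[[str], bool],
           verify: Callable[[str, str], bool]) -> int:
    """Map the verifier outcome to an exit status. Answering EXIT_UNKNOWN_USER
    (not EXIT_BAD_CREDENTIALS) for users this passdb does not own is what lets
    Dovecot fall through to the next passdb instead of failing the login."""
    if not known_user(user):
        return EXIT_UNKNOWN_USER
    return EXIT_OK if verify(user, password) else EXIT_BAD_CREDENTIALS


def main() -> None:
    if len(sys.argv) != 2:  # Dovecot always passes the reply binary as argv[1]
        sys.exit(EXIT_MISUSE)
    try:
        with os.fdopen(3, "rb") as fd3:
            user, password = parse_checkpassword_input(fd3.read())
    except (OSError, ValueError):
        sys.exit(EXIT_MISUSE)
    # Constructed stand-ins: a real program asks the domain (ntlm_auth) here.
    known_user = lambda u: u.lower() == "charmaine"
    verify = lambda u, p: p == "constructed-sample-password"
    rc = decide(user, password, known_user, verify)
    if rc == EXIT_OK:  # hand the result to Dovecot via checkpassword-reply
        env = {**os.environ, **build_reply_env(user, f"/home/HPRS/{user}", 10003, 1)}
        os.execve(sys.argv[1], [sys.argv[1]], env)
    sys.exit(rc)


if __name__ == "__main__":
    main()
```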
Re: Recommended tool for migrating IMAP servers
Hi,

I vouch for imapsync. Have used it in the past with quite a big amount of emails.

cheers.
x0p

> Hi Friends,
> I would like to ask you a suggestion:
> I need to migrate an imap server to a new one and then dismiss the old
> one.
> Reading from the relevant Dovecot documentation page
> (https://wiki.dovecot.org/Migration), more tools are shown:
>
> UW-IMAP's mailutil, imapsync, YippieMove and Larch.
>
> Each of the mail servers is Linux based; one of them (mine) is Dovecot.
> Based on your experience which of these tools would be preferable to
> use?
>
>
> Thank you very much
>
> Davide
>
Recommended tool for migrating IMAP servers
Hi Friends,

I would like to ask you a suggestion: I need to migrate an imap server to a new one and then dismiss the old one.

Reading from the relevant Dovecot documentation page (https://wiki.dovecot.org/Migration), more tools are shown:

UW-IMAP's mailutil, imapsync, YippieMove and Larch.

Each of the mail servers is Linux based; one of them (mine) is Dovecot. Based on your experience which of these tools would be preferable to use?

Thank you very much

Davide
Re: Howto authenticate smartPhone via Active Directory
with passdb ldap i guess.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley
Date: 03/12/2017 21:18 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory

Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:

passdb pam {
}

used for authenticating Android.

Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-----Original Message-----
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi
> To: Mark Foley , dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
>
> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Mark Foley
> Date: 03/12/2017 06:03 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: Howto authenticate smartPhone via Active Directory
>
> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 4.4.88 x86_64 Slackware 14.2
> auth_debug = yes
> auth_debug_passwords = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
> auth_username_format = %n
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark
Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:

passdb pam {
}

used for authenticating Android.

Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-----Original Message-----
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi
> To: Mark Foley , dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
>
> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Mark Foley
> Date: 03/12/2017 06:03 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: Howto authenticate smartPhone via Active Directory
>
> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 4.4.88 x86_64 Slackware 14.2
> auth_debug = yes
> auth_debug_passwords = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
> auth_username_format = %n
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark
Re: Upgrade to 2.2.32 from 2.2.15 failed
On Sat, 25 Nov 2017 10:13:58 +0200 (EET) Aki Tuomi wrote:

> > On November 25, 2017 at 7:04 AM Mark Foley wrote:
> >
> > I have a problem. I have been running Dovecot 2.2.15 and I'd like to upgrade. My distro (Slackware) has dovecot 2.2.32 available. I downloaded and installed that, but it didn't work. No one was able to get messages from the dovecot server on their workstations. The following is the entire dovecot log file from startup to the last message generated. No more messages went into the logfile after line 76, even with clients trying to connect. The 174.233.134.88 IP is from an external user connecting from his iPhone. The normal successful messages from this user are shown at bottom.
> >
> > I'm suspecting something to do with line 18 where it says "Auth process broken." If anyone has any insight I'd deeply appreciate it as I'd love to upgrade.
> >
> > THX -- Mark
> >
>
> Can you try adding
>
> service auth {
>   executable = strace -o /tmp/auth.trace /usr/libexec/dovecot/auth
> }
>
> and see if it gives any insight why it dies?
>
> Aki
>

The problem was that I did an install from sbopkg which downloads and installs the package in the SlackBuilds repository. This mechanism does not easily allow setting options. I needed to have the --with-gssapi=yes option set. So, I just downloaded directly from http://www.dovecot.org/releases/2.2/dovecot-2.2.33.2.tar.gz and did:

./configure --with-gssapi=yes
make
make install

and everything appears to be working fine!

--Mark
Dovecot (doveadm, ssl, sync) - SSL error
Hello!

I've got a problem running syncing between both dovecot services on the separate servers. The error indicates a problem with SSL. Directly using the openssl command to connect from one server to the other and vice versa passes without any errors.

OS: FreeBSD 11.1-RELEASE-p4
Dovecot: 2.2.33.2_2 and the older one dovecot-2.2.32.1_1 (or similar) - built by ports.
OpenSSL: 1.0.2k-freebsd 26 Jan 2017

dovecot: doveadm(10.18.1.15): Error: doveadm client disconnected before handshake: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

dovecot.conf (on both servers):

mail_plugins = $mail_plugins notify replication
service replicator {
  process_min_avail = 1
}
service aggregator {
  fifo_listener replication-notify-fifo {
    user = dovecot
  }
  unix_listener replication-notify {
    user = dovecot
  }
}
service replicator {
  unix_listener replicator-doveadm {
    mode = 0600
  }
}
replication_max_conns = 10
service doveadm {
  inet_listener {
    port = 12130
    ssl = yes
  }
}
ssl = required
ssl_protocols = SSLv3 TLSv1 TLSv1.1 TLSv1.2
ssl_cert =
doveadm with 2-level user/domain quotas scheme
Hi!

I believe now is the right time to return to the previous discussion about Dovecot's 2-level user/domain quotas scheme which was finished here https://dovecot.org/pipermail/dovecot/2015-October/102346.html

Here is the configuration.

1. Dictionary storage placed in MySQL table "quota2"

root@localhost [(none)]> SHOW COLUMNS FROM quota2 FROM exim;
+----------+--------------+------+-----+---------+-------+
| Field    | Type         | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| username | varchar(100) | NO   | PRI | NULL    |       |
| bytes    | bigint(20)   | NO   |     | 0       |       |
| messages | int(11)      | NO   |     | 0       |       |
+----------+--------------+------+-----+---------+-------+
3 rows in set (0,00 sec)

2. Two types of quota - for domains with index "2" and for users without index.

...
plugin {
  quota = dict:user_quota::proxy::sqluserquota
  quota_rule2 = Trash:storage=+10%%
  quota_rule3 = Junk:storage=+10%%
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=75%% quota-warning 75 %u
  quota2 = dict:domain_quota:%d:proxy::sqldomainquota
}
dict {
  sqluserquota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql-user.conf
  sqldomainquota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql-domain.conf
}
service dict {
  unix_listener dict {
    user = mailnull
    mode = 0660
  }
}
...

3. Both are stored in the same table and the files "dovecot-dict-sql-user.conf" and "dovecot-dict-sql-domain.conf" are identical.

connect = host=localhost dbname=exim user=user password=password
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}

All quotas for users and domains are calculated correctly until "doveadm quota recalc" is used.
root@beta:~ # doveadm quota recalc -u foo@my.domain
root@beta:~ # doveadm quota get -u foo@my.domain
Quota name   Type    Value   Limit %
user_quota   STORAGE 7850978 -     0
user_quota   MESSAGE 32474   -     0
domain_quota STORAGE 7850978 -     0
domain_quota MESSAGE 32474   -     0

If we look at the MySQL table directly, the foo@my.domain quota was counted right but the last user's data was copied into the domain's values.

...
root@localhost [exim]> SELECT * FROM quota2 WHERE username LIKE '%my.domain';
+----------------+------------+----------+
| username       | bytes      | messages |
+----------------+------------+----------+
| foo@my.domain  | 8039401321 |    32474 |
| my.domain      | 8039401321 |    32474 |
| john@my.domain | 3455382803 |    11142 |
| mary@my.domain |  544637146 |     1965 |
+----------------+------------+----------+
4 rows in set (0.00 sec)
...

Also you may see that "doveadm quota get" above gave wrong values.

For the domain it produces empty output

root@beta:~ # doveadm quota get -u my.domain
doveadm(my.domain): Error: User doesn't exist
Quota name Type Value Limit %

Then if we try to calculate the quota for the domain or for all users (-A) it produces an error.

root@beta:~ # doveadm quota recalc -u my.domain
doveadm(my.domain): Error: User doesn't exist
root@beta:~ # doveadm quota recalc -A
Error: User listing returned failure
doveadm: Error: Failed to iterate through some users

So "doveadm quota" is almost useless for such a quotas scheme except for a single user. I wrote a small shell-script "dovequota.sh" to resolve this issue but I believe that doveadm needs to be fixed too. (The script may be found here https://kostikov.co/problemy-uchyota-domennoj-kvoty-v-dovecot-2).

--
With best regards,
Max Kostikov
BBM: 24CA5DF8 | W: https://kostikov.co
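Because user and domain counters live in the same quota2 table, the drift Max describes (a domain row holding one user's totals rather than the sum of its users) is easy to detect and correct from the table alone. The check below is added here as an example and is not Max Kostikov's dovequota.sh; it rebuilds the table in SQLite with the rows from the SELECT output above (sample data, not a live database) and flags or rewrites any domain row that disagrees with the per-user sums.

```python
"""Consistency check for the 2-level (user + domain) dict quota scheme.
Added example, not the poster's script: rows are the ones shown in the post,
loaded into an in-memory SQLite copy of the quota2 table."""
import sqlite3
from typing import Dict, List, Tuple

# Rows as printed by SELECT * FROM quota2 in the post. The my.domain row holds
# the last recalculated user's totals instead of the sum over the domain.
ROWS: List[Tuple[str, int, int]] = [
    ("foo@my.domain", 8039401321, 32474),
    ("my.domain", 8039401321, 32474),
    ("john@my.domain", 3455382803, 11142),
    ("mary@my.domain", 544637146, 1965),
]

# Same columns as the MySQL table in the post (username is the primary key).
SCHEMA = """CREATE TABLE quota2 (
    username TEXT PRIMARY KEY,
    bytes    INTEGER NOT NULL DEFAULT 0,
    messages INTEGER NOT NULL DEFAULT 0)"""

# Per-domain totals over user rows only: user rows contain '@', domain rows
# (the %d key of the domain_quota dict) do not.
DOMAIN_TOTALS = """
SELECT substr(username, instr(username, '@') + 1) AS domain,
       SUM(bytes), SUM(messages)
FROM quota2 WHERE instr(username, '@') > 0
GROUP BY domain"""


def load(rows: List[Tuple[str, int, int]]) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO quota2 VALUES (?, ?, ?)", rows)
    return con


def domain_drift(con: sqlite3.Connection) -> Dict[str, Tuple[int, int, int, int]]:
    """{domain: (stored_bytes, expected_bytes, stored_msgs, expected_msgs)}
    for every domain whose row is missing or disagrees with its users' sums."""
    drift = {}
    for domain, exp_b, exp_m in con.execute(DOMAIN_TOTALS).fetchall():
        row = con.execute("SELECT bytes, messages FROM quota2 WHERE username = ?",
                          (domain,)).fetchone() or (0, 0)
        if row != (exp_b, exp_m):
            drift[domain] = (row[0], exp_b, row[1], exp_m)
    return drift


def repair(con: sqlite3.Connection) -> int:
    """Rewrite each domain row from the per-user sums; returns rows written."""
    totals = con.execute(DOMAIN_TOTALS).fetchall()
    con.executemany("INSERT OR REPLACE INTO quota2 VALUES (?, ?, ?)", totals)
    con.commit()
    return len(totals)
```

Run against the post's rows, domain_drift() reports my.domain as stored 8039401321 bytes / 32474 messages against an expected 12039421270 / 45581, and repair() writes the sums back.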
Re: Howto authenticate smartPhone via Active Directory
Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley
Date: 03/12/2017 06:03 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Howto authenticate smartPhone via Active Directory

I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.

Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.

What can I do with my dovecot config to fix this?

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =