Re: Debian package for bookworm
On 16/06/2023 12:59, Claudio Corvino wrote:
> Hi guys,
>
> I updated to Debian 12 but I can't find repo for bookworm on https://repo.dovecot.org/.
>
> When will it be released?
>
> Thanks!

repo.dovecot.org may be maintained by dovecot itself and has nothing to do with the Debian ecosystem.
And if you really care about using a clean Debian system, you should rather use dovecot from the Debian official repository.

> --
> Claudio

Thanks.
Lucas Castro.
Re: GSSAPI mail home mapping problem
Sorry, my fault, I missed some commas on user and pass attrs.

On 8/10/21 1:31 PM, Lucas Castro wrote:
> Hello,
>
> I'm trying to map authenticated Kerberos users to mail_location.
>
> The problem: when I set mail_home = /var/mail/virtual/domain1.zw.loca/%n, it works fine.
> But if mail_home is set as /var/mail/virtual/%d/%n I get
>
> Apr 12 19:53:18 postfix10 dovecot: imap-login: Login: user=, method=GSSAPI, rip=172.16.0.44, lip=10.16.0.220, mpid=2428, session=
> Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Added userdb setting: plugin/=yes
> Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Effective uid=5000, gid=5000, home=/var/mail/virtual/domain1.zw.local =login_user=user0/user0
>
> Right here, I can't figure out why login_user=user0/user0
>
> Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/mail
>
> Now login_user=user0
>
> Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: maildir++: root=/var/mail/virtual/domain1.zw.local =login_user=user0/user0/mail, index=, indexpvt=, control=, inbox=/var/mail/virtual/domain1.zw.local =login_user=user0/user0/mail, alt=
>
> then login_user=user0/user0/mail
>
> Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Mailbox INBOX: Mailbox opened because: SELECT
>
> doveconf -n
>
> # 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.4 ()
> # OS: Linux 5.10.0-7-amd64 x86_64 Debian 10.6
> # Hostname: postfix10.zw.local
> auth_debug = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/imap.keytab
> auth_mechanisms = gssapi
> auth_verbose = yes
> disable_plaintext_auth = no
> import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket KRB5_KTNAME=/etc/dovecot/imap.keytab
> mail_debug = yes
> mail_gid = 5000
> mail_home = /var/mail/virtual/%d/%n
> mail_location = maildir:~/mail
> mail_privileged_group = mail
> mail_uid = 5000
> namespace inbox {
>   disabled = no
>   inbox = yes
>   list = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
>   type = private
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocols = " imap lmtp pop3"
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> ssl = no
> ssl_cert = ldap://ldap10.zw.local
> auth_bind = yes
> sasl_bind = yes
> sasl_mech = gssapi
> sasl_realm = zw.local
> debug_level = -1
> ldap_version = 3
> base = dc=zw,dc=local
> user_attrs = \
>   =user=%{ldap:mail} \
>   =login_user=%{ldap:uid}
> user_filter = (uid=%n)
> pass_attrs = \
>   =user=%{ldap:uid},\
>   =k5principals=%{ldap:krbPrincipalName}
> pass_filter = (&(objectClass=krbPrincipalAux)(uid=%n))

--
Lucas Castro
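The missing comma this reply refers to, modeled as an added example (not code from the thread or from Dovecot): with no separator between the two user_attrs fields, the user value swallows the second field, and %d in mail_home then expands to the polluted domain seen in the debug log. The comma-splitting parser is a simplified model, FIXED is an assumed corrected form of the posted setting, and ENTRY is a constructed LDAP entry.

```python
import re

# Constructed from the user_attrs shown in the post (dovecot-ldap.conf.ext).
BROKEN = r"""user_attrs = \
  =user=%{ldap:mail} \
  =login_user=%{ldap:uid}
"""
# Assumed corrected form: a comma separates the two fields.
FIXED = r"""user_attrs = \
  =user=%{ldap:mail}, \
  =login_user=%{ldap:uid}
"""
# Constructed LDAP entry matching the user seen in the log lines.
ENTRY = {"mail": "user0@domain1.zw.local", "uid": "user0"}


def join_continuations(text):
    """Fold backslash-continued lines into one logical line."""
    return re.sub(r"\s*\\\n\s*", " ", text).strip()


def parse_attrs(conf, entry):
    """Simplified model: split the value on commas, then each item as =name=template."""
    value = join_continuations(conf).split("=", 1)[1].strip()
    fields = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        _, name, template = item.split("=", 2)
        fields[name] = re.sub(r"%\{ldap:(\w+)\}",
                              lambda m: entry[m.group(1)], template)
    return fields


def expand_home(mail_home, user):
    """%n is the part of the username before '@', %d the part after it."""
    local, _, domain = user.partition("@")
    return mail_home.replace("%d", domain).replace("%n", local)


def missing_commas(conf):
    """Lint: an item that still contains ' =name=' has lost its separator."""
    value = join_continuations(conf).split("=", 1)[1]
    return [i.strip() for i in value.split(",")
            if re.search(r"\s=\w+=", i.strip())]


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        user = parse_attrs(conf, ENTRY)["user"]
        print(label, "->", expand_home("/var/mail/virtual/%d/%n", user))
```

Running missing_commas over every *_attrs setting before reloading the service catches this class of mistake without needing a login attempt and a debug log.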
GSSAPI mail home mapping problem
Hello,

I'm trying to map authenticated Kerberos users to mail_location.

The problem: when I set mail_home = /var/mail/virtual/domain1.zw.loca/%n, it works fine.
But if mail_home is set as /var/mail/virtual/%d/%n I get

Apr 12 19:53:18 postfix10 dovecot: imap-login: Login: user=, method=GSSAPI, rip=172.16.0.44, lip=10.16.0.220, mpid=2428, session=
Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Added userdb setting: plugin/=yes
Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Effective uid=5000, gid=5000, home=/var/mail/virtual/domain1.zw.local =login_user=user0/user0

Right here, I can't figure out why login_user=user0/user0

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/mail

Now login_user=user0

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: maildir++: root=/var/mail/virtual/domain1.zw.local =login_user=user0/user0/mail, index=, indexpvt=, control=, inbox=/var/mail/virtual/domain1.zw.local =login_user=user0/user0/mail, alt=

then login_user=user0/user0/mail

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local =login_user=user0)<2428>: Debug: Mailbox INBOX: Mailbox opened because: SELECT

doveconf -n

# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 10.6
# Hostname: postfix10.zw.local
auth_debug = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket KRB5_KTNAME=/etc/dovecot/imap.keytab
mail_debug = yes
mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = no
ssl_cert = ldap://ldap10.zw.local
auth_bind = yes
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = zw.local
debug_level = -1
ldap_version = 3
base = dc=zw,dc=local
user_attrs = \
  =user=%{ldap:mail} \
  =login_user=%{ldap:uid}
user_filter = (uid=%n)
pass_attrs = \
  =user=%{ldap:uid},\
  =k5principals=%{ldap:krbPrincipalName}
pass_filter = (&(objectClass=krbPrincipalAux)(uid=%n))

--
Lucas Castro
Re: Dovecot GSSAPI Authentication problem
On 8/6/21 9:56 AM, Aki Tuomi wrote:
> On 04/08/2021 19:47 Lucas Castro wrote:
>> Hello,
>>
>> I'm having a problem setting up dovecot imap/pop service authentication through Kerberos.
>> Already read https://wiki.dovecot.org/Authentication/Kerberos.
>>
>> My guess is Kerberos is working but something goes wrong after.
>
> Hi! This looks like a bug indeed. Do things start working if you add
>
> passdb {
>   driver = static
>   args = password=pass
> }
>
> Aki

Thanks for the reply.

Another question: how can I map a Kerberos principal to mail users?
How can I access us...@domain1.zw.local with user0@ZW.LOCAL?

When I set the user on the mail client as user0, it works fine,
but if I set the user to u...@domain1.zw.local, dovecot returns "User not authorized to log in as user0".

And I can't figure out how to map the Kerberos principal to the mail account.

Right now, I keep the users' information on ldap.

--
Lucas Castro
Re: Dovecot Debian repo instructions need updating
Please, reply to list only!

On 8/5/21 12:20 PM, Laura Smith wrote:
> On Thursday, August 5th, 2021 at 4:06 PM, Lucas Castro wrote:
>> On 8/5/21 8:42 AM, Laura Smith wrote:
>>> Re: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/debian_packages/
>>>
>>> The instructions need updating for two reasons:
>>>
>>> 1. Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove reference to 8.0 "Jessie" and replace with 10.0 "Buster".
>>
>> To "replace", I guess instructions should be added for other versions.
>
> There is very little point supporting EOL systems. As per the table in the link I provided, 8.0 Jessie is EOL unless you are paying money to Debian for ELTS subscription.

I really don't know where you read about payment for ELTS subscription.

>> Not (exactly) needed secure connection. Debian will check the package using gpg,
>> Neither official repositories enforce secure connection.
>> As you said "The key MUST be downloaded over secure connection"
>> the key, not the package, the package must be signed by the key.
>
> I am not sure what the point you are trying to make here is? There is no argument that what I am asking for MUST be done. The Debian link I referred to explains in much detail WHY it is important.

The point is the package is checked by gpg signature.
The link referred "Serving the repository under HTTPS is OPTIONAL"
The package is signed using gpg key,
The key must be downloaded over secure connection, not the package.

--
Lucas Castro
Re: Dovecot Debian repo instructions need updating
On 8/5/21 8:42 AM, Laura Smith wrote:
> Re: https://doc.dovecot.org/installation_guide/dovecot_community_repositories/debian_packages/
>
> The instructions need updating for two reasons:
>
> 1) Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove reference to 8.0 "Jessie" and replace with 10.0 "Buster".

To "replace", I guess instructions should be added for other versions.
Bullseye will be released soon, so must it be replaced again?
To add instructions for other versions someone needs to test and document.

> 2) The instructions presented for key handling are not inline with Debian best-practices. As per https://wiki.debian.org/DebianRepository/UseThirdParty:
>
> "The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."

Not (exactly) needed secure connection. Debian will check the package using gpg,
Neither official repositories enforce secure connection.
As you said "The key MUST be downloaded over secure connection"
the key, not the package, the package must be signed by the key.

--
Lucas Castro
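A check for the key-handling rules quoted from the Debian wiki in this exchange, as an added example that is not part of either participant's message: it audits one-line-style sources.list entries for a missing signed-by, a fingerprint instead of a file, and keyrings in /etc/apt/trusted.gpg.d. The repository path, keyring file names and fingerprint in SAMPLE are constructed placeholders.

```python
import re

# Constructed sample entries; EXAMPLE-PATH, the keyring names and the
# fingerprint are placeholders, not real Dovecot repository values.
SAMPLE = """\
deb https://repo.dovecot.org/EXAMPLE-PATH bookworm main
deb [signed-by=/usr/share/keyrings/example-dovecot.gpg] https://repo.dovecot.org/EXAMPLE-PATH bookworm main
deb [arch=amd64 signed-by=0123456789ABCDEF0123456789ABCDEF01234567] https://repo.dovecot.org/EXAMPLE-PATH bookworm main
deb [signed-by=/etc/apt/trusted.gpg.d/example-dovecot.gpg] https://repo.dovecot.org/EXAMPLE-PATH bookworm main
"""

ENTRY_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)")


def audit_entry(line):
    """Return the policy findings for a single one-line-style entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return ["not a deb/deb-src entry"]
    opts = dict(o.split("=", 1)
                for o in (m.group("opts") or "").split() if "=" in o)
    signed_by = opts.get("signed-by")
    if signed_by is None:
        # Without signed-by, any key apt already trusts can sign this repo.
        return ["SHOULD: no signed-by option set"]
    findings = []
    for value in signed_by.split(","):
        if not value.startswith("/"):
            findings.append("MUST: signed-by is a fingerprint, not a file: " + value)
        elif value.startswith("/etc/apt/trusted.gpg.d/"):
            findings.append("MUST NOT: key placed in /etc/apt/trusted.gpg.d: " + value)
        elif not value.startswith("/usr/share/keyrings/"):
            findings.append("SHOULD: keyring is outside /usr/share/keyrings: " + value)
    return findings


def audit(text):
    """Map line number -> findings for each non-comment line with problems."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            findings = audit_entry(line)
            if findings:
                report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in audit(SAMPLE).items():
        print(number, findings)
```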
Dovecot GSSAPI Authentication problem
Hello,

I'm having a problem setting up dovecot imap/pop service authentication through Kerberos.
Already read https://wiki.dovecot.org/Authentication/Kerberos.

My guess is Kerberos is working but something goes wrong after.

The keytab and ticket (for ldap userdb lookup)

-rw--- 1 dovecot dovecot 498 ago 3 20:20 /etc/dovecot/imap.keytab
-rw--- 1 dovecot root 1503 ago 4 11:40 /etc/dovecot/imap.ticket

dovecot --version
2.3.13 (89f716dc2)

the dovecot setting

# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 11.0
# Hostname: postfix10.zw.local
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_username_translation = /@
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket KRB5_KTNAME=/etc/dovecot/imap.keytab
mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert =

Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs#011lip=10.16.0.220#011rip=172.16.0.44#011lport=110#011rport=47548
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(?,172.16.0.44,): Using all keytab entries
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,): security context state completed.
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvsoco75BA/W0B9tS+UmJnunUg6vIcO5wr0fzZ7iGmCpsz0K2vL/qniGISDIwF9hDXXxs79bljbZE8Yx4dujqVuTPGMtewfhDtNfRNgYGNk/z28sDz7fs/dpIMKF2FAA1m9pFjBupQ1VkGbzMYc77U
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: gssapi(user0@zw.local,172.16.0.44,): Negotiated security layer
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: CONT#0111#011BQQF/wAMAdf8bQH///86U2L5ErmqfWFYNQA=
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug 4 13:42:23 postfix10 dovecot: auth: Error: gssapi(us...@domain1.zw.local,172.16.0.44,): All password databases were skipped
Aug 4 13:42:23 postfix10 dovecot: auth: Debug: auth(us...@domain1.zw.local,172.16.0.44,): Auth request finished
Aug 4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=us...@domain1.zw.local#011code=temp_fail#011original_user=user0@ZW.LOCAL
Aug 4 13:42:25 postfix10 dovecot: pop3-login: Debug: Ignoring unknown passdb extra field: original_user

Can someone help with this?

--
Lucas Castro