Re: [Dovecot] Please help: LDAP configuration _almost_ works.

2008-04-16 Thread Rob Coward
I can't help you with what is going wrong for you, but we use dovecot
very successfully with ldap lookups against Active Directory, using
auth_bind=yes, and it does not require anonymous connections. The
initial connection is by an un-privileged user that searches for the
user, then a 2nd connection is used, authenticating against AD as the
looked up user using the password supplied to dovecot.

Our setup looks like this:

# rpm -q dovecot
dovecot-1.0-1.2.0.el5

# dovecot -n
# /etc/dovecot.conf
protocols: imap pop3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: dovecotlogin
login_process_size: 64
login_processes_count: 10
login_max_processes_count: 64
first_valid_uid: 97
default_mail_env: maildir:/data/shared/mailstore/%d/%n
mail_location: maildir:/data/shared/mailstore/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  passdb:
driver: ldap
args: /etc/dovecot-ldap.conf
  passdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
  passdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf

# cat /etc/dovecot-ldap.conf
hosts = ad.our.net
dn=CN=Lookup,CN=Users,DC=our,DC=net
dnpass=
auth_bind = yes
ldap_version = 3
base = OU=Stores,OU=UK,DC=our,DC=net
deref = never
scope = subtree
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot

We use multiple userdb / passdb definitions and ldap configs in order to
limit the searches of our AD schema to specific sub-trees, both for
performance and as there are other users elsewhere in our schema that we
don't want dovecot to allow to connect.

Hope this helps you.
Rob

On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
  /etc/ldap/sldap.conf:
  access to attr=uid,homeDirectory,uidNumber
  by anonymous read
  
  I do not have this in my configuration, and dovecot does indeed use the
  credential I provide to successfully query LDAP for the user based on
  the (mail=%u) criteria.  However, it does not see the reply.
  The fact that it does perform the query successfully implies to me that
  it does not use an anonymous connection.  Very puzzling.
 
 
 i have no idea what dovecot is doing :-) from the log file it looks like 
 there are 2 queries to ldap: 1. to check provided password for provided 
 user name, 2. to find a user related information (and from what Steffen 
 wrote this one is done with anonymous user - correct?).
 
 [on the margin: why isn't it done in one query: get me the user related 
 information, i am binding with provided user and with provided password. 
 this way it would be one query for two things.]
 
 in my case, i cannot list user related information from ldap in 
 anonymous connection even from command line, using: ldapsearch -x -b 
 'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))' 
 homeDirectory
 
 so i guess that i have to workout ldap settings for anonymous query. my 
 /etc/ldap/slapd.conf related to access permissions is:
 
 access to dn.children=ou=Users,dc=frontline 
 attrs=uid,homeDirectory,uidNumber
 by anonymous read
 access to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn=cn=admin,dc=frontline write
  by anonymous auth
  by self write
  by * none
 access to dn.children=ou=Users,dc=frontline
  by dn=cn=root,ou=Users,dc=frontline read
  by anonymous auth
  by self write
 access to dn.base= by * read
 access to *
  by dn=cn=admin,dc=frontline write
  by * read
 
 maybe the problem is here... any hints please?
 
 regards, Wojtek


Please consider the environment before printing this email. 


GAME Stores Group Ltd has been awarded ‘Retailer of the Year’ at the 2006 and 
2007 Golden Joystick Awards and 
'Thames Valley Business Award' for Outstanding Employer of Choice 2006.

This e-mail and any files transmitted with it are confidential and intended 
solely for the use of the 
individual or entity to whom they are addressed. If you have received this 
e-mail in error please 
notify the system manager at:  
 
mailto:[EMAIL PROTECTED]
 
The recipient acknowledges that the transmissions made via the Internet can be 
corrupted and therefore 
THE GAME GROUP PLC and any of its subsidiaries do not give any 

Re: [Dovecot] Expire plugin isn't working

2008-04-16 Thread Anders
Raphael Bittencourt S. Costa wrote:

 I followed the wiki to configured the expire plugin on dovecot-1.1rc4
 and it isn't working. No error messages on logs or on the execution of
 dovecot --exec-mail ext /usr/libexec/dovecot/expire-tool.

Same problem for me. The expire plugin is in fact active, as I get an
error when intentionally malforming the expire= configuration line.

After observing my install for a bit, though, I have come to the
understanding that the expire plugin never really does anything. The proxy
db is only created when the expire-tool is run at night, and never touched
during the day.

I wonder what can be done to debug this? Using the find -delete way of
removing old mail seems a bit crude, especially with regards to the index.


Regards,
Anders.




Re: [Dovecot] Please help: LDAP configuration _almost_ works.

2008-04-16 Thread Wojtek Bogusz

dear Rob, thank you for support!
there are small differences in mine and yours config, like:

- you do not have auth_bind_userdn defined. if i comment my out i cannot 
authenticate at all - log file:

auth(default): ldap(wojtek,192.168.0.200): unknown user
dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek

- you have user_attrs = mail=user, me: user_attrs = 
homeDirectory=home,uidNumber=uid. but i do not think it make any difference.


- i did not have deref = never. do you know what does it do? i do not 
understand man ldapsearch explanation :(


Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? 
maybe i am making some simple mistake with my ldap config...


cheers, Wojtek

Rob Coward wrote:

I can't help you with what is going wrong for you, but we use dovecot
very successfully with ldap lookups against Active Directory, using
auth_bind=yes, and it does not require anonymous connections. The
initial connection is by an un-privileged user that searches for the
user, then a 2nd connection is used, authenticating against AD as the
looked up user using the password supplied to dovecot.

Our setup looks like this:

# rpm -q dovecot
dovecot-1.0-1.2.0.el5

# dovecot -n
# /etc/dovecot.conf
protocols: imap pop3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: dovecotlogin
login_process_size: 64
login_processes_count: 10
login_max_processes_count: 64
first_valid_uid: 97
default_mail_env: maildir:/data/shared/mailstore/%d/%n
mail_location: maildir:/data/shared/mailstore/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  passdb:
driver: ldap
args: /etc/dovecot-ldap.conf
  passdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
  passdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf

# cat /etc/dovecot-ldap.conf
hosts = ad.our.net
dn=CN=Lookup,CN=Users,DC=our,DC=net
dnpass=
auth_bind = yes
ldap_version = 3
base = OU=Stores,OU=UK,DC=our,DC=net
deref = never
scope = subtree
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot

We use multiple userdb / passdb definitions and ldap configs in order to
limit the searches of our AD schema to specific sub-trees, both for
performance and as there are other users elsewhere in our schema that we
don't want dovecot to allow to connect.

Hope this helps you.
Rob

On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:

/etc/ldap/sldap.conf:
access to attr=uid,homeDirectory,uidNumber
by anonymous read

I do not have this in my configuration, and dovecot does indeed use the
credential I provide to successfully query LDAP for the user based on
the (mail=%u) criteria.  However, it does not see the reply.
The fact that it does perform the query successfully implies to me that
it does not use an anonymous connection.  Very puzzling.


i have no idea what dovecot is doing :-) from the log file it looks like 
there are 2 queries to ldap: 1. to check provided password for provided 
user name, 2. to find a user related information (and from what Steffen 
wrote this one is done with anonymous user - correct?).


[on the margin: why isn't it done in one query: get me the user related 
information, i am binding with provided user and with provided password. 
this way it would be one query for two things.]


in my case, i cannot list user related information from ldap in 
anonymous connection even from command line, using: ldapsearch -x -b 
'ou=Users,dc=frontline' '(&(objectClass=posixAccount)(uid=wojtek))' 
homeDirectory


so i guess that i have to workout ldap settings for anonymous query. my 
/etc/ldap/slapd.conf related to access permissions is:


access to dn.children=ou=Users,dc=frontline 
attrs=uid,homeDirectory,uidNumber

by anonymous read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
 by dn=cn=admin,dc=frontline write
 by anonymous auth
 by self write
 by * none
access to dn.children=ou=Users,dc=frontline
 by dn=cn=root,ou=Users,dc=frontline read
 by anonymous auth
 by self write
access to dn.base= by * read
access to *
 by dn=cn=admin,dc=frontline write
 by * read

maybe the problem is here... any hints please?

regards, Wojtek




[Dovecot] antispam for Dovecot 1.1

2008-04-16 Thread Anders
Hi Johannes.

I wanted to try out the antispam plugin for a Dovecot 1.1 install, only to
learn that 1.1 is actually not supported.

Are there any plans to remedy this? If not, is it known how much effort is
required? (i.e. could I do it myself?).


Thanks,
Anders.




Re: [Dovecot] Please help: LDAP configuration _almost_ works.

2008-04-16 Thread Rob Coward
On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
 dear Rob, thank you for support!
 there are small differences in mine and yours config, like:
 
 - you do not have auth_bind_userdn defined. if i comment my out i cannot 
 authenticate at all - log file:
 auth(default): ldap(wojtek,192.168.0.200): unknown user
 dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek

Our initial connection is made using the dn and dnpass settings.
This looks up the user's dn based on the (&(objectClass=user)(mail=%u))
search criteria.

My understanding of the auth_bind_userdn setting is that it is only
useful if all your users are in a specific tree in the ldap, so that you
can specify (from
http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%28auth_bind_userdn%29 )
auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy

This I believe saves the first lookup to find the dn of the user trying
to login. Our users are spread throughout our tree, hence using the
initial lookup as the 'dn'/'dnpass' user to find our user's dn.

If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a
suitable unprivileged user to allow the initial lookup of the logging-in
user's dn ?

 
 - you have user_attrs = mail=user, me: user_attrs = 
 homeDirectory=home,uidNumber=uid. but i do not think it make any difference.
 

Our users login with their email address as the userid - hence
mail=user telling dovecot that the userid is stored in the 'mail'
attribute in the ldap results. We don't bother with 'home' or 'uid' as
they are all virtual users, using a fixed uid set by user_global_uid =
dovecot and mail_location: maildir:/data/shared/mailstore/%d/%n

 - i did not have deref = never. do you know what does it do? i do not 
 understand man ldapsearch explanation :(

something to do with following links to other ldap servers I think. Don't
think it's strictly necessary in a single server setup.

 
 Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? 
 maybe i am making some simple mistake with my ldap config...

As I said, we use Active Directory (running on Win2k3 servers I
believe), not slapd.

Regards,
Rob


 Rob Coward wrote:
  I can't help you with what is going wrong for you, but we use dovecot
  very successfully with ldap lookups against Active Directory, using
  auth_bind=yes, and it does not require anonymous connections. The
  initial connection is by an un-privileged user that searches for the
  user, then a 2nd connection is used, authenticating against AD as the
  looked up user using the password supplied to dovecot.
  
  Our setup looks like this:
  
  # rpm -q dovecot
  dovecot-1.0-1.2.0.el5
  
  # dovecot -n
  # /etc/dovecot.conf
  protocols: imap pop3
  login_dir: /var/run/dovecot/login
  login_executable(default): /usr/libexec/dovecot/imap-login
  login_executable(imap): /usr/libexec/dovecot/imap-login
  login_executable(pop3): /usr/libexec/dovecot/pop3-login
  login_user: dovecotlogin
  login_process_size: 64
  login_processes_count: 10
  login_max_processes_count: 64
  first_valid_uid: 97
  default_mail_env: maildir:/data/shared/mailstore/%d/%n
  mail_location: maildir:/data/shared/mailstore/%d/%n
  mail_executable(default): /usr/libexec/dovecot/imap
  mail_executable(imap): /usr/libexec/dovecot/imap
  mail_executable(pop3): /usr/libexec/dovecot/pop3
  mail_plugin_dir(default): /usr/lib64/dovecot/imap
  mail_plugin_dir(imap): /usr/lib64/dovecot/imap
  mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
  auth default:
passdb:
  driver: ldap
  args: /etc/dovecot-ldap.conf
passdb:
  driver: ldap
  args: /etc/dovecot-ldap-fr.conf
passdb:
  driver: ldap
  args: /etc/dovecot-ldap-se.conf
userdb:
  driver: ldap
  args: /etc/dovecot-ldap.conf
userdb:
  driver: ldap
  args: /etc/dovecot-ldap-fr.conf
userdb:
  driver: ldap
  args: /etc/dovecot-ldap-se.conf
  
  # cat /etc/dovecot-ldap.conf
  hosts = ad.our.net
  dn=CN=Lookup,CN=Users,DC=our,DC=net
  dnpass=
  auth_bind = yes
  ldap_version = 3
  base = OU=Stores,OU=UK,DC=our,DC=net
  deref = never
  scope = subtree
  user_attrs = mail=user
  user_filter = (&(objectClass=user)(mail=%u))
  pass_attrs = mail=user,userPassword=password,mail=userdb_user
  pass_filter = (&(objectClass=user)(mail=%u))
  user_global_uid = dovecot
  user_global_gid = dovecot
  
  We use multiple userdb / passdb definitions and ldap configs in order to
  limit the searches of our AD schema to specific sub-trees, both for
  performance and as there are other users elsewhere in our schema that we
  don't want dovecot to allow to connect.
  
  Hope this helps you.
  Rob
  
  On Wed, 2008-04-16 at 00:19 +0100, Wojtek Bogusz wrote:
  /etc/ldap/sldap.conf:
  access to attr=uid,homeDirectory,uidNumber
  by anonymous read
I do not have this in my configuration, and dovecot does indeed use the
  credential I provide to successfully query LDAP for the user based on
  the (mail=%u) 

Re: [Dovecot] Please help: LDAP configuration _almost_ works.

2008-04-16 Thread Jack McKinney
On Wed, 2008-04-16 at 08:16 +, Rob Coward wrote:
 I can't help you with what is going wrong for you, but we use dovecot
 very successfully with ldap lookups against Active Directory, using
 auth_bind=yes, and it does not require anonymous connections. The
 initial connection is by an un-privileged user that searches for the
 user, then a 2nd connection is used, authenticating against AD as the
 looked up user using the password supplied to dovecot.

This is exactly what I am trying to achieve, though I am using
OpenLDAP.

 Our setup looks like this:

 user_attrs = mail=user
 user_filter = (&(objectClass=user)(mail=%u))
 pass_attrs = mail=user,userPassword=password,mail=userdb_user
 pass_filter = (&(objectClass=user)(mail=%u))
 user_global_uid = dovecot
 user_global_gid = dovecot

Hmmm. I am not using LDAP for userdb.  The only userdb information that
is needed is the homedir for the mail (and the uid/gid, but these are
always varmail).  In my case, this is always determined by the email
address:

[EMAIL PROTECTED] -> /var/mail/lorentz.com/jackmc

Thus, I have this in my config:

  userdb:
driver: static
args: uid=varmail gid=varmail home=/var/mail/%Ld/%Ln

Looking at your config, it seems that your passdb for LDAP depends on
your userdb, as you have mail= twice in your pass_attrs, once for
userdb_user.
For that matter, why do you have userPassword=password? dovecot should
never need to see the contents of this field.  Indeed, this is the whole
point of using auth_bind: instead of dovecot retrieving the password
from LDAP and checking it against the user-supplied one, dovecot should
_send_ the password to LDAP in the form of a bind and have LDAP accept
or reject it.


-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs




Re: [Dovecot] Please help: LDAP configuration _almost_ works.

2008-04-16 Thread Rob Coward
On Wed, 2008-04-16 at 08:28 -0500, Jack McKinney wrote:
   Looking at your config, it seems that your passdb for LDAP depends on
 your userdb, as you have mail= twice in your pass_attrs, once for
 userdb_user.
   For that matter, why do you have userPassword=password? dovecot should
 never need to see the contents of this field.  Indeed, this is the whole
 point of using auth_bind: instead of dovecot retrieving the password
 from LDAP and checking it against the user-supplied one, dovecot should
 _send_ the password to LDAP in the form of a bind and have LDAP accept
 or reject it.
 

I never said that it was right, only that it works for us ;)

It may be that some of our config settings are unnecessary, redundant or
sub-optimal, but it works, it's running happily in an active-passive
RHEL5 cluster configuration using ext3 on DRBD for storing the
mailboxes, and until we look at upgrading to the latest dovecot stable
release, we aren't likely to play with any config settings.




[Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)

2008-04-16 Thread Jack McKinney
It seems that Rob and I are doing almost exactly the same thing except:

- He uses AD, I use OpenLDAP
- His works, mine doesn't.

I have:
- Red Hat Linux release 7.2 (Enigma)
- OpenLDAP 2.3.38
- Dovecot 1.0.12, 1.0.13, and 1.1.rc4 (they all fail the same way).

Sigh... Rob, It sounds like you are trying to do EXACTLY what I am
trying to do:

1. My users login with their email address.

2a. My users are all over the tree in the sense that you cannot
determine the DN from the email alone.  E.g., I am [EMAIL PROTECTED],
but my DN is cn=Jack McKinney, ou=users, dc=lorentz, dc=com.  Thus, I
need to do a lookup to get the DN to use for auth_bind. However,

2b. My users have contact databases under their DNs.  For example, all
of my contacts are in ou=AddressBook,cn=Jack McKinney, ou=users,
dc=lorentz, dc=com. If I did a subtree search, then
[EMAIL PROTECTED] would pick up my DN, plus the DN of any entry in
anyone's addressbook for me.  I.e., if [EMAIL PROTECTED] had an account on
my system, and they had an entry in their addressbook, then the subtree
query for [EMAIL PROTECTED] would turn up two entries:

dn: cn=Jack McKinney, ou=users, dc=lorentz, dc=com
dn: cn=Jack McKinney, ou=AddressBook, cn=Foo Bar, ou=users, dc=example,
 dc=com

Thus, I do a query with base ou=users, dc=%Dd and scope = onelevel,
so that only the real users are matched.

3. My users do not have any logins on the system.  Just like a web
server is just a web server and not a login system, the same with my
email: all mail lives under the same username and group
(varmail/varmail), and everyone's maildir
is /var/mail/domain/user/Maildir/

My config is almost exactly the same as yours, except that I use static
userdb and I do not have (nor do I understand the need for; see my
previous post) pass_attrs.  I tried putting them in matching yours, but
it still fails the same way: OpenLDAP receives the query and (according
to its logs) responds with nentries=1 (i.e., exactly one match, as
expected). However, dovecot never sees the response from OpenLDAP.

On Wed, 2008-04-16 at 11:17 +, Rob Coward wrote:
 On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:
  dear Rob, thank you for support!
  there are small differences in mine and yours config, like:
  
  - you do not have auth_bind_userdn defined. if i comment my out i cannot 
  authenticate at all - log file:
  auth(default): ldap(wojtek,192.168.0.200): unknown user
  dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek
 
 Our initial connection is made using the dn and dnpass settings.
 This looks up the user's dn based on the (&(objectClass=user)(mail=%u))
 search criteria.
 
 My understanding of the auth_bind_userdn setting is that it is only
 useful if all your users are in a specific tree in the ldap, so that you
 can specify (from
 http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%
 28auth_bind_userdn%29 ) auth_bind_userdn = uid=%
 u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
 
 This I believe saves the first lookup to find the dn of the user trying
 to login. Our users are spread throughout our tree, hence using the
 initial lookup as the 'dn'/'dnpass' user to find our user's dn.
 
 If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a
 suitable unprivileged user to allow the initial lookup of the logging-in
 user's dn ?
 
  
  - you have user_attrs = mail=user, me: user_attrs = 
  homeDirectory=home,uidNumber=uid. but i do not think it make any difference.
  
 
 Our users login with their email address as the userid - hence
 mail=user telling dovecot that the userid is stored in the 'mail'
 attribute in the ldap results. We don't bother with 'home' or 'uid' as
 they are all virtual users, using a fixed uid set by user_global_uid =
 dovecot and mail_location: maildir:/data/shared/mailstore/%d/%n
 
  - i did not have deref = never. do you know what does it do? i do not 
  understand man ldapsearch explanation :(
 
 something to do with following links to other ldap servers I think. Don't
 think it's strictly necessary in a single server setup.
 
  
  Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? 
  maybe i am making some simple mistake with my ldap config...
 
 As I said, we use Active Directory (running on Win2k3 servers I
 believe), not slapd.
 
 Regards,
 Rob
 
 
  Rob Coward wrote:
   I can't help you with what is going wrong for you, but we use dovecot
   very successfully with ldap lookups against Active Directory, using
   auth_bind=yes, and it does not require anonymous connections. The
   initial connection is by an un-privileged user that searches for the
   user, then a 2nd connection is used, authenticating against AD as the
   looked up user using the password supplied to dovecot.
   
   Our setup looks like this:
   
   # rpm -q dovecot
   dovecot-1.0-1.2.0.el5
   
   # dovecot -n
   # /etc/dovecot.conf
   protocols: imap pop3
   login_dir: /var/run/dovecot/login
   

Re: [Dovecot] antispam for Dovecot 1.1

2008-04-16 Thread Johannes Berg
Hi Anders,

 I wanted to try out the antispam plugin for a Dovecot 1.1 install, only to
 learn that 1.1 is actually not supported.
 
 Are there any plans to remedy this? If not, is it known how much effort is
 required? (i.e. could I do it myself?).

I don't have any plans right now, but it shouldn't be too hard.
Essentially, you have to copy antispam-storage-1.0.c to
antispam-storage-1.1.c, adjust the Makefile and make  that new file
build against 1.1

johannes




Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)

2008-04-16 Thread Gavin Henry
   My config is almost exactly the same as yours, except that I use static
 userdb and I do not have (nor do I understand the need for; see my
 previous post) pass_attrs.  I tried putting them in matching yours, but
 it still fails the same way: OpenLDAP receives the query and (according
 to its logs) responds with nentries=1 (i.e., exactly one match, as
 expected). However, dovecot never sees the response from OpenLDAP.

What do you see in the dovecot logs with auth debug on?


Re: [Dovecot] Please help: LDAP configuration _almost_ works.

2008-04-16 Thread Wojtek Bogusz
Rob. actually it works... you made me check one thing again and i did 
have a mistake with the user specified in dn in dovecot-ldap.conf. it 
was not possible to search userdb information with it. so a small fix in 
slapd.conf and it is working.


now i am off to setting the ldap aliases for postfix. setting mailing 
lists with mailman, making ldap work with samba, etc...


i need to offer users simple way of changing the password and editing 
mail address aliases. i was thinking of writing a simple web interface. 
but maybe there are already programs for doing this?


all the best! Wojtek

Rob Coward wrote:

On Wed, 2008-04-16 at 10:39 +0100, Wojtek Bogusz wrote:

dear Rob, thank you for support!
there are small differences in mine and yours config, like:

- you do not have auth_bind_userdn defined. if i comment my out i cannot 
authenticate at all - log file:

auth(default): ldap(wojtek,192.168.0.200): unknown user
dovecot: auth(default): client out: FAIL^I1^Iuser=wojtek


Our initial connection is made using the dn and dnpass settings.
This looks up the user's dn based on the (&(objectClass=user)(mail=%u))
search criteria.

My understanding of the auth_bind_userdn setting is that it is only
useful if all your users are in a specific tree in the ldap, so that you
can specify (from
http://wiki.dovecot.org/HowTo/DovecotOpenLdap?highlight=%
28auth_bind_userdn%29 ) auth_bind_userdn = uid=%
u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy

This I believe saves the first lookup to find the dn of the user trying
to login. Our users are spread throughout our tree, hence using the
initial lookup as the 'dn'/'dnpass' user to find our user's dn.

If you remove auth_bind_userdn, do you have 'dn' & 'dnpass' setup with a
suitable unprivileged user to allow the initial lookup of the logging-in
user's dn ?

- you have user_attrs = mail=user, me: user_attrs = 
homeDirectory=home,uidNumber=uid. but i do not think it make any difference.




Our users login with their email address as the userid - hence
mail=user telling dovecot that the userid is stored in the 'mail'
attribute in the ldap results. We don't bother with 'home' or 'uid' as
they are all virtual users, using a fixed uid set by user_global_uid =
dovecot and mail_location: maildir:/data/shared/mailstore/%d/%n

- i did not have deref = never. do you know what does it do? i do not 
understand man ldapsearch explanation :(


something to do with following links to other ldap servers I think. Don't
think it's strictly necessary in a single server setup.

Rob, could you send me your ldap config (/etc/ldap/slapd.conf) please? 
maybe i am making some simple mistake with my ldap config...


As I said, we use Active Directory (running on Win2k3 servers I
believe), not slapd.

Regards,
Rob



Rob Coward wrote:

I can't help you with what is going wrong for you, but we use dovecot
very successfully with ldap lookups against Active Directory, using
auth_bind=yes, and it does not require anonymous connections. The
initial connection is by an un-privileged user that searches for the
user, then a 2nd connection is used, authenticating against AD as the
looked up user using the password supplied to dovecot.

Our setup looks like this:

# rpm -q dovecot
dovecot-1.0-1.2.0.el5

# dovecot -n
# /etc/dovecot.conf
protocols: imap pop3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_user: dovecotlogin
login_process_size: 64
login_processes_count: 10
login_max_processes_count: 64
first_valid_uid: 97
default_mail_env: maildir:/data/shared/mailstore/%d/%n
mail_location: maildir:/data/shared/mailstore/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  passdb:
driver: ldap
args: /etc/dovecot-ldap.conf
  passdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
  passdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap-fr.conf
  userdb:
driver: ldap
args: /etc/dovecot-ldap-se.conf

# cat /etc/dovecot-ldap.conf
hosts = ad.our.net
dn=CN=Lookup,CN=Users,DC=our,DC=net
dnpass=
auth_bind = yes
ldap_version = 3
base = OU=Stores,OU=UK,DC=our,DC=net
deref = never
scope = subtree
user_attrs = mail=user
user_filter = (&(objectClass=user)(mail=%u))
pass_attrs = mail=user,userPassword=password,mail=userdb_user
pass_filter = (&(objectClass=user)(mail=%u))
user_global_uid = dovecot
user_global_gid = dovecot

We use multiple userdb / passdb definitions and ldap configs in order to
limit the searches of our AD schema to specific sub-trees, both for

Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)

2008-04-16 Thread Jack McKinney
Apr  3 08:13:21 fourier dovecot: auth(default): new auth connection:
pid=15774
Apr  3 08:13:30 fourier dovecot: auth(default): client in:
AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=hidden
Apr  3 08:13:30 fourier dovecot: auth(default):
ldap([EMAIL PROTECTED],y.y.y.y): bind search: base=ou=users,
dc=lorentz,dc=com
filter=(&(objectClass=inetOrgPerson)([EMAIL PROTECTED]))
Apr  3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity:
method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS

For full details, see the original email. It would appear from the
OpenLDAP logs that OpenLDAP is sending the match, but that dovecot is
not receiving it.

On Wed, 2008-04-16 at 15:31 +0100, Gavin Henry wrote:
  My config is almost exactly the same as yours, except that I use static
  userdb and I do not have (nor do I understand the need for; see my
  previous post) pass_attrs.  I tried putting them in matching yours, but
  it still fails the same way: OpenLDAP receives the query and (according
  to its logs) responds with nentries=1 (i.e., exactly one match, as
  expected). However, dovecot never sees the response from OpenLDAP.
 
 What do you see in the dovecot logs with auth debug on?
-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs




Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)

2008-04-16 Thread Gavin Henry
quote who=Jack McKinney
 Apr  3 08:13:21 fourier dovecot: auth(default): new auth connection:
 pid=15774
 Apr  3 08:13:30 fourier dovecot: auth(default): client in:
 AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=hidden
 Apr  3 08:13:30 fourier dovecot: auth(default):
 ldap([EMAIL PROTECTED],y.y.y.y): bind search: base=ou=users,
 dc=lorentz,dc=com
 filter=(&(objectClass=inetOrgPerson)([EMAIL PROTECTED]))
 Apr  3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity:
 method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS


This isn't a TLS mismatch kind of thing is it?


Re: [Dovecot] Please help: LDAP configuration _almost_ works.

2008-04-16 Thread Anders

Wojtek Bogusz wrote:
I need to offer users a simple way of changing the password and editing 
mail address aliases. I was thinking of writing a simple web interface, 
but maybe there are already programs for doing this?

I found Phamm and GOsa while looking for this kind of thing.


Anders.



Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)

2008-04-16 Thread Jack McKinney
No, it isn't. I have verified the connection with openssl s_client.
Besides, the server is receiving the username [EMAIL PROTECTED], so
the connection has already been made by this time.
What is happening every time is that dovecot sends the correct query to
OpenLDAP (as noted in the log below), OpenLDAP receives that query
(according to its log) and responds with one match, but dovecot never
seems to see that response.  180 seconds after the auth fails, dovecot
drops the connection with the IMAP client for inactivity.

On Wed, 2008-04-16 at 19:41 +0100, Gavin Henry wrote:
 quote who=Jack McKinney
  Apr  3 08:13:21 fourier dovecot: auth(default): new auth connection:
  pid=15774
  Apr  3 08:13:30 fourier dovecot: auth(default): client in:
  AUTH^I1^IPLAIN^Iservice=IMAP^Isecured^Ilip=x.x.x.x^Irip=y.y.y.y^Iresp=hidden
  Apr  3 08:13:30 fourier dovecot: auth(default):
  ldap([EMAIL PROTECTED],y.y.y.y): bind search: base=ou=users,
  dc=lorentz,dc=com
  filter=(&(objectClass=inetOrgPerson)([EMAIL PROTECTED]))
  Apr  3 08:16:30 fourier dovecot: imap-login: Disconnected: Inactivity:
  method=PLAIN, rip=y.y.y.y, lip=x.x.x.x, TLS
 
 
 This isn't a TLS mismatch kind of thing is it?
-- 
Jack McKinney
GPG 1024D/99C6A174
[EMAIL PROTECTED] YM:lfaatsnat2006 AIM:jackmclorentz
Beware geeks bearing diffs




Re: [Dovecot] Does dovecot work with OpenLDAP? (was Re: Please help: LDAP configuration _almost_ works.)

2008-04-16 Thread Gavin Henry
quote who=Jack McKinney
   No, it isn't. I have verified the connection with openssl s_client.
 Besides, the server is receiving the username [EMAIL PROTECTED], so
 the connection has already been made by this time.
   What is happening every time is that dovecot sends the correct query to
 OpenLDAP (as noted in the log below), OpenLDAP receives that query
 (according to its log) and responds with one match, but dovecot never
 seems to see that response.  180 seconds after the auth fails, dovecot
 drops the connection with the IMAP client for inactivity.


I've gone back to your first post, and your slapd logs show:

Apr  3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH
base=ou=users,dc=lorentz,dc=com scope=1 deref=0
filter=(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))
Apr  3 08:13:30 fourier slapd[14039]: conn=7 op=3 SRCH attr=uid
Apr  3 08:13:30 fourier slapd[14039]: conn=7 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=

Which shows the correct filter, but the requested attribute to return is
uid, which is _not_ in your entry:

# Jack McKinney, users, lorentz.com
dn: cn=Jack McKinney,ou=users,dc=lorentz,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jack McKinney
givenName: Jack McKinney
sn: McKinney
mail: jackmc at lorentz.com

Try the same search again, but using (note uid on end):

ldapsearch -h ldap.lrtz -b 'ou=users, dc=lorentz, dc=com' -D
'cn=varmail,ou=users,dc=lorentz,dc=com' -x -W -s onelevel
'(&(objectClass=inetOrgPerson)(mail=jackmc at lorentz.com))' uid

It should be empty, hence why dovecot isn't getting anything.
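Added example, not code from this thread and not Dovecot's own: a Python simulation of the auth_bind=yes lookup Rob Coward describes earlier in the thread (bind as an unprivileged lookup DN, search with the pass_filter, then bind again as the entry found using the password the client sent) and of the failure Gavin diagnoses just above (slapd returns the entry, but it carries none of the attributes pass_attrs asked for, so no username comes back and the login cannot proceed). The in-memory directory, the lookup DN's password "varmail-secret", the users' passwords and the alice entry are constructed for the demo; the filters are written with the "&" that the archive stripped.

```python
import re

# Constructed directory for the demo (DN -> attributes, attribute names lowercased).
# The DNs echo the thread; the passwords and the alice entry are invented here.
DIRECTORY = {
    "cn=varmail,ou=users,dc=lorentz,dc=com": {
        "objectclass": ["top", "person"], "userpassword": ["varmail-secret"]},
    "cn=jack mckinney,ou=users,dc=lorentz,dc=com": {
        "objectclass": ["top", "person", "organizationalperson", "inetorgperson"],
        "cn": ["Jack McKinney"], "mail": ["jackmc@lorentz.com"], "userpassword": ["hunter2"]},
    "cn=alice,ou=stores,ou=uk,dc=our,dc=net": {
        "objectclass": ["user"], "mail": ["alice@our.net"], "userpassword": ["alice-pw"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter (what a %u expansion
    must get): unescaped, a login name like '*' or 'x)(mail=*' rewrites the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _parse(f, i):
    """Parse the filter component starting at f[i] == '('; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":                      # (&(a)(b)) and (|(a)(b))
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError("unterminated list filter")
        return (op, kids), i + 1
    if f[i] == "!":                       # (!(a))
        kid, i = _parse(f, i + 1)
        return ("!", [kid]), i + 1
    j = f.index(")", i)                   # simple item: attr=value
    attr, _, val = f[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def filter_is_valid(filt):
    """True only for one complete well-formed filter; the '&'-less
    '((objectClass=user)(mail=%u))' form seen in the archive is rejected."""
    try:
        _, end = _parse(filt, 0)
        return end == len(filt)
    except (ValueError, IndexError):
        return False

def _match(node, attrs):
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(_match(k, attrs) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], attrs)
    _, attr, val = node
    values = attrs.get(attr, [])
    if val == "*":                        # presence filter
        return bool(values)
    if "*" in val:                        # substring filter: unescaped pieces joined by wildcards
        pat = ".*".join(re.escape(_unescape(p)) for p in val.split("*"))
        return any(re.fullmatch(pat, v, re.IGNORECASE) for v in values)
    return any(v.lower() == _unescape(val).lower() for v in values)

def search(base, filt, attrs_wanted):
    """Subtree search under base; returns [(dn, {attr: values})] carrying only the
    requested attributes, as slapd does for 'SRCH attr=...'."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing text after filter")
    return [(dn, {a: attrs[a] for a in attrs_wanted if a in attrs})
            for dn, attrs in DIRECTORY.items()
            if dn.endswith(base.lower()) and _match(node, attrs)]

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and password in entry.get("userpassword", [])

def auth_bind(user, password, base, pass_filter, pass_attrs, lookup_dn, lookup_pw):
    """Dovecot's auth_bind=yes sequence: bind as the unprivileged lookup DN, search
    for the user, then bind as the DN found with the password the client sent.
    Returns the value mapped to Dovecot's 'user' field, or None on any failure."""
    if not bind(lookup_dn, lookup_pw):
        return None
    pairs = [p.split("=", 1) for p in pass_attrs.split(",")]   # ldap attr -> dovecot field
    filt = pass_filter.replace("%u", escape_filter_value(user))
    hits = search(base, filt, [a.lower() for a, _ in pairs])
    if len(hits) != 1:                    # no match, or an ambiguous match: fail closed
        return None
    dn, got = hits[0]
    fields = {field: got[a.lower()][0] for a, field in pairs if a.lower() in got}
    if "user" not in fields:              # entry returned but without the attribute asked for
        return None
    if not bind(dn, password):            # the second bind is what actually checks the password
        return None
    return fields["user"]
```

Two things worth noticing when running it: with pass_attrs = uid=user,... against Jack's entry the search hits exactly one entry (slapd's nentries=1) yet auth_bind returns None, because the entry has no uid, which is Gavin's point; and a login name of "*" produces the filter (mail=\2a), which matches nothing, whereas the raw (mail=*) is a presence filter that matches every entry with a mail attribute. Dovecot's own LDAP driver escapes the variables it expands into filters; escape_filter_value stands in for that here.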





[Dovecot] pop3 imap

2008-04-16 Thread Tommy
Hi,

I use dovecot as pop3 and imap (squirrelmail) server.
When I create a folder through webmail and set some sieve rules (fileinto for 
example), 
messages will be delivered to that folder by lda, but will not be visible for 
pop clients.
Is it possible to download these messages? (Dovecot 1.0, debian etch)


regards



[Dovecot] how to link antispam server mail server?

2008-04-16 Thread Allen Sim
Hi;
I just installed antispam server & quarantine system in a machine, and
mail server in another machine.
I tested the mail server, it works ok! can send in & out the mail properly..
how can i link my mail server and antispam together?
Please advise

ThankYou

Regards
Allen