Dovecot authentication against active directory

2014-06-23 Thread Tobias Dummert
Hello,

I've got a problem with the dovecot authentication against active directory.
I'm using dovecot 2.0.19 and windows server 2008 R2.

When I try to login via telnet I get the following error message:
a NO [AUTHENTICATIONFAILED] Authentication failed.

My dovecot configuration:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-60-generic x86_64 Ubuntu 12.04.4 LTS ext4
auth_mechanisms = plain login
auth_username_format = %Lu
disable_plaintext_auth = no
first_valid_gid = 1001
first_valid_uid = 1001
last_valid_gid = 1001
last_valid_uid = 1001
log_path = /var/log/dovecot.log
mail_location = maildir:/srv/mail/%u
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocols = imap
ssl = no
syslog_facility = local7
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
valid_chroot_dirs = /srv/mail

My dovecot-ldap.conf:

hosts = **
dn = CN=*,OU=*,OU=*,OU=*,DC=**,DC=*,DC=de
dnpass = 
tls = no
debug_level = -1
ldap_version = 2
base = OU=*,DC=*,DC=*,DC=de
deref = never
scope = subtree
user_attrs = sAMAccountName=home
user_filter = (&(ObjectClass=user)(|(mail=%u)(sAMAccountName=%u)))
pass_filter = (&(ObjectClass=user)(sAMAccountName=%u))
default_pass_scheme = plain

Could anybody help me with this problem?
Thanks in advance!


Regards,

Tobias Dummert


Re: ACL group vs. owner question

2014-06-23 Thread Peter Chiochetti

On 2014-06-22 15:09, Thomas Leuxner wrote:

> * Peter Chiochetti  2014.06.22 14:48:
>
>> * owner lr
>> * group=SYS lrwstipekxa
>> doveadm(archiv): Info: User archiv has rights: lookup read
>
> What version is this? There used to be a bug in versions before 2.2.13 where
> only the first matching ACL line was applied. From the looks this could be the
> case here as only 'lr' is applied.

Thomas, thank you for your interest. This is with 2.2.13, after the
mentioned bug was corrected.

As nobody seems to know whether such should work in stock dovecot, I
guess I will have to take out all my config and try myself :(


--
peter


OOM in Dovecot 2.2.13 imap

2014-06-23 Thread Bernhard Schmidt
Hi,

we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes.
We have two users that repeatedly trigger an OOM condition with IMAP.

Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: 
pool_system_realloc(268435456): Out of memory
Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Error: Raw backtrace: 
/usr/lib/dovecot/libdovecot.so.0(+0x6c15f) [0x7f11766cc15f] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x6c1be) [0x7f11766cc1be] -> 
/usr/lib/dovecot/libdovecot.so.0(i_error+0) [0x7f1176685568] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x81e80) [0x7f11766e1e80] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x86cda) [0x7f11766e6cda] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x86f96) [0x7f11766e6f96] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x87b48) [0x7f11766e7b48] -> 
/usr/lib/dovecot/libdovecot.so.0(o_stream_sendv+0xcd) [0x7f11766e60cd] -> 
/usr/lib/dovecot/libdovecot.so.0(o_stream_send+0x1a) [0x7f11766e615a] -> 
/usr/lib/dovecot/modules/lib30_imap_zlib_plugin.so(+0x5849) [0x7f1175692849] -> 
/usr/lib/dovecot/modules/lib30_imap_zlib_plugin.so(+0x5982) [0x7f1175692982] -> 
/usr/lib/dovecot/modules/lib30_imap_zlib_plugin.so(+0x5b62) [0x7f1175692b62] -> 
/usr/lib/dovecot/libdovecot.so.0(o_stream_flush+0x4d) [0x7f11766e5d6d] ->
/usr/lib/dovecot/libdovecot.so.0(+0x85e2c) [0x7f11766e5e2c] -> dovecot/imap 
[USER IP UID fetch](client_output+0xe9) [0x7f1176e8d269] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x879d5) [0x7f11766e79d5] -> 
/usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4e) [0x7f11766dcfbe] -> 
/usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xd7) 
[0x7f11766ddfb7] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) 
[0x7f11766dd049] -> /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) 
[0x7f11766dd0c8] -> /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) 
[0x7f117668a7b3] -> dovecot/imap [USER IP UID fetch](main+0x2ae) 
[0x7f1176e8152e] -> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) 
[0x7f11762f3ead] -> dovecot/imap [USER IP UID fetch](+0xd69d) [0x7f1176e8169d]
Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: master: service(imap): 
child 33659 killed with signal 6 (core dumped)

The gdb backtrace looks like this:

(gdb) bt full
#0  0x7f1176307475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x7f117630a6f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2  0x7f11766cc155 in default_fatal_finish (type=, 
status=status@entry=83) at failures.c:193
backtrace = 0x7f11789d4088 "/usr/lib/dovecot/libdovecot.so.0(+0x6c15f) 
[0x7f11766cc15f] -> /usr/lib/dovecot/libdovecot.so.0(+0x6c1be) [0x7f11766cc1be] 
-> /usr/lib/dovecot/libdovecot.so.0(i_error+0) [0x7f1176685568] -> 
/usr/lib/d"...
#3  0x7f11766cc1be in i_internal_fatal_handler (ctx=0x7fff5ffedfb0, 
format=, args=) at failures.c:657
status = 83
#4  0x7f1176685568 in i_fatal_status (status=status@entry=83, 
format=format@entry=0x7f1176702ba8 "pool_system_realloc(%lu): Out of memory") 
at failures.c:295
ctx = {type = LOG_TYPE_FATAL, exit_status = 83, timestamp = 0x0}
args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 
0x7fff5ffee0a0, reg_save_area = 0x7fff5ffedfe0}}
#5  0x7f11766e1e80 in pool_system_realloc (pool=, mem=0x0, 
old_size=134217728, new_size=268435456) at mempool-system.c:134
__FUNCTION__ = "pool_system_realloc"
#6  0x7f11766e6cda in o_stream_grow_buffer 
(fstream=fstream@entry=0x7f11789f41c0, bytes=) at 
ostream-file.c:440
size = 268435456
new_size = 
end_size = 
#7  0x7f11766e6f96 in o_stream_add (fstream=fstream@entry=0x7f11789f41c0, 
data=0x7f11789fe549, size=12113) at ostream-file.c:501
unused = 
sent = 
i = 
#8  0x7f11766e7b48 in o_stream_file_sendv (stream=0x7f11789f41c0, 
iov=, iov_count=) at ostream-file.c:588
fstream = 0x7f11789f41c0
size = 
total_size = 
added = 
optimal_size = 
i = 
ret = 0
__FUNCTION__ = "o_stream_file_sendv"
#9  0x7f11766e60cd in o_stream_sendv (stream=0x7f11789f4250, 
iov=iov@entry=0x7fff5ffee1a0, iov_count=iov_count@entry=1) at ostream.c:239
_stream = 0x7f11789f41c0
i = 
total_size = 12113
ret = 
__FUNCTION__ = "o_stream_sendv"
#10 0x7f11766e615a in o_stream_send (stream=, 
data=, size=size@entry=12113) at ostream.c:217
iov = {iov_base = 0x7f11789fe549, iov_len = 12113}
#11 0x7f1175692849 in o_stream_zlib_send_outbuf (zstream=0x7f11789f9340) at 
ostream-zlib.c:94
ret = 
size = 12113
#12 0x7f1175692982 in o_stream_zlib_send_flush 
(zstream=zstream@entry=0x7f11789f9340, final=final@entry=true) at 
ostream-zlib.c:189
zs = 0x7f11789f9420
len = 
done = false
ret = 
flush = 
__FUNCTION__ = "o_stream_zlib_send_flush"
#13 0x7f1175692b62 in o_stream_zlib_flush (stream=0x7f11789f9340) at 
ostream-z

Re: OOM in Dovecot 2.2.13 imap

2014-06-23 Thread Steffen Kaiser

On Mon, 23 Jun 2014, Bernhard Schmidt wrote:


we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes.
We have two users that repeatedly trigger an OOM condition with IMAP.


Do those users have extraordinarily large mailboxes, or is one message of 
them extraordinarily large?


Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: 
pool_system_realloc(268435456): Out of memory

this number likely means 256MB, is one of your memory limits that large? 
You can see all limits with dovecot -a (note the "-a" instead of "-n"). 
Memory limits are vsz_limit, IMHO.


I had to increase some vsz_limits, because one particular large message 
caused an out of memory during LMTP.


-- 
Steffen Kaiser



Re: Dovecot authentication against active directory

2014-06-23 Thread Bob Miller
Hi,

> My dovecot-ldap.conf:
> 
> 
> hosts = **
> dn = CN=*,OU=*,OU=*,OU=*,DC=**,DC=*,DC=de
> dnpass = 
> tls = no
> debug_level = -1
> ldap_version = 2
> base = OU=*,DC=*,DC=*,DC=de
> deref = never
> scope = subtree
> user_attrs = sAMAccountName=home
> user_filter = (&(ObjectClass=user)(|(mail=%u)(sAMAccountName=%u)))
> pass_filter = (&(ObjectClass=user)(sAMAccountName=%u))
> default_pass_scheme = plain

I could be wrong, but I think you must have TLS to connect to AD.

sAMAccountName, at least in cases I am familiar with, does not match a
full email address; try %n instead of %u, or filter on userPrincipalName
instead. Do you have a mail attribute in your active directory? I
would suggest starting by getting it working with just the sAMAccountName
in your user/pass_filter lines, then flesh out your filters after you
have that working...

> 
> could anybody help me with this problem?
> Thanks in advance!
> 
> 
> Regards,
> 
> Tobias Dummert

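The point Bob makes above (that `%u` carries the full login name while `sAMAccountName` holds only the short account name, so `%n` or `userPrincipalName` is what actually matches) can be checked without a domain controller. The following is an added example, not code from the thread or from Dovecot: it models Dovecot-style `%u`/`%n`/`%d` expansion (with the `L`/`U` case modifiers used in `auth_username_format = %Lu`), escapes the substituted value per RFC 4515 so that a crafted login name cannot change the filter's structure (Dovecot's LDAP backend does its own escaping; this table is an independent toy version), and evaluates the resulting filter against a constructed AD-like entry. The entry, the names in it, and the `PASS_FILTER_*` constants other than the one quoted from the thread are assumptions.

```python
"""Toy model of Dovecot-style variable expansion inside an LDAP filter plus a
minimal filter evaluator. Added example; not Dovecot's code."""
import re

# RFC 4515 section 3 escaping of filter values (toy version, not Dovecot's).
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def ldap_escape(value: str) -> str:
    """Escape a value before it is placed inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def ldap_unescape(value: str) -> str:
    """Reverse ldap_escape (\\XX hex pairs back to characters)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def split_login(login: str):
    """%n is the part before the first '@', %d the part after it ('' if none)."""
    user, sep, domain = login.partition("@")
    return user, (domain if sep else "")

_VAR_RE = re.compile(r"%([LU]?)([und])")

def expand_filter(template: str, login: str) -> str:
    """Substitute %u/%n/%d (optionally %Lu, %Un, ...) with escaped values."""
    user, domain = split_login(login)
    values = {"u": login, "n": user, "d": domain}

    def repl(m):
        mod, var = m.group(1), m.group(2)
        val = values[var]
        if mod == "L":
            val = val.lower()
        elif mod == "U":
            val = val.upper()
        return ldap_escape(val)

    return _VAR_RE.sub(repl, template)

def _parse(s: str, i: int):
    """Parse (&...), (|...) or (attr=value) starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    j = s.index(")", i)  # escaped parens never appear literally, so this is the end
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), ldap_unescape(val)), j + 1

def evaluate(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry; names and values are compared
    case-insensitively, as AD does for these attributes."""
    if node[0] == "&":
        return all(evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, entry) for c in node[1])
    _, attr, val = node
    actual = entry.get(attr)
    return actual is not None and actual.lower() == val.lower()

# Constructed AD-like entry (keys lower-cased); not taken from the thread.
AD_ENTRY = {
    "objectclass": "user",
    "samaccountname": "tdummert",
    "userprincipalname": "tdummert@example.de",
    "mail": "tobias.dummert@example.de",
}

PASS_FILTER_U = "(&(ObjectClass=user)(sAMAccountName=%u))"     # as posted in the thread
PASS_FILTER_N = "(&(ObjectClass=user)(sAMAccountName=%n))"     # Bob's %n variant (assumed)
PASS_FILTER_UPN = "(&(ObjectClass=user)(userPrincipalName=%u))"  # Bob's UPN variant (assumed)

def login_matches(template: str, login: str, entry: dict = AD_ENTRY) -> bool:
    """Would this pass_filter select `entry` for the given login name?"""
    node, _ = _parse(expand_filter(template, login), 0)
    return evaluate(node, entry)

if __name__ == "__main__":
    for tmpl in (PASS_FILTER_U, PASS_FILTER_N, PASS_FILTER_UPN):
        for login in ("tdummert", "tdummert@example.de"):
            print(f"{tmpl:48} {login:22} -> {login_matches(tmpl, login)}")
```

With a full address as the login, the posted filter expands to `sAMAccountName=tdummert@example.de` and matches nothing, while the `%n` and `userPrincipalName` variants match; a login containing `*` or parentheses is escaped and simply fails to match instead of rewriting the filter.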

Re: ACL group-override question

2014-06-23 Thread Peter Chiochetti

Previous posts below; here is why I guess this one fails:

http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/src/plugins/acl/acl-api.c#l744

It says: …a user can't match multiple usernames…

In my setup this is not true: there is only one user, but she goes by 
several names. (Like in /etc/passwd several users can have the same ID.)


I do not understand the source, but I guess the acl is attached to the 
"user" and therefore I am out of luck in my adventure: no way short of 
having a "userdb_acl_user" parameter in passdb.


Kind regards

Peter

On 2014-06-17 22:59, Peter Chiochetti wrote:

> Trying to get ACLs working, very basic setup:
>
> Virtual users are put into different acl_group via passdb.
>
> u:{PLAIN}B::userdb_acl_groups=g
>
> The global acl file restricts what they can do.
>
> * group-override=g
> * group=g lr
>
> Shouldn't this mean that the group rights override the user rights?
>
> The effect that I see though is that the user "u" then may not do
> anything, not even lookup and read.
>
> Further to this experiment, I made the ACLs not use any group
> settings at all, only trying to lock down the server for anybody, like
> that:
>
> root@xxx:/etc/dovecot# cat dovecot-acl
> * user=archiv lr
> * owner lr
> * authenticated lr
> * anyone lr
>
> Yet, I still can delete messages from anywhere - What am I missing?
>
> Below system setup info (dovecot from bigmichi1 ppa):
>
> root@xxx:/etc/dovecot# doveconf -n
> # 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_log_prefix = "%s(%{auth_user}): "
> mail_plugins = " acl fts fts_solr mail_log notify"
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/passwd
>   driver = passwd-file
> }
> plugin {
>   acl = vfile:/etc/dovecot/dovecot-acl
>   fts = solr
>   fts_autoindex = yes
>   fts_solr = url=http://localhost:8983/solr/
>   mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
>   mail_log_fields = uid box msgid from subject
> }
> protocols = " imap"
> ssl_cert = 
>
> The virtual users all act as the system user, their names are just icing
> for auditing.



Wheezy Dovecot workarounds

2014-06-23 Thread Steve Litt
Hi all,

In switching from Ubuntu to Debian Wheezy (7.5 64bit, network install),
I'm finding some surprises in getting Dovecot to work. 

PROBLEM:
As installed, the package manager doesn't give you the dovecot
executable.

WORKAROUND:
To install the dovecot executable, you need to follow these
instructions:

http://wiki2.dovecot.org/HowTo/DebianStable

PROBLEM:
Even when you install Dovecot, it doesn't work, as evidenced by the
inability of a local email client to talk to it. Further elements of
the symptom are that nmap -A -T4 LocalIPAddress, whether LocalIPAddress
is the IP of eth0, or 127.0.0.1, fails to find any open ports. Telnet
can't operate dovecot at port 143, and openssl can't operate it at 993.
However, bizarrely, executing these same commands on a remote machine
into the original machine (including accessing the machine's Dovecot
from an email client) work perfectly.

WORKAROUND:
To "solve" this problem, do the following raindance as root:

ifdown lo
ifup lo

After the raindance, local access to Dovecot works perfectly, and all
nmap commands perform as expected.

LOL, hey man, don't shoot me, I'm just the messenger.

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


Re: Wheezy Dovecot workarounds

2014-06-23 Thread Robert Schetterer
On 23.06.2014 19:56, Steve Litt wrote:
> Hi all,
> 
> In switching from Ubuntu to Debian Wheezy (7.5 64bit, network install),
> I'm finding some surprises in getting Dovecot to work. 
> 
> PROBLEM:
> As installed, the package manager doesn't give you the dovecot
> executable.
> 
> WORKAROUND:
> To install the dovecot executable, you need to follow these
> instructions:
> 
> http://wiki2.dovecot.org/HowTo/DebianStable
> 
> PROBLEM:
> Even when you install Dovecot, it doesn't work, as evidenced by the
> inability of a local email client to talk to it. Further elements of
> the symptom are that nmap -A -T4 LocalIPAddress, whether LocalIPAddress
> is the IP of eth0, or 127.0.0.1, fails to find any open ports. Telnet
> can't operate dovecot at port 143, and openssl can't operate it at 993.
> However, bizarrely, executing these same commands on a remote machine
> into the original machine (including accessing the machine's Dovecot
> from an email client) work perfectly.
> 
> WORKAROUND:
> To "solve" this problem, do the following raindance as root:
> 
> ifdown lo
> ifup lo
> 
> After the raindance, local access to Dovecot works perfectly, and all
> nmap commands perform as expected.
> 
> LOL, hey man, don't shoot me, I'm just the messenger.
> 
> SteveT
> 
> Steve Litt*  http://www.troubleshooters.com/
> Troubleshooting Training  *  Human Performance
> 

contact distro maintainer

looks like

https://packages.debian.org/de/wheezy-backports/dovecot-core

latest possible is vers 2.2.9 from wheezy

which at last isn't up2date



Best Regards
MfG Robert Schetterer



Re: OOM in Dovecot 2.2.13 imap

2014-06-23 Thread Bernhard Schmidt

On 23.06.2014 16:38, Steffen Kaiser wrote:

> On Mon, 23 Jun 2014, Bernhard Schmidt wrote:
>
>> we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes.
>> We have two users that repeatedly trigger an OOM condition with IMAP.
>
> Do those users have extraordinarily large mailboxes, or is one message of
> them extraordinarily large?

No, not particularly. 8000 Mails (2GB total), the largest mail is 20MB.

>> Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal:
>> pool_system_realloc(268435456): Out of memory
>
> this number likely means 256MB, is one of your memory limits that large?
> You can see all limits with dovecot -a (note the "-a" instead of "-n").
> Memory limits are vsz_limit, IMHO.

No memory limits outside of dovecot. In dovecot there are the default 
settings

default_vsz_limit = 256 M
service imap {
  [...]
  vsz_limit = 18446744073709551615 B
}

Since the largest IMAP processes I can observe are at around 70MB VIRT 
(43MB RSS) I suspect vsz_limit is doing what it is supposed to do (limit 
memory consumption of a run-away process) and something went wrong in 
that mailbox. Thus the backtrace, hoping for someone to confirm.


Regards,
Bernhard

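The numbers in this exchange line up: `default_vsz_limit = 256 M` is 268435456 bytes, exactly the size of the `pool_system_realloc` request that failed, and the `vsz_limit = 18446744073709551615 B` that `doveconf` prints for `service imap` is the unset marker under which the default applies (a value of `0` would disable the limit). The gdb frame #5 above also shows the realloc growing a 134217728-byte buffer to 268435456 bytes, so the process already held 128 MiB when it asked for 256 MiB more; since `vsz_limit` caps the whole address space, the request cannot fit under a 256 M limit even though the process normally sits around 70 MB. The following added example (not Dovecot's code; the config text and log line are constructed from the fragments quoted in the thread, and the helper names are assumptions) parses the settings the way an operator would, resolves the effective per-service limit, and checks the failed request against it:

```python
"""Resolve Dovecot vsz_limit settings from doveconf-style text and check a
failed allocation against the effective limit. Added example, not Dovecot's code."""
import re

# doveconf prints a service vsz_limit that was never set as 2**64-1 bytes; Dovecot
# then applies default_vsz_limit. A limit of 0 disables the limit.
UNSET = 2**64 - 1
_UNITS = {"B": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

def parse_size(text: str) -> int:
    """'256 M' -> 268435456, '18446744073709551615 B' -> UNSET, '0' -> 0."""
    m = re.fullmatch(r"\s*(\d+)\s*([BKMGT])?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "B").upper()]

def parse_limits(conf: str):
    """Pull default_vsz_limit and every service's vsz_limit out of doveconf-style text."""
    default, per_service, current = None, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "[...]":
            continue
        m = re.fullmatch(r"service\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            continue
        if line == "}":
            current = None
            continue
        key, sep, val = line.partition("=")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "default_vsz_limit":
            default = parse_size(val)
        elif key == "vsz_limit" and current is not None:
            per_service[current] = parse_size(val)
    return default, per_service

def effective_limit(service: str, default: int, per_service: dict) -> int:
    """Limit in bytes that applies to `service`; 0 means unlimited."""
    limit = per_service.get(service, UNSET)
    return default if limit == UNSET else limit

def realloc_request(log_line: str):
    """Extract the requested size from a 'pool_system_realloc(N): Out of memory' line."""
    m = re.search(r"pool_system_realloc\((\d+)\): Out of memory", log_line)
    return int(m.group(1)) if m else None

def exceeds_limit(current_vsz: int, request: int, limit: int) -> bool:
    """vsz_limit caps the whole address space, so the process's existing size
    counts as well as the new request."""
    if limit == 0:
        return False
    return current_vsz + request > limit

# Constructed from the fragments quoted in the thread.
SAMPLE_DOVECONF = """\
default_vsz_limit = 256 M
service imap {
  [...]
  vsz_limit = 18446744073709551615 B
}
"""
SAMPLE_LOG = ("Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: "
              "pool_system_realloc(268435456): Out of memory")

def diagnose(conf: str = SAMPLE_DOVECONF, log_line: str = SAMPLE_LOG,
             service: str = "imap", old_buffer: int = 134217728) -> dict:
    """Combine config and log: old_buffer is the 128 MiB the gdb frame shows the
    output stream already holding when it asked for 256 MiB."""
    default, per_service = parse_limits(conf)
    limit = effective_limit(service, default, per_service)
    request = realloc_request(log_line)
    return {"limit": limit, "request": request,
            "exceeds": exceeds_limit(old_buffer, request, limit)}

if __name__ == "__main__":
    print(diagnose())
```

Running it on the thread's own values reports an effective imap limit of 268435456 bytes and a request that exceeds it. That confirms the limit is working as intended; the open question remains why an IMAP output buffer for a FETCH on a 2 GB mailbox grows to 256 MiB in the first place, which is what the zlib flush frames in the backtrace point at.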

Wishlist: add a variable %{x509} expanding to the client cert in Dovecot-auth

2014-06-23 Thread Guilhem Moulin
Hi there,

As of Dovecot 2.2.9, it's possible to enable passwordless authentication 
using client certificates [1]:

ssl_ca = http://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2BAC8-authentication
[2] http://www.postfix.org/postconf.5.html#relay_clientcerts




Re: OOM in Dovecot 2.2.13 imap

2014-06-23 Thread Steffen Kaiser

On Mon, 23 Jun 2014, Bernhard Schmidt wrote:

> On 23.06.2014 16:38, Steffen Kaiser wrote:
>
>> On Mon, 23 Jun 2014, Bernhard Schmidt wrote:
>>
>>> we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes.
>>> We have two users that repeatedly trigger an OOM condition with IMAP.
>>
>> Do those users have extraordinarily large mailboxes, or is one message of
>> them extraordinarily large?
>
> No, not particularly. 8000 Mails (2GB total), the largest mail is 20MB.
>
>>> Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal:
>>> pool_system_realloc(268435456): Out of memory
>>
>> this number likely means 256MB, is one of your memory limits that large?
>> You can see all limits with dovecot -a (note the "-a" instead of "-n").
>> Memory limits are vsz_limit, IMHO.
>
> No memory limits outside of dovecot. In dovecot there are the default
> settings
>
> default_vsz_limit = 256 M
> service imap {
>   [...]
>   vsz_limit = 18446744073709551615 B
> }

Do you run Dovecot in High-Performance mode or Security mode?

> Since the largest IMAP processes I can observe are at around 70MB VIRT (43MB
> RSS) I suspect vsz_limit is doing what it is supposed to do (limit memory
> consumption of a run-away process) and something went wrong in that mailbox.
> Thus the backtrace, hoping for someone to confirm.


-- 
Steffen Kaiser
