Dovecot authentication against active directory
Hello, I've got a problem with the Dovecot authentication against Active Directory. I'm using Dovecot 2.0.19 and Windows Server 2008 R2. When I try to log in via telnet I get the following error message:

a NO [AUTHENTICATIONFAILED] Authentication failed.

My Dovecot configuration:

# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-60-generic x86_64 Ubuntu 12.04.4 LTS ext4
auth_mechanisms = plain login
auth_username_format = %Lu
disable_plaintext_auth = no
first_valid_gid = 1001
first_valid_uid = 1001
last_valid_gid = 1001
last_valid_uid = 1001
log_path = /var/log/dovecot.log
mail_location = maildir:/srv/mail/%u
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocols = imap
ssl = no
syslog_facility = local7
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
valid_chroot_dirs = /srv/mail

My dovecot-ldap.conf:

hosts = **
dn = CN=*,OU=*,OU=*,OU=*,DC=**,DC=*,DC=de
dnpass =
tls = no
debug_level = -1
ldap_version = 2
base = OU=*,DC=*,DC=*,DC=de
deref = never
scope = subtree
user_attrs = sAMAccountName=home
user_filter = (&(ObjectClass=user)(|(mail=%u)(sAMAccountName=%u)))
pass_filter = (&(ObjectClass=user)(sAMAccountName=%u))
default_pass_scheme = plain

Could anybody help me with this problem?
Thanks in advance!

Regards,

Tobias Dummert
Re: ACL group vs. owner question
On 2014-06-22 15:09, Thomas Leuxner wrote:
> * Peter Chiochetti 2014.06.22 14:48:
>> * owner lr
>> * group=SYS lrwstipekxa
>>
>> doveadm(archiv): Info: User archiv has rights: lookup read
>
> What version is this? There used to be a bug in versions before 2.2.13 where only the first matching ACL line was applied. From the looks this could be the case here, as only 'lr' is applied.

Thomas, thank you for your interest. This is with 2.2.13, after the mentioned bug was corrected. As nobody seems to know whether such a thing should work in stock Dovecot, I guess I will have to take out all my config and try myself :(

-- 
peter
OOM in Dovecot 2.2.13 imap
Hi,

we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes. We have two users that repeatedly trigger an OOM condition with IMAP.

Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: pool_system_realloc(268435456): Out of memory
Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Error: Raw backtrace:
  /usr/lib/dovecot/libdovecot.so.0(+0x6c15f) [0x7f11766cc15f] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x6c1be) [0x7f11766cc1be] ->
  /usr/lib/dovecot/libdovecot.so.0(i_error+0) [0x7f1176685568] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x81e80) [0x7f11766e1e80] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x86cda) [0x7f11766e6cda] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x86f96) [0x7f11766e6f96] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x87b48) [0x7f11766e7b48] ->
  /usr/lib/dovecot/libdovecot.so.0(o_stream_sendv+0xcd) [0x7f11766e60cd] ->
  /usr/lib/dovecot/libdovecot.so.0(o_stream_send+0x1a) [0x7f11766e615a] ->
  /usr/lib/dovecot/modules/lib30_imap_zlib_plugin.so(+0x5849) [0x7f1175692849] ->
  /usr/lib/dovecot/modules/lib30_imap_zlib_plugin.so(+0x5982) [0x7f1175692982] ->
  /usr/lib/dovecot/modules/lib30_imap_zlib_plugin.so(+0x5b62) [0x7f1175692b62] ->
  /usr/lib/dovecot/libdovecot.so.0(o_stream_flush+0x4d) [0x7f11766e5d6d] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x85e2c) [0x7f11766e5e2c] ->
  dovecot/imap [USER IP UID fetch](client_output+0xe9) [0x7f1176e8d269] ->
  /usr/lib/dovecot/libdovecot.so.0(+0x879d5) [0x7f11766e79d5] ->
  /usr/lib/dovecot/libdovecot.so.0(io_loop_call_io+0x4e) [0x7f11766dcfbe] ->
  /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xd7) [0x7f11766ddfb7] ->
  /usr/lib/dovecot/libdovecot.so.0(io_loop_handler_run+0x9) [0x7f11766dd049] ->
  /usr/lib/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f11766dd0c8] ->
  /usr/lib/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f117668a7b3] ->
  dovecot/imap [USER IP UID fetch](main+0x2ae) [0x7f1176e8152e] ->
  /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f11762f3ead] ->
  dovecot/imap [USER IP UID fetch](+0xd69d) [0x7f1176e8169d]
Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: master: service(imap): child 33659 killed with signal 6 (core dumped)

The gdb backtrace looks like this:

(gdb) bt full
#0  0x7f1176307475 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x7f117630a6f0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2  0x7f11766cc155 in default_fatal_finish (type=, status=status@entry=83) at failures.c:193
        backtrace = 0x7f11789d4088 "/usr/lib/dovecot/libdovecot.so.0(+0x6c15f) [0x7f11766cc15f] -> /usr/lib/dovecot/libdovecot.so.0(+0x6c1be) [0x7f11766cc1be] -> /usr/lib/dovecot/libdovecot.so.0(i_error+0) [0x7f1176685568] -> /usr/lib/d"...
#3  0x7f11766cc1be in i_internal_fatal_handler (ctx=0x7fff5ffedfb0, format=, args=) at failures.c:657
        status = 83
#4  0x7f1176685568 in i_fatal_status (status=status@entry=83, format=format@entry=0x7f1176702ba8 "pool_system_realloc(%lu): Out of memory") at failures.c:295
        ctx = {type = LOG_TYPE_FATAL, exit_status = 83, timestamp = 0x0}
        args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fff5ffee0a0, reg_save_area = 0x7fff5ffedfe0}}
#5  0x7f11766e1e80 in pool_system_realloc (pool=, mem=0x0, old_size=134217728, new_size=268435456) at mempool-system.c:134
        __FUNCTION__ = "pool_system_realloc"
#6  0x7f11766e6cda in o_stream_grow_buffer (fstream=fstream@entry=0x7f11789f41c0, bytes=) at ostream-file.c:440
        size = 268435456
        new_size =
        end_size =
#7  0x7f11766e6f96 in o_stream_add (fstream=fstream@entry=0x7f11789f41c0, data=0x7f11789fe549, size=12113) at ostream-file.c:501
        unused =
        sent =
        i =
#8  0x7f11766e7b48 in o_stream_file_sendv (stream=0x7f11789f41c0, iov=, iov_count=) at ostream-file.c:588
        fstream = 0x7f11789f41c0
        size =
        total_size =
        added =
        optimal_size =
        i =
        ret = 0
        __FUNCTION__ = "o_stream_file_sendv"
#9  0x7f11766e60cd in o_stream_sendv (stream=0x7f11789f4250, iov=iov@entry=0x7fff5ffee1a0, iov_count=iov_count@entry=1) at ostream.c:239
        _stream = 0x7f11789f41c0
        i =
        total_size = 12113
        ret =
        __FUNCTION__ = "o_stream_sendv"
#10 0x7f11766e615a in o_stream_send (stream=, data=, size=size@entry=12113) at ostream.c:217
        iov = {iov_base = 0x7f11789fe549, iov_len = 12113}
#11 0x7f1175692849 in o_stream_zlib_send_outbuf (zstream=0x7f11789f9340) at ostream-zlib.c:94
        ret =
        size = 12113
#12 0x7f1175692982 in o_stream_zlib_send_flush (zstream=zstream@entry=0x7f11789f9340, final=final@entry=true) at ostream-zlib.c:189
        zs = 0x7f11789f9420
        len =
        done = false
        ret =
        flush =
        __FUNCTION__ = "o_stream_zlib_send_flush"
#13 0x7f1175692b62 in o_stream_zlib_flush (stream=0x7f11789f9340) at ostream-z
Re: OOM in Dovecot 2.2.13 imap
On Mon, 23 Jun 2014, Bernhard Schmidt wrote:

> we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes. We have two users that repeatedly trigger an OOM condition with IMAP.

Do those users have extraordinarily large mailboxes, or is one of their messages extraordinarily large?

> Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: pool_system_realloc(268435456): Out of memory

This number likely means 256MB; is one of your memory limits that large? You can see all limits with dovecot -a (note the "-a" instead of "-n"). Memory limits are vsz_limit, IMHO. I had to increase some vsz_limits, because one particularly large message caused an out of memory during LMTP.

-- 
Steffen Kaiser
Re: Dovecot authentication against active directory
Hi,

> My dovecot-ldap.conf:
>
> hosts = **
> dn = CN=*,OU=*,OU=*,OU=*,DC=**,DC=*,DC=de
> dnpass =
> tls = no
> debug_level = -1
> ldap_version = 2
> base = OU=*,DC=*,DC=*,DC=de
> deref = never
> scope = subtree
> user_attrs = sAMAccountName=home
> user_filter = (&(ObjectClass=user)(|(mail=%u)(sAMAccountName=%u)))
> pass_filter = (&(ObjectClass=user)(sAMAccountName=%u))
> default_pass_scheme = plain

I could be wrong, but I think you must have TLS to connect to AD.

sAMAccountName, at least in cases I am familiar with, does not match a full email address; try %n instead of %u, or filter on userPrincipal instead.

Do you have a mail attribute in your Active Directory?

I would suggest you start by getting it working with just the sAMAccountName in your user/pass_filter lines, then flesh out your filters after you have that working...

> Could anybody help me with this problem?
> Thanks in advance!
>
> Regards,
>
> Tobias Dummert
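Added example, not from either post and not Dovecot's own code: a small Python model of how Dovecot expands %u and %n inside user_filter and pass_filter, evaluated against a constructed Active Directory entry. It shows why the posted pass_filter cannot match when the login name is a full e-mail address while the user_filter still does, and why the expanded value has to be escaped before it goes into the filter. Dovecot escapes these variables itself before sending the query; the escape=False switch here exists only to show what an unescaped filter would do. The entry attributes, login names and the tiny filter evaluator are all constructed for this example.

```python
"""Dovecot-style LDAP filter expansion, modelled in Python (added example,
not Dovecot's code).  Models %u (full login), %n (part before '@'),
%d (part after '@') and the L modifier (lowercase, as in %Lu), escapes the
expanded value per RFC 4515, and evaluates the result against one
constructed directory entry."""
import re

# Constructed stand-in for one Active Directory user object (not real data).
AD_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["tdummert"],
    "mail": ["tdummert@example.de"],
}

# Filters as posted, plus the pass_filter with the %n change suggested in the reply.
USER_FILTER = "(&(ObjectClass=user)(|(mail=%u)(sAMAccountName=%u)))"
PASS_FILTER_ORIG = "(&(ObjectClass=user)(sAMAccountName=%u))"
PASS_FILTER_FIXED = "(&(ObjectClass=user)(sAMAccountName=%n))"

# RFC 4515 escapes for the characters that are special in an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_VAR_RE = re.compile(r"%(?P<mod>L?)(?P<name>[und])")


def ldap_filter_escape(value):
    """Escape a value so the server matches it literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, login, escape=True):
    """Expand %u/%n/%d (optionally %L...) in a Dovecot-style filter template.

    escape=False is only here to demonstrate filter injection; Dovecot itself
    always escapes the expanded variables.
    """
    user, _, domain = login.partition("@")
    values = {"u": login, "n": user, "d": domain}

    def repl(m):
        value = values[m.group("name")]
        if m.group("mod") == "L":
            value = value.lower()
        return ldap_filter_escape(value) if escape else value

    return _VAR_RE.sub(repl, template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match(attr, raw_value, entry):
    # Attribute names are case-insensitive in LDAP; AD compares sAMAccountName
    # and mail values case-insensitively too.
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    if raw_value == "*":                 # presence filter, e.g. (objectClass=*)
        return bool(values)
    wanted = _unescape(raw_value).lower()
    return any(str(v).lower() == wanted for v in values)


def _parse(s, entry):
    """Evaluate one filter component at the start of s; return (result, rest)."""
    if not s.startswith("("):
        raise ValueError("filter component must start with '('")
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s = s[0], s[1:]
        results = []
        while s.startswith("("):
            result, s = _parse(s, entry)
            results.append(result)
        if not s.startswith(")"):
            raise ValueError("unterminated compound filter")
        if op == "&":
            combined = all(results)
        elif op == "|":
            combined = any(results)
        else:
            combined = not results[0]
        return combined, s[1:]
    end = s.index(")")                   # safe: escaped values contain no raw ')'
    attr, _, raw_value = s[:end].partition("=")
    return _match(attr, raw_value, entry), s[end + 1:]


def evaluate(filter_str, entry):
    """Evaluate a filter built from &, |, ! and equality/presence assertions."""
    result, rest = _parse(filter_str.strip(), entry)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return result


def lookup(login, pass_filter=PASS_FILTER_ORIG, escape=True):
    """Return (userdb hit, passdb hit) for one login against AD_ENTRY."""
    user_hit = evaluate(expand_filter(USER_FILTER, login, escape), AD_ENTRY)
    pass_hit = evaluate(expand_filter(pass_filter, login, escape), AD_ENTRY)
    return user_hit, pass_hit


if __name__ == "__main__":
    for login in ("tdummert", "tdummert@example.de"):
        print(login, "original:", lookup(login), "with %n:", lookup(login, PASS_FILTER_FIXED))
    hostile = "*)(objectClass=*"
    print("hostile login, escaped:", lookup(hostile))
    print("hostile login, unescaped:", lookup(hostile, escape=False))
```

Running it shows the asymmetry the reply points at: with a bare account name both filters hit, but with the e-mail address as login the userdb lookup still matches via mail while the original pass_filter compares the whole address against sAMAccountName and fails, which is exactly the AUTHENTICATIONFAILED in the first post; %n repairs it. The last two lines show the security side of the same expansion: escaped, a login of `*)(objectClass=*` matches nothing; unescaped, it would turn both filters into presence checks and "find" an entry for any login.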
Re: ACL group-override question
Previous posts below; here is why I guess this one fails:

http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/src/plugins/acl/acl-api.c#l744

It says: "...a user can't match multiple usernames..."

In my setup this is not true: there is only one user, but she goes by several names. (Like in /etc/passwd several users can have the same ID.) I do not understand the source, but I guess the ACL is attached to the "user" and therefore I am out of luck in my adventure: no way short of having a "userdb_acl_user" parameter in passdb.

Kind regards
Peter

On 2014-06-17 22:59, Peter Chiochetti wrote:
> Trying to get ACLs working, very basic setup:
>
> Virtual users are put into different acl_group via passdb.
>
> u:{PLAIN}B::userdb_acl_groups=g
>
> The global acl file restricts what they can do.
>
> * group-override=g
> * group=g lr
>
> Shouldn't this mean that the group rights override the user rights? The effect that I see, though, is that the user "u" then may not do anything, not even lookup and read.
>
> Further to this experiment, I made the ACLs not use any group settings at all, only trying to lock down the server for anybody, like this:
>
> root@xxx:/etc/dovecot# cat dovecot-acl
> * user=archiv lr
> * owner lr
> * authenticated lr
> * anyone lr
>
> Yet I still can delete messages from anywhere - what am I missing?
>
> Below system setup info (dovecot from bigmichi1 ppa):
>
> root@xxx:/etc/dovecot# doveconf -n
> # 2.2.13 (6bb26098a45c): /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-64-generic x86_64 Ubuntu 12.04.4 LTS
> mail_debug = yes
> mail_location = maildir:~/Maildir
> mail_log_prefix = "%s(%{auth_user}): "
> mail_plugins = " acl fts fts_solr mail_log notify"
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/passwd
>   driver = passwd-file
> }
> plugin {
>   acl = vfile:/etc/dovecot/dovecot-acl
>   fts = solr
>   fts_autoindex = yes
>   fts_solr = url=http://localhost:8983/solr/
>   mail_log_events = save copy delete undelete expunge mailbox_create mailbox_rename mailbox_delete
>   mail_log_fields = uid box msgid from subject
> }
> protocols = " imap"
> ssl_cert =
>
> The virtual users all act as the system user; their names are just icing for auditing.
Wheezy Dovecot workarounds
Hi all,

In switching from Ubuntu to Debian Wheezy (7.5 64bit, network install), I'm finding some surprises in getting Dovecot to work.

PROBLEM:
As installed, the package manager doesn't give you the dovecot executable.

WORKAROUND:
To install the dovecot executable, you need to follow these instructions:

http://wiki2.dovecot.org/HowTo/DebianStable

PROBLEM:
Even when you install Dovecot, it doesn't work, as evidenced by the inability of a local email client to talk to it. Further elements of the symptom are that nmap -A -T4 LocalIPAddress, whether LocalIPAddress is the IP of eth0 or 127.0.0.1, fails to find any open ports. Telnet can't operate Dovecot at port 143, and openssl can't operate it at 993. However, bizarrely, executing these same commands from a remote machine against the original machine (including accessing the machine's Dovecot from an email client) works perfectly.

WORKAROUND:
To "solve" this problem, do the following rain dance as root:

ifdown lo
ifup lo

After the rain dance, local access to Dovecot works perfectly, and all nmap commands perform as expected.

LOL, hey man, don't shoot me, I'm just the messenger.

SteveT

Steve Litt * http://www.troubleshooters.com/
Troubleshooting Training * Human Performance
Re: Wheezy Dovecot workarounds
On 23.06.2014 19:56, Steve Litt wrote:
> Hi all,
>
> In switching from Ubuntu to Debian Wheezy (7.5 64bit, network install),
> I'm finding some surprises in getting Dovecot to work.
>
> PROBLEM:
> As installed, the package manager doesn't give you the dovecot
> executable.
>
> WORKAROUND:
> To install the dovecot executable, you need to follow these
> instructions:
>
> http://wiki2.dovecot.org/HowTo/DebianStable
>
> PROBLEM:
> Even when you install Dovecot, it doesn't work, as evidenced by the
> inability of a local email client to talk to it. Further elements of
> the symptom are that nmap -A -T4 LocalIPAddress, whether LocalIPAddress
> is the IP of eth0 or 127.0.0.1, fails to find any open ports. Telnet
> can't operate Dovecot at port 143, and openssl can't operate it at 993.
> However, bizarrely, executing these same commands from a remote machine
> against the original machine (including accessing the machine's Dovecot
> from an email client) works perfectly.
>
> WORKAROUND:
> To "solve" this problem, do the following rain dance as root:
>
> ifdown lo
> ifup lo
>
> After the rain dance, local access to Dovecot works perfectly, and all
> nmap commands perform as expected.
>
> LOL, hey man, don't shoot me, I'm just the messenger.
>
> SteveT
>
> Steve Litt * http://www.troubleshooters.com/
> Troubleshooting Training * Human Performance

Contact the distro maintainer. Looks like

https://packages.debian.org/de/wheezy-backports/dovecot-core

The latest possible is version 2.2.9 from wheezy, which at least isn't up to date.

Best Regards

Kind regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: OOM in Dovecot 2.2.13 imap
On 23.06.2014 16:38, Steffen Kaiser wrote:
> On Mon, 23 Jun 2014, Bernhard Schmidt wrote:
>
>> we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes. We have two users that repeatedly trigger an OOM condition with IMAP.
>
> Do those users have extraordinarily large mailboxes, or is one of their messages extraordinarily large?

No, not particularly. 8000 mails (2GB total); the largest mail is 20MB.

>> Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: pool_system_realloc(268435456): Out of memory
>
> This number likely means 256MB; is one of your memory limits that large? You can see all limits with dovecot -a (note the "-a" instead of "-n"). Memory limits are vsz_limit, IMHO.

No memory limits outside of Dovecot. In Dovecot there are the default settings:

default_vsz_limit = 256 M
service imap {
  [...]
  vsz_limit = 18446744073709551615 B
}

Since the largest IMAP processes I can observe are at around 70MB VIRT (43MB RSS), I suspect vsz_limit is doing what it is supposed to do (limit memory consumption of a run-away process) and something went wrong in that mailbox. Thus the backtrace, hoping for someone to confirm.

Regards,
Bernhard
Wishlist: add a variable %{x509} expanding to the client cert in Dovecot-auth
Hi there,

As of Dovecot 2.2.9, it's possible to enable passwordless authentication using client certificates [1]:

ssl_ca =

[1] http://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2BAC8-authentication
[2] http://www.postfix.org/postconf.5.html#relay_clientcerts
Re: OOM in Dovecot 2.2.13 imap
On Mon, 23 Jun 2014, Bernhard Schmidt wrote:

> On 23.06.2014 16:38, Steffen Kaiser wrote:
>> On Mon, 23 Jun 2014, Bernhard Schmidt wrote:
>>
>>> we run Dovecot 2.2.13 on Debian Wheezy with a couple thousand mailboxes. We have two users that repeatedly trigger an OOM condition with IMAP.
>>
>> Do those users have extraordinarily large mailboxes, or is one of their messages extraordinarily large?
>
> No, not particularly. 8000 mails (2GB total); the largest mail is 20MB.
>
>>> Jun 23 12:53:21 lxmhs74 dovecot: imap(USER): Fatal: pool_system_realloc(268435456): Out of memory
>>
>> This number likely means 256MB; is one of your memory limits that large? You can see all limits with dovecot -a (note the "-a" instead of "-n"). Memory limits are vsz_limit, IMHO.
>
> No memory limits outside of Dovecot. In Dovecot there are the default settings:
>
> default_vsz_limit = 256 M
> service imap {
>   [...]
>   vsz_limit = 18446744073709551615 B
> }

Do you run Dovecot in High-Performance mode or Security mode?

> Since the largest IMAP processes I can observe are at around 70MB VIRT (43MB RSS), I suspect vsz_limit is doing what it is supposed to do (limit memory consumption of a run-away process) and something went wrong in that mailbox. Thus the backtrace, hoping for someone to confirm.

-- 
Steffen Kaiser