Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-09 Thread Mark Foley
Fran and/or Matthias,

Could you publish your doveconf -n? I can't get dovecot to authenticate with my
AD. Maybe you have a solution I could try.

What mail client(s) are you using? I assume by "AD 2003/8" you mean SBS2003/8
and are therefore using Outlook?

--Mark

-Original Message-
> Date: Wed, 9 Sep 2015 17:22:34 +0200
> From: Matthias Lay 
> To: Dovecot Mailing List 
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>   against AD2008
>
>
> hi,
>
> check your 
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured DNS environments.
>
>
> You can debug the DNS packets by strace-ing the auth process.
>
>
>
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran  wrote:
>
> > Hello,
> > 
> > My dovecot installation had been working fine against AD until we
> > upgraded from AD 2003 to AD 2008. As
> > http://wiki2.dovecot.org/AuthDatabase/LDAP says, I'm now not able to
> > connect to AD through port 389. Port 3268 works fine though.
> > 
> > (...)
> > Sep  7 19:02:05  dovecot: imap-login: Error:
> > master(imap): Auth request timed out (received 0/12 bytes)
> > Sep  7 19:02:05  dovecot: imap-login: Internal login
> > failure (pid=4846 id=1) (internal failure, 1 successful auths):
> > user=<>, method=PLAIN, rip=,
> > lip=, TLS, session=
> > (...)
> > Sep  7 19:02:06  dovecot: auth: Error:
> > ldap(,,): Connection appears
> > to be hanging, reconnecting
> > Sep  7 19:02:06  dovecot: auth: Error:
> > ldap(,,): LDAP search
> > returned multiple entries
> > (...)
> > 
> > Is there a technical reason for this problem? Is there any
> > workaround?
> > 
> > The use of the Global Catalog (port 3268) is not a solution for me, since
> > it is missing many attributes (e.g. I use the field "initials" to set the
> > quota, and this field is not available through port 3268).
> > 
> > I also noticed that it now uses any DC available in the domain; it
> > doesn't care what I configured in the "hosts =" parameter.
> > 
> > This is using "hosts = dc03.domain:389":
> > ---
> > 
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp   22  0 :55217 
> > :389  ESTABLISHED 4872/dovecot/auth
> > tcp   22  0 :57645 
> > :389ESTABLISHED 4872/dovecot/auth
> > tcp0  0 :55216 
> > :389  ESTABLISHED 4872/dovecot/auth
> > 
> > It looks like it does a lookup for other domain controllers (I don't
> > know how or why) and connects randomly to any DC in my domain (in
> > this case dc06.domain, but it changes every time), in addition to the
> > configured one (dc03.domain).
> > 
> > This is using "hosts = dc03.domain:3268":
> > 
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp0  0 :58485 
> > :3268 ESTABLISHED 4982/dovecot/auth
> > 
> > In this case, only the server configured in the hosts parameter is used (I
> > think this is the right behaviour).
> > 
> > 
> > Additional info:
> > ---
> > CentOS Linux release 7.0.1406 (Core)
> > 
> > dovecot 2.2.10
> > 
> > Build options: ioloop=epoll notify=inotify ipv6 openssl
> > io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
> > cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
> > Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> > Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
> > 
> > 
> > My /etc/dovecot/dovecot-ldap.conf.ext
> > --
> > #hosts = dc03.domain:3268
> > hosts = dc03.domain:389
> > #uris = ldap://dc03.domain
> > base = DC=domain
> > #tls = yes
> > tls = no
> > ldap_version = 3
> > auth_bind = yes
> > auth_bind_userdn = %u@domain
> > #auth_bind_userdn = DOMAIN\%u
> > dn = cn=,cn=Users,dc=domain
> > dnpass = 
> > 
> > #scope   = subtree
> > #deref   = never
> > 
> > user_filter =
> > (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> > pass_filter =
> > (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> > pass_attrs  = userPassword=password
> > user_attrs  = Initials=quota_rule=*:storage=%$MB
> > ---
> > 
> > 
> > --
> > Log trace using PORT 389:
> > --
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > where=0x10, ret=1: before/accept initialization []
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > where=0x2001, ret=1: before/accept initialization []
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > where=0x2001, ret=1: SSLv3 read client hello A []
> > Sep

Re: How to "Windows Authenticate"

2015-09-09 Thread Mark Foley
Rick,

I extremely dislike Exchange as well.  I have a long list of problems: near
impossibility to monitor logs for trouble, poor configurable spam checking, no
good way to archive and review emails ...  I could go on for paragraphs, but the
main reason we recently migrated away from SBS/Exchange is that Microsoft no
longer sells Small Business Server and its replacement, Server Essentials, does
not support Exchange! Exchange has to run on Server 2012, but MS would prefer
you to use Server Essentials with your email in the cloud.  We're not gonna do
that. 

Samba4 AD/DC and Dovecot work perfectly for everything including access from
SmartPhones.  I've got roaming domain logins, redirected folders, calendars and
contacts work just fine with Outlook and WebDav for sharing calendars; don't
need them in Dovecot.  For the most part, Outlook users can't tell they are not
still on Exchange ...  except they have to maintain their Outlook password
distinct from their Windows password.  Which is their one HUGE issue. 

My absolutely LAST issue with totally duplicating SBS/Exchange functionality on
Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using
Windows Authentication which, as I understand things, can supposedly be done
with NTLM.  I just can't get it to work.  I think a heck of a lot of Windows
[SB]Server shops would convert to Samba4/Dovecot if someone figured out how to
do this. 

My Dovecot log messages make it look close to working:

Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): 
unknown user

Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find
it in the userdb. 

I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way
can someone (Timo?) tell me so and I'll cease my 8 month quest.

Otherwise, what should I have for a userdb? What should I have for a passdb? Can
I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my
hang-ups.  At this point, I'm open to guesses. 

Just for the heck of it, here's one of the doveconf's I tested with, reproduced
here because it's buried in the messages below:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = 

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping.  Your AD users shouldn't be in there when all is said and
> done.

If not there, where?

Humor me. Give me ONE suggestion to try!

--Mark

-Original Message-
> Date: Tue, 08 Sep 2015 21:21:13 -0500
> From: Rick Romero 
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
>   If I had time I would be all over this - but IMHO the main problem is that
> Dovecot != Exchange.  Even in small environments - unless I'm out of date,
> there's no calendar, tasks or contact lists within Dovecot.
>
> Your next best bet is to use something like Horde that would allow you to
> auth via ActiveSync (on Outlook 2013 clients) and manage everything else
> that the users will want, with Dovecot as the mail backend.
> Though I believe there could be licensing issues if you're looking to do it
> for free.  I think, by license, you still need CALs for each ActiveSync
> client (if you're in the US).
>
> Auth-wise it'd be a whole different animal.  I'm not sure if there's
> anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba
> would accept the username via GSSAPI and I suppose you could pass that to
> HordeAuth.
>
> I hate Exchange - I have a nagging 45 second delay on OWA logins ever since
> I had to set up multiple NICs to get Outlook to stop complaining about
> certs, and today while trying to fix that issue, AD decided to stop
> replicating one of my trusted domains (and began rejecting auths for linked
> mailboxes from that domain) and in short I really just hate that
> environment with every fiber of my being and would love to see a decent
> free Exchange replacement on *nix.
>
> Rick
>
> Quoting Mark Foley :
>
> > More experimentation ...
> >
> > I tried removing userdb and passdb from the dovecot NTLM config. That
> > didn't
> > work. I then tried adding a static userdb as follows:
> >
> > userdb {
> > driver = static
> > #  allow_all_users = yes
> > args = gid=100 home=/home/HPRS/%n
> > }
> >
> > (Interestingly, when I uncommented "allow_all_users" I got an "unsupported
> > setting" [or something like that], even though that was in there from the
> > beginning and is shown in the example wiki
> > http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)
> >
> > Anyway, in both tests my error messages were the same:
> >
> > Sep 08 18:3
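Mark asks whether the "@hprs" part can be parsed off the user Dovecot receives. Dovecot's auth_username_format setting does that: %n keeps only the part before "@", and the 2.2 default %Lu lowercases the whole name, which is what produces user=mark@hprs next to original_user=mark@HPRS in his log. The following added example, not code from the thread or from Dovecot, parses the quoted passdb log lines and shows the effect of that setting; the log lines are constructed from the ones above, and <SESSIONID> is a placeholder for the session token the archive stripped.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the ones quoted in this thread;
# <SESSIONID> stands in for the session token the archive stripped.
SAMPLE_LOG = """\
Sep 05 16:45:19 auth: Debug: client passdb out: OK      1       user=mark@hprs  original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,<SESSIONID>): user not authenticated: NT_STATUS_LOGON_FAILURE
"""

# passdb/userdb driver entries look like: driver(user,rip[,session]): message
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?:auth|auth-worker\(\d+\)): "
    r"(?P<level>Debug|Info|Warning|Error): "
    r"(?P<driver>[\w-]+)\((?P<user>[^,)]*),(?P<rip>[^,)]*)(?:,[^)]*)?\): (?P<msg>.*)$"
)

@dataclass
class AuthEntry:
    timestamp: str
    level: str
    driver: str
    user: str
    rip: str
    message: str

def parse_auth_log(text):
    """Keep only passdb/userdb driver entries; other auth chatter is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(AuthEntry(m["ts"], m["level"], m["driver"],
                                     m["user"], m["rip"], m["msg"]))
    return entries

def apply_username_format(user, fmt="%Lu"):
    """The subset of Dovecot's auth_username_format that matters here: %u is the
    whole name, %n the part before '@', %d the part after, and the L modifier
    lowercases. %Lu is the 2.2 default, hence user=mark@hprs in the log."""
    name, _, domain = user.partition("@")
    values = {"u": user, "n": name, "d": domain}
    def expand(m):
        value = values[m.group(2)]
        return value.lower() if m.group(1) else value
    return re.sub(r"%(L?)([und])", expand, fmt)

def diagnose(entries):
    """What a defender wants from these lines: which database was asked for
    which name, and why the lookup could not succeed."""
    findings = []
    for e in entries:
        if e.driver in ("shadow", "passwd", "passwd-file") and "@" in e.user \
                and e.message == "unknown user":
            bare = apply_username_format(e.user, "%n")
            findings.append(f"{e.driver}: a local account db keyed by bare names was "
                            f"asked for '{e.user}'; with auth_username_format = %n it "
                            f"would be asked for '{bare}'")
        elif e.driver == "ntlm" and "NT_STATUS_LOGON_FAILURE" in e.message:
            findings.append(f"ntlm: the winbind helper rejected the logon from {e.rip} "
                            f"before Dovecot had a username (user field is '{e.user}')")
    return findings
```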

Re: Convert from Maildir to Mdbox

2015-09-09 Thread J. Echter
On 19.08.2015 at 06:17, Ачилов Рашид Нурмухамедович wrote:
> On 14/08/15 23:33, J. Echter wrote:
>>>
>> Hi,
>>
>> thanks for your reply.
>>
>> Would be nice to have a look at this script :)
>>
>> Thanks for your offer.
>>
>> Juergen
>>
>
> http://www.sheltonsoft.ru/fileZ/other/convmbx.tar.bz2
>
> When you are converting maildir-based mailboxes, you must grant write
> access for everyone to the root mailbox folder, otherwise converting fails
> (dsync runs in the user's access space). I.e. when your layout is
> /usr/folder/mailbox1, /usr/folder/mailbox2 etc. you must grant access
> to /usr/folder. The script detects the user's home directory and places
> the mail into it.
>
> Place commonlib.sh and colorprint.sh anywhere on PATH; /usr/bin is a
> good place.
>
> The message "INBOX exist..." you can safely ignore.
>
Hi,

sorry for the late reply.

I'll try this soon.

Thanks again!


Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-09 Thread Matthias Lay

hi,

check your 

/etc/openldap/ldap.conf

for

REFERRALS off

I had these errors with "referrals on" in misconfigured DNS environments.


You can debug the DNS packets by strace-ing the auth process.




On Tue, 8 Sep 2015 11:00:37 +0200
Fran  wrote:

> Hello,
> 
> My dovecot installation had been working fine against AD until we
> upgraded from AD 2003 to AD 2008. As
> http://wiki2.dovecot.org/AuthDatabase/LDAP says, I'm now not able to
> connect to AD through port 389. Port 3268 works fine though.
> 
> (...)
> Sep  7 19:02:05  dovecot: imap-login: Error:
> master(imap): Auth request timed out (received 0/12 bytes)
> Sep  7 19:02:05  dovecot: imap-login: Internal login
> failure (pid=4846 id=1) (internal failure, 1 successful auths):
> user=<>, method=PLAIN, rip=,
> lip=, TLS, session=
> (...)
> Sep  7 19:02:06  dovecot: auth: Error:
> ldap(,,): Connection appears
> to be hanging, reconnecting
> Sep  7 19:02:06  dovecot: auth: Error:
> ldap(,,): LDAP search
> returned multiple entries
> (...)
> 
> Is there a technical reason for this problem? Is there any
> workaround?
> 
> The use of the Global Catalog (port 3268) is not a solution for me, since
> it is missing many attributes (e.g. I use the field "initials" to set the
> quota, and this field is not available through port 3268).
> 
> I also noticed that it now uses any DC available in the domain; it
> doesn't care what I configured in the "hosts =" parameter.
> 
> This is using "hosts = dc03.domain:389":
> ---
> 
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp   22  0 :55217 
> :389  ESTABLISHED 4872/dovecot/auth
> tcp   22  0 :57645 
> :389ESTABLISHED 4872/dovecot/auth
> tcp0  0 :55216 
> :389  ESTABLISHED 4872/dovecot/auth
> 
> It looks like it does a lookup for other domain controllers (I don't
> know how or why) and connects randomly to any DC in my domain (in
> this case dc06.domain, but it changes every time), in addition to the
> configured one (dc03.domain).
> 
> This is using "hosts = dc03.domain:3268":
> 
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp0  0 :58485 
> :3268 ESTABLISHED 4982/dovecot/auth
> 
> In this case, only the server configured in the hosts parameter is used (I
> think this is the right behaviour).
> 
> 
> Additional info:
> ---
> CentOS Linux release 7.0.1406 (Core)
> 
> dovecot 2.2.10
> 
> Build options: ioloop=epoll notify=inotify ipv6 openssl
> io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
> cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
> 
> 
> My /etc/dovecot/dovecot-ldap.conf.ext
> --
> #hosts = dc03.domain:3268
> hosts = dc03.domain:389
> #uris = ldap://dc03.domain
> base = DC=domain
> #tls = yes
> tls = no
> ldap_version = 3
> auth_bind = yes
> auth_bind_userdn = %u@domain
> #auth_bind_userdn = DOMAIN\%u
> dn = cn=,cn=Users,dc=domain
> dnpass = 
> 
> #scope   = subtree
> #deref   = never
> 
> user_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_filter =
> (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_attrs  = userPassword=password
> user_attrs  = Initials=quota_rule=*:storage=%$MB
> ---
> 
> 
> --
> Log trace using PORT 389:
> --
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x10, ret=1: before/accept initialization []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: before/accept initialization []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 read client hello A []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write server hello A []
> Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> where=0x2001, ret=1: SSLv3 write certificate A []
> Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Sep  7 19:00:35  dovecot: auth: Debug: Loading modules
> from directory: /usr/lib64/dovecot/auth
> Sep  7 19:00:35  dovecot: auth: Debug: Module loaded:
> /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Sep  7 19:00:35  dovecot: auth: Debug: Read auth token
> secret from /var/run/dovecot/auth-token-secret.dat
> Sep  7 19:00:35  dovecot:
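A check for the two configuration points visible in this thread: REFERRALS in /etc/openldap/ldap.conf combined with a hosts= entry on the domain-partition port (the cause of connections to DCs that were never configured), and auth_bind = yes with tls = no. This is an added example, not code from the thread or from the Dovecot project; the sample config strings are constructed from the ones quoted above, with dc03.domain as the original poster's placeholder host.

```python
# Constructed sample files modelled on the configs quoted in this thread;
# dc03.domain is the original poster's placeholder host name.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf
BASE    dc=domain
#REFERRALS off
"""
SAMPLE_DOVECOT_LDAP = """\
#hosts = dc03.domain:3268
hosts = dc03.domain:389
base = DC=domain
tls = no
auth_bind = yes
"""

def parse_openldap_conf(text):
    """ldap.conf: 'KEYWORD value' per line, keyword case-insensitive, # comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def parse_dovecot_ldap(text):
    """dovecot-ldap.conf.ext: 'key = value' per line, # comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def referrals_enabled(ldap_opts):
    # libldap chases referrals unless ldap.conf says REFERRALS off
    return ldap_opts.get("REFERRALS", "on").lower() in ("on", "true", "yes")

def host_ports(dovecot_opts):
    # hosts = host[:port] ...; an entry without an explicit port means 389
    result = []
    for entry in dovecot_opts.get("hosts", "").split():
        host, sep, port = entry.rpartition(":")
        result.append((host, int(port)) if sep else (entry, 389))
    return result

def lint(ldap_conf_text, dovecot_text):
    """Return (code, message) findings for the two problems visible above."""
    ldap_opts = parse_openldap_conf(ldap_conf_text)
    dov = parse_dovecot_ldap(dovecot_text)
    ports = {port for _, port in host_ports(dov)}
    findings = []
    # 389/636 serve one domain partition: a subtree search from the domain root
    # returns referrals to the other naming contexts, and libldap then opens
    # connections to whatever DC the domain's DNS name resolves to. The Global
    # Catalog ports (3268/3269) hold every partition, so they return none.
    if referrals_enabled(ldap_opts) and ports & {389, 636}:
        findings.append(("referrals", "REFERRALS is on (the libldap default) while "
                         "hosts= uses a domain-partition port; set 'REFERRALS off' in "
                         "ldap.conf or Dovecot will follow referrals past hosts="))
    # auth_bind = yes sends the user's password in a simple bind; without TLS
    # (or an ldaps:// port) it crosses the network in clear text.
    if dov.get("auth_bind") == "yes" and dov.get("tls") != "yes" and not ports & {636, 3269}:
        findings.append(("plaintext-bind", "auth_bind = yes with tls = no: user "
                         "passwords are sent to the DC unencrypted; set tls = yes"))
    return findings
```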

Re: How to "Windows Authenticate"

2015-09-09 Thread Jerry
On Tue, 08 Sep 2015 21:21:13 -0500, Rick Romero stated:

>I hate Exchange - I have a nagging 45 second delay on OWA logins ever since
>I had to set up multiple NICs to get Outlook to stop complaining about
>certs, and today while trying to fix that issue, AD decided to stop
>replicating one of my trusted domains (and began rejecting auths for linked
>mailboxes from that domain) and in short I really just hate that
>environment with every fiber of my being and would love to see a decent
>free Exchange replacement on *nix.

The only time I have had a problem with certs, is when they are "self signed".

-- 
Jerry




Re: sieve_extprograms - double linebreaks at filtering

2015-09-09 Thread Stephan Bosch



Op 8-9-2015 om 13:10 schreef Hajo Locke:

Hello List,

I have a problem when using the sieve plugin sieve_extprograms. I use 
dovecot 2.2.18 and bundled pigeonhole 0.4.6 (Ubuntu 14.04.3 LTS)


I have enabled sieve_extprograms and vnd.dovecot.filter to send mail 
to a user-defined script and get the changed content back.

My script was previously used with procmail and works fine.
Using the same script with vnd.dovecot.filter leads to odd behavior.
I already found out the problem itself:
when sending the mail content to the filter program it seems that 
sieve/sieve_extprograms is adding additional line breaks to every line 
of the complete mail.
Please see this image to clarify: 
http://r31i.imgup.net/header8d56.jpg?l=de
Every line ending got additional Windows line endings, which leads to 
problems with the processing scripts.
Piping mails from procmail to the same script works without problems, 
because those mails are received "clean" without the "^M".


Well, the specified format for an internet message like e-mail has CRLF 
line endings everywhere. That's why this happens now:


http://hg.rename-it.nl/dovecot-2.2-pigeonhole/file/5df1b6d72ec2/src/plugins/sieve-extprograms/sieve-extprograms-common.c#l604

But maybe that is not such a good idea in a UNIX environment. I think I 
can just make it configurable.


Regards,

Stephan.
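A filter program that tolerates both delivery paths described in this thread: it normalises CRLF to LF before doing its work and hands the message back in the convention it arrived in, so a script reused between procmail and vnd.dovecot.filter never sees mixed line endings. This is an added example, not code from the thread or from Pigeonhole; the X-Filtered header it inserts and the sample message in the test are constructed.

```python
import sys

def detect_eol(data: bytes) -> bytes:
    """Line terminator convention of the message: CRLF if the first terminated
    line ends in CRLF (what sieve_extprograms hands over), else LF."""
    nl = data.find(b"\n")
    if nl > 0 and data[nl - 1:nl] == b"\r":
        return b"\r\n"
    return b"\n"

def to_lf(data: bytes) -> bytes:
    """Strip the CR half of every CRLF so the body can be processed as UNIX text."""
    return data.replace(b"\r\n", b"\n")

def filter_message(data: bytes, marker: bytes = b"X-Filtered: yes") -> bytes:
    """Process the message as LF text, insert a constructed header at the end of
    the header block, and return it in the convention it came in."""
    eol = detect_eol(data)
    text = to_lf(data)
    header, sep, body = text.partition(b"\n\n")
    if not sep:
        # headers only: no blank separator line was present
        header, sep, body = text.rstrip(b"\n"), b"\n\n", b""
    out = header + b"\n" + marker + sep + body
    return out.replace(b"\n", eol) if eol != b"\n" else out

if __name__ == "__main__":
    # Sieve's vnd.dovecot.filter (and procmail) pipe the message on stdin and
    # read the replacement from stdout; work in bytes so nothing is re-encoded.
    sys.stdout.buffer.write(filter_message(sys.stdin.buffer.read()))
```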


Re: How to "Windows Authenticate"

2015-09-09 Thread Rick Romero

 If I had time I would be all over this - but IMHO the main problem is that
Dovecot != Exchange.  Even in small environments - unless I'm out of date,
there's no calendar, tasks or contact lists within Dovecot.

Your next best bet is to use something like Horde that would allow you to
auth via ActiveSync (on Outlook 2013 clients) and manage everything else
that the users will want, with Dovecot as the mail backend.
Though I believe there could be licensing issues if you're looking to do it
for free.  I think, by license, you still need CALs for each ActiveSync
client (if you're in the US).

Auth-wise it'd be a whole different animal.  I'm not sure if there's
anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba
would accept the username via GSSAPI and I suppose you could pass that to
HordeAuth.

I hate Exchange - I have a nagging 45 second delay on OWA logins ever since
I had to set up multiple NICs to get Outlook to stop complaining about
certs, and today while trying to fix that issue, AD decided to stop
replicating one of my trusted domains (and began rejecting auths for linked
mailboxes from that domain) and in short I really just hate that
environment with every fiber of my being and would love to see a decent
free Exchange replacement on *nix.

Rick

Quoting Mark Foley :


More experimentation ...

I tried removing userdb and passdb from the dovecot NTLM config. That
didn't
work. I then tried adding a static userdb as follows:

userdb {
driver = static
#  allow_all_users = yes
args = gid=100 home=/home/HPRS/%n
}

(Interestingly, when I uncommented "allow_all_users" I got an "unsupported
setting" [or something like that], even though that was in there from the
beginning and is shown in the example wiki
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)

Anyway, in both tests my error messages were the same:

Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be
used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH    1       NTLM   
service=imap    session=vPWqBUQfeADAqAA6      lip=192.168.0.2 
rip=192.168.0.58        lport=143       rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT    1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,):
user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL    1

Notice that my userid (mark or mark@ohprs) is nowhere to be found. Whereas when
I specified the userdb passwd at least it had a user id in the error log. From
my previous test with userdb passwd and passdb shadow:

Sep 05 16:45:19 auth: Debug: client passdb out: OK      1   
  user=mark@hprs  original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug:
shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58):
unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND     

 998899713


The "Info: ntlm" log entry has ntlm(?,192.168.0.58,), whereas
the previous test "Info shadow" log entry has Info:
shadow(mark@hprs,192.168.0.58).

Of course I have no passdb specified which is right for NTLM ... or is it?


I feel like this should be obvious to someone familiar with Dovecot. Once again,
it's difficult for me to believe no one on planet Earth (who also happens to
subscribe to this list) had ever done Dovecot/ntlm from Outlook before.

Help!!! If I can't get this last bit sorted out I'll be forced back to Server
2012 and Exchange.

Thanks, --Mark

-Original Message-
From: Mark Foley 
Date: Mon, 07 Sep 2015 21:28:23 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Comments interspersed with yours ...

--Mark

-Original Message-

Date: Sun, 06 Sep 2015 20:00:11 -0500
From: Rick Romero 
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

  Hmm.  I would expect to see 'm...@hprs.com'.  Whatever your full domain
name is.


Full user@domain would be mark@hprs.local


It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
mapping.  Your AD users shouldn't be in there when all is said and done.


I was thinking this too.  I don't know why NTLM would need a userdb at all.  It
should just use something like ntlm_auth (which is configured in
auth_winbind_helper).

What if I simply removed the userdb?  What would you recommend for
userdb, passdb?


Well, when I did a Samba4 install as a DC it still behaved like a Samba3
member, and there were no AD users in the local unix passwd files.

What does wbinfo -u provide?  It should list all your users - especially
because it's a DC.  Whatever wbinfo -u shows, you may need to adjust
another config file to match what Dovecot is receiving.


$ wbinfo -u

Administrator
Guest
krbtgt
dns-