RE: service-specific userdb affecting lmtp, quota-service

2016-08-02 Thread Michael Fox
 
> On Wed, 3 Aug 2016, Steffen Kaiser wrote:
> 
> >> Update:
> >>
> >> I was able to eliminate the /var/log/mail.err error messages (shown
> >> below) by creating a userdb.quota-status and userdb.lmtp passwd-file.
> >> However, since userdb.pop3 and userdb.imap will have different
> >> extra-fields values for namespace (different namespace/xxx/inbox=yes
> >> values) I can't simply create userdb.quota-status and userdb.lmtp as
> >> the union of userdb.pop3 and userdb.imap.  At a minimum, the
> >> extra-fields namespace info has to be left out.
> >
> > do LMTP and Quota-status fail, if you symlink them to the imap version?

I didn't try a symlink because I intend to have separate users in
userdb.pop3 and userdb.imap so I can control who has imap access.  To allow
the two user lists to be independent, I made a unique union of the pop3 and
imap userdbs and used that for quota-status and lmtp.

  
 
> BTW: your posted conf does not contain the virtual plugin and its
> namespace.

Correct.  As I put in the previous email, I didn't get to that point.
First, I just commented out the "inbox=yes" declaration from "namespace
inbox {}" and then added it to the userdb.imap extra-fields but got an
error.

How embarrassing.  I just discovered a syntax error.  I was using:
  userdb_namespace=/namespace/inbox/inbox=yes
Instead of:
  userdb_namespace/inbox/inbox=yes

Now that's working.  

BTW, it turns out that both quota-status and lmtp need to see the value of
inbox=.  So I guess all of the userdb.%s files will include
userdb_namespace/inbox/inbox=yes, except for userdb.pop3 which will use
userdb_namespace/virtual/inbox=yes.

Next step is to configure the extra namespaces.

Thanks for your help so far Steffen.  

Michael
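As an added illustration of the approach described in this reply (not Michael's own script; the sample users, the /var/vmail paths and the conflict check are constructed), the following Python builds userdb.lmtp and userdb.quota-status as the unique union of userdb.pop3 and userdb.imap, dropping the per-service userdb_namespace/... extra-fields and adding the userdb_namespace/inbox/inbox=yes that both services turned out to need:

```python
"""Build the per-service passwd-file userdbs (userdb.lmtp, userdb.quota-status)
as the unique union of userdb.pop3 and userdb.imap.  Added example, not code
from the thread; the sample users below are constructed."""

NAMESPACE_PREFIX = "userdb_namespace/"
INBOX_FIELD = "userdb_namespace/inbox/inbox=yes"
NUM_FIELDS = 8  # user:password:uid:gid:gecos:home:shell:extra_fields


def parse_passwd_file(text):
    """Return {user: [8 fields]}; blank lines and '#' comments are skipped.
    Only the first 7 colons separate fields, so the extra_fields part may
    itself contain colons (e.g. userdb_quota_rule=*:storage=100MB)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", NUM_FIELDS - 1)
        fields += [""] * (NUM_FIELDS - len(fields))
        entries.setdefault(fields[0], fields)  # first line for a user wins
    return entries


def service_fields(extra):
    """Drop the userdb_namespace/... fields, which differ between pop3 and
    imap and must not leak into the lmtp / quota-status userdb."""
    return [f for f in extra.split() if not f.startswith(NAMESPACE_PREFIX)]


def merge_userdbs(*sources):
    """Unique union of several passwd-file texts, returned as file text.
    Extra fields are unioned per user.  uid, gid and home must agree where
    both files set them: picking one silently would make LMTP deliver into
    (and quota-status account against) the wrong Maildir."""
    users = {}
    for text in sources:
        for user, fields in parse_passwd_file(text).items():
            extra = service_fields(fields[7])
            if user not in users:
                users[user] = fields[:7] + [extra]
                continue
            kept = users[user]
            for idx in (2, 3, 5):  # uid, gid, home
                if kept[idx] and fields[idx] and kept[idx] != fields[idx]:
                    raise ValueError("user %s: field %d differs between files" % (user, idx))
                kept[idx] = kept[idx] or fields[idx]
            for f in extra:
                if f not in kept[7]:
                    kept[7].append(f)
    lines = []
    for user in sorted(users):
        f = users[user]
        lines.append(":".join(f[:7] + [" ".join(f[7] + [INBOX_FIELD])]))
    return "\n".join(lines) + "\n"


# Constructed samples for one /etc/dovecot/auth.d/<domain>/ directory.
# home is left empty where default_fields = home=/var/vmail/%d/%n fills it.
POP3_SAMPLE = """\
# user:password:uid:gid:gecos:home:shell:extra_fields
alice:::::/var/vmail/example.org/alice::userdb_namespace/virtual/inbox=yes userdb_quota_rule=*:storage=100MB
bob:::::::userdb_namespace/virtual/inbox=yes
"""
IMAP_SAMPLE = """\
alice:::::/var/vmail/example.org/alice::userdb_namespace/inbox/inbox=yes userdb_quota_rule=*:storage=100MB
carol:::::::userdb_namespace/inbox/inbox=yes
"""

if __name__ == "__main__":
    merged = merge_userdbs(POP3_SAMPLE, IMAP_SAMPLE)
    print(merged, end="")
    # The same text is written out as both userdb.lmtp and userdb.quota-status.
```

The pop3-only user bob ends up in the merged file with the imap-style inbox field, which is what lmtp and quota-status need even though his userdb.pop3 entry uses the virtual namespace.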
 


RE: service-specific userdb affecting lmtp, quota-service

2016-08-02 Thread Steffen Kaiser


On Wed, 3 Aug 2016, Steffen Kaiser wrote:


Update:

I was able to eliminate the /var/log/mail.err error messages (shown below)
by creating a userdb.quota-status and userdb.lmtp passwd-file.  However,
since userdb.pop3 and userdb.imap will have different extra-fields values
for namespace (different namespace/xxx/inbox=yes values) I can't simply
create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and
userdb.imap.  At a minimum, the extra-fields namespace info has to be left
out.


do LMTP and Quota-status fail, if you symlink them to the imap version?


BTW: your posted conf does not contain the virtual plugin and its 
namespace.



So this creates the question:  For each service, which fields does the
userdb need to contain?  I can't find that documented anywhere.

For example, for the quota-status service, I presume the following are
needed:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- any "quota=" overrides in the extra-fields
-- nothing else

Is that right?


And I presume userdb.lmtp needs to return:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- nothing else

Is that right?

Thanks,
Michael






-- 
Steffen Kaiser



RE: service-specific userdb affecting lmtp, quota-service

2016-08-02 Thread Steffen Kaiser


On Tue, 2 Aug 2016, Michael Fox wrote:


Update:

I was able to eliminate the /var/log/mail.err error messages (shown below)
by creating a userdb.quota-status and userdb.lmtp passwd-file.  However,
since userdb.pop3 and userdb.imap will have different extra-fields values
for namespace (different namespace/xxx/inbox=yes values) I can't simply
create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and
userdb.imap.  At a minimum, the extra-fields namespace info has to be left
out.


do LMTP and Quota-status fail, if you symlink them to the imap version?


So this creates the question:  For each service, which fields does the
userdb need to contain?  I can't find that documented anywhere.

For example, for the quota-status service, I presume the following are
needed:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- any "quota=" overrides in the extra-fields
-- nothing else

Is that right?


And I presume userdb.lmtp needs to return:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- nothing else

Is that right?

Thanks,
Michael






-- 
Steffen Kaiser



Re: "Plaintext authentication disallowed on non-secure (SSL/TLS) connections" despite correct configuration to allow this

2016-08-02 Thread Christian Balzer

Hello,

talking to oneself seems to be all the rage on this ML, so I shall join
that trend.

As it turns out this was a case of slightly muddled/unclear error
messages, the client sees:
---
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
---

But the actual issue was that the newly added "login_source_ips" (the
main reason for this upgrade, as we're running out of ports) was not
in the "trusted_networks" of the target mailbox server.

So the failure was between proxy and mailbox server, not client and proxy.

After adding that network all is working now as expected.

Christian



-- 
Christian Balzer                Network/Systems Engineer
ch...@gol.com   Global OnLine Japan/Rakuten Communications
http://www.gol.com/


Re: SSL connection reset by peer

2016-08-02 Thread Olaf Hopp

On 07/27/2016 11:55 PM, Vince42 wrote:

Hi,

[Steffen Kaiser] - [2016-07-26 09:05]

I am running a dovecot server and have set up an external
monitoring, where every five minutes a login with SSL on port
993 is done. I usually get once a day an error "connection
reset by peer - SSL connect", which goes away until the next
monitor is executed.



that looks like a basic networking issue to me. Do you have logs
how many users try to connect at this time? Is it always the same
time range? Is the server load very high?



My server has nice specs (in fact a 30 times lower scaled server
never had this kind of problems), I also don't host many domains
and users, therefore I doubt that some kind of limit might be
touched. I also suspected some internal system load, but
unfortunately the error occurs arbitrarily, which makes me think
that no scheduled process is responsible for this. I also ran 'top'
during such an event without any obvious load tasks. The system
statistics also show no weird peaks. I read about the "running out
of random" phenomenon, but during such an event there were still
enough resources random-wise.



what about the network itself? Does the monitor cross a firewall?


I do not know all the details about my provider's data center, but the
monitor is an internal one running on one of their machines in their
infrastructure. I therefore doubt that this error could be related to
some network issue. The monitor just makes a normal IMAP login and fails
with the SSL error - and a few minutes later everything is fine again.


Could it be that I need to offer more login processes or that I
should raise some of my configuration values? The
mail_max_userip_connections does not seem to solve the problem.



usually you get some warning in the logs, if such limit is reached.


I desperately searched all kinds of logs - but nothing indicates a
problem that would explain these arbitrary logon errors. I always
thought that I should be more generous with login processes or other
system resources in order to overcome this - but it seems that I am on
the wrong track, if my doveconf -n does not show any oddities.

I fear I will have to accept this error as being "normal" - which is
really odd as my former server ran for years with the same config
without any warning at all. Maybe the next will do it again ... :)))



Hi Vince,
just a shot into the dark:
if you are running out of entropy, you might get SSL errors.
If this is a virtual machine, there are not many entropy sources.
Consider installing alternative entropy sources like haveged(*),
available in many distro repos.

Regards, Olaf

(*) http://www.issihosts.com/haveged/

--
Karlsruher Institut für Technologie (KIT)
ATIS - Technical Infrastructure Department, Department of Informatics

Dipl.-Geophys. Olaf Hopp
- Head of IT Services -

Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - The Research University in the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.





RE: service-specific userdb affecting lmtp, quota-service

2016-08-02 Thread Michael Fox
Update:

I was able to eliminate the /var/log/mail.err error messages (shown below)
by creating a userdb.quota-status and userdb.lmtp passwd-file.  However,
since userdb.pop3 and userdb.imap will have different extra-fields values
for namespace (different namespace/xxx/inbox=yes values) I can't simply
create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and
userdb.imap.  At a minimum, the extra-fields namespace info has to be left
out.  

So this creates the question:  For each service, which fields does the
userdb need to contain?  I can't find that documented anywhere.

For example, for the quota-status service, I presume the following are
needed:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- any "quota=" overrides in the extra-fields
-- nothing else

Is that right?


And I presume userdb.lmtp needs to return:
-- username
-- home directory  (since mail_location = maildir:~/Maildir)
-- nothing else

Is that right?

Thanks,
Michael


> -Original Message-
> 
> The service specific passwd-file userdb is causing quota-status and lmtp
> to fail.
> 
> Using:
> userdb {
>   args = ... /etc/dovecot/auth.d/%d/userdb.%s
> }
> 
> I'm getting the following in /var/log/mail.err when I try to send/receive
> mail:
> 
> Aug  1 15:46:57 n6mef-gw dovecot: auth: Error:
> passwd-file(mef...@email.n6mef.org):
> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.quota-status) failed:
> Address family not supported by protocol
> Aug  1 15:47:08 n6mef-gw dovecot: auth: Error:
> passwd-file(mef...@email.n6mef.org):
> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.lmtp) failed: Address
> family
> not supported by protocol
> 
> I don't have a userdb.quota-status or userdb.lmtp.
> 
> Is there something else that needs to be in the configuration to prevent
> these services from needing their own userdb?
> 
> Thanks,
> Michael
> 
> 
> $ doveconf -n
> # 2.2.9: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-76-generic x86_64 Ubuntu 14.04.4 LTS
> auth_mechanisms = cram-md5
> auth_verbose = yes
> mail_gid = vmail
> mail_location = maildir:~/Maildir
> mail_plugins = " quota"
> mail_uid = vmail
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
> special_use = \Drafts
>   }
>   mailbox Junk {
> special_use = \Junk
>   }
>   mailbox Sent {
> special_use = \Sent
>   }
>   mailbox "Sent Messages" {
> special_use = \Sent
>   }
>   mailbox Trash {
> special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/deny-users
>   deny = yes
>   driver = passwd-file
> }
> passdb {
>   args = scheme=cram-md5 username_format=%n /etc/dovecot/auth.d/%d/passdb
>   driver = passwd-file
> }
> plugin {
>   quota = maildir:User quota
>   quota_grace = 10%%
>   quota_rule = *:storage=50MB
>   quota_rule2 = Trash:storage=+10%%
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
>   quota_status_toolarge = 552 5.2.3 Message is too large
>   quota_warning = storage=90%% quota-warning 90 %n %d
>   quota_warning2 = storage=75%% quota-warning 75 %n %d
> }
> pop3_lock_session = yes
> protocols = pop3 imap lmtp
> service auth {
>   unix_listener /var/spool/postfix/private/dovecot-auth {
> group = postfix
> mode = 0660
> user = postfix
>   }
>   unix_listener auth-userdb {
> group = vmail
> mode = 0600
> user = vmail
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
>   }
> }
> service pop3 {
>   executable = pop3 postlogin
>   process_limit = 25
> }
> service postlogin {
>   executable = script-login /etc/dovecot/postlogin.sh
>   group = vmail
>   user = vmail
> }
> service quota-status {
>   client_limit = 1
>   executable = quota-status -p postfix
>   inet_listener {
> port = 12340
>   }
> }
> service quota-warning {
>   executable = /etc/dovecot/quota-warning.sh
>   user = vmail
> }
> ssl = required
> ssl_cert = 
> ssl_key = 
> ssl_protocols = !SSLv2 !SSLv3
> userdb {
>   args = username_format=%n /etc/dovecot/auth.d/%d/userdb.%s
>   default_fields = home=/var/vmail/%d/%n
>   driver = passwd-file
> }
> verbose_ssl = yes
> protocol lmtp {
>   postmaster_address = x
> }
> protocol imap {
>   mail_max_userip_connections = 10
> }
> protocol pop3 {
>   mail_max_userip_connections = 1
> }
> remote 192.168.7.0/24/24 {
>   ssl = yes
> }
> remote 192.168.7.0/27/27 {
>   ssl = no
> }
> $


Error: Timeout (180s) while waiting for lock for transaction log file dovecot.index.log

2016-08-02 Thread Götz Reinicke - IT Koordinator
Hi,

our maildir store is on an NFS share which was working fine for some time
with the recommended setting from the dovecot wiki; suddenly today I got
informed that one user has login problems to his mails and I have some
messages in the logs:

Error: Timeout (180s) while waiting for lock for transaction log file
../Maildir/dovecot.index.log

My current guess is a hiccup in the network during a router
configuration this weekend.

My question:

How to solve the problem? I can restart the nfs service/server later
this day, as well as the mailserver ... as there is a kernel update too.

Do I have to initiate some resync or deletion of index or whatsoever files?

Thanks for any feedback and regards, Götz







Re: [BUG] auth_bind with "()#<>"\:," in username not working

2016-08-02 Thread Matthias Lay

sorry forgot

password for all test users is "insecure"

and you'll need the function in the header too



diff --git a/src/auth/db-ldap.h b/src/auth/db-ldap.h
index 8a51081..82ed1b3 100644
--- a/src/auth/db-ldap.h
+++ b/src/auth/db-ldap.h
@@ -197,6 +197,8 @@ void db_ldap_enable_input(struct ldap_connection
*conn, bool enable); 
 const char *ldap_escape(const char *str,
const struct auth_request *auth_request);
+const char *ldapdn_escape(const char *str,
+   const struct auth_request *auth_request);
 const char *ldap_get_error(struct ldap_connection *conn);
 
 struct db_ldap_result_iterate_context *
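Review bot: the new ldapdn_escape prototype sits directly under ldap_escape with an identical signature but no comment saying which escaping each one performs, so a caller cannot tell from the header which to use for a DN (auth_bind_userdn) and which for a search filter; add a one-line comment above each, e.g. `/* RFC 4514 escaping for a value inside a DN */` and `/* RFC 4515 escaping for a value inside a search filter */`. The context line `*conn, bool enable);` also shows the mail client wrapped the hunk, so this will not apply with `git am` as pasted; attach the patch as a file.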











[BUG] auth_bind with "()#<>"\:," in username not working

2016-08-02 Thread Matthias Lay

Hi once again, replying to myself


I think I tracked down the problem with a local openldap server.

IMO the point is, you are using an LDAP search escaping for a DN request,
which needs another kind of escaping.
The '(' worked well with my NULL-Patch because '(' is a char that needs
escaping for a search filter but not for a DN.

I experienced some more problems with users containing a '+' or '<', for
example. So I googled a bit and found this one.

http://www.openldap.org/lists/openldap-software/200407/msg00722.html

So you might be missing (or I didn't find it) a special DN escaping
function. I added one in the following patch and all the special chars
seem to work fine in the bind AND search requests.



diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
index 1476fa9..e9218ca 100644
--- a/src/auth/db-ldap.c
+++ b/src/auth/db-ldap.c
@@ -1423,6 +1422,35 @@ db_ldap_value_get_var_expand_table(struct
auth_request *auth_request, return table;
 }
 
+
+#define IS_LDAPDN_ESCAPED_CHAR(c) \
+   ((c) == '"' || (c) == '+' || (c) == ',' || (c) == '\\' || (c)
== '<' || (c) == '>' || (c) == ';') +
+const char *ldapdn_escape(const char *str,
+   const struct auth_request *auth_request
ATTR_UNUSED) +{
+   const char *p;
+   string_t *ret;
+
+   for (p = str; *p != '\0'; p++) {
+   if (IS_LDAPDN_ESCAPED_CHAR(*p))
+   break;
+   }
+
+   if (*p == '\0')
+   return str;
+
+   ret = t_str_new((size_t) (p - str) + 64);
+   str_append_n(ret, str, (size_t) (p - str));
+
+   for (; *p != '\0'; p++) {
+   if (IS_LDAPDN_ESCAPED_CHAR(*p))
+   str_append_c(ret, '\\');
+   str_append_c(ret, *p);
+   }
+   return str_c(ret);
+}
+
 #define IS_LDAP_ESCAPED_CHAR(c) \
((c) == '*' || (c) == '(' || (c) == ')' || (c) == '\\')
 
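Review bot: IS_LDAPDN_ESCAPED_CHAR covers the characters RFC 4514 requires escaping anywhere in a value, but the loop misses the position-dependent cases of the same section: a leading '#' or space and a trailing space also need a backslash, and a NUL byte has to be emitted as \00 rather than treated as the end of the string. The subject line lists '#' among the failing characters, so a username beginning with '#' would still produce a wrong bind DN with this patch; check `p == str && (*p == '#' || *p == ' ')` and the trailing space before the main loop. The hunk header `@@ -1423,6 +1422,35 @@` also shows the diff was taken on a tree that already carries another local change above this point, and the mailer folded the macro continuation and the `+{` opener onto neighbouring lines, so please regenerate against a clean checkout and attach it.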




diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c
index c1c2544..5629d85 100644
--- a/src/auth/passdb-ldap.c
+++ b/src/auth/passdb-ldap.c
@@ -367,7 +374,7 @@ ldap_verify_plain_auth_bind_userdn(struct
auth_request *auth_request, 
brequest->request.type = LDAP_REQUEST_TYPE_BIND;
 
-   vars = auth_request_get_var_expand_table(auth_request,
ldap_escape);
+   vars = auth_request_get_var_expand_table(auth_request,
ldapdn_escape); 
dn = t_str_new(512);
var_expand(dn, conn->set.auth_bind_userdn, vars);
 
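Review bot: switching auth_bind_userdn expansion to ldapdn_escape is the correct escaper for a DN, but the post says the special characters now work in bind AND search requests while this hunk only changes the bind path; the search filters still go through ldap_escape, which is right for a filter, so the commit message should state that the two paths intentionally use different escapers so nobody later "unifies" them. The `+374` offset against `-367` again indicates the diff is relative to other local changes and may not apply cleanly upstream.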




an ldif file for testing.
add them with 
# slapadd -l filename


# cat user.ldif
dn: dc=uma,dc=local
dc: uma
objectClass: dcObject
objectClass: domain
structuralObjectClass: domain
entryUUID: 5cdda309-7ad5-4b03-b981-784c1b7ec27e
creatorsName: cn=admin,dc=uma,dc=local
createTimestamp: 20160729231019Z
entryCSN: 20160729231019.057480Z#00#000#00
modifiersName: cn=admin,dc=uma,dc=local
modifyTimestamp: 20160729231019Z

dn: ou=users,dc=uma,dc=local
ou: users
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: cc56753d-09aa-404a-8446-5d0bf75531a3
creatorsName: cn=admin,dc=uma,dc=local
createTimestamp: 20160729231019Z
entryCSN: 20160729231019.147739Z#00#000#00
modifiersName: cn=admin,dc=uma,dc=local
modifyTimestamp: 20160729231019Z

dn: uid=s\+schmidt,ou=users,dc=uma,dc=local
givenName: Stefan
uid: s+schmidt
sn: Schmidt
mail:: cy5zY2htaWR0QHR0dC1wb2ludC5sb2NhbA0=
cn: Stefan Schmidt
objectClass: person
objectClass: inetOrgPerson
userPassword:: aW5zZWN1cmU=
structuralObjectClass: inetOrgPerson
entryUUID: fffad6fe-d083-4ab9-b6c2-da82067d510b
creatorsName: cn=admin,dc=uma,dc=local
createTimestamp: 20160729231039Z
entryCSN: 20160729231039.234641Z#00#000#00
modifiersName: cn=admin,dc=uma,dc=local
modifyTimestamp: 20160729231039Z

dn: uid=m\\mueller,ou=users,dc=uma,dc=local
givenName: Melanie
uid: m\mueller
sn: Mueller
mail:: bS5tdWVsbGVyQHR0dC1wb2ludC5sb2NhbA0=
cn: Melanie Mueller
objectClass: person
objectClass: inetOrgPerson
userPassword:: aW5zZWN1cmU=
structuralObjectClass: inetOrgPerson
entryUUID: 6e1a3a14-dd75-4766-a308-44a8437a0139
creatorsName: cn=admin,dc=uma,dc=local
createTimestamp: 20160729231039Z
entryCSN: 20160729231039.308360Z#00#000#00
modifiersName: cn=admin,dc=uma,dc=local
modifyTimestamp: 20160729231039Z

dn: uid=k(lammer,ou=users,dc=uma,dc=local
givenName: karl
uid: k(lammer
sn: klammer
mail:: a0BzcGRldi5sb2NhbA0=
cn: karl klammer
objectClass: person
objectClass: inetOrgPerson
userPassword:: aW5zZWN1cmU=
structuralObjectClass: inetOrgPerson
entryUUID: b5a26caf-62b1-4cf5-985c-3167424d90c7
creatorsName: cn=admin,dc=uma,dc=local
createTimestamp: 20160729231039Z
entryCSN: 20160729231039.315462Z#00#000#00
modifiersName: cn=admin,dc=uma,dc=local
modifyTimestamp: 20160729231039Z

dn: uid=g\>ross,ou=users,dc=uma,dc=local
givenName: v
uid: g>ross
sn: n
mail:: Z0BzcGRldi5sb2NhbA0=
cn: v n
objectClass: person
objectClass: inetOrgPerson
userPassword:: aW5zZWN1cmU=
structuralObjectClass: inetOrgPerson
entryUUID: fb7ad7cc-a028-444c-8109-cfe9dd182b0b
creators
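To make the distinction in this post concrete, here is an added Python example (not Dovecot's C code, and not from the post) that escapes the same usernames as the ldif above once for a DN (RFC 4514) and once for a search filter (RFC 4515), including the leading/trailing cases the post's macro does not cover; the base DN is taken from the ldif, the extra usernames are constructed:

```python
"""RFC 4514 (DN) versus RFC 4515 (search filter) escaping of an LDAP
username.  Added example in Python, not Dovecot's C code; it mirrors the
distinction the post makes: '(' must be escaped in a filter but not in a
DN, while '+', '<', '>', ',' etc. must be escaped in a DN but not in a
filter.  The base DN and the first four usernames come from the post's
ldif; '#hash' and 'sp ace ' are constructed edge cases."""

# RFC 4514 section 2.4: backslash-escape these anywhere in a DN value,
# plus a leading '#' or space and a trailing space, and NUL as \00.
DN_SPECIAL = '"+,;<>\\'
# RFC 4515 section 3: hex-escape these in an assertion value of a filter.
FILTER_SPECIAL = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\0': r'\00'}


def dn_escape(value):
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\0':
            out.append(r'\00')
        elif ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def filter_escape(value):
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return ''.join(FILTER_SPECIAL.get(ch, ch) for ch in value)


BASE_DN = "ou=users,dc=uma,dc=local"  # from the post's ldif


def bind_dn(uid):
    """DN to bind as, the way an auth_bind_userdn template such as
    uid=%u,ou=users,dc=uma,dc=local would be expanded."""
    return "uid=%s,%s" % (dn_escape(uid), BASE_DN)


def search_filter(uid):
    """Filter to look the user up, the way a (uid=%u) template would expand."""
    return "(uid=%s)" % filter_escape(uid)


# Cross-check: a value escaped for the wrong context is a different string.
# The filter escaper turns 'k(lammer' into 'k\28lammer' when used for a DN,
# and the DN escaper leaves '(' alone inside a filter, where it changes the
# filter's structure.
TEST_USERS = ["s+schmidt", "m\\mueller", "k(lammer", "g>ross", "#hash", "sp ace "]

if __name__ == "__main__":
    for uid in TEST_USERS:
        print("%-12s bind: %-38s search: %s" % (uid, bind_dn(uid), search_filter(uid)))
```

The four ldif users come out exactly as the `dn:` lines in the post show them (s\+schmidt, m\\mueller, k(lammer unchanged, g\>ross), which is the check to run against any escaper before wiring it into a bind path.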

"Plaintext authentication disallowed on non-secure (SSL/TLS) connections" despite correct configuration to allow this

2016-08-02 Thread Christian Balzer

Hello,

this is basically a repeat of this query from last year, which
unfortunately got a deafening silence for replies:
---
http://dovecot.org/pipermail/dovecot/2015-August/101720.html
---

I have mostly 2.1.7 (Debian Wheezy) mailbox servers and the current proxies
are also of that vintage. 

So with "ssl=yes" and "disable_plaintext_auth=no" plaintext logins work,
as per the documentation
(http://wiki2.dovecot.org/SSL/DovecotConfiguration)
and historically expected.

Trying to use a 2.2.24 (Debian Jessie backports) dovecot proxy with the
same parameters fails like this:
---
Aug  2 15:45:57 smtp12 dovecot: pop3-login: proxy(chibi...@gol.com): Login 
failed to mbxx.xxx.gol.com:110: Plaintext authentication disallowed on 
non-secure (SSL/TLS) connections.: user=, method=PLAIN, 
rip=x.x.x.x, lip=x.x.x.x, pid=16066
---

Changing things to "ssl=no" doesn't help and setting trusted networks only
changes the last bit to have "secured" appended  but still fails the same
otherwise.

I really need 2.2.x to behave the same way as before and documented. 

Any ideas and feedback would be most welcome.

Regards,

Christian
-- 
Christian Balzer                Network/Systems Engineer
ch...@gol.com   Global OnLine Japan/Rakuten Communications
http://www.gol.com/