RE: service-specific userdb affecting lmtp, quota-service
> On Wed, 3 Aug 2016, Steffen Kaiser wrote:
>
>> Update:
>>
>> I was able to eliminate the /var/log/mail.err error messages (shown below)
>> by creating a userdb.quota-status and userdb.lmtp passwd-file. However,
>> since userdb.pop3 and userdb.imap will have different extra-fields values
>> for namespace (different namespace/xxx/inbox=yes values) I can't simply
>> create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and
>> userdb.imap. At a minimum, the extra-fields namespace info has to be left
>> out.
>
> do LMTP and Quota-status fail, if you symlink them to the imap version?

I didn't try a symlink because I intend to have separate users in userdb.pop3 and userdb.imap so I can control who has imap access. To allow the two user lists to be independent, I made a unique union of the pop3 and imap userdbs and used that for quota-status and lmtp.

> BTW: your posted conf does not contain the virtual plugin and its
> namespace.

Correct. As I put in the previous email, I didn't get to that point. First, I just commented out the "inbox=yes" declaration from "namespace inbox {}" and then added it to the userdb.imap extra-fields but got an error.

How embarrassing. I just discovered a syntax error. I was using:

userdb_namespace=/namespace/inbox/inbox=yes

Instead of:

userdb_namespace/inbox/inbox=yes

Now that's working.

BTW, it turns out that both quota-status and lmtp need to see the value of inbox=. So I guess all of the userdb.%s files will include userdb_namespace/inbox/inbox=yes, except for userdb.pop3 which will use userdb_namespace/virtual/inbox=yes.

Next step is to configure the extra namespaces.

Thanks for your help so far Steffen.

Michael
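Michael's "unique union of the pop3 and imap userdbs", as an added example (not code from the thread): it merges two passwd-file userdbs by username and swaps the service-specific namespace extra field for the inbox one he says lmtp and quota-status need. The usernames, uid/gid, paths and the rule that the imap entry wins on conflict are assumptions made for the example.

```python
"""Build the lmtp / quota-status userdb as a unique union of userdb.pop3 and
userdb.imap (added example, not code from the thread)."""
from typing import Dict, List

# Constructed sample userdbs in Dovecot passwd-file format:
#   user:password:uid:gid:(gecos):home:(shell):extra_fields
# The password column is unused for userdb lookups and left empty here.
# Names, uid/gid and paths are made up for the example.
USERDB_POP3 = """\
alice::5000:5000::/var/vmail/example.test/alice::userdb_namespace/virtual/inbox=yes
bob::5000:5000::/var/vmail/example.test/bob::userdb_quota_rule=*:storage=100MB userdb_namespace/virtual/inbox=yes
"""
USERDB_IMAP = """\
alice::5000:5000::/var/vmail/example.test/alice::userdb_namespace/inbox/inbox=yes
carol::5000:5000::/var/vmail/example.test/carol::userdb_namespace/inbox/inbox=yes
"""

# Extra field the thread says every userdb except userdb.pop3 must carry.
INBOX_NS = "userdb_namespace/inbox/inbox=yes"


def parse_passwd_file(text: str) -> Dict[str, List[str]]:
    """Map username -> its eight fields. Only the first seven colons split
    the line, because extra fields such as userdb_quota_rule=*:storage=100MB
    contain colons themselves."""
    users: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 7)
        if len(fields) != 8:
            raise ValueError(f"malformed passwd-file line: {line!r}")
        users[fields[0]] = fields
    return users


def rewrite_namespace(extra: str, ns_field: str) -> str:
    """Drop any userdb_namespace/... extra field (the service-specific part)
    and append ns_field; other extra fields, e.g. quota overrides that
    quota-status needs, are kept untouched."""
    kept = [f for f in extra.split() if not f.startswith("userdb_namespace/")]
    kept.append(ns_field)
    return " ".join(kept)


def union_userdb(pop3: str, imap: str, ns_field: str = INBOX_NS) -> str:
    """Unique union by username. Assumption: when a user is in both files
    the imap entry wins, since imap access is the more restricted list."""
    merged = parse_passwd_file(pop3)
    merged.update(parse_passwd_file(imap))
    out = []
    for name in sorted(merged):
        fields = merged[name]
        fields[7] = rewrite_namespace(fields[7], ns_field)
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Prints what would be written to userdb.lmtp and userdb.quota-status.
    print(union_userdb(USERDB_POP3, USERDB_IMAP), end="")
```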
RE: service-specific userdb affecting lmtp, quota-service
On Wed, 3 Aug 2016, Steffen Kaiser wrote:

>> Update:
>>
>> I was able to eliminate the /var/log/mail.err error messages (shown below)
>> by creating a userdb.quota-status and userdb.lmtp passwd-file. However,
>> since userdb.pop3 and userdb.imap will have different extra-fields values
>> for namespace (different namespace/xxx/inbox=yes values) I can't simply
>> create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and
>> userdb.imap. At a minimum, the extra-fields namespace info has to be left
>> out.
>
> do LMTP and Quota-status fail, if you symlink them to the imap version?

BTW: your posted conf does not contain the virtual plugin and its namespace.

>> So this creates the question: For each service, which fields does the
>> userdb need to contain? I can't find that documented anywhere.
>>
>> For example, for the quota-status service, I presume the following are
>> needed:
>> -- username
>> -- home directory (since mail_location = maildir:~/Maildir)
>> -- any "quota=" overrides in the extra-fields
>> -- nothing else
>>
>> Is that right?
>>
>> And I presume userdb.lmtp needs to return:
>> -- username
>> -- home directory (since mail_location = maildir:~/Maildir)
>> -- nothing else
>>
>> Is that right?
>>
>> Thanks,
>> Michael
>>
>>> -----Original Message-----
>>>
>>> The service specific passwd-file userdb is causing quota-status and lmtp
>>> to fail.
>>>
>>> Using:
>>> userdb {
>>>   args = ... /etc/dovecot/auth.d/%d/userdb.%s
>>> }
>>>
>>> I'm getting the following in /var/log/mail.err when I try to send/receive
>>> mail:
>>>
>>> Aug 1 15:46:57 n6mef-gw dovecot: auth: Error:
>>> passwd-file(mef...@email.n6mef.org):
>>> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.quota-status) failed:
>>> Address family not supported by protocol
>>> Aug 1 15:47:08 n6mef-gw dovecot: auth: Error:
>>> passwd-file(mef...@email.n6mef.org):
>>> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.lmtp) failed: Address
>>> family not supported by protocol
>>>
>>> I don't have a userdb.quota-status or userdb.lmtp.
>>>
>>> Is there something else that needs to be in the configuration to prevent
>>> these services from needing their own userdb?
>>> Thanks,
>>> Michael
>>>
>>> $ doveconf -n
>>> # 2.2.9: /etc/dovecot/dovecot.conf
>>> # OS: Linux 3.16.0-76-generic x86_64 Ubuntu 14.04.4 LTS
>>> auth_mechanisms = cram-md5
>>> auth_verbose = yes
>>> mail_gid = vmail
>>> mail_location = maildir:~/Maildir
>>> mail_plugins = " quota"
>>> mail_uid = vmail
>>> namespace inbox {
>>>   inbox = yes
>>>   location =
>>>   mailbox Drafts {
>>>     special_use = \Drafts
>>>   }
>>>   mailbox Junk {
>>>     special_use = \Junk
>>>   }
>>>   mailbox Sent {
>>>     special_use = \Sent
>>>   }
>>>   mailbox "Sent Messages" {
>>>     special_use = \Sent
>>>   }
>>>   mailbox Trash {
>>>     special_use = \Trash
>>>   }
>>>   prefix =
>>> }
>>> passdb {
>>>   args = /etc/dovecot/deny-users
>>>   deny = yes
>>>   driver = passwd-file
>>> }
>>> passdb {
>>>   args = scheme=cram-md5 username_format=%n /etc/dovecot/auth.d/%d/passdb
>>>   driver = passwd-file
>>> }
>>> plugin {
>>>   quota = maildir:User quota
>>>   quota_grace = 10%%
>>>   quota_rule = *:storage=50MB
>>>   quota_rule2 = Trash:storage=+10%%
>>>   quota_status_nouser = DUNNO
>>>   quota_status_overquota = 552 5.2.2 Mailbox is full
>>>   quota_status_success = DUNNO
>>>   quota_status_toolarge = 552 5.2.3 Message is too large
>>>   quota_warning = storage=90%% quota-warning 90 %n %d
>>>   quota_warning2 = storage=75%% quota-warning 75 %n %d
>>> }
>>> pop3_lock_session = yes
>>> protocols = pop3 imap lmtp
>>> service auth {
>>>   unix_listener /var/spool/postfix/private/dovecot-auth {
>>>     group = postfix
>>>     mode = 0660
>>>     user = postfix
>>>   }
>>>   unix_listener auth-userdb {
>>>     group = vmail
>>>     mode = 0600
>>>     user = vmail
>>>   }
>>> }
>>> service lmtp {
>>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>>     group = postfix
>>>     mode = 0600
>>>     user = postfix
>>>   }
>>> }
>>> service pop3 {
>>>   executable = pop3 postlogin
>>>   process_limit = 25
>>> }
>>> service postlogin {
>>>   executable = script-login /etc/dovecot/postlogin.sh
>>>   group = vmail
>>>   user = vmail
>>> }
>>> service quota-status {
>>>   client_limit = 1
>>>   executable = quota-status -p postfix
>>>   inet_listener {
>>>     port = 12340
>>>   }
>>> }
>>> service quota-warning {
>>>   executable = /etc/dovecot/quota-warning.sh
>>>   user = vmail
>>> }
>>> ssl = required
>>> ssl_cert =

-- 
Steffen Kaiser
RE: service-specific userdb affecting lmtp, quota-service
On Tue, 2 Aug 2016, Michael Fox wrote:

> Update:
>
> I was able to eliminate the /var/log/mail.err error messages (shown below)
> by creating a userdb.quota-status and userdb.lmtp passwd-file. However,
> since userdb.pop3 and userdb.imap will have different extra-fields values
> for namespace (different namespace/xxx/inbox=yes values) I can't simply
> create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and
> userdb.imap. At a minimum, the extra-fields namespace info has to be left
> out.

do LMTP and Quota-status fail, if you symlink them to the imap version?

> So this creates the question: For each service, which fields does the
> userdb need to contain? I can't find that documented anywhere.
>
> For example, for the quota-status service, I presume the following are
> needed:
> -- username
> -- home directory (since mail_location = maildir:~/Maildir)
> -- any "quota=" overrides in the extra-fields
> -- nothing else
>
> Is that right?
>
> And I presume userdb.lmtp needs to return:
> -- username
> -- home directory (since mail_location = maildir:~/Maildir)
> -- nothing else
>
> Is that right?
>
> Thanks,
> Michael
>
>> -----Original Message-----
>>
>> The service specific passwd-file userdb is causing quota-status and lmtp
>> to fail.
>>
>> Using:
>> userdb {
>>   args = ... /etc/dovecot/auth.d/%d/userdb.%s
>> }
>>
>> I'm getting the following in /var/log/mail.err when I try to send/receive
>> mail:
>>
>> Aug 1 15:46:57 n6mef-gw dovecot: auth: Error:
>> passwd-file(mef...@email.n6mef.org):
>> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.quota-status) failed:
>> Address family not supported by protocol
>> Aug 1 15:47:08 n6mef-gw dovecot: auth: Error:
>> passwd-file(mef...@email.n6mef.org):
>> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.lmtp) failed: Address
>> family not supported by protocol
>>
>> I don't have a userdb.quota-status or userdb.lmtp.
>>
>> Is there something else that needs to be in the configuration to prevent
>> these services from needing their own userdb?
>> Thanks,
>> Michael

-- 
Steffen Kaiser
Re: "Plaintext authentication disallowed on non-secure (SSL/TLS) connections" despite correct configuration to allow this
Hello,

talking to oneself seems to be all the rage on this ML, so I shall join that trend.

As it turns out this was a case of slightly muddled/unclear error messages, the client sees:
---
-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
---
But the actual issue was that the newly added "login_source_ips" (the main reason for this upgrade, as we're running out of ports) was not in the "trusted_networks" of the target mailbox server.
So the failure was between proxy and mailbox server, not client and proxy.

After adding that network all is working now as expected.

Christian

On Tue, 2 Aug 2016 16:02:34 +0900 Christian Balzer wrote:

>
> Hello,
>
> this is basically a repeat of this query from last year, which
> unfortunately got a deafening silence for replies:
> ---
> http://dovecot.org/pipermail/dovecot/2015-August/101720.html
> ---
>
> I have mostly 2.1.7 (Debian Wheezy) mailbox servers and the current proxies
> are also of that vintage.
>
> So with "ssl=yes" and "disable_plaintext_auth=no" plaintext logins work,
> as per the documentation
> (http://wiki2.dovecot.org/SSL/DovecotConfiguration)
> and historically expected.
>
> Trying to use a 2.2.24 (Debian Jessie backports) dovecot proxy with the
> same parameters fails like this:
> ---
> Aug 2 15:45:57 smtp12 dovecot: pop3-login: proxy(chibi...@gol.com): Login
> failed to mbxx.xxx.gol.com:110: Plaintext authentication disallowed on
> non-secure (SSL/TLS) connections.: user=, method=PLAIN,
> rip=x.x.x.x, lip=x.x.x.x, pid=16066
> ---
>
> Changing things to "ssl=no" doesn't help and setting trusted networks only
> changes the last bit to have "secured" appended but still fails the same
> otherwise.
>
> I really need 2.2.x to behave the same way as before and documented.
>
> Any ideas and feedback would be most welcome.
>
> Regards,
>
> Christian

-- 
Christian Balzer               Network/Systems Engineer
ch...@gol.com                  Global OnLine Japan/Rakuten Communications
http://www.gol.com/
Re: SSL connection reset by peer
On 07/27/2016 11:55 PM, Vince42 wrote:
> Hi,
>
> [Steffen Kaiser] - [2016-07-26 09:05]
>>> I am running a dovecot server and have set up an external monitoring,
>>> where every five minutes a login with SSL on port 993 is done. I usually
>>> get once a day an error "connection reset by peer - SSL connect", which
>>> goes away until the next monitor is executed.
>>
>> that looks like a basic networking issue to me. Do you have logs how many
>> users try to connect at this time? Is it always the same time range? Is
>> the server load very high?
>
> My server has nice specs (in fact a 30 times lower scaled server never had
> this kind of problems), I also don't host many domains and users, therefore
> I doubt that some kind of limit might be touched. I also suspected some
> internal system load, but unfortunately the error occurs arbitrarily, which
> makes me think that no scheduled process is responsible for this. I also
> ran 'top' during such an event without any obvious load tasks. The system
> statistics also show no weird peaks. I read about the "running out of
> random" phenomenon, but during such an event there were still enough
> resources random-wise.
>
>> what about the network itself? Does the monitor cross a firewall?
>
> I do not know all the details about my provider's data center, but the
> monitor is an internal one running on one of their machines in their
> infrastructure. I therefore doubt that this error could be related to some
> network issue. The monitor just makes a normal IMAP login and fails with
> the SSL error - and a few minutes later everything is fine again.
>
>>> Could it be that I need to offer more login processes or that I should
>>> raise some of my configuration values? The mail_max_userip_connections
>>> does not seem to solve the problem.
>>
>> usually you get some warning in the logs, if such limit is reached.
>
> I desperately searched all kinds of logs - but nothing indicates a problem
> that would explain these arbitrary logon errors.
>
> I always thought that I should be more generous with login processes or
> other system resources in order to overcome this - but it seems that I am
> on the wrong track, if my doveconf -n does not show any oddities. I fear I
> will have to accept this error as being "normal" - which is really odd as
> my former server ran for years with the same config without any warning at
> all. Maybe the next will do it again ... :)))

Hi Vince,

just a shot into the dark: if you are running out of entropy, you might get SSL errors. If this is a virtual machine, there are not many entropy sources. Consider installing alternative entropy sources like haveged(*), available in many distro repos.

Regards,
Olaf

(*) http://www.issihosts.com/haveged/

-- 
Karlsruher Institut für Technologie (KIT)
ATIS - Dept. of Technical Infrastructure, Faculty of Informatics
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: olaf.h...@kit.edu
www.atis.informatik.kit.edu
www.kit.edu
KIT - The Research University in the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
RE: service-specific userdb affecting lmtp, quota-service
Update:

I was able to eliminate the /var/log/mail.err error messages (shown below) by creating a userdb.quota-status and userdb.lmtp passwd-file. However, since userdb.pop3 and userdb.imap will have different extra-fields values for namespace (different namespace/xxx/inbox=yes values) I can't simply create userdb.quota-status and userdb.lmtp as the union of userdb.pop3 and userdb.imap. At a minimum, the extra-fields namespace info has to be left out.

So this creates the question: For each service, which fields does the userdb need to contain? I can't find that documented anywhere.

For example, for the quota-status service, I presume the following are needed:
-- username
-- home directory (since mail_location = maildir:~/Maildir)
-- any "quota=" overrides in the extra-fields
-- nothing else

Is that right?

And I presume userdb.lmtp needs to return:
-- username
-- home directory (since mail_location = maildir:~/Maildir)
-- nothing else

Is that right?

Thanks,
Michael

> -----Original Message-----
>
> The service specific passwd-file userdb is causing quota-status and lmtp
> to fail.
>
> Using:
> userdb {
>   args = ... /etc/dovecot/auth.d/%d/userdb.%s
> }
>
> I'm getting the following in /var/log/mail.err when I try to send/receive
> mail:
>
> Aug 1 15:46:57 n6mef-gw dovecot: auth: Error:
> passwd-file(mef...@email.n6mef.org):
> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.quota-status) failed:
> Address family not supported by protocol
> Aug 1 15:47:08 n6mef-gw dovecot: auth: Error:
> passwd-file(mef...@email.n6mef.org):
> stat(/etc/dovecot/auth.d/email.n6mef.org/userdb.lmtp) failed: Address
> family not supported by protocol
>
> I don't have a userdb.quota-status or userdb.lmtp.
>
> Is there something else that needs to be in the configuration to prevent
> these services from needing their own userdb?
>
> Thanks,
> Michael
>
>
> $ doveconf -n
> # 2.2.9: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-76-generic x86_64 Ubuntu 14.04.4 LTS
> auth_mechanisms = cram-md5
> auth_verbose = yes
> mail_gid = vmail
> mail_location = maildir:~/Maildir
> mail_plugins = " quota"
> mail_uid = vmail
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   args = /etc/dovecot/deny-users
>   deny = yes
>   driver = passwd-file
> }
> passdb {
>   args = scheme=cram-md5 username_format=%n /etc/dovecot/auth.d/%d/passdb
>   driver = passwd-file
> }
> plugin {
>   quota = maildir:User quota
>   quota_grace = 10%%
>   quota_rule = *:storage=50MB
>   quota_rule2 = Trash:storage=+10%%
>   quota_status_nouser = DUNNO
>   quota_status_overquota = 552 5.2.2 Mailbox is full
>   quota_status_success = DUNNO
>   quota_status_toolarge = 552 5.2.3 Message is too large
>   quota_warning = storage=90%% quota-warning 90 %n %d
>   quota_warning2 = storage=75%% quota-warning 75 %n %d
> }
> pop3_lock_session = yes
> protocols = pop3 imap lmtp
> service auth {
>   unix_listener /var/spool/postfix/private/dovecot-auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0600
>     user = vmail
>   }
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service pop3 {
>   executable = pop3 postlogin
>   process_limit = 25
> }
> service postlogin {
>   executable = script-login /etc/dovecot/postlogin.sh
>   group = vmail
>   user = vmail
> }
> service quota-status {
>   client_limit = 1
>   executable = quota-status -p postfix
>   inet_listener {
>     port = 12340
>   }
> }
> service quota-warning {
>   executable = /etc/dovecot/quota-warning.sh
>   user = vmail
> }
> ssl = required
> ssl_cert =
> ssl_key =
> ssl_protocols = !SSLv2 !SSLv3
> userdb {
>   args = username_format=%n /etc/dovecot/auth.d/%d/userdb.%s
>   default_fields = home=/var/vmail/%d/%n
>   driver = passwd-file
> }
> verbose_ssl = yes
> protocol lmtp {
>   postmaster_address = x
> }
> protocol imap {
>   mail_max_userip_connections = 10
> }
> protocol pop3 {
>   mail_max_userip_connections = 1
> }
> remote 192.168.7.0/24/24 {
>   ssl = yes
> }
> remote 192.168.7.0/27/27 {
>   ssl = no
> }
> $
Error: Timeout (180s) while waiting for lock for transaction log file dovecot.index.log
Hi,

our maildir store is on a NFS share which was working fine for some time with the recommended setting from the dovecot wiki; suddenly today I got informed that one user has login problems to his mails and I have some messages in the logs:

Error: Timeout (180s) while waiting for lock for transaction log file ../Maildir/dovecot.index.log

My current guess is a hiccup in the network during a router configuration this weekend.

My question: How to solve the problem? I can restart the nfs service/server later this day, as well as the mailserver ... as there is a kernel update too. Do I have to initiate some resync or deletion of index or whatsoever files?

Thanks for any feedback and regards.

Götz
Re: [BUG] auth_bind with "()#<>"\:," in username not working
sorry forgot password for all test users is "insecure" and you´ll need the function in the header too diff --git a/src/auth/db-ldap.h b/src/auth/db-ldap.h index 8a51081..82ed1b3 100644 --- a/src/auth/db-ldap.h +++ b/src/auth/db-ldap.h @@ -197,6 +197,8 @@ void db_ldap_enable_input(struct ldap_connection *conn, bool enable); const char *ldap_escape(const char *str, const struct auth_request *auth_request); +const char *ldapdn_escape(const char *str, + const struct auth_request *auth_request); const char *ldap_get_error(struct ldap_connection *conn); struct db_ldap_result_iterate_context * On Tue, 2 Aug 2016 14:32:48 +0200 Matthias Lay wrote: > Hi once again, replying to myself > > > I think I tracked down the problem with a local openldap server. > > IMO the point is, you are using a ldap search escaping for a DN > Request which needs another kind of escaping. > the '(' worked well with my NULL-Patch because '(' is a char that > needs escaping for a search filter but not for DN. > > I experienced some more problems with users containing a '+', '<' for > example. so I googled a bit and found this one. > > http://www.openldap.org/lists/openldap-software/200407/msg00722.html > > So you might be missing (or I didnt find it) a special DN escaping > function. I added one in the following patch and all the special chars > seems to work find in the bind AND search requests. > > > > diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c > index 1476fa9..e9218ca 100644 > --- a/src/auth/db-ldap.c > +++ b/src/auth/db-ldap.c 
> @@ -1423,6 +1422,35 @@ db_ldap_value_get_var_expand_table(struct > auth_request *auth_request, return table; > } > > + > +#define IS_LDAPDN_ESCAPED_CHAR(c) \ > + ((c) == '"' || (c) == '+' || (c) == ',' || (c) == '\\' || (c) > == '<' || (c) == '>' || (c) == ';') + > +const char *ldapdn_escape(const char *str, > + const struct auth_request *auth_request > ATTR_UNUSED) +{ > + const char *p; > + string_t *ret; > + > + for (p = str; *p != '\0'; p++) { > + if (IS_LDAPDN_ESCAPED_CHAR(*p)) > + break; > + } > + > + if (*p == '\0') > + return str; > + > + ret = t_str_new((size_t) (p - str) + 64); > + str_append_n(ret, str, (size_t) (p - str)); > + > + for (; *p != '\0'; p++) { > + if (IS_LDAPDN_ESCAPED_CHAR(*p)) > + str_append_c(ret, '\\'); > + str_append_c(ret, *p); > + } > + return str_c(ret); > +} > + > #define IS_LDAP_ESCAPED_CHAR(c) \ > ((c) == '*' || (c) == '(' || (c) == ')' || (c) == '\\') > > > > > > diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c > index c1c2544..5629d85 100644 > --- a/src/auth/passdb-ldap.c > +++ b/src/auth/passdb-ldap.c 
> @@ -367,7 +374,7 @@ ldap_verify_plain_auth_bind_userdn(struct > auth_request *auth_request, > brequest->request.type = LDAP_REQUEST_TYPE_BIND; > > - vars = auth_request_get_var_expand_table(auth_request, > ldap_escape); > + vars = auth_request_get_var_expand_table(auth_request, > ldapdn_escape); > dn = t_str_new(512); > var_expand(dn, conn->set.auth_bind_userdn, vars); > > > > > > an ldif file for testing. > add them with > # slapadd -l filename > > > # cat user.ldif > dn: dc=uma,dc=local > dc: uma > objectClass: dcObject > objectClass: domain > structuralObjectClass: domain > entryUUID: 5cdda309-7ad5-4b03-b981-784c1b7ec27e > creatorsName: cn=admin,dc=uma,dc=local > createTimestamp: 20160729231019Z > entryCSN: 20160729231019.057480Z#00#000#00 > modifiersName: cn=admin,dc=uma,dc=local > modifyTimestamp: 20160729231019Z > > dn: ou=users,dc=uma,dc=local > ou: users > objectClass: organizationalUnit > structuralObjectClass: organizationalUnit > entryUUID: cc56753d-09aa-404a-8446-5d0bf75531a3 > creatorsName: cn=admin,dc=uma,dc=local > createTimestamp: 20160729231019Z > entryCSN: 20160729231019.147739Z#00#000#00 > modifiersName: cn=admin,dc=uma,dc=local > modifyTimestamp: 20160729231019Z > > dn: uid=s\+schmidt,ou=users,dc=uma,dc=local > givenName: Stefan > uid: s+schmidt > sn: Schmidt > mail:: cy5zY2htaWR0QHR0dC1wb2ludC5sb2NhbA0= > cn: Stefan Schmidt > objectClass: person > objectClass: inetOrgPerson > userPassword:: aW5zZWN1cmU= > structuralObjectClass: inetOrgPerson > entryUUID: fffad6fe-d083-4ab9-b6c2-da82067d510b > creatorsName: cn=admin,dc=uma,dc=local > createTimestamp: 20160729231039Z > entryCSN: 20160729231039.234641Z#00#000#00 > modifiersName: cn=admin,dc=uma,dc=local > modifyTimestamp: 20160729231039Z > > dn: uid=m\\mueller,ou=users,dc=uma,dc=local > givenName: Melanie > uid: m\mueller > sn: Mueller > mail:: bS5tdWVsbGVyQHR0dC1wb2ludC5sb2NhbA0= > cn: Melanie Mueller > objectClass: person > objectClass: inetOrgPerson > userPassword:: aW5zZWN1cmU= > 
structuralObjectClass: inetOrgPerson > entryUUID:
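Review bot: the new ldapdn_escape() prototype in db-ldap.h sits directly under ldap_escape() with no comment saying which escaping each one applies, although the whole point of the patch is that DN values and search-filter values need different escaping. A one-line comment on each declaration (ldap_escape: search filter assertion values; ldapdn_escape: attribute values inside a DN, as used when expanding auth_bind_userdn) would stop the next caller from picking the wrong one.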
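The distinction the thread draws, search-filter escaping versus DN escaping, carried through as an added example (not Dovecot's code): filter escaping follows RFC 4515, DN escaping follows RFC 4514, and the usernames are the test accounts from the ldif above plus two constructed positional cases. Function names and the template strings are assumptions made for the example.

```python
"""The two LDAP escapings the thread contrasts (added example, not Dovecot
code): filter escaping per RFC 4515 for values inside a search filter, and
DN escaping per RFC 4514 for values inside a bind DN such as the one
auth_bind_userdn expands to."""

# RFC 4515: inside a filter these become \XX hex escapes.
_FILTER_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}

# RFC 4514 section 2.4: always backslash-escaped inside a DN value.
_DN_SPECIAL = set('"+,;<>\\')


def ldap_filter_escape(value: str) -> str:
    """Escape a value for a search filter like (uid=%u)."""
    return "".join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def ldap_dn_escape(value: str) -> str:
    """Escape a value for a DN like uid=%u,ou=users,dc=uma,dc=local.
    Besides the fixed set, RFC 4514 requires escaping a leading '#' or
    space, a trailing space, and NUL; these positional cases are easy to
    forget when porting filter-escaping code."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append(r"\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(uid: str, base: str = "ou=users,dc=uma,dc=local") -> str:
    """What a template of uid=%u,<base> expands to with DN escaping; the
    base DN is the one from the thread's test ldif."""
    return f"uid={ldap_dn_escape(uid)},{base}"


def search_filter(uid: str) -> str:
    """What a template of (uid=%u) expands to with filter escaping."""
    return f"(uid={ldap_filter_escape(uid)})"


if __name__ == "__main__":
    # The thread's test accounts plus two constructed positional cases.
    for uid in ("s+schmidt", "m\\mueller", "k(lammer", "g>ross", "#hash", " lead"):
        print(f"{uid!r:14} DN: {bind_dn(uid):45} filter: {search_filter(uid)}")
```

The DN column for s+schmidt, m\mueller, k(lammer and g>ross reproduces the dn: lines of the ldif, which is the quickest check that a DN escaper is right.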
[BUG] auth_bind with "()#<>"\:," in username not working
Hi once again, replying to myself I think I tracked down the problem with a local openldap server. IMO the point is, you are using a ldap search escaping for a DN Request which needs another kind of escaping. the '(' worked well with my NULL-Patch because '(' is a char that needs escaping for a search filter but not for DN. I experienced some more problems with users containing a '+', '<' for example. so I googled a bit and found this one. http://www.openldap.org/lists/openldap-software/200407/msg00722.html So you might be missing (or I didnt find it) a special DN escaping function. I added one in the following patch and all the special chars seems to work find in the bind AND search requests. diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c index 1476fa9..e9218ca 100644 --- a/src/auth/db-ldap.c +++ b/src/auth/db-ldap.c @@ -1423,6 +1422,35 @@ db_ldap_value_get_var_expand_table(struct auth_request *auth_request, return table; } + +#define IS_LDAPDN_ESCAPED_CHAR(c) \ + ((c) == '"' || (c) == '+' || (c) == ',' || (c) == '\\' || (c) == '<' || (c) == '>' || (c) == ';') + +const char *ldapdn_escape(const char *str, + const struct auth_request *auth_request ATTR_UNUSED) +{ + const char *p; + string_t *ret; + + for (p = str; *p != '\0'; p++) { + if (IS_LDAPDN_ESCAPED_CHAR(*p)) + break; + } + + if (*p == '\0') + return str; + + ret = t_str_new((size_t) (p - str) + 64); + str_append_n(ret, str, (size_t) (p - str)); + + for (; *p != '\0'; p++) { + if (IS_LDAPDN_ESCAPED_CHAR(*p)) + str_append_c(ret, '\\'); + str_append_c(ret, *p); + } + return str_c(ret); +} + #define IS_LDAP_ESCAPED_CHAR(c) \ ((c) == '*' || (c) == '(' || (c) == ')' || (c) == '\\') diff --git a/src/auth/passdb-ldap.c b/src/auth/passdb-ldap.c index c1c2544..5629d85 100644 --- a/src/auth/passdb-ldap.c +++ b/src/auth/passdb-ldap.c 
@@ -367,7 +374,7 @@ ldap_verify_plain_auth_bind_userdn(struct auth_request *auth_request, brequest->request.type = LDAP_REQUEST_TYPE_BIND; - vars = auth_request_get_var_expand_table(auth_request, ldap_escape); + vars = auth_request_get_var_expand_table(auth_request, ldapdn_escape); dn = t_str_new(512); var_expand(dn, conn->set.auth_bind_userdn, vars); an ldif file for testing. add them with # slapadd -l filename # cat user.ldif dn: dc=uma,dc=local dc: uma objectClass: dcObject objectClass: domain structuralObjectClass: domain entryUUID: 5cdda309-7ad5-4b03-b981-784c1b7ec27e creatorsName: cn=admin,dc=uma,dc=local createTimestamp: 20160729231019Z entryCSN: 20160729231019.057480Z#00#000#00 modifiersName: cn=admin,dc=uma,dc=local modifyTimestamp: 20160729231019Z dn: ou=users,dc=uma,dc=local ou: users objectClass: organizationalUnit structuralObjectClass: organizationalUnit entryUUID: cc56753d-09aa-404a-8446-5d0bf75531a3 creatorsName: cn=admin,dc=uma,dc=local createTimestamp: 20160729231019Z entryCSN: 20160729231019.147739Z#00#000#00 modifiersName: cn=admin,dc=uma,dc=local modifyTimestamp: 20160729231019Z dn: uid=s\+schmidt,ou=users,dc=uma,dc=local givenName: Stefan uid: s+schmidt sn: Schmidt mail:: cy5zY2htaWR0QHR0dC1wb2ludC5sb2NhbA0= cn: Stefan Schmidt objectClass: person objectClass: inetOrgPerson userPassword:: aW5zZWN1cmU= structuralObjectClass: inetOrgPerson entryUUID: fffad6fe-d083-4ab9-b6c2-da82067d510b creatorsName: cn=admin,dc=uma,dc=local createTimestamp: 20160729231039Z entryCSN: 20160729231039.234641Z#00#000#00 modifiersName: cn=admin,dc=uma,dc=local modifyTimestamp: 20160729231039Z dn: uid=m\\mueller,ou=users,dc=uma,dc=local givenName: Melanie uid: m\mueller sn: Mueller mail:: bS5tdWVsbGVyQHR0dC1wb2ludC5sb2NhbA0= cn: Melanie Mueller objectClass: person objectClass: inetOrgPerson userPassword:: aW5zZWN1cmU= structuralObjectClass: inetOrgPerson entryUUID: 6e1a3a14-dd75-4766-a308-44a8437a0139 creatorsName: cn=admin,dc=uma,dc=local createTimestamp: 
20160729231039Z entryCSN: 20160729231039.308360Z#00#000#00 modifiersName: cn=admin,dc=uma,dc=local modifyTimestamp: 20160729231039Z dn: uid=k(lammer,ou=users,dc=uma,dc=local givenName: karl uid: k(lammer sn: klammer mail:: a0BzcGRldi5sb2NhbA0= cn: karl klammer objectClass: person objectClass: inetOrgPerson userPassword:: aW5zZWN1cmU= structuralObjectClass: inetOrgPerson entryUUID: b5a26caf-62b1-4cf5-985c-3167424d90c7 creatorsName: cn=admin,dc=uma,dc=local createTimestamp: 20160729231039Z entryCSN: 20160729231039.315462Z#00#000#00 modifiersName: cn=admin,dc=uma,dc=local modifyTimestamp: 20160729231039Z dn: uid=g\>ross,ou=users,dc=uma,dc=local givenName: v uid: g>ross sn: n mail:: Z0BzcGRldi5sb2NhbA0= cn: v n objectClass: person objectClass: inetOrgPerson userPassword:: aW5zZWN1cmU= structuralObjectClass: inetOrgPerson entryUUID: fb7ad7cc-a028-444c-8109-cfe9dd182b0b creators
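Review bot: IS_LDAPDN_ESCAPED_CHAR in the new ldapdn_escape() only covers `"`, `+`, `,`, `\`, `<`, `>` and `;`, so the positional cases of DN escaping are still missed: a leading `#` or space and a trailing space must also be escaped, and a NUL byte cannot be represented with a plain backslash. The subject line lists `#` among the failing characters, and a uid starting with `#` still passes through unchanged (the early `return str` fast path sees no special character), giving a DN the server reads as a hexstring value. Suggest checking the first and last character separately, e.g. `if (*str == '#' || *str == ' ') str_append_c(ret, '\\');` before the main loop, disabling the fast path in that case, and adding such a user to the test ldif.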
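Review bot: the hunk header `@@ -367,7 +374,7 @@` (like `-1423,6 +1422,35` in db-ldap.c) shows the diff was taken on top of the local NULL-patch mentioned earlier in the thread, so it will not apply cleanly to upstream src/auth/passdb-ldap.c; please regenerate it against a clean tree. The change itself is narrowly scoped, only the auth_bind_userdn expansion switches from ldap_escape to ldapdn_escape, and that deserves a short comment at the call site saying why this var table must not be reused for filter expansion.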
"Plaintext authentication disallowed on non-secure (SSL/TLS) connections" despite correct configuration to allow this
Hello,

this is basically a repeat of this query from last year, which unfortunately got a deafening silence for replies:
---
http://dovecot.org/pipermail/dovecot/2015-August/101720.html
---

I have mostly 2.1.7 (Debian Wheezy) mailbox servers and the current proxies are also of that vintage.

So with "ssl=yes" and "disable_plaintext_auth=no" plaintext logins work, as per the documentation (http://wiki2.dovecot.org/SSL/DovecotConfiguration) and historically expected.

Trying to use a 2.2.24 (Debian Jessie backports) dovecot proxy with the same parameters fails like this:
---
Aug 2 15:45:57 smtp12 dovecot: pop3-login: proxy(chibi...@gol.com): Login failed to mbxx.xxx.gol.com:110: Plaintext authentication disallowed on non-secure (SSL/TLS) connections.: user=, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, pid=16066
---

Changing things to "ssl=no" doesn't help and setting trusted networks only changes the last bit to have "secured" appended but still fails the same otherwise.

I really need 2.2.x to behave the same way as before and documented.

Any ideas and feedback would be most welcome.

Regards,

Christian

-- 
Christian Balzer               Network/Systems Engineer
ch...@gol.com                  Global OnLine Japan/Rakuten Communications
http://www.gol.com/