Re: Howto authenticate smartPhone via Active Directory

2017-12-03 Thread Mark Foley
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with AD.

However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user  - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input: 
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials: 
Dec 03 18:56:32 auth: Debug: client passdb out: OK  1   user=charmaine  original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001  14902   1   586863e54c57c999ee5731906a59257csession_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): username changed charmaine -> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER1884160001  HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003gid=1   home=/home/HPRS/charmaine   auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds. Is there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

--Mark

-Original Message-
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi 
To: Mark Foley , dovecot@dovecot.org

with passdb ldap i guess.

---Aki Tuomi
Dovecot oy

 Original message 
From: Mark Foley  
Date: 03/12/2017  21:18  (GMT+02:00) 
To: dovecot@dovecot.org 
Subject: Re: Howto authenticate smartPhone via Active Directory 

Yes, you are right. This link: 
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-Original Message-
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi 
> To: Mark Foley , dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from 
> shadow. maybe you need to configure pam module?
> ---Aki Tuomi
> Dovecot oy
>
>  Original message 
> From: Mark Foley  
> Date: 03/12/2017  06:03  (GMT+02:00) 
> To: dovecot@dovecot.org 
> Subject: Howto authenticate smartPhone via Active Directory 

> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with 
> domain credentials
> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt 
> authentication via
> shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain 
> members so if the
> shadow authentication fails, no other methods are tried and no 

Re: Recommended tool for migrating IMAP servers

2017-12-03 Thread x9p
Hi,

I vouch for imapsync. Have used it in the past with quite a big amount of
emails.

cheers.

x0p

> Hi Friends,
> I would like to ask you a suggestion:
> I need to migrate an imap server to a new one and then dismiss the old
> one.
> Reading from relative Dovecot documentation page
> (https://wiki.dovecot.org/Migration), more tools are shown:
>
> UW-IMAP's mailutil, imapsync, YippieMove and Larch.
>
> Each mail server is Linux based; one of them (mine) is Dovecot.
> Based on your experience which of these tools would be preferable to
> use?
>
>
> Thank you very much
>
> Davide
>

Recommended tool for migrating IMAP servers

2017-12-03 Thread Davide Marchi

Hi Friends,
I would like to ask you a suggestion:
I need to migrate an imap server to a new one and then dismiss the old one.
Reading from the relative Dovecot documentation page (https://wiki.dovecot.org/Migration), more tools are shown:

UW-IMAP's mailutil, imapsync, YippieMove and Larch.

Each mail server is Linux based; one of them (mine) is Dovecot.
Based on your experience, which of these tools would be preferable to use?

Thank you very much

Davide


Re: Howto authenticate smartPhone via Active Directory

2017-12-03 Thread Aki Tuomi
with passdb ldap i guess.

---Aki Tuomi
Dovecot oy

 Original message 
From: Mark Foley 
Date: 03/12/2017  21:18  (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link: 
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-Original Message-
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi 
> To: Mark Foley , dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from 
> shadow. maybe you need to configure pam module?
> ---Aki Tuomi
> Dovecot oy
>
>  Original message 
> From: Mark Foley  
> Date: 03/12/2017  06:03  (GMT+02:00) 
> To: dovecot@dovecot.org 
> Subject: Howto authenticate smartPhone via Active Directory 

> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with 
> domain credentials
> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt 
> authentication via
> shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain 
> members so if the
> shadow authentication fails, no other methods are tried and no connection is 
> made. 
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 4.4.88 x86_64 Slackware 14.2 
> auth_debug = yes
> auth_debug_passwords = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
> auth_username_format = %n
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = 
>  ssl_key =  userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark


Re: Howto authenticate smartPhone via Active Directory

2017-12-03 Thread Mark Foley
Yes, you are right. This link: 
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-Original Message-
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi 
> To: Mark Foley , dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from 
> shadow. maybe you need to configure pam module?
> ---Aki Tuomi
> Dovecot oy
>
>  Original message 
> From: Mark Foley  
> Date: 03/12/2017  06:03  (GMT+02:00) 
> To: dovecot@dovecot.org 
> Subject: Howto authenticate smartPhone via Active Directory 

> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with 
> domain credentials
> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt 
> authentication via
> shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain 
> members so if the
> shadow authentication fails, no other methods are tried and no connection is 
> made. 
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 4.4.88 x86_64 Slackware 14.2 
> auth_debug = yes
> auth_debug_passwords = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
> auth_username_format = %n
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = 
>  ssl_key =  userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark


Re: Upgrade to 2.2.32 from 2.2.15 failed

2017-12-03 Thread Mark Foley
On Sat, 25 Nov 2017 10:13:58 +0200 (EET) Aki Tuomi  wrote:
>
> > On November 25, 2017 at 7:04 AM Mark Foley  wrote:
> > 
> > I have a problem. I have been running Dovecot 2.2.15 and I'd like to 
> > upgrade. My distro
> > (Slackware) has dovecot 2.2.32 available. I downloaded and installed that, 
> > but it didn't work.
> > No one was able to get messages from the dovecot server on their 
> > workstations. The following is
> > the entire dovecot log file from startup to the last message generated. No 
> > more messages went
> > into the logfile after line 76, even with clients trying to connect. The 
> > 174.233.134.88 IP is
> > from an external user connecting from his iPhone. The normal successful 
> > message from this user
> > are shown at bottom.
> > 
> > I'm suspecting something to do with line 18 where it says "Auth process 
> > broken." If anyone has
> > any insight I'd deeply appreciate it as I'd love to upgrade.
> > 
> > THX -- Mark
> >
>
> Can you try adding
>
> service auth {
>   executable = strace -o /tmp/auth.trace /usr/libexec/dovecot/auth
> }
>
> and see if it gives any insight why it dies?
>
> Aki
>

The problem was that I did an install from sbopkg which downloads and installs the package in the SlackBuilds repository. This mechanism does not easily allow setting options. I needed to have the --with-gssapi=yes option set.

So, I just downloaded directly from http://www.dovecot.org/releases/2.2/dovecot-2.2.33.2.tar.gz and did:

./configure --with-gssapi=yes
make
make install

and everything appears to be working fine!

--Mark


Dovecot (doveadm, ssl, sync) - SSL error

2017-12-03 Thread Arkadiusz Majewski
Hello!

I've got a problem running syncing between both dovecot services on separate servers. The error indicates a problem with SSL.

Directly using the openssl command to connect from one server to the other and vice versa passes without any errors.

OS: FreeBSD 11.1-RELEASE-p4
Dovecot: 2.2.33.2_2 and the older one dovecot-2.2.32.1_1 (or similar) - built by ports.
OpenSSL: 1.0.2k-freebsd 26 Jan 2017

dovecot: doveadm(10.18.1.15): Error: doveadm client disconnected before handshake: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

dovecot.conf (on both servers):

mail_plugins = $mail_plugins notify replication

service replicator {
  process_min_avail = 1
}

service aggregator {
  fifo_listener replication-notify-fifo {
    user = dovecot
  }
  unix_listener replication-notify {
    user = dovecot
  }
}

service replicator {
  unix_listener replicator-doveadm {
    mode = 0600
  }
}

replication_max_conns = 10

service doveadm {
  inet_listener {
    port = 12130
    ssl = yes
  }
}

ssl = required
ssl_protocols = SSLv3 TLSv1 TLSv1.1 TLSv1.2
ssl_cert = 

doveadm with 2-level user/domain quotas scheme

2017-12-03 Thread Max Kostikov

Hi!

I believe now is the right time to return to the previous discussion about Dovecot's 2-level user/domain quota scheme, which finished here: https://dovecot.org/pipermail/dovecot/2015-October/102346.html


Here is the configuration.

1. Dictionary storage placed in MySQL table "quota2"
root@localhost [(none)]> SHOW COLUMNS FROM quota2 FROM exim;
+----------+--------------+------+-----+---------+-------+
| Field    | Type         | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| username | varchar(100) | NO   | PRI | NULL    |       |
| bytes    | bigint(20)   | NO   |     | 0       |       |
| messages | int(11)      | NO   |     | 0       |       |
+----------+--------------+------+-----+---------+-------+
3 rows in set (0,00 sec)

2. Two types of quota - for domains with index "2" and for users without index.

...
plugin {
  quota = dict:user_quota::proxy::sqluserquota
  quota_rule2 = Trash:storage=+10%%
  quota_rule3 = Junk:storage=+10%%
  quota_warning = storage=100%% quota-exceeded 100 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=90%% quota-warning 90 %u
  quota_warning4 = storage=75%% quota-warning 75 %u
  quota2 = dict:domain_quota:%d:proxy::sqldomainquota
}
dict {
  sqluserquota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql-user.conf
  sqldomainquota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql-domain.conf
}
service dict {
  unix_listener dict {
  user = mailnull
  mode = 0660
  }
}
...

3. Both are stored in the same table, and the files "dovecot-dict-sql-user.conf" and "dovecot-dict-sql-domain.conf" are identical.


connect = host=localhost dbname=exim user=user password=password
map {
  pattern = priv/quota/storage
  table = quota2
  username_field = username
  value_field = bytes
}
map {
  pattern = priv/quota/messages
  table = quota2
  username_field = username
  value_field = messages
}

All quotas for users and domains are calculated correctly until "doveadm quota recalc" is used.


root@beta:~ # doveadm quota recalc -u foo@my.domain
root@beta:~ # doveadm quota get -u foo@my.domain
Quota name   Type    Value   Limit %
user_quota   STORAGE 7850978 -     0
user_quota   MESSAGE   32474 -     0
domain_quota STORAGE 7850978 -     0
domain_quota MESSAGE   32474 -     0


If we look at the MySQL table directly, the foo@my.domain quota was counted right, but the last user's data was copied into the domain's values.

...
root@localhost [exim]> SELECT * FROM quota2 WHERE username LIKE '%my.domain';
+----------------+------------+----------+
| username       | bytes      | messages |
+----------------+------------+----------+
| foo@my.domain  | 8039401321 |    32474 |
| my.domain      | 8039401321 |    32474 |
| john@my.domain | 3455382803 |    11142 |
| mary@my.domain |  544637146 |     1965 |
+----------------+------------+----------+
4 rows in set (0.00 sec)
...

Also you may see that "doveadm quota get" above gave wrong values. For a domain it produces empty output:


root@beta:~ # doveadm quota get -u my.domain
doveadm(my.domain): Error: User doesn't exist
Quota name Type Value Limit  
%


Then, if we try to calculate the quota for a domain or for all users (-A), it produces an error:


root@beta:~ # doveadm quota recalc -u my.domain
doveadm(my.domain): Error: User doesn't exist
root@beta:~ # doveadm quota recalc -A
Error: User listing returned failure
doveadm: Error: Failed to iterate through some users

So "doveadm quota" is almost useless for such a quota scheme except for a single user.
I wrote a small shell script "dovequota.sh" to resolve this issue, but I believe that doveadm needs to be fixed too (the script may be found here: https://kostikov.co/problemy-uchyota-domennoj-kvoty-v-dovecot-2).


--
With best regards,
Max Kostikov

BBM: 24CA5DF8 | W: https://kostikov.co


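To make the reconciliation visible, here is an added example (not Max's dovequota.sh, which is not on the page) that loads the four rows printed above into an in-memory SQLite copy of quota2, flags every domain row that differs from the sum of its users' rows, and rewrites it with the sums. The column layout follows the SHOW COLUMNS output; treating the per-user sum as the expected domain value is an assumption drawn from the dict quota adding each user's usage to the %d key.

```python
import sqlite3

# Rows as printed in the post after "doveadm quota recalc -u foo@my.domain":
# the my.domain row carries foo's numbers instead of the domain total.
ROWS_FROM_POST = [
    ("foo@my.domain", 8039401321, 32474),
    ("my.domain", 8039401321, 32474),
    ("john@my.domain", 3455382803, 11142),
    ("mary@my.domain", 544637146, 1965),
]


def load_quota2(rows):
    """In-memory quota2 with the columns shown by SHOW COLUMNS (SQLite types)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quota2 (username TEXT PRIMARY KEY,"
               " bytes INTEGER NOT NULL DEFAULT 0,"
               " messages INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO quota2 VALUES (?, ?, ?)", rows)
    db.commit()
    return db


# Domain rows have no '@'; a user belongs to the text after its '@'.
_DOMAIN_TOTALS = """
    SELECT d.username, d.bytes, d.messages,
           COALESCE(SUM(u.bytes), 0), COALESCE(SUM(u.messages), 0)
    FROM quota2 d
    LEFT JOIN quota2 u
      ON instr(u.username, '@') > 0
     AND substr(u.username, instr(u.username, '@') + 1) = d.username
    WHERE instr(d.username, '@') = 0
    GROUP BY d.username"""


def domain_discrepancies(db):
    """Return {domain: (stored_bytes, expected_bytes, stored_msgs, expected_msgs)}
    for every domain row that does not equal the sum of its users' rows."""
    out = {}
    for dom, stored_b, stored_m, sum_b, sum_m in db.execute(_DOMAIN_TOTALS):
        if (stored_b, stored_m) != (sum_b, sum_m):
            out[dom] = (stored_b, sum_b, stored_m, sum_m)
    return out


def repair_domain_rows(db):
    """Overwrite each wrong domain row with its users' totals; return the count."""
    bad = domain_discrepancies(db)
    db.executemany("UPDATE quota2 SET bytes = ?, messages = ? WHERE username = ?",
                   [(v[1], v[3], dom) for dom, v in bad.items()])
    db.commit()
    return len(bad)
```

Run against the live MySQL table the same two queries would do as a periodic integrity check after any "doveadm quota recalc".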


Re: Howto authenticate smartPhone via Active Directory

2017-12-03 Thread Aki Tuomi
Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?

---Aki Tuomi
Dovecot oy

 Original message 
From: Mark Foley 
Date: 03/12/2017  06:03  (GMT+02:00)
To: dovecot@dovecot.org
Subject: Howto authenticate smartPhone via Active Directory
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.

Smartphones connect to Dovecot via port 143 and SSL. They are not domain members, so if the shadow authentication fails, no other methods are tried and no connection is made.

What can I do with my dovecot config to fix this?

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =