Re: Variable expansion with variables containing '%' (ldap with 2.3.6)

2019-07-01 Thread Aki Tuomi via dovecot


On 2.7.2019 8.24, Aki Tuomi via dovecot wrote:
> On 1.7.2019 13.37, Matthias Lay via dovecot wrote:
>> On Mon, 1 Jul 2019 13:08:46 +0300 (EEST)
>> Aki Tuomi wrote:
>>
>>> Hi,
>>>
>>> there seems to be a problem when expanding variables containing a
>>> single '%' in value in dovecot V2.3.6
>>>
>>> having a user defined Variable in user_attrs like
>>>
>>> user_attrs = name=home=/maildir/%Ln,
>>> =myvar=path/%L{ldap:sAMAccountName}
>>>
>>>
>>> and sAMAccountName contains a '%', in my example "sonder%zeichen"
>>> leads to:
>>>
>>> lda(sonder%zeichen)<5723>: Fatal: Failed to
>>> expand plugin setting myvar = 'path/sonder%zeichen': Unknown
>>> variable '%z'
>>>
>>> same setup works with dovecot 2.2.29
>>>
>>> Any Feedback appreciated.
>>> Thanks.
>>> Matze
>>>
>>> You can use %% to escape a %
>>> ---
>>> Aki Tuomi
>>>
>> Hi Aki,
>>
>> nope this doesn't work. if I use 'sonder%%zeichen', the ldap lookup
>> searches for the User/Value "sonder%%zeichen" in ldap/AD, which fails, as
>> this user doesn't exist.
>>
>> and I can't escape the value in all cases anyway, as it's a remote
>> value, coming from the ldap server.
>>
>> seems to me the sequence of interpreting variables and modifiers changed
>> between 2.2 and 2.3
>> now it gets the variable value from remote in the first place, and
>> interprets the value itself for more variables or modifiers, which
>> might not be what you want.
>>
>> like in a subquery using
>>
>> @mail=%{ldap:mailDN}
>>
>> but I don't use subqueries. just a simple expansion
>>
>> =myvar=%{ldap:mailDN}
>>
>> any more ideas?
>>
>>
>>
>>
>>
> I have to investigate this a bit.
>
>
> Aki
>

Seems to be a bug of a kind. I'll open it in our issue tracker.

Aki



Re: Variable expansion with variables containing '%' (ldap with 2.3.6)

2019-07-01 Thread Aki Tuomi via dovecot


On 1.7.2019 13.37, Matthias Lay via dovecot wrote:
> On Mon, 1 Jul 2019 13:08:46 +0300 (EEST)
> Aki Tuomi wrote:
>
>> Hi,
>>
>> there seems to be a problem when expanding variables containing a
>> single '%' in value in dovecot V2.3.6
>>
>> having a user defined Variable in user_attrs like
>>
>> user_attrs = name=home=/maildir/%Ln,
>> =myvar=path/%L{ldap:sAMAccountName}
>>
>>
>> and sAMAccountName contains a '%', in my example "sonder%zeichen"
>> leads to:
>>
>> lda(sonder%zeichen)<5723>: Fatal: Failed to
>> expand plugin setting myvar = 'path/sonder%zeichen': Unknown
>> variable '%z'
>>
>> same setup works with dovecot 2.2.29
>>
>> Any Feedback appreciated.
>> Thanks.
>> Matze
>>
>> You can use %% to escape a %
>> ---
>> Aki Tuomi
>>
> Hi Aki,
>
> nope this doesn't work. if I use 'sonder%%zeichen', the ldap lookup
> searches for the User/Value "sonder%%zeichen" in ldap/AD, which fails, as
> this user doesn't exist.
>
> and I can't escape the value in all cases anyway, as it's a remote
> value, coming from the ldap server.
>
> seems to me the sequence of interpreting variables and modifiers changed
> between 2.2 and 2.3
> now it gets the variable value from remote in the first place, and
> interprets the value itself for more variables or modifiers, which
> might not be what you want.
>
> like in a subquery using
>
> @mail=%{ldap:mailDN}
>
> but I don't use subqueries. just a simple expansion
>
> =myvar=%{ldap:mailDN}
>
> any more ideas?
>
>
>
>
>

I have to investigate this a bit.


Aki



Re: Dovecot 2.3.0 TLS

2019-07-01 Thread Aki Tuomi via dovecot


On 2.7.2019 8.06, Peter via dovecot wrote:
>    On 11.01.2018 13:20, Hauke Fath wrote:
>    > On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>    >> Was the certificate path bundled in the server certificate?
>    > No, as a separate file, provided from the local (intermediate) CA:
>    >
>    > ssl_cert =
>    > ssl_key =
>    > ssl_ca =
>    >
>    > Worked fine with 2.2.x, 2.3 gives
>    >
>    > % openssl s_client -connect XXX:993
>    > CONNECTED(0006)
>    > depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>    > verify error:num=20:unable to get local issuer certificate
>    > verify return:1
>    > depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
>    > verify error:num=21:unable to verify the first certificate
>    > verify return:1
>    > ---
>    > Certificate chain
>    > 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>    > i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
>    > ---
>    > Server certificate
>    > -BEGIN CERTIFICATE-
>    > [...]
>    > %
>
>    Seems we might've made a unexpected change here when we revamped the ssl
>    code. Can you try if it works if you concatenate the cert and cert-chain
>    to single file? We'll start looking if this is misunderstanding or bug.
>
>    Aki
>
> -
>
> Hi Aki,
>
> I believe that Dovecot 2.3.6 sends only one certificate even though my
> Dovecot uses two concatenated certificates.
>
> Thanks for looking into this.
>
> Regards,
> Peter


Hi!

Can you provide readable output of

openssl s_client -connect host:993


Aki



Re: Re: Dovecot 2.3.0 TLS

2019-07-01 Thread Peter via dovecot

   On 11.01.2018 13:20, Hauke Fath wrote:
   > On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
   >> Was the certificate path bundled in the server certificate?
   > No, as a separate file, provided from the local (intermediate) CA:
   >
   > ssl_cert =
   > ssl_key =
   > ssl_ca =
   >
   > Worked fine with 2.2.x, 2.3 gives
   >
   > % openssl s_client -connect XXX:993
   > CONNECTED(0006)
   > depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
   > verify error:num=20:unable to get local issuer certificate
   > verify return:1
   > depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
   > verify error:num=21:unable to verify the first certificate
   > verify return:1
   > ---
   > Certificate chain
   > 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   > i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
   > ---
   > Server certificate
   > -BEGIN CERTIFICATE-
   > [...]
   > %

   Seems we might've made a unexpected change here when we revamped the ssl
   code. Can you try if it works if you concatenate the cert and cert-chain
   to single file? We'll start looking if this is misunderstanding or bug.

   Aki

-

Hi Aki,

I believe that Dovecot 2.3.6 sends only one certificate even though my 
Dovecot uses two concatenated certificates.


Thanks for looking into this.

Regards,
Peter


Re: Variable expansion with variables containing '%' (ldap with 2.3.6)

2019-07-01 Thread Matthias Lay via dovecot
On Mon, 1 Jul 2019 13:08:46 +0300 (EEST)
Aki Tuomi wrote:

> Hi,
> 
> there seems to be a problem when expanding variables containing a
> single '%' in value in dovecot V2.3.6
> 
> having a user defined Variable in user_attrs like
> 
> user_attrs = name=home=/maildir/%Ln,
> =myvar=path/%L{ldap:sAMAccountName}
> 
> 
> and sAMAccountName contains a '%', in my example "sonder%zeichen"
> leads to:
> 
> lda(sonder%zeichen)<5723>: Fatal: Failed to
> expand plugin setting myvar = 'path/sonder%zeichen': Unknown
> variable '%z'
> 
> same setup works with dovecot 2.2.29
> 
> Any Feedback appreciated.
> Thanks.
> Matze
> 
> You can use %% to escape a %
> ---
> Aki Tuomi
> 

Hi Aki,

nope this doesn't work. if I use 'sonder%%zeichen', the ldap lookup
searches for the User/Value "sonder%%zeichen" in ldap/AD, which fails, as
this user doesn't exist.

and I can't escape the value in all cases anyway, as it's a remote
value, coming from the ldap server.

seems to me the sequence of interpreting variables and modifiers changed
between 2.2 and 2.3
now it gets the variable value from remote in the first place, and
interprets the value itself for more variables or modifiers, which
might not be what you want.

like in a subquery using

@mail=%{ldap:mailDN}

but I don't use subqueries. just a simple expansion

=myvar=%{ldap:mailDN}

any more ideas?
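
The ordering problem described in the message above, as an added example that is not part of the original post and is not Dovecot's code: a toy expander for a small assumed subset of the `%` syntax (`%%`, `%x`, `%L`, `%{name}`), comparing one expansion pass with a second pass over the already-substituted value. All function names and the sample data are constructed for illustration.

```python
import re

class UnknownVariable(Exception):
    """Raised when a %token names a variable that is not defined."""

# Toy grammar: "%%" (literal percent), or an optional L (lowercase) modifier
# followed by {long:name} or a single-letter variable.
TOKEN = re.compile(r"%(?:(%)|(L?)(?:\{([^}]*)\}|([A-Za-z])))")

def expand_once(template, variables):
    """Single pass: substituted values are data and are never re-parsed."""
    def repl(m):
        if m.group(1):
            return "%"
        name = m.group(3) if m.group(3) is not None else m.group(4)
        if name not in variables:
            raise UnknownVariable(f"Unknown variable '%{name}'")
        value = variables[name]
        return value.lower() if m.group(2) else value
    return TOKEN.sub(repl, template)

def expand_twice(template, variables):
    """Two passes: the first result is parsed again as a template."""
    return expand_once(expand_once(template, variables), variables)

def expand_twice_escaped(template, variables):
    """Two passes, but every value has '%' doubled before the first pass,
    so the second pass turns '%%' back into a literal '%'."""
    escaped = {k: v.replace("%", "%%") for k, v in variables.items()}
    return expand_once(expand_once(template, escaped), escaped)

# Constructed sample data modelled on the report in this thread.
TEMPLATE = "path/%L{ldap:sAMAccountName}"
VARS = {"n": "alice", "ldap:sAMAccountName": "sonder%zeichen"}

if __name__ == "__main__":
    print(expand_once(TEMPLATE, VARS))
    try:
        expand_twice(TEMPLATE, VARS)
    except UnknownVariable as err:
        print("second pass failed:", err)
    # A value that happens to contain a *known* token is rewritten silently.
    print(expand_twice(TEMPLATE, dict(VARS, **{"ldap:sAMAccountName": "bob%n"})))
    print(expand_twice_escaped(TEMPLATE, VARS))
```

The escaping has to happen where the remote value enters the expander; doubling the `%` in the directory entry itself changes the LDAP lookup key, as the message above reports.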







Re: Variable expansion with variables containing '%' (ldap with 2.3.6)

2019-07-01 Thread Aki Tuomi via dovecot

> Hi,
>
> there seems to be a problem when expanding variables containing a
> single '%' in value in dovecot V2.3.6
>
> having a user defined Variable in user_attrs like
>
> user_attrs = name=home=/maildir/%Ln,
> =myvar=path/%L{ldap:sAMAccountName}
>
>
> and sAMAccountName contains a '%', in my example "sonder%zeichen"
> leads to:
>
> lda(sonder%zeichen)<5723>: Fatal: Failed to
> expand plugin setting myvar = 'path/sonder%zeichen': Unknown
> variable '%z'
>
> same setup works with dovecot 2.2.29
>
> Any Feedback appreciated.
> Thanks.
> Matze

You can use %% to escape a %
---
Aki Tuomi




Variable expansion with variables containing '%' (ldap with 2.3.6)

2019-07-01 Thread Matthias Lay via dovecot
Hi,

there seems to be a problem when expanding variables containing a
single '%' in value in dovecot V2.3.6

having a user defined Variable in user_attrs like

user_attrs = name=home=/maildir/%Ln,
=myvar=path/%L{ldap:sAMAccountName}


and sAMAccountName contains a '%', in my example "sonder%zeichen"
leads to:

lda(sonder%zeichen)<5723>: Fatal: Failed to
expand plugin setting myvar = 'path/sonder%zeichen': Unknown
variable '%z'

same setup works with dovecot 2.2.29

Any Feedback appreciated.
Thanks.
Matze



Re: Dovecot/MSQL issue

2019-07-01 Thread lorek via dovecot
Actually, it seems I may have been wrong in initial assumption that the
issue with the client was that it was being identified to mysql as coming
from localhost when connecting via tcp.
This is what syslog indicated as a reason for the failure but it's not the
whole picture.

As John mentioned I am trying to have dovecot connect over TCP to mysql
(not using the socket), and the issue looked like the cause was the
identified by portion of mysql being read by either mysql incorrectly or
the domain portion being overwritten on dovecot's end (I don't know about
the internals enough to say for sure where).

Just as due diligence, I added credentials for a mysql user identified by
localhost and removed the jail since the dovecot error was stating that it
failed for connection by user@'localhost' (where there weren't credentials).
After adding the credentials, I performed all the usual mysql tests before
moving testing up to dovecot and still get an auth failure. The log seems
to be a bit of a red herring or at the minimum doesn't show the whole
picture.

Replacing the connection string host with the socket (host=localhost) and
everything works, and using an external IP that's not 127.0.0.1 works as
expected as well. (confirmed by standing up two isolated mysql and dovecot
containers and setting auth up over the bridge).

If the issue was caused by user@'localhost' creating the credentials should
have resolved it, and it didn't. So something weird is going on.
I've got the environment built up in a dockerfile I can provide if anyone
wants to dig into what's causing it.

In the meantime due to time constraints, I'll just be working with the
socket file from now for hosts running most of the mail stack all in one.

Best Regards,
Lorek.

On Sun, Jun 30, 2019 at 10:09 PM John Fawcett via dovecot <
dovecot@dovecot.org> wrote:

> On 30/06/2019 13:36, Aki Tuomi via dovecot wrote:
> >>
> >> Hello, I'm trying to work through an issue that cropped up on a server
> >> I've been working on and haven't found a very good workaround.
> >>
> >> Dovecot is operating in a jailed environment.
> >>
> >> The configuration in dovecot-sql.conf.ext has been set appropriately
> >> with the host=127.0.0.1 (which works from a jailed environment) and when
> >> dovecot attempts to auth it appears to perform a reverse dns lookup and
> >> overwrites the host with the result localhost before using the mysql
> >> credentials 'user'@'localhost' which then fails after timing out.
> >>
> >> I'm currently running version 2.2.33.2 of dovecot.
> >>
> >> The workaround seems to be to have two credentials for the same user.
> >> 'user'@'localhost' and 'user'@'127.0.0.1';
> >> postfix operates in a jail as well and works around the jail issue in
> >> the same way but doesn't overwrite the specified host with a reverse dns
> >> lookup.
> >>
> >> Anyone have any suggestions on how to handle this issue better? or
> >> maybe there's a way to force different behavior which I haven't yet found
> >> in the documentation?
> >>
> >> Any help is much appreciated.
> >>
> >> Best Regards.
> > Hi!
> >
> > The 127.0.0.1 issue is actually a MySQL issue, unfortunately.
> >
> > " On Unix, MySQL programs treat the host name localhost specially, in a
> > way that is likely different from what you expect compared to other
> > network-based programs: the client connects using a Unix socket file. The
> > --socket option or the MYSQL_UNIX_PORT environment variable may be used to
> > specify the socket name. "
> >
> > So not really something we could do much about.
> >
> > Aki
>
> Aki
>
> it is possible to force the use of tcp socket instead of unix socket by
> specifying an ip instead of the hostname localhost. As I understood it
> Nathan is specifying 127.0.0.1 so that will connect with tcp socket.
>
> John