Re: [auth] epoll_ctl(add, 13) failed: Operation not permitted (fd doesn't support epoll)
Hi Alex,

I don't know anything about SELinux, beyond that it's a pain to work with and causes all kinds of funky issues. Make sure you turn on verbose logging with SELinux so that you can see all that it's doing, but honestly, I cannot help you much more.

John

> just for completeness, here are the additional policies to SELinux that
> I had enabled (prior to semanage permissive -a dovecot_auth_t):
>
> #= dovecot_auth_t ==
> # This avc is allowed in the current policy
> allow dovecot_auth_t dovecot_t:tcp_socket { accept getattr };
> # This avc is allowed in the current policy
> allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
>
> With these, I do not see any avc in audit.log, but see the core dump.
>
> Best regards
> Alex
>
> On Mon, 2023-11-20 at 08:47 +0100, Alexander Vogt wrote:
>> Hi John,
>>
>> thanks - yes, this is a new setup (I am migrating to CentOS 9). SELinux
>> is enabled, but audit.log does not show an AVC. However, I ran
>>
>> semanage permissive -a dovecot_t
>>
>> and I am now able to dump the core. It is attached. With
>>
>> semanage permissive -a dovecot_auth_t
>>
>> auth seems to work. Now that it is established that the issue is due to
>> SELinux, I need to figure out how to solve it. SELinux was one of the
>> key motivations for the migration :)
>> Could you see what is going on from the dump?
>>
>> Best regards
>> Alex
>>
>> On Sun, 2023-11-19 at 20:39 -0500, John Stoffel wrote:
>> > >>>>> "Alexander" == Alexander Vogt via dovecot writes:
>> >
>> > Is this a new setup? Do you have SELinux enabled? Or are you doing a
>> > chroot'd setup? If so, back it all off one by one and see what's
>> > going on. The fact that you can't dump core because you can't write
>> > somewhere tells me that your system is locked down really hard in
>> > some manner.
>> >
>> > The fd not supporting epoll() is also suspect to me. Can you give
>> > more details on your system setup? Do you have apparmor turned on?
>> > Have you looked in your system logs as well?
>> >
>> > John
>> >
>> > > dovecot auth service is failing when using an inet_service. The
>> > > configuration is essentially:
>> > >
>> > > service auth {
>> > >   inet_listener {
>> > >     address = *
>> > >     port = 12345
>> > >   }
>> > >   unix_listener auth-userdb {
>> > >     group = vmail
>> > >     mode = 0666
>> > >     user = vmail
>> > >   }
>> > > }
>> > >
>> > > When I connect to port 12345 (real IMAP client or telnet doesn't make a
>> > > difference), the auth service crashes.
>> > >
>> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Panic: epoll_ctl(add, 13) failed: Operation not permitted (fd doesn't support epoll)
>> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Error: Raw backtrace:
>> > >   /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x46) [0x7f9319f89486] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x22) [0x7f9319f895a2] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x10a41b) [0x7f9319f9841b] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x10a4b7) [0x7f9319f984b7] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x5d11a) [0x7f9319eeb11a] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x609b0) [0x7f9319eee9b0] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x1215ba) [0x7f9319faf5ba] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(io_add_to+0x1d) [0x7f9319faf62d] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(io_add+0x28) [0x7f9319faf668] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(master_service_io_listeners_add+0x8a) [0x7f9319f1d16a] ->
>> > >   /usr/lib64/dovecot/libdovecot.so.0(master_service_init_finish+0xff) [0x7f9319f24bdf] ->
>> > >   dovecot/auth(main+0x389) [0x55745603a4f9] ->
>> > >   /lib64/libc.so.6(+0x3feb0) [0x7f931963feb0] ->
>> > >   /lib64/libc.so.6(__libc_start_main+0x80) [0x7f931963ff60] ->
>> > >   dovecot/auth(_start+0x25) [0x55745603a715]
>> > >
>> > > System info (sysreport attached):
>> > > # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
>> > > # Pigeonhole version 0.5.16 (09c29328)
>> > > # OS: Linux 5.14.0-383.el9.x86_64 x86_64 CentOS Stream release 9
>> > >
>> > > This exact configuration is known to work on this system:
>> > > # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
>> > > # Pigeonhole version 0.4.21 (92477967)
>> > >
>> > > I tried for almost two hours to get a core dump for this, but finally
>> > > gave up. I followed https://www.dovecot.org/bugreport-mail/#coredumps
>> > > and other sources but the best I could get was
>> > >
>> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Fatal: master: service(auth): child 7198 killed with signal 6 (core not dumped - https://dovecot.org/bugreport.html#coredumps - core wasn't writable?)
>> > >
>> > > for
>> > >
>> > > cat /proc/sys/kernel/core_pattern
>> > > /tmp/core.%e.%p
>> > >
>> > > (which is 1777).
>> > >
>> > > Any help to get this resolved would be much appreciated!
Re: [EXT] Re: dovecot and oauth2 (with keycloak) not working
It seems that it works on the dovecot side. When Roundcube sends the token, I get the user authenticated via IMAP/oauth2 in dovecot.

What worked for me was:
- adding client_id and client_secret
- removing the tokeninfo_url, using just the introspect_url and introspect_mode=token.

Now gotta fix Roundcube...

Best,
Francis

On 2023-11-20 13:48, Francis Augusto Medeiros-Logeay wrote:
> ---
> Francis Augusto Medeiros-Logeay
> Oslo, Norway
>
> On 2023-11-20 09:04, Aki Tuomi wrote:
>> On 20/11/2023 10:03 EET Francis Augusto Medeiros-Logeay wrote:
>>> > Try adding /?token= to tokeninfo_url. Dovecot 2.3.7.2 will simply
>>> > concatenate tokeninfo_url and token, so you need to provide the URL in
>>> > that fashion.
>>> >
>>> > Aki
>>>
>>> Thanks Aki.
>>>
>>> Still no go:
>>>
>>> Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host created
>>
>> oauth2(fran...@mydomain.com,10.10.40.30,<4Gv83JAKyOcKCige>): oauth2 failed: Token validation failed: connect(10.10.200.10:443) failed: Connection refused

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: [EXT] Re: dovecot and oauth2 (with keycloak) not working
---
Francis Augusto Medeiros-Logeay
Oslo, Norway

On 2023-11-20 09:04, Aki Tuomi wrote:
> On 20/11/2023 10:03 EET Francis Augusto Medeiros-Logeay wrote:
>> > Try adding /?token= to tokeninfo_url. Dovecot 2.3.7.2 will simply
>> > concatenate tokeninfo_url and token, so you need to provide the URL in
>> > that fashion.
>> >
>> > Aki
>>
>> Thanks Aki.
>>
>> Still no go:
>>
>> Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host created
>
> oauth2(fran...@mydomain.com,10.10.40.30,<4Gv83JAKyOcKCige>): oauth2 failed: Token validation failed: connect(10.10.200.10:443) failed: Connection refused

It still doesn't work after I fixed that "connection refused" problem. I had a NAT reflector problem. But with that out of the way, I still don't get it to work:

Nov 20 13:43:03 auth: Error: ldap(fran...@mydomain.com,10.10.40.30,): ldap_bind() failed: Constraint violation
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: Host created
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: Host session created
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: Need to perform DNS lookup
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: Performing asynchronous DNS lookup
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client: dns(auth.mydomain.com): Lookup started
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client: Connecting
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=2800,uid=0): Client connected (fd=23)
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=2800,uid=0): Sending version handshake
Nov 20 13:43:03 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo?token=eyJhbGciOi..redacted...3MDA0ODQ0ODMsImlhdCI6MTcwMDQ4NDE4MywiYXV0aF...: Submitted (requests left=1)
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=2800,uid=0): dns(auth.mydomain.com): Lookup successful after 5 msecs
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: DNS lookup successful; got 1 IPs
Nov 20 13:43:03 auth: Debug: http-client: peer 10.10.20.100:443 (shared): Peer created
Nov 20 13:43:03 auth: Debug: http-client: peer 10.10.20.100:443: Peer pool created
Nov 20 13:43:03 auth: Debug: http-client[1]: peer 10.10.20.100:443: Peer created
Nov 20 13:43:03 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Setting up connection to 10.10.20.100:443 (SSL=auth.mydomain.com) (1 requests pending)
Nov 20 13:43:03 auth: Debug: http-client[1]: peer 10.10.20.100:443: Linked queue https://auth.mydomain.com:443 (1 queues linked)
Nov 20 13:43:03 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Started new connection to 10.10.20.100:443 (SSL=auth.mydomain.com)
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=2800,uid=0): Disconnected: Connection closed (fd=23)
Nov 20 13:43:03 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=2800,uid=0): Disconnect: deinit
Nov 20 13:43:03 auth: Debug: http-client[1]: peer 10.10.20.100:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Nov 20 13:43:03 auth: Debug: http-client[1]: peer 10.10.20.100:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
Nov 20 13:43:03 auth: Debug: http-client: conn 10.10.20.100:443 [1]: Connecting
Nov 20 13:43:03 auth: Debug: http-client: conn 10.10.20.100:443 [1]: Waiting for connect (fd=23) to finish for max 0 msecs
Nov 20 13:43:03 auth: Debug: http-client: conn 10.10.20.100:443 [1]: HTTPS connection created (1 parallel connections exist)
Nov 20 13:43:03 auth: Debug: http-client: conn 10.10.20.100:443 [1]: Client connected (fd=23)
Nov 20 13:43:03 auth: Debug: http-client: conn 10.10.20.100:443 [1]: Connected
Nov 20 13:43:03 auth: Debug: http-client: conn 10.10.20.100:443 [1]: Starting SSL handshake
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x10, ret=1: before SSL initialization
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1001, ret=1: before SSL initialization
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1001, ret=1: SSLv3/TLS write client hello
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1002, ret=-1: SSLv3/TLS write client hello
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1002, ret=-1: SSLv3/TLS write client hello
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1002, ret=-1: SSLv3/TLS write client hello
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1001, ret=1: SSLv3/TLS write client hello
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1001, ret=1: SSLv3/TLS read server hello
Nov 20 13:43:03 auth: Debug: auth.mydomain.com: SSL: where=0x1002,
Re: [auth] epoll_ctl(add, 13) failed: Operation not permitted (fd doesn't support epoll)
Hi John,

just for completeness, here are the additional policies to SELinux that I had enabled (prior to semanage permissive -a dovecot_auth_t):

#= dovecot_auth_t ==
# This avc is allowed in the current policy
allow dovecot_auth_t dovecot_t:tcp_socket { accept getattr };
# This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

With these, I do not see any avc in audit.log, but see the core dump.

Best regards
Alex

On Mon, 2023-11-20 at 08:47 +0100, Alexander Vogt wrote:
> Hi John,
>
> thanks - yes, this is a new setup (I am migrating to CentOS 9). SELinux
> is enabled, but audit.log does not show an AVC. However, I ran
>
> semanage permissive -a dovecot_t
>
> and I am now able to dump the core. It is attached. With
>
> semanage permissive -a dovecot_auth_t
>
> auth seems to work. Now that it is established that the issue is due to
> SELinux, I need to figure out how to solve it. SELinux was one of the
> key motivations for the migration :)
> Could you see what is going on from the dump?
>
> Best regards
> Alex
>
> On Sun, 2023-11-19 at 20:39 -0500, John Stoffel wrote:
> > >>>>> "Alexander" == Alexander Vogt via dovecot writes:
> >
> > Is this a new setup? Do you have SELinux enabled? Or are you doing a
> > chroot'd setup? If so, back it all off one by one and see what's
> > going on. The fact that you can't dump core because you can't write
> > somewhere tells me that your system is locked down really hard in
> > some manner.
> >
> > The fd not supporting epoll() is also suspect to me. Can you give
> > more details on your system setup? Do you have apparmor turned on?
> > Have you looked in your system logs as well?
> >
> > John
> >
> > > dovecot auth service is failing when using an inet_service. The
> > > configuration is essentially:
> > >
> > > service auth {
> > >   inet_listener {
> > >     address = *
> > >     port = 12345
> > >   }
> > >   unix_listener auth-userdb {
> > >     group = vmail
> > >     mode = 0666
> > >     user = vmail
> > >   }
> > > }
> > >
> > > When I connect to port 12345 (real IMAP client or telnet doesn't make a
> > > difference), the auth service crashes.
> > >
> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Panic: epoll_ctl(add, 13) failed: Operation not permitted (fd doesn't support epoll)
> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Error: Raw backtrace:
> > >   /usr/lib64/dovecot/libdovecot.so.0(backtrace_append+0x46) [0x7f9319f89486] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(backtrace_get+0x22) [0x7f9319f895a2] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x10a41b) [0x7f9319f9841b] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x10a4b7) [0x7f9319f984b7] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x5d11a) [0x7f9319eeb11a] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x609b0) [0x7f9319eee9b0] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(+0x1215ba) [0x7f9319faf5ba] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(io_add_to+0x1d) [0x7f9319faf62d] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(io_add+0x28) [0x7f9319faf668] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(master_service_io_listeners_add+0x8a) [0x7f9319f1d16a] ->
> > >   /usr/lib64/dovecot/libdovecot.so.0(master_service_init_finish+0xff) [0x7f9319f24bdf] ->
> > >   dovecot/auth(main+0x389) [0x55745603a4f9] ->
> > >   /lib64/libc.so.6(+0x3feb0) [0x7f931963feb0] ->
> > >   /lib64/libc.so.6(__libc_start_main+0x80) [0x7f931963ff60] ->
> > >   dovecot/auth(_start+0x25) [0x55745603a715]
> > >
> > > System info (sysreport attached):
> > > # 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
> > > # Pigeonhole version 0.5.16 (09c29328)
> > > # OS: Linux 5.14.0-383.el9.x86_64 x86_64 CentOS Stream release 9
> > >
> > > This exact configuration is known to work on this system:
> > > # 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
> > > # Pigeonhole version 0.4.21 (92477967)
> > >
> > > I tried for almost two hours to get a core dump for this, but finally
> > > gave up. I followed https://www.dovecot.org/bugreport-mail/#coredumps
> > > and other sources but the best I could get was
> > >
> > > Nov 19 22:21:54 imap.linexus.de dovecot[7195]: auth: Fatal: master: service(auth): child 7198 killed with signal 6 (core not dumped - https://dovecot.org/bugreport.html#coredumps - core wasn't writable?)
> > >
> > > for
> > >
> > > cat /proc/sys/kernel/core_pattern
> > > /tmp/core.%e.%p
> > >
> > > (which is 1777).
> > >
> > > Any help to get this resolved would be much appreciated!
> > > Thanks and best regards
> > > Alex
Re: [EXT] Re: dovecot and oauth2 (with keycloak) not working
> On 20/11/2023 10:03 EET Francis Augusto Medeiros-Logeay wrote:
>
>> Try adding /?token= to tokeninfo_url. Dovecot 2.3.7.2 will simply
>> concatenate tokeninfo_url and token, so you need to provide the URL in
>> that fashion.
>>
>> Aki
>
> Thanks Aki.
>
> Still no go:
>
> Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host
> created

oauth2(fran...@mydomain.com,10.10.40.30,<4Gv83JAKyOcKCige>): oauth2 failed: Token validation failed: connect(10.10.200.10:443) failed: Connection refused

Aki
Re: dovecot and oauth2 (with keycloak) not working
> Try adding /?token= to tokeninfo_url. Dovecot 2.3.7.2 will simply
> concatenate tokeninfo_url and token, so you need to provide the URL in
> that fashion.
>
> Aki

Thanks Aki.

Still no go:

Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host created
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host session created
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Need to perform DNS lookup
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Performing asynchronous DNS lookup
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client: dns(auth.mydomain.com): Lookup started
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client: Connecting
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Client connected (fd=24)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Sending version handshake
Nov 20 08:59:19 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/token=eyJhbGci...redacted...TcwMDQ2NzE1OSwiYXV0aF...: Submitted (requests left=1)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): dns(auth.mydomain.com): Lookup successful after 4 msecs
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: DNS lookup successful; got 1 IPs
Nov 20 08:59:19 auth: Debug: http-client: peer 10.10.200.10:443 (shared): Peer created
Nov 20 08:59:19 auth: Debug: http-client: peer 10.10.200.10:443: Peer pool created
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Peer created
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Setting up connection to 10.10.200.10:443 (SSL=auth.mydomain.com) (1 requests pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Linked queue https://auth.mydomain.com:443 (1 queues linked)
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Started new connection to 10.10.200.10:443 (SSL=auth.mydomain.com)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Disconnected: Connection closed (fd=24)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Disconnect: deinit
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Connecting
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Waiting for connect (fd=24) to finish for max 0 msecs
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: HTTPS connection created (1 parallel connections exist)
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Client connection failed (fd=24)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Connection failed (1 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client: peer 10.10.200.10:443: Failed to make connection (1 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Failed to establish any connection within our peer pool: connect(10.10.200.10:443) failed: Connection refused (1 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Failed to set up connection to 10.10.200.10:443 (SSL=auth.mydomain.com): connect(10.10.200.10:443) failed: Connection refused (1 peers pending, 1 requests pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Unlinked queue https://auth.mydomain.com:443 (0 queues linked)
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Failed to set up any connection; failing all queued requests
Nov 20 08:59:19 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJaYTFXcXhxb0RULXBSc2o1WXZFdUJfLUxBVUtGNk5SeFFrUS1mNmdTUGs4In0.eyJleHAiOjE3MDA0Njc0NTksImlhdCI6MTcwMDQ2NzE1OSwiYXV0aF...: Error: 9003 connect(10.10.200.10:443) failed: Connection refused
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Dropping request [Req1: GET
Re: dovecot and oauth2 (with keycloak) not working
Hi,

I'm running dovecot with keycloak without problems for 1 month.

>> Nov 20 08:20:30 auth: Error: oauth2(fran...@mydomain.com,10.10.40.30,): oauth2 failed: connect(10.10.100.10:443) failed: Connection refused

It seems that your keycloak is not responding to connection requests on port 443. Can you try "telnet 10.10.100.10 443" from your dovecot server?

Regards
Urban

On 20.11.23 at 08:29, Francis Augusto Medeiros-Logeay via dovecot wrote:
> Hi,
>
> I successfully configured Roundcube to use keycloak for oauth2.
>
> However, I am having trouble making it work with dovecot. My configuration is this:
>
> cat dovecot-oauth2.conf.ext
> tokeninfo_url = https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo
> introspection_url = https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/token/introspect
> introspection_mode = post
> username_attribute = postfixMailAddress
> debug = yes
> scope = openid Roundcube_email
>
> This is what I am getting from the logs:
>
> Nov 20 08:20:30 auth: Error: ldap(fran...@mydomain.com,10.10.40.30,): ldap_bind() failed: Constraint violation
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Host created
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Host session created
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: IPs have expired; need to refresh DNS lookup
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Performing asynchronous DNS lookup
> Nov 20 08:20:30 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/med-lo/protocol/openid-connect/userinfoeyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJaYTFXcXhxb0RULXBSc2o1WXZFdUJfLUxBVUtGNk5SeFFrUS1mNmdTUGs4In0.[remainder of JWT elided]]: Submitted (requests left=1)
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: DNS lookup successful; got 1 IPs
> Nov 20 08:20:30 auth: Debug: http-client: peer 10.10.100.10:443 (shared): Peer created
> Nov 20 08:20:30 auth: Debug: http-client: peer 10.10.100.10:443: Peer pool created
> Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Peer created
> Nov 20 08:20:30 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Setting up connection to 10.10.100.10:443 (SSL=auth.mydomain.com) (1 requests pending)
> Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Linked queue https://auth.mydomain.com:443 (1 queues linked)
> Nov 20 08:20:30 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Started new connection to 10.10.100.10:443 (SSL=auth.mydomain.com)
> Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
> Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
> Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Connecting
> Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Waiting for connect (fd=23) to finish for max 0 msecs
> Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: HTTPS connection created (1 parallel connections exist)
> Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Client connection failed (fd=23)
> Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Connection failed (1 connections exist, 0 pending)
> Nov 20 08:20:30 auth: Debug:
Re: dovecot and oauth2 (with keycloak) not working
> On 20/11/2023 09:29 EET Francis Augusto Medeiros-Logeay via dovecot wrote:
>
> Hi,
>
> I successfully configured Roundcube to use keycloak for oauth2.
>
> However, I am having trouble making it work with dovecot. My configuration
> is this:
>
> cat dovecot-oauth2.conf.ext
> tokeninfo_url = https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo
> introspection_url = https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/token/introspect
> introspection_mode = post
> username_attribute = postfixMailAddress
> debug = yes
> scope = openid Roundcube_email
>
> This is what I am getting from the logs:
>
> Nov 20 08:20:30 auth: Error: ldap(fran...@mydomain.com,10.10.40.30,): ldap_bind() failed: Constraint violation
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Host created
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Host session created
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: IPs have expired; need to refresh DNS lookup
> Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: ...
>
> My dovecot version is 2.3.7.2 (3c910f64b).
>
> I find it odd that it is sending the token as a parameter, when I chose
> "post" as the introspection mode. But I don't know if that is the problem.
>
> best,
>
> Francis

Try adding /?token= to tokeninfo_url. Dovecot 2.3.7.2 will simply concatenate tokeninfo_url and token, so you need to provide the URL in that fashion.

Aki
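The following is an added illustration for this thread, not Dovecot's own code and not posted by anyone in it: it mimics the plain concatenation of tokeninfo_url and token that Aki describes for Dovecot 2.3.7.2 (showing why the first log has the token glued onto "userinfo" and why "/?token=" lands it in the query string), and builds the kind of RFC 7662 introspection request with client_id/client_secret that Francis ended up using. The endpoint URLs are the ones posted; the token and client credentials are constructed placeholders.

```python
# Added example (not Dovecot code). Emulates tokeninfo_url + token
# concatenation and builds an RFC 7662 introspection request.
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint URLs as posted in the thread.
USERINFO_URL = ("https://auth.mydomain.com/realms/myrealm/"
                "protocol/openid-connect/userinfo")
INTROSPECT_URL = ("https://auth.mydomain.com/realms/myrealm/"
                  "protocol/openid-connect/token/introspect")

# Constructed dummy JWT (header.payload.signature), not a real token.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJmcmFuY2lzIn0.c2lnbmF0dXJl"


def concat_tokeninfo_url(tokeninfo_url: str, token: str) -> str:
    """Plain string concatenation, as Aki says Dovecot 2.3.7.2 does.

    With the bare userinfo URL this yields '...userinfoeyJhbGci...',
    which is what the first debug log in the thread shows.
    """
    return tokeninfo_url + token


def token_placement(url: str) -> str:
    """Classify where the token ended up in the request URL.

    'query' -> ...userinfo/?token=<jwt>  (a query parameter the server can parse)
    'path'  -> ...userinfo/token=<jwt>   (became a path segment)
    'fused' -> ...userinfo<jwt>          (glued onto the last path segment)
    """
    parts = urlsplit(url)
    if "token" in parse_qs(parts.query):
        return "query"
    last_segment = parts.path.rsplit("/", 1)[-1]
    if last_segment.startswith("token="):
        return "path"
    return "fused"


def introspection_request(introspection_url: str, client_id: str,
                          client_secret: str, token: str):
    """Build an RFC 7662 token introspection request as (url, headers, body).

    The client authenticates with HTTP Basic (client_id:client_secret) and
    the token travels in the form-encoded POST body, so it is not exposed
    in the request line or in HTTP access logs the way a '?token=' query
    string is.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return introspection_url, headers, body


if __name__ == "__main__":
    # The three tokeninfo_url variants that appear in the thread's logs.
    for suffix in ("", "/token=", "/?token="):
        url = concat_tokeninfo_url(USERINFO_URL + suffix, SAMPLE_TOKEN)
        print(f"tokeninfo_url suffix {suffix!r:10} -> {token_placement(url)}")
    url, headers, body = introspection_request(
        INTROSPECT_URL, "dovecot", "example-client-secret", SAMPLE_TOKEN)
    print("POST", url)
    print(headers["Content-Type"], "|", body)
```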