Re: Debian package for bookworm

2023-06-16 Thread Lucas Castro


On 16/06/2023 12:59, Claudio Corvino wrote:

Hi guys,

I updated to Debian 12 but I can't find a repo for bookworm on 
https://repo.dovecot.org/.

When will it be released?
Thanks!


repo.dovecot.org may be maintained by Dovecot itself and has nothing to 
do with the Debian ecosystem.


And if you really care about using a clean Debian system, you should rather 
use Dovecot from the official Debian repository.




--
Claudio

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Thanks.

Lucas Castro.





Re: GSSAPI mail home mapping problem

2021-08-10 Thread Lucas Castro

Sorry, my fault, I missed some commas on the user and pass attrs.


On 8/10/21 1:31 PM, Lucas Castro wrote:

Hello,

I'm trying to map authenticated Kerberos users to mail_location.


The problem: when I set mail_home = 
/var/mail/virtual/domain1.zw.loca/%n, it works fine.


But if mail_home is set as /var/mail/virtual/%d/%n

I get

Apr 12 19:53:18 postfix10 dovecot: imap-login: Login: user=, 
method=GSSAPI, rip=172.16.0.44, lip=10.16.0.220, mpid=2428, 
session=
Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Added userdb 
setting: plugin/=yes
Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Effective uid=5000, 
gid=5000, home=/var/mail/virtual/domain1.zw.local =login_user=user0/user0


Right here, I can't figure out why login_user=user0/user0

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Namespace inbox: 
type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, 
subscriptions=yes location=maildir:~/mail


Now login_user=user0

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: maildir++: 
root=/var/mail/virtual/domain1.zw.local =login_user=user0/user0/mail, 
index=, indexpvt=, control=, inbox=/var/mail/virtual/domain1.zw.local 
=login_user=user0/user0/mail, alt=


then login_user=user0/user0/mail

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Mailbox INBOX: 
Mailbox opened because: SELECT



doveconf  -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 10.6
# Hostname: postfix10.zw.local
auth_debug = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket 
KRB5_KTNAME=/etc/dovecot/imap.keytab

mail_debug = yes
mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = no
ssl_cert = ldap://ldap10.zw.local
auth_bind = yes
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = zw.local
debug_level = -1
ldap_version = 3
base = dc=zw,dc=local
user_attrs = \
    =user=%{ldap:mail} \
    =login_user=%{ldap:uid}
user_filter = (uid=%n)
pass_attrs = \
    =user=%{ldap:uid},\
    =k5principals=%{ldap:krbPrincipalName}
pass_filter = (&(objectClass=krbPrincipalAux)(uid=%n))



--
Lucas Castro
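
An added example, not part of the original messages: a small Python model of why the missing comma in user_attrs produces the home path seen in the debug log. The LDAP values are constructed (the real mail address is obfuscated in the archive), the helper names are hypothetical, and the expansion is a simplified model, not Dovecot's own parser.

```python
import re

# Constructed sample: the user_attrs block from the post, plus a corrected form.
BROKEN = """user_attrs = \\
    =user=%{ldap:mail} \\
    =login_user=%{ldap:uid}
"""
FIXED = """user_attrs = \\
    =user=%{ldap:mail}, \\
    =login_user=%{ldap:uid}
"""
# Constructed LDAP entry (assumed values, not taken from the poster's directory).
ENTRY = {"mail": "user0@domain1.zw.local", "uid": "user0"}

def parse_attrs(conf, key):
    """Join backslash continuations, then split the setting on commas."""
    joined = re.sub(r"\\\n\s*", "", conf)
    m = re.search(rf"^{key}\s*=\s*(.*)$", joined, re.M)
    return [e.strip() for e in m.group(1).split(",") if e.strip()]

def missing_commas(entries):
    """Entries whose value swallows what looks like a following '=field=' entry."""
    return [e for e in entries if re.search(r"\s=\w+=", e)]

def expand(entries, ldap):
    """Expand '=field=template' entries (the only form used in the post)."""
    fields = {}
    for e in entries:
        _, field, template = e.split("=", 2)
        fields[field] = re.sub(r"%\{ldap:(\w+)\}",
                               lambda m: ldap[m.group(1)], template)
    return fields

def home_for(user, template="/var/mail/virtual/%d/%n"):
    """Expand %n (before '@') and %d (after '@') as in the mail_home setting."""
    name, _, domain = user.partition("@")
    return template.replace("%d", domain).replace("%n", name)

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        entries = parse_attrs(conf, "user_attrs")
        fields = expand(entries, ENTRY)
        print(label, missing_commas(entries), fields, home_for(fields["user"]))
```

With the comma missing, the whole continuation becomes the value of the user field, so %d carries the trailing " =login_user=user0" text into the home directory path.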



GSSAPI mail home mapping problem

2021-08-10 Thread Lucas Castro

Hello,

I'm trying to map authenticated Kerberos users to mail_location.


The problem: when I set mail_home = /var/mail/virtual/domain1.zw.loca/%n, 
it works fine.


But if mail_home is set as /var/mail/virtual/%d/%n

I get

Apr 12 19:53:18 postfix10 dovecot: imap-login: Login: user=, 
method=GSSAPI, rip=172.16.0.44, lip=10.16.0.220, mpid=2428, 
session=
Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Added userdb setting: 
plugin/=yes
Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Effective uid=5000, 
gid=5000, home=/var/mail/virtual/domain1.zw.local =login_user=user0/user0


Right here, I can't figure out why login_user=user0/user0

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Namespace inbox: 
type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, 
subscriptions=yes location=maildir:~/mail


Now login_user=user0

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: maildir++: 
root=/var/mail/virtual/domain1.zw.local =login_user=user0/user0/mail, 
index=, indexpvt=, control=, inbox=/var/mail/virtual/domain1.zw.local 
=login_user=user0/user0/mail, alt=


then login_user=user0/user0/mail

Apr 12 19:53:18 postfix10 dovecot: imap(us...@domain1.zw.local 
=login_user=user0)<2428>: Debug: Mailbox INBOX: 
Mailbox opened because: SELECT



doveconf  -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 10.6
# Hostname: postfix10.zw.local
auth_debug = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_verbose = yes
disable_plaintext_auth = no
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket 
KRB5_KTNAME=/etc/dovecot/imap.keytab

mail_debug = yes
mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = no
ssl_cert = ldap://ldap10.zw.local
auth_bind = yes
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = zw.local
debug_level = -1
ldap_version = 3
base = dc=zw,dc=local
user_attrs = \
    =user=%{ldap:mail} \
    =login_user=%{ldap:uid}
user_filter = (uid=%n)
pass_attrs = \
    =user=%{ldap:uid},\
    =k5principals=%{ldap:krbPrincipalName}
pass_filter = (&(objectClass=krbPrincipalAux)(uid=%n))


--
Lucas Castro



Re: Dovecot GSSAPI Authentication problem

2021-08-06 Thread Lucas Castro



On 8/6/21 9:56 AM, Aki Tuomi wrote:

On 04/08/2021 19:47 Lucas Castro  wrote:

  
Hello,

I'm having a problem setting up Dovecot imap/pop service authentication
through Kerberos.

Already read https://wiki.dovecot.org/Authentication/Kerberos.

My guess is kerberos is working but something goes wrong after.


Hi!

This looks like a bug indeed. Do things start working if you add

passdb {
   driver = static
   args = password=pass
}

Aki


Thanks for the reply.


Another question: how can I map a Kerberos principal to mail users?

How can I access us...@domain1.zw.local with user0@ZW.LOCAL?


When I set the user to user0 in the mail client, it works fine, but if I set 
the user to u...@domain1.zw.local


Dovecot returns

"User not authorized to log in as user0"

And I can't figure out how to map the Kerberos principal to the mail account.

Right now, I keep the users' information in LDAP.

--
Lucas Castro



Re: Dovecot Debian repo instructions need updating

2021-08-05 Thread Lucas Castro

Please reply to the list only!

On 8/5/21 12:20 PM, Laura Smith wrote:


On Thursday, August 5th, 2021 at 4:06 PM, Lucas Castro  
wrote:


On 8/5/21 8:42 AM, Laura Smith wrote:


Re: 
https://doc.dovecot.org/installation_guide/dovecot_community_repositories/debian_packages/

The instructions need updating for two reasons:

1.  Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove 
reference to 8.0 "Jessie" and replace with 10.0 "Buster".

To "replace", I guess instructions for other versions should be added.

There is very little point supporting EOL systems.  As per the table in the 
link I provided, 8.0 Jessie is EOL unless you are paying money to Debian for 
ELTS subscription.


I really don't know where you read about payment for ELTS subscription.






A secure connection is not (exactly) needed. Debian will check the package
using gpg.

The official repositories don't enforce a secure connection either.

As you said, "The key MUST be downloaded over secure connection":

the key, not the package; the package must be signed by the key.




I am not sure what the point you are trying to make here is ?

There is no argument that what I am asking for MUST be done.

The Debian link I referred to explains in much detail WHY it is important.


The point is that the package is checked by its gpg signature.

The link referred to says "Serving the repository under HTTPS is OPTIONAL".

The package is signed using a gpg key. The key must be downloaded over a 
secure connection, not the package.



--
Lucas Castro



Re: Dovecot Debian repo instructions need updating

2021-08-05 Thread Lucas Castro



On 8/5/21 8:42 AM, Laura Smith wrote:

Re: 
https://doc.dovecot.org/installation_guide/dovecot_community_repositories/debian_packages/

The instructions need updating for two reasons:

1) Keep up to date with Debian releases (https://wiki.debian.org/DebianReleases), i.e. remove 
reference to 8.0 "Jessie" and replace with 10.0 "Buster".


To "replace", I guess instructions for other versions should be added.

Bullseye will be released soon, so must it be replaced again?

To add instructions for other versions, someone needs to test and document them.



2) The instructions presented for key handling are not inline with Debian 
best-practices.
As per https://wiki.debian.org/DebianRepository/UseThirdParty: "The key MUST be 
downloaded over a secure mechanism like HTTPS to a location only writable by root, which 
SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or 
loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The 
signed-by entry MUST point to a file, and not a fingerprint."


A secure connection is not (exactly) needed. Debian will check the package 
using gpg.


The official repositories don't enforce a secure connection either.


As you said, "The key MUST be downloaded over secure connection":

the key, not the package; the package must be signed by the key.

--
Lucas Castro
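
An added example, not part of the original messages: a Python check of one-line sources.list entries against the key-handling rules quoted from https://wiki.debian.org/DebianRepository/UseThirdParty in this thread. The sample entries are constructed, repo.example.org is a placeholder, and the function names are hypothetical.

```python
import re

KEYRING_DIR = "/usr/share/keyrings/"
LEGACY_DIR = "/etc/apt/trusted.gpg.d/"

# Constructed one-line sources.list entries; repo.example.org is a placeholder.
SAMPLES = [
    "deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example.org/debian bookworm main",
    "deb http://repo.example.org/debian bookworm main",
    "deb [arch=amd64 signed-by=0123456789ABCDEF0123456789ABCDEF01234567] https://repo.example.org/debian bookworm main",
    "deb [signed-by=/etc/apt/trusted.gpg.d/example.gpg] http://repo.example.org/debian bookworm main",
]

def parse_entry(line):
    """Return (options dict, URI) for a one-line 'deb' entry, else None."""
    m = re.match(r"\s*deb(?:-src)?\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
    if not m:
        return None
    opts = dict(o.split("=", 1) for o in (m.group(1) or "").split() if "=" in o)
    return opts, m.group(2)

def audit_entry(line):
    """Check one entry against the key-handling rules quoted in the thread."""
    parsed = parse_entry(line)
    if parsed is None:
        return ["SKIP: not a deb entry"]
    opts, uri = parsed
    findings = []
    signed_by = opts.get("signed-by")
    if signed_by is None:
        findings.append("SHOULD: no signed-by, any key in apt's trusted set is accepted")
    elif not signed_by.startswith("/"):
        findings.append("MUST: signed-by is not a file path")
    elif signed_by.startswith(LEGACY_DIR):
        findings.append("MUST NOT: key lives in /etc/apt/trusted.gpg.d")
    elif not signed_by.startswith(KEYRING_DIR):
        findings.append("SHOULD: key is outside /usr/share/keyrings")
    if not uri.startswith("https://"):
        # HTTPS for the repository itself is optional; packages are verified by signature.
        findings.append("INFO: plain-HTTP repository, integrity rests on the signing key")
    return findings

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", audit_entry(line) or ["OK"])
```

The plain-HTTP case is reported as informational only, matching the distinction drawn in the thread between how the key is obtained and how the packages are transported.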



Dovecot GSSAPI Authentication problem

2021-08-04 Thread Lucas Castro

Hello,
I'm having a problem setting up Dovecot imap/pop service authentication 
through Kerberos.


Already read https://wiki.dovecot.org/Authentication/Kerberos.

My guess is kerberos is working but something goes wrong after.

The keytab and ticket (for LDAP userdb lookup):

-rw--- 1 dovecot dovecot  498 ago  3 20:20 /etc/dovecot/imap.keytab
-rw--- 1 dovecot root    1503 ago  4 11:40 /etc/dovecot/imap.ticket

dovecot --version
2.3.13 (89f716dc2)

the dovecot setting

# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-7-amd64 x86_64 Debian 11.0
# Hostname: postfix10.zw.local
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_username_translation = /@
import_environment = TZ KRB5CCNAME=/etc/dovecot/imap.ticket 
KRB5_KTNAME=/etc/dovecot/imap.keytab

mail_gid = 5000
mail_home = /var/mail/virtual/%d/%n
mail_location = maildir:~/mail
mail_privileged_group = mail
mail_uid = 5000
namespace inbox {
  disabled = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
protocols = " imap lmtp pop3"
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: 
AUTH#0111#011GSSAPI#011service=pop3#011session=Q3GdfL7IvLmsEAAs#011lip=10.16.0.220#011rip=172.16.0.44#011lport=110#011rport=47548
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: 
gssapi(?,172.16.0.44,): Using all keytab entries
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: 
CONT#0111#011

Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: 
gssapi(user0@zw.local,172.16.0.44,): security context 
state completed.
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: 
CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvsoco75BA/W0B9tS+UmJnunUg6vIcO5wr0fzZ7iGmCpsz0K2vL/qniGISDIwF9hDXXxs79bljbZE8Yx4dujqVuTPGMtewfhDtNfRNgYGNk/z28sDz7fs/dpIMKF2FAA1m9pFjBupQ1VkGbzMYc77U

Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: 
gssapi(user0@zw.local,172.16.0.44,): Negotiated 
security layer
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client passdb out: 
CONT#0111#011BQQF/wAMAdf8bQH///86U2L5ErmqfWFYNQA=

Aug  4 13:42:23 postfix10 dovecot: auth: Debug: client in: CONT
Aug  4 13:42:23 postfix10 dovecot: auth: Error: 
gssapi(us...@domain1.zw.local,172.16.0.44,): All 
password databases were skipped
Aug  4 13:42:23 postfix10 dovecot: auth: Debug: 
auth(us...@domain1.zw.local,172.16.0.44,): Auth 
request finished
Aug  4 13:42:25 postfix10 dovecot: auth: Debug: client passdb out: 
FAIL#0111#011user=us...@domain1.zw.local#011code=temp_fail#011original_user=user0@ZW.LOCAL
Aug  4 13:42:25 postfix10 dovecot: pop3-login: Debug: Ignoring unknown 
passdb extra field: original_user



Can someone help on this?


--
Lucas Castro