Re: [Dovecot] Proxy config help please

2012-07-02 Thread Timo Sirainen
On 30.6.2012, at 0.41, Zac Israel wrote:

> # 2.0.19: /etc/dovecot/dovecot.conf
..
> passdb {
>  args = proxy=proxy_always nopassword=y host=172.16.0.13 port=143 proxy_timeout=5 starttls=y ssl=any-cert

v2.0 has some problems with this. You should use v2.1 and use server name as 
the "host" value instead of IP. But anyway, the main problem is that you 
haven't specified ssl_ca setting that contains the accepted CA certificate.
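
An added example, not part of the original thread or of Dovecot itself: a small Python check that flags, in a `doveconf -n` dump, the points raised in the reply above (`ssl=any-cert`, an IP literal as `host`, no `ssl_ca`). The function names and the embedded sample are constructed for illustration; the settings themselves are the ones quoted in this thread.

```python
import ipaddress
import re

# Constructed sample: the relevant part of the doveconf -n output quoted in this thread.
SAMPLE = """\
passdb {
  args = proxy=proxy_always nopassword=y host=172.16.0.13 port=143 proxy_timeout=5 starttls=y ssl=any-cert
  driver = static
}
ssl = required
"""

def passdb_args(conf):
    """Return the key=value fields of every `args =` line inside a passdb block."""
    out, in_passdb = [], False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("passdb"):
            in_passdb = True
        elif line == "}":
            in_passdb = False
        elif in_passdb and line.startswith("args"):
            fields = line.split("=", 1)[1].split()
            out.append(dict(f.split("=", 1) for f in fields if "=" in f))
    return out

def has_setting(conf, name):
    """True if a top-level setting such as ssl_ca has a non-empty value."""
    return re.search(rf"(?m)^{re.escape(name)}\s*=\s*\S", conf) is not None

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit(conf):
    """List the proxy TLS weaknesses named in the reply for each proxying passdb."""
    findings = []
    for args in passdb_args(conf):
        if "proxy" not in args:
            continue
        if args.get("ssl") == "any-cert":
            findings.append("ssl=any-cert: backend certificate is not verified")
        if is_ip(args.get("host", "")):
            findings.append("host is an IP literal; use the server name")
        if not has_setting(conf, "ssl_ca"):
            findings.append("ssl_ca is not set; no CA to verify the backend against")
    return findings
```
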



Re: [Dovecot] Proxy config help please

2012-06-30 Thread Zac Israel
On Sat, Jun 30, 2012 at 4:52 AM, Charles Marcus wrote:
> On 2012-06-29 5:41 PM, Zac Israel  wrote:
>>
>> The system at 172.16.0.13 is a zimbra proxy.  I can see in the logs
>> that it initially complains about my ssl cert, and if I remove
>> ssl=any-cert it fails because my cert is self signed, so I know it is
>> talking to the proxy and doing starttls which is a requirement of
>> zimbra.  Unfortunately I have not found a way to see the full exchange
>> between dovecot and my zimbra proxy other than tcp dump, which just
>> shows a small packet exchange.
>
>
> And unfortunately you failed to provide critical evidence - in this case the
> actual logs (and the tcpdump since you already have it) of a failed session,
> rather than your interpretation of it. But at least you provided your config
> (Timo is so good that often that is enough by itself, but even his crystal
> ball sometimes has problems).
>
> I have found over the years that if you are having a problem to the point
> that you need to ask for help, it is time to step back and take a fresh look
> at *everything* - including having other eyes looking at *all* of the
> evidence.
>
> --
>
> Best regards,
>
> Charles

Very sorry for the omission, please find the dovecot logs and tcpdump
session attached.  Please let me know if I can provide any other
information and thank you again for your time.

Zac

Jun 29 17:00:57 imap-test dovecot: master: Dovecot v2.0.19 starting up (core dumps disabled)
Jun 29 17:00:58 imap-test dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jun 29 17:00:58 imap-test dovecot: auth: Debug: auth client connected (pid=31182)
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client hello A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server hello A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write certificate A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write server done A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 read finished A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 write finished A [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2001, ret=1: SSLv3 flush data [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x20, ret=1: SSL negotiation finished successfully [127.0.0.1]
Jun 29 17:00:58 imap-test dovecot: imap-login: Warning: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [127.0.0.1]
Jun 29 17:01:10 imap-test dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap  secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=49940 resp=
Jun 29 17:01:10 imap-test dovecot: auth: Debug: static(zac.isr...@domain.com,127.0.0.1): lookup
Jun 29 17:01:10 imap-test dovecot: auth: Debug: static(zac.isr...@domain.com,127.0.0.1): Allowing any password
Jun 29 17:01:10 imap-test dovecot: auth: Debug: client out: OK  1 user=zac.isr...@domain.com  proxy host=172.16.0.13  port=143  proxy_timeout=5 starttls=y  ssl=any-cert  pass=
Jun 29 17:01:10 imap-test dovecot: imap-login: Warning: SSL: where=0x10, ret=1: before/connect initialization [127.0.0.1]
Jun 29 17:01:10 imap-test dovecot: imap-login: Warning: SSL: where=0x1001, ret=1: before/connect initialization [127.0.0.1]
Jun 29 17:01:10 imap-test dovecot: imap-login: Warning: SSL: where=0x1001, ret=1: unknown state [127.0.0.1]
Jun 29 17:01:10 imap-test dovecot: imap-login: Warning: SSL: where=0x1002, ret=-1: unknown state [127.0.0.1]
Jun 29 17:01:10 imap-test dovecot: imap-login: Warning: SSL: where=0x1001, ret=1: SSLv3 read server hello A [127.0.0.1]
Jun 29 17:01:10 imap-test dovecot: imap-login: Invalid certificate: self signed certificate in certificate chain: /C=US/ST=State/L=City/O=COMPANY/OU=IT/CN=COMPANY CA/emailAddress=i...@domain.com
Jun 29 17:01:10 imap-test dovecot: imap-login: Invalid

Re: [Dovecot] Proxy config help please

2012-06-30 Thread Charles Marcus

On 2012-06-29 5:41 PM, Zac Israel wrote:

> The system at 172.16.0.13 is a zimbra proxy.  I can see in the logs
> that it initially complains about my ssl cert, and if I remove
> ssl=any-cert it fails because my cert is self signed, so I know it is
> talking to the proxy and doing starttls which is a requirement of
> zimbra.  Unfortunately I have not found a way to see the full exchange
> between dovecot and my zimbra proxy other than tcp dump, which just
> shows a small packet exchange.


And unfortunately you failed to provide critical evidence - in this case 
the actual logs (and the tcpdump since you already have it) of a failed 
session, rather than your interpretation of it. But at least you 
provided your config (Timo is so good that often that is enough by 
itself, but even his crystal ball sometimes has problems).


I have found over the years that if you are having a problem to the 
point that you need to ask for help, it is time to step back and take a 
fresh look at *everything* - including having other eyes looking at 
*all* of the evidence.


--

Best regards,

Charles


[Dovecot] Proxy config help please

2012-06-29 Thread Zac Israel
Hello, I am new to dovecot and I am initially trying to setup a basic
imap proxy with password forwarding, I can start the dovecot service,
connect and give it my password, and that is where I hang.  My config
is:

root@imap-test:/etc/dovecot# doveconf -n
# 2.0.19: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-24-generic x86_64 Ubuntu 12.04 LTS
auth_debug = yes
auth_verbose = yes
debug_log_path = syslog
first_valid_uid = 100
imap_capability = CAPABILITY IMAP4rev1 ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ LOGIN-REFERRALS MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST
last_valid_uid = 200
mail_debug = yes
mail_gid = 107
mail_uid = 107
passdb {
  args = proxy=proxy_always nopassword=y host=172.16.0.13 port=143 proxy_timeout=5 starttls=y ssl=any-cert
  driver = static
}
protocols = imap
service imap-login {
  inet_listener imap {
    address = *
    port = 143
  }
}
ssl = required
ssl_cert =