Re: [Dovecot] Dovecot LDAP issue
On Mon, 7 Apr 2014, Deeztek Support wrote:

> On 4/7/2014 6:13 PM, Reindl Harald wrote:
>> Am 07.04.2014 23:47, schrieb Deeztek Support:
>>> On 4/7/2014 4:42 PM, Christian Schmidt wrote:
>>>> 7.04.2014 20:43, Deeztek Support:
>>>>> On 4/7/2014 2:08 PM, Oscar del Rio wrote:
>>>>>> On 04/ 7/14 01:46 PM, Deeztek Support wrote:
>>>>>>> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
>>>>>>>
>>>>>>> Sender address rejected: User unknown in virtual mailbox table #SMTP#.
>>>>>>
>>>>>> Looks like a Postfix error, not Dovecot.
>>>>>
>>>>> I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.
>>>>
>>>> "User unknown in virtual mailbox table" is what *postfix* tells you. Dovecot does not do SMTP (yet). Thus, I suppose that dovecot doesn't get involved at all (although this depends on your configuration). I recommend checking the restrictions you defined in your postfix configuration.
>>>
>>> The reason I think it's Dovecot generating the error is because when the IP address of the sending server is not in the mynetworks directive of postfix I get the following error
>>
>> why in the world do you strip logs?
>> syslog contains even the process who generates an entry and so there is not much to guess if you *really* look at the log
>
> I'm not stripping any logs. The error I put is from the bounce message. The syslog says the following:
>
> Apr 7 17:39:39 ewa postfix/pipe[7134]: E35AE860B26: to=some...@domain.tld, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output:
>
> So mystery solved, it really is dovecot generating the error. Question remains, can someone please tell me how to get Dovecot to do LDAP lookups from the AD root?

The primary question is: Does

ldapsearch -H ldap://server.domain.tld:389 \
  -b dc=domain,dc=tld -D ... -W \
  '(&(userPrincipalName=user)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

return the user?

How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx

-- 
Steffen Kaiser
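The ldapsearch above has three moving parts: the base DN, the scope, and the filter, whose last clause uses the Active Directory bitwise matching rule (OID 1.2.840.113556.1.4.803, LDAP_MATCHING_RULE_BIT_AND) against userAccountControl bit 2 (ADS_UF_ACCOUNTDISABLE) to leave disabled accounts out. The following is an added example for this thread, not code from the list or from Dovecot or OpenLDAP: a small offline model of such a search, run against a constructed directory with one user in ou=testou, one in another OU and one disabled account, so the effect of changing the base DN can be seen without a domain controller. Every DN, attribute value and account below is constructed.

```python
"""Offline model of an LDAP search (base DN, scope, RFC 4515 filter subset)
against a constructed AD-like directory. Added example for the thread, not
code from the list or from Dovecot/OpenLDAP; all entries are constructed.
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed directory: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = {
    "CN=alice,OU=testou,DC=domain,DC=tld": {
        "objectClass": ["person", "user"],
        "userPrincipalName": ["alice@domain.tld"],
        "userAccountControl": ["512"],            # NORMAL_ACCOUNT
    },
    "CN=bob,OU=exchange,DC=domain,DC=tld": {      # outside ou=testou
        "objectClass": ["person", "user"],
        "userPrincipalName": ["bob@domain.tld"],
        "userAccountControl": ["512"],
    },
    "CN=carol,OU=testou,DC=domain,DC=tld": {
        "objectClass": ["person", "user"],
        "userPrincipalName": ["carol@domain.tld"],
        "userAccountControl": ["514"],            # NORMAL_ACCOUNT | ACCOUNTDISABLE
    },
}

# attribute, optional ":<matching rule OID>:", value
ITEM_RE = re.compile(r"([A-Za-z][\w.;-]*)(?::([0-9.]+):)?=(.*)")


def parse_filter(s):
    """Parse (&...), (|...), (!...) and simple items into a nested tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if s[pos] in "&|":
            op, pos = s[pos], pos + 1
            kids = []
            while s[pos] == "(":
                kids.append(parse())
            node = (op, kids)
        elif s[pos] == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            end = s.index(")", pos)
            m = ITEM_RE.fullmatch(s[pos:end])
            if m is None:
                raise ValueError("unsupported filter item: " + s[pos:end])
            node = ("=", m.groups())      # (attribute, rule OID or None, value)
            pos = end
        if s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    tree = parse()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op, body = node
    if op == "&":
        return all(matches(k, attrs) for k in body)
    if op == "|":
        return any(matches(k, attrs) for k in body)
    if op == "!":
        return not matches(body[0], attrs)
    attr, rule, value = body
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        # True when every bit of the filter value is set in the stored integer.
        return any(int(v) & int(value) == int(value) for v in values)
    if rule is not None:
        raise ValueError("matching rule %s not modelled" % rule)
    if value == "*":                      # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(dn, base, scope):
    """base / onelevel / subtree scoping by DN suffix (case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    below = dn.endswith("," + base)
    if scope == "onelevel":
        return below and "," not in dn[: -len(base) - 1]
    return dn == base or below


def search(base, scope, filt, directory=DIRECTORY):
    """Return the DNs a search with this base, scope and filter would find."""
    tree = parse_filter(filt)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and matches(tree, attrs))


# The thread's filter with the user already substituted.
ENABLED_PERSON = ("(&(userPrincipalName=%s)(objectClass=person)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

if __name__ == "__main__":
    for base in ("ou=testou,dc=domain,dc=tld", "dc=domain,dc=tld"):
        print(base, "->", search(base, "subtree", ENABLED_PERSON % "bob@domain.tld"))
    print("disabled ->", search("dc=domain,dc=tld", "subtree", ENABLED_PERSON % "carol@domain.tld"))
```

With base ou=testou the search for bob finds nothing, with base dc=domain,dc=tld it finds him, and carol is never returned because the bit test on 514 succeeds and the surrounding (!...) negates it; that is the whole point of keeping the userAccountControl clause in a filter used for authentication.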
Re: [Dovecot] Dovecot LDAP issue
On Monday 07 April 2014 13:46:20 Deeztek Support wrote:

> Dovecot version: 2.0.19
>
> ---
> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf
> hosts = server.domain.tld:389
> ldap_version = 3
> auth_bind = yes
> dn = vm...@domain.tld
> dnpass = somepassword
> base = ou=testou,dc=domain,dc=tld
> scope = subtree
> deref = never
> user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_attrs = userPassword=password
> default_pass_scheme = CRYPT
> user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir
> ---

Your %u needs to be matched by the string postfix sends to dovecot (check your master.cf).

As I said in a previous post, this filter is invoked from two parts, with (possibly) different parameters: from authentication, with the username of the client, and from delivery, with usually the e-mail address or whatever you set in postfix. IMHO it is a bad design, but it works as is.
Re: [Dovecot] Dovecot LDAP issue
On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
> The primary question is: Does
>
> ldapsearch -H ldap://server.domain.tld:389 \
>   -b dc=domain,dc=tld -D ... -W \
>   '(&(userPrincipalName=user)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
>
> return the user?

yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.

> How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx

I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.

Dovecot is able to authenticate with active directory as long as the base = parameter in /etc/dovecot/dovecot-ldap.conf is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU.

When I set the base = parameter in /etc/dovecot/dovecot-ldap.conf to the domain root, i.e. instead of having it say:

base = ou=testou,dc=domain,dc=tld

I set it to:

base = dc=domain,dc=tld

so it can look up all users in the entire domain, then dovecot stops authenticating with AD altogether.
Re: [Dovecot] Dovecot LDAP issue
On Tuesday 08 April 2014 05:36:51 Deeztek Support wrote:

> On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
>> The primary question is: Does
>>
>> ldapsearch -H ldap://server.domain.tld:389 \
>>   -b dc=domain,dc=tld -D ... -W \
>>   '(&(userPrincipalName=user)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
>>
>> return the user?
>
> yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.
>
>> How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
>
> I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
>
> Dovecot is able to authenticate with active directory as long as the base = parameter in /etc/dovecot/dovecot-ldap.conf is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU.
>
> When I set the base = parameter in /etc/dovecot/dovecot-ldap.conf to the domain root, i.e. instead of having it say:
>
> base = ou=testou,dc=domain,dc=tld
>
> I set it to:
>
> base = dc=domain,dc=tld
>
> so it can look up all users in the entire domain, then dovecot stops authenticating with AD altogether.

As I already said, authentication is one thing and delivery is another thing. This filter probably receives a different variable as %u when delivering (possibly the mail address or the user part of it, depending on your master.cf). You can use an | in the ldap filter to accommodate that; it's ugly but it works.

-- 
Mihai Bădici
http://mihai.badici.ro
Re: [Dovecot] Dovecot LDAP issue
On 4/8/2014 6:12 AM, Mihai Badici wrote:
> As I already said, authentication is one thing and delivery is another thing. This filter probably receives a different variable as %u when delivering (possibly the mail address or the user part of it, depending on your master.cf). You can use an | in the ldap filter to accommodate that; it's ugly but it works.

In this particular setup the %u variable will encompass the username as well as the email address as they are the same. Unless I'm not understanding what you mean.
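Mihai's point is that the same filter is expanded once with whatever the IMAP client sent as login and once with whatever Postfix hands to dovecot-lda, and that an | clause can cover both shapes. The following is an added example, not Dovecot's code and not a configuration from the thread: an offline model of the %u / %n / %d variable expansion (with the L lowercase modifier that the thread's user_attrs uses) that also applies RFC 4515 escaping to the substituted value, so a login name containing filter metacharacters cannot change the filter's structure. The login names, the combined filter and the sAMAccountName attribute (which a later post on this page recommends for AD) are the example's own choices.

```python
"""Dovecot-style %variable expansion for LDAP filters and user_attrs,
modelled offline. Added example for the thread, not Dovecot's code; the
login names below are constructed.
"""
import re

# %u whole login, %n user part, %d domain part; the optional L lowercases.
VAR_RE = re.compile(r"%(L?)([und%])")

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, username, escape=None):
    """Expand %u, %n, %d (each optionally with L) in template for one login.
    A login without '@' has an empty %d, which is why the thread's
    %Ld/%Ln home path needs a domain-qualified login."""
    user, _, domain = username.partition("@")
    parts = {"u": username, "n": user, "d": domain}

    def sub(m):
        lower, var = m.groups()
        if var == "%":                 # %% is a literal percent sign
            return "%"
        value = parts[var].lower() if lower else parts[var]
        return escape(value) if escape else value

    return VAR_RE.sub(sub, template)


def build_filter(template, username):
    """Filter text with every substituted variable escaped."""
    return expand(template, username, escape=ldap_escape)


# An '|' filter that accepts an e-mail-style login (UPN) as well as a bare
# account name, plus the thread's disabled-account exclusion.
AUTH_OR_DELIVERY_FILTER = ("(&(|(userPrincipalName=%u)(sAMAccountName=%n))"
                           "(objectClass=person)"
                           "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

if __name__ == "__main__":
    for login in ("alice@domain.tld", "alice", "Alice@Domain.TLD"):
        print(login)
        print("  filter:", build_filter(AUTH_OR_DELIVERY_FILTER, login))
        print("  home:  ", expand("/var/vmail/vmail1/%Ld/%Ln/Maildir/", login))
    # Metacharacters in the login are escaped instead of closing the filter.
    print(build_filter("(sAMAccountName=%n)", "al*ice)(cn=*"))
```

Run stand-alone it shows the two shapes the filter takes for "alice@domain.tld" and "alice", that the %Ld/%Ln home path collapses to /var/vmail/vmail1//alice/Maildir/ when the login carries no domain, and that a login such as al*ice)(cn=* ends up as al\2aice\29\28cn=\2a inside the filter rather than as extra filter terms.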
Re: [Dovecot] Dovecot LDAP issue
On Tue, 8 Apr 2014, Deeztek Support wrote:

> Date: Tue, 8 Apr 2014 05:36:51 -0400
> From: Deeztek Support supp...@deeztek.com
> Reply-To: Dovecot Mailing List dovecot@dovecot.org
> To: dovecot@dovecot.org
> Subject: Re: [Dovecot] Dovecot LDAP issue
>
> On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
>> The primary question is: Does
>>
>> ldapsearch -H ldap://server.domain.tld:389 \
>>   -b dc=domain,dc=tld -D ... -W \
>>   '(&(userPrincipalName=user)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
>>
>> return the user?
>
> yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.

You misunderstood the vivid points of this command:

a) the base DN is the one you want, but is not working with Dovecot
b) you perform a LDAP search in the local DC, not in Global Catalog
c) that you've authenticated correctly is just a side effect to know

>> How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
>
> I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
>
> Dovecot is able to authenticate with active directory as long as the base = parameter in /etc/dovecot/dovecot-ldap.conf is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU.
>
> When I set the base = parameter in /etc/dovecot/dovecot-ldap.conf to the domain root, i.e. instead of having it say:
>
> base = ou=testou,dc=domain,dc=tld
>
> I set it to:
>
> base = dc=domain,dc=tld
>
> so it can look up all users in the entire domain, then dovecot stops authenticating with AD altogether.

As the page points out, there are differences between LDAP and GC search in the sense of what results are found. See: http://wiki2.dovecot.org/AuthDatabase/LDAP

  Active Directory
  When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works.

http://technet.microsoft.com/en-us/library/cc978012.aspx

The ldapsearch is to verify that your AD searches more than one OU at all.

-- 
Steffen Kaiser
[Dovecot] Dovecot LDAP issue
Dovecot version: 2.0.19

---
grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf
hosts = server.domain.tld:389
ldap_version = 3
auth_bind = yes
dn = vm...@domain.tld
dnpass = somepassword
base = ou=testou,dc=domain,dc=tld
scope = subtree
deref = never
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir
---

I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:

Sender address rejected: User unknown in virtual mailbox table #SMTP#.

I'm assuming this happens because dovecot is not able to look up that user since that user is outside the testou container. A lot of the AD users are in different places inside the AD structure and I need to be able to configure dovecot to look from the root of the AD structure down. I changed the base to this:

base = dc=domain,dc=tld

but it simply fails to look up any users at that point. How would I go about getting dovecot to start at the top of the domain and look at every nested OU within AD?

thanks a lot
D
Re: [Dovecot] Dovecot LDAP issue
On 04/ 7/14 01:46 PM, Deeztek Support wrote:
> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
>
> Sender address rejected: User unknown in virtual mailbox table #SMTP#.

Looks like a Postfix error, not Dovecot.
Re: [Dovecot] Dovecot LDAP issue
On 4/7/2014 2:08 PM, Oscar del Rio wrote:
> On 04/ 7/14 01:46 PM, Deeztek Support wrote:
>> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
>>
>> Sender address rejected: User unknown in virtual mailbox table #SMTP#.
>
> Looks like a Postfix error, not Dovecot.

I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.
Re: [Dovecot] Dovecot LDAP issue
7.04.2014 20:43, Deeztek Support:
> On 4/7/2014 2:08 PM, Oscar del Rio wrote:
>> On 04/ 7/14 01:46 PM, Deeztek Support wrote:
>>> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
>>>
>>> Sender address rejected: User unknown in virtual mailbox table #SMTP#.
>>
>> Looks like a Postfix error, not Dovecot.
>
> I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.

"User unknown in virtual mailbox table" is what *postfix* tells you. Dovecot does not do SMTP (yet). Thus, I suppose that dovecot doesn't get involved at all (although this depends on your configuration). I recommend checking the restrictions you defined in your postfix configuration.

Kind regards
Christian Schmidt
Re: [Dovecot] Dovecot LDAP issue
On 4/7/2014 4:42 PM, Christian Schmidt wrote:
> 7.04.2014 20:43, Deeztek Support:
>> On 4/7/2014 2:08 PM, Oscar del Rio wrote:
>>> On 04/ 7/14 01:46 PM, Deeztek Support wrote:
>>>> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
>>>>
>>>> Sender address rejected: User unknown in virtual mailbox table #SMTP#.
>>>
>>> Looks like a Postfix error, not Dovecot.
>>
>> I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.
>
> "User unknown in virtual mailbox table" is what *postfix* tells you. Dovecot does not do SMTP (yet). Thus, I suppose that dovecot doesn't get involved at all (although this depends on your configuration). I recommend checking the restrictions you defined in your postfix configuration.
>
> Kind regards
> Christian Schmidt

The reason I think it's Dovecot generating the error is because when the IP address of the sending server is not in the mynetworks directive of postfix I get the following error:

Sender address rejected: not logged in #SMTP#

When I do add the address of the sending server in mynetworks in postfix, the email gets delivered. However, when that person tries to reply to that email, they get the following error:

user unknown. Command output: doveconf:

I realize that's a different error from my original message, I don't remember exactly what I did so I can duplicate the previous error, but the problem still persists. Dovecot is not able to look up the recipient from AD because the recipient is in a different container. I simply need to find out how to get Dovecot to do LDAP lookups from the domain root. When I set the domain root in base = dovecot stops doing ldap lookups and it doesn't work at all.
Re: [Dovecot] Dovecot LDAP issue
On 07.04.2014 23:47, Deeztek Support wrote:
> On 4/7/2014 4:42 PM, Christian Schmidt wrote:
>> 7.04.2014 20:43, Deeztek Support:
>>> On 4/7/2014 2:08 PM, Oscar del Rio wrote:
>>>> On 04/ 7/14 01:46 PM, Deeztek Support wrote:
>>>>> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
>>>>>
>>>>> Sender address rejected: User unknown in virtual mailbox table #SMTP#.
>>>>
>>>> Looks like a Postfix error, not Dovecot.
>>>
>>> I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.
>>
>> "User unknown in virtual mailbox table" is what *postfix* tells you. Dovecot does not do SMTP (yet). Thus, I suppose that dovecot doesn't get involved at all (although this depends on your configuration). I recommend checking the restrictions you defined in your postfix configuration.
>
> The reason I think it's Dovecot generating the error is because when the IP address of the sending server is not in the mynetworks directive of postfix I get the following error

why in the world do you strip logs?

syslog contains even the process who generates an entry and so there is not much to guess if you *really* look at the log
Re: [Dovecot] Dovecot LDAP issue
On 4/7/2014 6:13 PM, Reindl Harald wrote:
> Am 07.04.2014 23:47, schrieb Deeztek Support:
>> On 4/7/2014 4:42 PM, Christian Schmidt wrote:
>>> 7.04.2014 20:43, Deeztek Support:
>>>> On 4/7/2014 2:08 PM, Oscar del Rio wrote:
>>>>> On 04/ 7/14 01:46 PM, Deeztek Support wrote:
>>>>>> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
>>>>>>
>>>>>> Sender address rejected: User unknown in virtual mailbox table #SMTP#.
>>>>>
>>>>> Looks like a Postfix error, not Dovecot.
>>>>
>>>> I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.
>>>
>>> "User unknown in virtual mailbox table" is what *postfix* tells you. Dovecot does not do SMTP (yet). Thus, I suppose that dovecot doesn't get involved at all (although this depends on your configuration). I recommend checking the restrictions you defined in your postfix configuration.
>>
>> The reason I think it's Dovecot generating the error is because when the IP address of the sending server is not in the mynetworks directive of postfix I get the following error
>
> why in the world do you strip logs?
>
> syslog contains even the process who generates an entry and so there is not much to guess if you *really* look at the log

I'm not stripping any logs. The error I put is from the bounce message. The syslog says the following:

Apr 7 17:39:39 ewa postfix/pipe[7134]: E35AE860B26: to=some...@domain.tld, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output:

So mystery solved, it really is dovecot generating the error. Question remains, can someone please tell me how to get Dovecot to do LDAP lookups from the AD root?
Re: [Dovecot] Dovecot+LDAP lda problem
On 10/12/2013 09:00, Zeljko Culek wrote:

Your email looks blank to me, with a jpg NTH logo.

-- 
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
[Dovecot] Dovecot+LDAP lda problem
Hello everyone,

I need some help with Dovecot+LDAP config and local delivery. We're using Dovecot 2.0.9 on Centos 6.4. Before, we used Qmail with the same LDAP. Our LDAP accounts have the attribute deliveryMode which we used for mailing lists (OK, they are in fact mailing groups rather than lists). When the attribute is set to deliveryMode = nolocal Qmail did not deliver mail to the list mailbox, only to the accounts on the list/group.

Now with Dovecot(+postfix) I can't achieve the same behaviour. Can Dovecot be set up not to deliver the mail to the list mailbox if the list has the attribute deliveryMode = nolocal?

This is my /etc/dovecot/conf.d/dovecot-ldap.conf.ext

hosts = xxx.xxx.xxx.xxx
auth_bind = yes
dn = cn=admin,dc=nth,dc=ch
dnpass = xx
ldap_version = 3
base = dc=nth,dc=ch
#deref = always
scope = subtree
user_attrs = mail=user
user_filter = (|(&(objectclass=inetOrgPerson)(mail=%u))(|(mailAlternateAddress=%u)))
pass_attrs = uid=user
pass_filter = (&(objectclass=inetOrgPerson)(|(mail=%u)(mailAlternateAddress=%u)))
default_pass_scheme = CRYPT

Basically, I want to make a check:

if deliveryMode=nolocal
    do not deliver to mail=some.m...@tld.com (only to mailForwardingAddress)
else
    deliver normally :)

Thnx,
Zeljko
Re: [Dovecot] Dovecot+LDAP lda problem
I'll try to simplify to be more understandable:

I have a mailing group (or list if you prefer) e.g. develop...@nth.ch. This group has many recipients, defined with LDAP attribute mailForwardingAddress for develop...@nth.ch. Those recipients can be both internal (nth.ch) and external (any other domain - gmail, yahoo, etc.).

So, when mail is sent to develop...@nth.ch, it is delivered to all of the recipients in mailForwardingAddress, but also to the develop...@nth.ch mailbox; with qmail, that mailbox didn't even exist, i.e. mail was delivered only to mailForwardingAddress recipients, and no develop...@nth.ch mailbox was created or delivered a message.

So, that's what I want to achieve - mail to be delivered only to mailForwardingAddress recipient mailboxes. So, deliveryMode=nolocal with qmail meant - don't deliver mail to mail=something, only deliver to mailForwardingAddress=something.

Zeljko

On 10.12.2013 08:22, Steffen Kaiser wrote:
> On Tue, 10 Dec 2013, Zeljko Culek wrote:
>> I need some help with Dovecot+LDAP config and local delivery. We're using Dovecot 2.0.9 on Centos 6.4. Before, we used Qmail with the same LDAP. Our LDAP accounts have the attribute deliveryMode which we used for mailing lists (OK, they are in fact mailing groups rather than lists). When the attribute is set to deliveryMode = nolocal Qmail did not deliver mail to the list mailbox, only to the accounts on the list/group.
>
> So, there are multiple recipients per mail group? Or can the recipient be external?
>
>> Now with Dovecot(+postfix) I can't achieve the same behaviour. Can Dovecot be set up not to deliver the mail to the list mailbox if the list has the attribute deliveryMode = nolocal?
>>
>> This is my /etc/dovecot/conf.d/dovecot-ldap.conf.ext
>>
>> hosts = xxx.xxx.xxx.xxx
>> auth_bind = yes
>> dn = cn=admin,dc=nth,dc=ch
>> dnpass = xx
>> ldap_version = 3
>> base = dc=nth,dc=ch
>> #deref = always
>> scope = subtree
>> user_attrs = mail=user
>> user_filter = (|(&(objectclass=inetOrgPerson)(mail=%u))(|(mailAlternateAddress=%u)))
>> pass_attrs = uid=user
>> pass_filter = (&(objectclass=inetOrgPerson)(|(mail=%u)(mailAlternateAddress=%u)))
>> default_pass_scheme = CRYPT
>>
>> Basically, I want to make a check:
>>
>> if deliveryMode=nolocal
>>     do not deliver to mail=some.m...@tld.com (only to mailForwardingAddress)
>> else
>>     deliver normally
>
> If my above statement is true, this is the job of postfix to split the delivery into all recipients, possibly sending the message off the host. As it was with qmail.
>
> -- 
> Steffen Kaiser
Re: [Dovecot] Dovecot+LDAP lda problem
On Tue, 10 Dec 2013, Zeljko Culek wrote:

> I'll try to simplify to be more understandable:
>
> I have a mailing group (or list if you prefer) e.g. develop...@nth.ch. This group has many recipients, defined with LDAP attribute mailForwardingAddress for develop...@nth.ch. Those recipients can be both internal (nth.ch) and external (any other domain - gmail, yahoo, etc.).
>
> So, when mail is sent to develop...@nth.ch, it is delivered to all of the recipients in mailForwardingAddress, but also to the develop...@nth.ch mailbox; with qmail, that mailbox didn't even exist, i.e. mail was delivered only to mailForwardingAddress recipients, and no develop...@nth.ch mailbox was created or delivered a message.
>
> So, that's what I want to achieve - mail to be delivered only to mailForwardingAddress recipient mailboxes. So, deliveryMode=nolocal with qmail meant - don't deliver mail to mail=something, only deliver to mailForwardingAddress=something.

OK, that's definitely the job of postfix. See http://www.linuxtopia.org/online_books/mail_systems/postfix_documentation/ADDRESS_REWRITING_README_005.html

/usr/sbin/sendmail -bv develop...@nth.ch

must not return develop...@nth.ch as recipient. Also check out postmap to see what the query actually returns. Maybe, someone has aliased a recipient back to develop...@nth.ch.

> On 10.12.2013 08:22, Steffen Kaiser wrote:
>> On Tue, 10 Dec 2013, Zeljko Culek wrote:
>>> I need some help with Dovecot+LDAP config and local delivery. We're using Dovecot 2.0.9 on Centos 6.4. Before, we used Qmail with the same LDAP. Our LDAP accounts have the attribute deliveryMode which we used for mailing lists (OK, they are in fact mailing groups rather than lists). When the attribute is set to deliveryMode = nolocal Qmail did not deliver mail to the list mailbox, only to the accounts on the list/group.
>>
>> So, there are multiple recipients per mail group? Or can the recipient be external?
>>
>>> Now with Dovecot(+postfix) I can't achieve the same behaviour. Can Dovecot be set up not to deliver the mail to the list mailbox if the list has the attribute deliveryMode = nolocal?
>>>
>>> This is my /etc/dovecot/conf.d/dovecot-ldap.conf.ext
>>>
>>> hosts = xxx.xxx.xxx.xxx
>>> auth_bind = yes
>>> dn = cn=admin,dc=nth,dc=ch
>>> dnpass = xx
>>> ldap_version = 3
>>> base = dc=nth,dc=ch
>>> #deref = always
>>> scope = subtree
>>> user_attrs = mail=user
>>> user_filter = (|(&(objectclass=inetOrgPerson)(mail=%u))(|(mailAlternateAddress=%u)))
>>> pass_attrs = uid=user
>>> pass_filter = (&(objectclass=inetOrgPerson)(|(mail=%u)(mailAlternateAddress=%u)))
>>> default_pass_scheme = CRYPT
>>>
>>> Basically, I want to make a check:
>>>
>>> if deliveryMode=nolocal
>>>     do not deliver to mail=some.m...@tld.com (only to mailForwardingAddress)
>>> else
>>>     deliver normally
>>
>> If my above statement is true, this is the job of postfix to split the delivery into all recipients, possibly sending the message off the host. As it was with qmail.
>>
>> -- 
>> Steffen Kaiser

-- 
Steffen Kaiser
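Steffen's point that splitting the group into its recipients is Postfix's job, not Dovecot's, can be expressed as an LDAP-backed virtual alias map: when the looked-up recipient carries deliveryMode=nolocal, the lookup returns only its mailForwardingAddress values, and Postfix replaces the recipient with them before any mailbox lookup happens, so the group address itself never reaches dovecot-lda. The fragment below is an added example, not configuration from the thread or from the Postfix documentation: the table file name is assumed, the server address, bind DN, password placeholder, search base and attribute names are the ones in Zeljko's dovecot-ldap.conf.ext, and %s is Postfix's placeholder for the address being looked up.

```ini
# /etc/postfix/ldap-nolocal-groups.cf   (file name assumed for this example)
server_host = xxx.xxx.xxx.xxx
version = 3
bind = yes
bind_dn = cn=admin,dc=nth,dc=ch
bind_pw = xx
search_base = dc=nth,dc=ch
scope = sub

# Only groups flagged nolocal match; any other address gets no result here
# and falls through to the normal virtual mailbox lookup.
query_filter = (&(mail=%s)(deliveryMode=nolocal))

# The result replaces the recipient, so the group's own mailbox is never used.
result_attribute = mailForwardingAddress
```

Reference the table from main.cf with virtual_alias_maps = ldap:/etc/postfix/ldap-nolocal-groups.cf (prepended to whatever alias maps are already there), then query it with postmap -q on the group address: the answer should be only the forwarding addresses, and, as Steffen says, sendmail -bv on the group address must not list the group itself. If a mailForwardingAddress value points back at the group, the alias expands to the group again and the local delivery reappears, which is the loop to look for.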
Re: [Dovecot] Dovecot+LDAP lda problem
On Tue, 10 Dec 2013, Zeljko Culek wrote:

> I need some help with Dovecot+LDAP config and local delivery. We're using Dovecot 2.0.9 on Centos 6.4. Before, we used Qmail with the same LDAP. Our LDAP accounts have the attribute deliveryMode which we used for mailing lists (OK, they are in fact mailing groups rather than lists). When the attribute is set to deliveryMode = nolocal Qmail did not deliver mail to the list mailbox, only to the accounts on the list/group.

So, there are multiple recipients per mail group? Or can the recipient be external?

> Now with Dovecot(+postfix) I can't achieve the same behaviour. Can Dovecot be set up not to deliver the mail to the list mailbox if the list has the attribute deliveryMode = nolocal?
>
> This is my /etc/dovecot/conf.d/dovecot-ldap.conf.ext
>
> hosts = xxx.xxx.xxx.xxx
> auth_bind = yes
> dn = cn=admin,dc=nth,dc=ch
> dnpass = xx
> ldap_version = 3
> base = dc=nth,dc=ch
> #deref = always
> scope = subtree
> user_attrs = mail=user
> user_filter = (|(&(objectclass=inetOrgPerson)(mail=%u))(|(mailAlternateAddress=%u)))
> pass_attrs = uid=user
> pass_filter = (&(objectclass=inetOrgPerson)(|(mail=%u)(mailAlternateAddress=%u)))
> default_pass_scheme = CRYPT
>
> Basically, I want to make a check:
>
> if deliveryMode=nolocal
>     do not deliver to mail=some.m...@tld.com (only to mailForwardingAddress)
> else
>     deliver normally

If my above statement is true, this is the job of postfix to split the delivery into all recipients, possibly sending the message off the host. As it was with qmail.

-- 
Steffen Kaiser
Re: [Dovecot] dovecot-ldap : can't find user in OU subtree // solved
On 31.10.2013 01:11, m...@electronico.nc wrote:
> On 31/10/2013 10:42, Achim Gottinger wrote:
>> On 30.10.2013 21:17, m...@electronico.nc wrote:
>>> Hello and thanks for your answer.
>>>
>>> On 30/10/2013 19:32, Steffen Kaiser wrote:
>>>> On Wed, 30 Oct 2013, m...@electronico.nc wrote:
>>>>> passdb {
>>>>>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>>>>   driver = ldap
>>>>> }
>>>>>
>>>>> /etc/dovecot/dovecot-ldap-passdb.conf.ext:
>>>>> hosts = localhost
>>>>> auth_bind = yes
>>>>> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
>>>>
>>>> You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
>>>>
>>>>> ldap_version = 3
>>>>> base = ou=users,dc=domain,dc=lan
>>>>> scope = subtree
>>>>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>>
>> You should use
>>
>> /etc/dovecot/dovecot-ldap-passdb.conf.ext
>> hosts = localhost
>> dn = cn=ldap,cn=Users,DC=domain,DC=lan
>> dnpass = My_secret_pass
>> auth_bind = yes
>> ldap_version = 3
>> base = OU=users,DC=domain,DC=lan
>> scope = subtree
>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))
>>
>> That way pass_filter should match cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well.
>> Take a look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds "DN lookup vs. DN template".
>
> Hello Achim,
>
> Thanks for your answer :-)
> Sure it works OK, as soon as I specify dn dnpass (that I omitted in passdb... :-[ )
>
> Many thanks again !
> Nicolas

The problem was auth_bind_userdn which only matched users in OU=users. If you use that type of password check pass_filter is not used. Now dovecot binds as user dn first, does a lookup of the user's dn via pass_filter and uses the result as the dn for the password verification via a second bind to ldap.

If you use the LDAP Server from an Active Directory I'd recommend you use

pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))

Because if you use Windows Remote Admin Tools to create users the user's dn is usually something like dn=cn=[Full Name],ou=Users,dc=domain,dc=lan and cn=[Full Name]. sAMAccountName however holds the user's login name.
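The two auth_bind styles Achim contrasts (the "DN lookup vs. DN template" section of the AuthBinds wiki page he links) differ in whether a search happens at all: with auth_bind_userdn the DN is built from the login name and bound directly, so only entries exactly under the literal OU can ever match, whereas with dn/dnpass plus pass_filter Dovecot binds as a service account, searches the whole subtree, and then binds as the DN it found. The following is an added example, not Dovecot's code: an offline model of both styles against a constructed directory with one user directly in OU=users and one in a sub-OU, and with both cn and sAMAccountName as candidate login attributes so Achim's last remark can be seen too. The service account, passwords and entries are constructed; the 'password' attribute stands in for whatever secret the real server verifies on a simple bind.

```python
"""Offline model of Dovecot's two auth_bind styles (DN template versus DN
lookup) against a constructed directory. Added example for the thread, not
Dovecot's code; every entry, DN and secret below is constructed.
"""

DIRECTORY = {
    "CN=ldap,CN=Users,DC=domain,DC=lan": {
        "objectClass": ["person"], "cn": ["ldap"], "password": ["svc-secret"]},
    "CN=Nicolas,OU=users,DC=domain,DC=lan": {
        "objectClass": ["person"], "cn": ["Nicolas"], "sAMAccountName": ["nicolas"],
        "mail": ["nicolas@domain.lan"], "password": ["pw-nicolas"]},
    "CN=Alice Admin,OU=administrative,OU=users,DC=domain,DC=lan": {
        "objectClass": ["person"], "cn": ["Alice Admin"], "sAMAccountName": ["alice"],
        "mail": ["alice@domain.lan"], "password": ["pw-alice"]},
}


def lookup_dn(dn):
    """Case-insensitive DN lookup; None when the entry does not exist."""
    for entry_dn, attrs in DIRECTORY.items():
        if entry_dn.lower() == dn.lower():
            return attrs
    return None


def simple_bind(dn, password):
    """Model of an LDAP simple bind: DN must exist and the secret must match."""
    attrs = lookup_dn(dn)
    return attrs is not None and password in attrs.get("password", [])


def in_subtree(dn, base):
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def auth_dn_template(username, password,
                     template="cn=%u,OU=users,dc=domain,dc=lan"):
    """auth_bind_userdn style: build the DN from the login and bind at once.
    No search happens, so an entry in a sub-OU can never match the template."""
    return simple_bind(template.replace("%u", username), password)


def auth_dn_lookup(username, password, login_attr="cn",
                   base="OU=users,DC=domain,DC=lan",
                   service_dn="cn=ldap,cn=Users,DC=domain,DC=lan",
                   service_pw="svc-secret"):
    """dn/dnpass + pass_filter style: bind as the service account, search the
    subtree for (&(objectClass=person)(<login_attr>=%u)(mail=*)), then bind
    as the DN that was found. Exactly one hit is required; anything else
    fails closed."""
    if not simple_bind(service_dn, service_pw):
        return False
    hits = [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base)
            and "person" in attrs.get("objectClass", [])
            and any(v.lower() == username.lower() for v in attrs.get(login_attr, []))
            and attrs.get("mail")]
    if len(hits) != 1:
        return False
    return simple_bind(hits[0], password)


if __name__ == "__main__":
    print("template, user in OU=users:  ", auth_dn_template("Nicolas", "pw-nicolas"))
    print("template, user in sub-OU:    ", auth_dn_template("Alice Admin", "pw-alice"))
    print("lookup by cn, sub-OU:        ", auth_dn_lookup("Alice Admin", "pw-alice"))
    print("lookup by sAMAccountName:    ",
          auth_dn_lookup("alice", "pw-alice", login_attr="sAMAccountName"))
    print("lookup by cn with login name:", auth_dn_lookup("alice", "pw-alice"))
```

The template succeeds for Nicolas and fails for the user in OU=administrative; the lookup finds her wherever she sits under the base. The last line shows Achim's point: with cn in the filter the login name "alice" matches nothing, because cn holds the display name, while sAMAccountName holds the account name.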
Re: [Dovecot] dovecot-ldap : can't find user in OU subtree
On 30.10.2013 21:17, m...@electronico.nc wrote:
> Hello and thanks for your answer.
>
> On 30/10/2013 19:32, Steffen Kaiser wrote:
>> On Wed, 30 Oct 2013, m...@electronico.nc wrote:
>>> passdb {
>>>   args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
>>>   driver = ldap
>>> }
>>>
>>> /etc/dovecot/dovecot-ldap-passdb.conf.ext:
>>> hosts = localhost
>>> auth_bind = yes
>>> auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan
>>
>> You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan
>>
>>> ldap_version = 3
>>> base = ou=users,dc=domain,dc=lan
>>> scope = subtree
>>> pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

You should use

/etc/dovecot/dovecot-ldap-passdb.conf.ext
hosts = localhost
dn = cn=ldap,cn=Users,DC=domain,DC=lan
dnpass = My_secret_pass
auth_bind = yes
ldap_version = 3
base = OU=users,DC=domain,DC=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

That way pass_filter should match cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well.

Take a look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds "DN lookup vs. DN template".
Re: [Dovecot] dovecot-ldap : can't find user in OU subtree // solved
On 31/10/2013 10:42, Achim Gottinger wrote:
On 30.10.2013 21:17, m...@electronico.nc wrote:
Hello and thanks for your answer.
On 30/10/2013 19:32, Steffen Kaiser wrote:
On Wed, 30 Oct 2013, m...@electronico.nc wrote:

passdb {
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
  driver = ldap
}

/etc/dovecot/dovecot-ldap-passdb.conf.ext:

hosts = localhost
auth_bind = yes
auth_bind_userdn = cn=%u,OU=users,dc=domain,dc=lan

You define your bind DN as cn=%u,OU=users,dc=domain,dc=lan

ldap_version = 3
base = ou=users,dc=domain,dc=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

You should use

/etc/dovecot/dovecot-ldap-passdb.conf.ext
hosts = localhost
dn = cn=ldap,cn=Users,DC=domain,DC=lan
dnpass = My_secret_pass
auth_bind = yes
ldap_version = 3
base = OU=users,DC=domain,DC=lan
scope = subtree
pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

That way pass_filter should match cn=%u,OU=administrative,OU=Users,DC=domain,DC=lan as well. Take a look at http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, "DN lookup vs. DN template".

Hello Achim,
Thanks for your answer :-)
Sure, it works OK as soon as I specify dn and dnpass (which I omitted in passdb... :-[ )
Many thanks again!
Nicolas
Re: [Dovecot] dovecot+LDAP/AD encoding issue
Hi Matthew,

You mentioned Roundcube earlier. I notice this in Roundcube's default main.inc.php:

// Password charset.
// Use it if your authentication backend doesn't support UTF-8.
// Defaults to ISO-8859-1 for backward compatibility
$rcmail_config['password_charset'] = 'ISO-8859-1';

...so changing that to UTF-8 may fix the problem so far as Roundcube is concerned. But you may still face a problem with other clients. We just discussed Thunderbird's behaviour a few days back...

D'oh... This fixed it. I hadn't taken this into account yet because of the dumpio log, which told me this was already a UTF-8 encoded string...

[Tue Aug 07 10:56:37 2012] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-TRANSIENT): _pass=T%C3%A4st1234

Now the authentication works within Roundcube... Thanks for the hint.

Greetings,
Helge

Helge Wiethoff
Medienzentrum (Media Centre)
Phone: +49 (234) 968 8717
Fax: +49 (234) 968 3453
E-mail: wieth...@tfh-bochum.de
Technische Fachhochschule Georg Agricola für Rohstoff, Energie und Umwelt zu Bochum
State-recognised university of applied sciences of DMT-Gesellschaft für Lehre und Bildung mbH
Herner Straße 45, 44787 Bochum
http://www.tfh-bochum.de
Sponsoring body: DMT-Gesellschaft für Lehre und Bildung mbH
Registered office: Bochum
Register court: Amtsgericht Bochum, commercial register B 4052
Management: Prof. Dr. Jürgen Kretschmann (Chairman), Manfred Freitag
Re: [Dovecot] dovecot+LDAP/AD encoding issue
Hello Daniel,

Daniel Parthey wrote:
Probably you are interested in reading the discussion from 2008: http://www.dovecot.org/list/dovecot/2008-November/035263.html
I think a simple and robust solution would be to limit the allowed characters for user passwords in your password management system to 7-bit ASCII characters (only) and reset the passwords of all users having any login problems.

Thanks for the link! I think I understood the major problem. But there is one point I couldn't find out: from the dovecot auth log I traced a password (Täst1234) with an umlaut:

D-AS01:/var/log # grep st1234\) mail | cut -c 127-134 | hexdump -C
00000000  54 e4 73 74 31 32 33 34 0a                       |T.st1234.|
00000009

As you can see this is ISO-8859-1: e4 -- ä

But the first incoming string from the client was UTF-8 encoded!?

[Tue Aug 07 10:56:37 2012] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-TRANSIENT): _pass=T%C3%A4st1234

Anyway... I guess I have to force our users to 7-bit characters :-(

Greetings,
Helge
Re: [Dovecot] dovecot+LDAP/AD encoding issue
On 2012-08-08, at 7.56, Wiethoff, Helge wieth...@tfh-bochum.de wrote:
As you can see this is ISO-8859-1: e4 -- ä
But the first incoming string from the client was UTF-8 encoded!?
[Tue Aug 07 10:56:37 2012] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-TRANSIENT): _pass=T%C3%A4st1234
Anyway... I guess I have to force our users to 7-bit characters :-(

You mentioned Roundcube earlier. I notice this in Roundcube's default main.inc.php:

// Password charset.
// Use it if your authentication backend doesn't support UTF-8.
// Defaults to ISO-8859-1 for backward compatibility
$rcmail_config['password_charset'] = 'ISO-8859-1';

...so changing that to UTF-8 may fix the problem so far as Roundcube is concerned. But you may still face a problem with other clients. We just discussed Thunderbird's behaviour a few days back...

-- Matthew Powell matt...@atom.net
[Dovecot] dovecot+LDAP/AD encoding issue
Hello everybody,

I have a problem with dovecot + Active Directory as authentication service. I am not able to use special characters (äöüß, German umlauts) within a password. Normally I would assume that the ldap query is done in UTF-8, but as I debugged the auth process I have seen that the password is ISO-8859-1 encoded. The original query (from Roundcube, for example) is UTF-8 encoded (I dumped the POST query). So far I wasn't able to find my error by myself or by searching the web. Maybe someone of you can give me a hint :-)

Thanks and greetings from Germany,
Helge

dovecot --version
2.0.16

D-AS01:/etc/dovecot # grep -v '^ *\(#.*\)\?$' dovecot-ldap.conf.ext
uris = ldap://10.37.5.90
dn = CN=ldap-d-as01,CN=Users,DC=tfh-bochum,DC=de
dnpass =
auth_bind = yes
ldap_version = 3
base = ou=Benutzer, ou=Lehre, dc=tfh-bochum, dc=de
user_attrs = =uid=1,=gid=1,=home=/srv/mail/%Ld/%Ln
user_filter = mail=%u
pass_attrs = =uid=1,=gid=1,=home=/srv/mail/%Ld/%Ln
pass_filter = (&(mail=%u)(!(extensionAttribute3=*)))

dovecot -n
# 2.0.16: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.37.6-0.11-default x86_64 openSUSE 11.4 (x86_64)
auth_debug = yes
auth_mechanisms = plain login
auth_username_translation = %Lu
auth_verbose = yes
mail_location = maildir:~/Maildir
mail_max_userip_connections = 1000
mail_plugins = quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  list = yes
  location =
  prefix = INBOX/
  separator = /
  subscriptions = yes
  type = private
}
namespace {
  list = yes
  location = maildir:%%h/Maildir:INDEX=%h/Maildir/shared/%%u:CONTROL=%h/Maildir/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/srv/mail/shared-mailboxes
  quota = maildir:Quota
  quota_rule = *:storage=1G
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_max_redirects = 10
}
protocols = imap pop3 sieve lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0770
    user = root
  }
}
service imap-login {
  process_min_avail = 4
  service_count = 0
}
service managesieve-login {
  inet_listener sieve {
    address = *
    port = 4190
  }
  inet_listener sieve_deprecated {
    address = *
    port = 2000
  }
  process_min_avail = 2
  service_count = 0
}
ssl_ca = /etc/ssl/certs/tfh_dfn_dtag_cacert.pem
ssl_cert = /etc/ssl/certs/imap.stud.tfh-bochum.de-20110530-cert-302177588.pem
ssl_key = /etc/ssl/private/imap.stud.tfh-bochum.de-20110530.key
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = quota
}
protocol imap {
  mail_plugins = quota acl imap_acl imap_quota
}
protocol pop3 {
  mail_plugins = quota
}

Helge Wiethoff
Re: [Dovecot] dovecot+LDAP/AD encoding issue
Wiethoff, Helge wrote:
Hello everybody,
I have a problem with dovecot + Active Directory as authentication service. I am not able to use special characters (äöüß, German umlauts) within a password. Normally I would assume that the ldap query is done in UTF-8, but as I debugged the auth process I have seen that the password is ISO-8859-1 encoded. The original query (from Roundcube, for example) is UTF-8 encoded (I dumped the POST query). So far I wasn't able to find my error by myself or by searching the web. Maybe someone of you can give me a hint :-)
Thanks and greetings from Germany,
Helge

Hello Helge,

In order to make it work with LDAP, the password transmitted over the IMAP connection needs to be encoded with the same character set as the password used to generate the hash. IMAP does not specify how the mail client should encode the password during the login process. So some older clients use Latin-1 and some newer ones use UTF-8.

Probably you are interested in reading the discussion from 2008: http://www.dovecot.org/list/dovecot/2008-November/035263.html

Possibly you could re-encode your passwords with some IMAP proxy like nginx and the mail and mail_auth modules and detect German umlauts, but such a setup will quickly get complex.

I think a simple and robust solution would be to limit the allowed characters for user passwords in your password management system to 7-bit ASCII characters (only) and reset the passwords of all users having any login problems.

Greetings,
Daniel
-- https://plus.google.com/103021802792276734820
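The charset chain this thread pins down (UTF-8 in the Roundcube POST body, ISO-8859-1 in Dovecot's auth log) and the "re-encode in a proxy" idea Daniel mentions, as an added example that is not part of the thread and not Dovecot's or Roundcube's code. The SSHA helpers stand in for the LDAP server's userPassword check, the salt is fixed only to make the example deterministic, and all byte strings are constructed from the values quoted in the thread:

```python
"""Added example (not from the thread): reproduce the observed charset chain and
verify a password under both charsets, the way a transcoding proxy in front of
Dovecot would. SSHA helpers are a stand-in for the LDAP server; the fixed salt
exists only so that the example is deterministic."""

import base64
import hashlib
import hmac
from urllib.parse import unquote_to_bytes


def form_password_bytes(url_encoded_field: str) -> bytes:
    """Raw bytes of the password as it arrived in the URL-encoded POST body."""
    return unquote_to_bytes(url_encoded_field)


def transcode_for_imap(raw_utf8: bytes, password_charset: str) -> bytes:
    """What a webmail client does before IMAP LOGIN when password_charset is set:
    decode the UTF-8 form data, then re-encode it in the configured charset."""
    return raw_utf8.decode("utf-8").encode(password_charset)


def hexdump_bytes(data: bytes) -> str:
    """The byte column of 'hexdump -C', for comparing with the auth log."""
    return " ".join(f"{b:02x}" for b in data)


def ssha_hash(password: bytes, salt: bytes = b"\x01\x02\x03\x04") -> bytes:
    """{SSHA} value as stored in userPassword (constructed stand-in for the directory)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def ssha_verify(stored: bytes, candidate: bytes) -> bool:
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def verify_any_charset(stored: bytes, received: bytes,
                       charsets=("utf-8", "iso-8859-1")):
    """Try the password exactly as sent, then every charset-to-charset
    transcoding. Returns a label for the form that matched, or None."""
    if ssha_verify(stored, received):
        return "as-sent"
    for src in charsets:
        try:
            text = received.decode(src)
        except UnicodeDecodeError:      # bytes are not valid in this charset
            continue
        for dst in charsets:
            if dst == src:
                continue
            try:
                candidate = text.encode(dst)
            except UnicodeEncodeError:  # e.g. a non-Latin-1 character into ISO-8859-1
                continue
            if ssha_verify(stored, candidate):
                return f"{src}->{dst}"
    return None
```

`transcode_for_imap(form_password_bytes("T%C3%A4st1234"), "iso-8859-1")` yields `54 e4 73 74 31 32 33 34`, exactly the hexdump Helge saw, which is why the log looked Latin-1 although the browser sent UTF-8. A password made only of 7-bit ASCII has identical bytes in both charsets, so it always matches "as-sent"; that is the reason the ASCII-only advice in the thread works for every client. Note that `verify_any_charset` accepts up to three candidate byte strings per login instead of one, so it should only sit where the hash comparison itself is the check, never where the candidates could be replayed as separate bind attempts against a lockout policy.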
[Dovecot] dovecot, ldap and multiple auth_bind_userdn
Hello List!

I'm having some troubles for a client of mine: he has two ldap branches which may contain valid users for imap login...

For now, dovecot is configured so that it uses auth_bind:

uris = ldap://localhost:389/
auth_bind = yes
auth_bind_userdn = uid=%u,ou=user,dc=org
ldap_version = 3
base = dc=artemis
user_attrs =
user_global_uid = 8
user_global_gid = 8
pass_attrs = uid=user
## other options
user_filter = (uid=%u)
pass_filter = (uid=%u)
default_pass_scheme = CRYPT

Unfortunately, I cannot manage to tell him "hey guy, use those two branches": uid=%u,ou=user,dc=org and uid=%u,ou=external,dc=org

Is there a special way to do that? Is it even possible? I cannot modify the ldap tree, so this option is out, unfortunately :(.

My dovecot version:
dovecot --version
1.2.15

Thanks in advance for your answers.

Cheers,
C.
Re: [Dovecot] dovecot, ldap and multiple auth_bind_userdn
On 1.5.2012, at 11.33, Cédric Jeanneret wrote:
Unfortunately, I cannot manage to tell him "hey guy, use those two branches": uid=%u,ou=user,dc=org and uid=%u,ou=external,dc=org
Is there a special way to do that? Is it even possible? I cannot modify the ldap tree, so this option is out, unfortunately :(.

Create two passdb ldap {} sections with different config files using different auth_bind_userdns.
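The two ways Dovecot can arrive at a user's DN before the authentication bind, as an added example that is neither Dovecot's code nor from either thread: a fixed auth_bind_userdn template (what failed for users in a sub-OU in the "can't find user in OU subtree" thread above), several templates tried in order (the effect of Timo's two-passdb answer above), and a service-account search with a filter (the dn/dnpass + pass_filter lookup Achim recommended). The directory, its DNs, attribute values and passwords are all constructed; the search is a minimal model of `(&(objectClass=person)(attr=value))` with `scope = subtree` and does not build a real filter string, so it also skips the LDAP escaping of `%u` that a real filter needs:

```python
"""Added example, not Dovecot's code: a model of DN template vs. DN lookup run
against a constructed in-memory directory. Every DN, attribute and password
below is made up for illustration."""

# Constructed directory: DN -> attributes. Jane lives one OU below where the
# template expects her, and her CN is a full name rather than her login name.
DIRECTORY = {
    "CN=nicolas,OU=users,DC=domain,DC=lan": {
        "objectClass": ["person"], "cn": ["nicolas"],
        "sAMAccountName": ["nicolas"], "mail": ["nicolas@domain.lan"],
        "_password": "secret1",
    },
    "CN=Jane Admin,OU=administrative,OU=users,DC=domain,DC=lan": {
        "objectClass": ["person"], "cn": ["Jane Admin"],
        "sAMAccountName": ["jadmin"], "mail": ["jadmin@domain.lan"],
        "_password": "secret2",
    },
    "CN=ldap,CN=Users,DC=domain,DC=lan": {      # the dn/dnpass service account
        "objectClass": ["person"], "cn": ["ldap"],
        "sAMAccountName": ["ldap"], "_password": "My_secret_pass",
    },
}
# DNs compare case-insensitively, so index them lower-cased.
_BY_DN = {dn.lower(): entry for dn, entry in DIRECTORY.items()}


def simple_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: only an existing DN with the right password succeeds."""
    entry = _BY_DN.get(dn.lower())
    return entry is not None and entry["_password"] == password


def auth_bind_template(template: str, user: str, password: str) -> bool:
    """auth_bind_userdn path: fill in the template and bind as that DN, no search."""
    return simple_bind(template.replace("%u", user), password)


def auth_bind_templates(templates, user: str, password: str) -> bool:
    """Several passdb ldap sections, each with its own template, tried in order."""
    return any(auth_bind_template(t, user, password) for t in templates)


def subtree_search(base: str, attr: str, value: str):
    """Stand-in for pass_filter (&(objectClass=person)(<attr>=<value>)) with
    scope = subtree under `base`. Returns the matching DNs."""
    suffix = "," + base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(suffix)
            and "person" in e["objectClass"]
            and value in e.get(attr, [])]


def auth_bind_lookup(service_dn, service_pw, base, attr, user, password) -> bool:
    """dn/dnpass + pass_filter path: bind as the service account, search for the
    user's DN, refuse anything but exactly one hit, then bind as that DN."""
    if not simple_bind(service_dn, service_pw):
        return False
    hits = subtree_search(base, attr, user)
    if len(hits) != 1:          # no entry, or an ambiguous filter: do not guess
        return False
    return simple_bind(hits[0], password)
```

With the template from the thread, `jadmin` can never log in even with the right password, because `cn=jadmin,OU=users,...` does not exist; the search variant finds her under `OU=administrative` as long as the filter uses `sAMAccountName` (her `cn` is "Jane Admin"). The "exactly one hit" check is what keeps a filter on a non-unique attribute from binding as the wrong entry, and the lookup variant needs a service account with read access to the subtree, which the template variant does not.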
[Dovecot] Dovecot + LDAP login issues
Morning all,

I've managed to work myself into a corner and am hoping someone can help me out. I have OpenLDAP and Dovecot installed based on the following documents:

https://help.ubuntu.com/community/DovecotLDAP
https://help.ubuntu.com/community/OpenLDAPServer

When Dovecot is set up to log in without using LDAP, connections work fine. However, as soon as I change dovecot.conf to use ldap I get the following error when trying to log in:

error in syslog:
dovecot: auth(default): ldap(myuser,10.10.10.10): invalid credentials (given password: myuserpasswd)
dovecot: auth(default): client out: FAIL#0112#011user=myuser

I have checked via phpLDAPadmin that the password I am entering matches what is in the database, so from what I can see the issue lies in how Dovecot is passing the password to OpenLDAP, though I may be way off base here. No special characters in the passphrase other than spaces.

Would anyone be able to shed some light on this?

Server setup and Dovecot config

Ubuntu Server 11.04
# uname -a
Linux base 2.6.38-10-server #46-Ubuntu SMP Tue Jun 28 16:31:00 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Apr 7 2011 18:00:55) $
# dovecot --version
1.2.15

# cat dovecot.conf
base_dir = /var/run/dovecot/
protocols = imaps imap
listen = *
disable_plaintext_auth = no
shutdown_clients = yes
log_timestamp = %Y-%m-%d %H:%M:%S
###ssl_disable = no
ssl_cert_file = /etc/ssl/private/mail_mydomain_com.crt
ssl_key_file = /etc/ssl/private/mail_mydomain_com.key
ssl_ca_file = /etc/ssl/private/comodo-bundle.crt
mail_location = maildir:/home/MAIL/%n
mail_privileged_group = mail
mail_debug = yes
protocol imap {
  ### login_greeting_capability = yes
  imap_client_workarounds = tb-extra-mailbox-sep
}
protocol lda {
  postmaster_address = postmas...@mydomain.com
  hostname = base
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugins = cmusieve
}
auth_verbose = no
auth_debug = yes
auth_debug_passwords = yes
auth default {
  mechanisms = plain
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  # passdb passwd-file {
  #   args = /etc/dovecot/passwd
  # }
  userdb static {
    args = uid=vmail gid=vmail home=/home/MAIL/%n allow_all_users=yes
  }
  user = vmail
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail   # User running Dovecot LDA
      group = vmail  # Or alternatively mode 0660 + LDA user in this group
    }
  }
}
dict {
}
plugin {
}

# cat dovecot-ldap.conf (with a number of commented out lines removed)
# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = localhost
# Distinguished Name - the username used to login to the LDAP server
dn = cn=admin,dc=mydomain
# Password for LDAP server
dnpass = alongpasswd
auth_bind = yes
auth_bind_userdn = uid=%u,ou=Users,dc=mydomain
# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3
# LDAP base. %variables can be used here.
base = ou=Users,dc=mydomain
# Dereference: never, searching, finding, always
deref = never
# Search scope: base, onelevel, subtree
scope = subtree
user_attrs = mail=uid
user_filter = (&(objectClass=posixAccount)(uid=%n))
# Password checking attributes:
pass_attrs = uid=user,userPassword=password
###,homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
# Filter for password lookups
pass_filter = (&(objectClass=posixAccount)(uid=%n))
# Default password scheme. {scheme} before password overrides this.
# List of supported schemes is in: http://wiki.dovecot.org/Authentication
default_pass_scheme = MD5
Re: [Dovecot] dovecot ldap failed to recover
On Wed, 2011-03-30 at 15:26 +0200, Jan-Frode Myklebust wrote:
The problem seemed to start with this log entry:
Mar 29 18:57:21 popimap1 dovecot: auth(default): ldap(us...@example.com,192.168.42.15): Connection appears to be hanging, reconnecting

So far looks ok..

and this suspicious entry a few seconds later:
Mar 29 18:57:41 popimap1 dovecot: auth(default): LDAP: Reply with unknown msgid 2

This probably has something to do with it.

After 18:57:21 it was unable to authenticate any users before I restarted the dovecot service.

I couldn't reproduce this by sending a SIGSTOP to slapd and bringing it back up with SIGCONT. Anyway, for v2.0 this hopefully makes Dovecot fix itself: http://hg.dovecot.org/dovecot-2.0/rev/cef23de90ff1
[Dovecot] dovecot ldap failed to recover
One of our backend pop/imap servers running dovecot v1.2.16 experienced some problems yesterday. It suddenly couldn't authenticate users anymore, flooding the logs with:

pop3-login: Disconnected (auth failed, 1 attempts): user=us...@example.com, method=PLAIN, rip=192.168.42.15, lip=192.168.42.28

The problem seemed to start with this log entry:

Mar 29 18:57:21 popimap1 dovecot: auth(default): ldap(us...@example.com,192.168.42.15): Connection appears to be hanging, reconnecting

and this suspicious entry a few seconds later:

Mar 29 18:57:41 popimap1 dovecot: auth(default): LDAP: Reply with unknown msgid 2

After 18:57:21 it was unable to authenticate any users before I restarted the dovecot service.

Also some of our postfix servers reported ldap lookup failures between 18:56-18:58, but then recovered.

Looking at the ldap server side, we saw no problems logged, but netstat reports there being 3 active ldap sessions towards the dovecot server that failed yesterday, while the dovecot server only has 1:

ldap1$ netstat -na | grep 192.168.42.28
tcp  0  0 192.168.43.2:389  192.168.42.28:44408  ESTABLISHED
tcp  0  0 192.168.43.2:389  192.168.42.28:36464  ESTABLISHED
tcp  0  0 192.168.43.2:389  192.168.42.28:60580  ESTABLISHED

popimap1$ netstat -na | grep 192.168.43.2
tcp  0  0 192.168.42.28:60580  192.168.43.2:389  ESTABLISHED

So it looks to us like there was some problem with either the network or the ldap server for a short period, and that dovecot then wasn't able to recover from this.

-jf
Re: [Dovecot] Dovecot ldap connection reconnecting after inactivity
On Tue, 2010-11-16 at 20:48 -0400, Aliet Santiesteban Sifontes wrote:
Hi people, I have a setup configured using ldap. I have noticed that after a period of user inactivity, if a client opens connections to dovecot the first attempts fail with this:
Nov 16 19:34:43 cl05-02 dovecot: auth: Error: ldap(u...@xxx.xx.xx,172.29.13.26): Connection appears to be hanging, reconnecting
After the connection to ldap has been re-established everything starts working ok. Is this expected behavior or am I missing something??

You have a firewall or something that drops the connection after it has been idling for a while. And when Dovecot continues trying to send another LDAP request, it simply drops the packets instead of even bothering to reject them. Not good.
[Dovecot] Dovecot ldap connection reconnecting after inactivity
Hi people,

I have a setup configured using ldap. I have noticed that after a period of user inactivity, if a client opens connections to dovecot the first attempts fail with this:

Nov 16 19:34:43 cl05-02 dovecot: auth: Error: ldap(u...@xxx.xx.xx,172.29.13.26): Connection appears to be hanging, reconnecting

After the connection to ldap has been re-established everything starts working ok. Is this expected behavior or am I missing something??

Best regards
[Dovecot] Dovecot Ldap Problem
Hi All,

My server is running with Dovecot 1.2.11 and openldap 2.4.17. It was working fine, but suddenly my dovecot auth started to fail sometimes. After restarting dovecot everything works fine again. The slapd log file is showing "deferring operation: too many executing". When I googled I saw that if the client is not properly disconnecting the connection, slapd will give this error. Can you please let me know whether it is a dovecot problem and, if so, why it is occurring?

--
Rgds,
Aravind M D
aravind.divaka...@yukthi.com
Helpdesk Team, Yukthi Systems Pvt Ltd
Ph: 08042351119 08042351120
Re: [Dovecot] Dovecot Ldap Problem
On 10.8.2010, at 7.16, Aravind Divakaran wrote:
My server is running with Dovecot 1.2.11 and openldap 2.4.17. It was working fine, but suddenly my dovecot auth started to fail sometimes. After restarting dovecot everything works fine again. The slapd log file is showing "deferring operation: too many executing". When I googled I saw that if the client is not properly disconnecting the connection, slapd will give this error. Can you please let me know whether it is a dovecot problem and, if so, why it is occurring?

Dovecot never disconnects from the LDAP server. You're using passdb/userdb ldap and not pam_ldap, right?
Re: [Dovecot] Dovecot Ldap Problem
Dovecot never disconnects from the LDAP server. You're using passdb/userdb ldap and not pam_ldap, right?

I am using passdb/userdb ldap, not pam_ldap.

--
Rgds,
Aravind M D
Re: [Dovecot] Dovecot Ldap Problem
On Tue, 2010-08-10 at 18:13 +0550, Aravind Divakaran wrote:
Dovecot never disconnects from the LDAP server. You're using passdb/userdb ldap and not pam_ldap, right?
I am using passdb/userdb ldap, not pam_ldap.

My googling shows: "It means there are too many operations active on the given connection, so further operations on that connection will be queued until some of the active operations complete."

Maybe you need to reduce this:

/* Maximum number of pending requests before delaying new requests. */
#define DB_LDAP_MAX_PENDING_REQUESTS 128

I don't actually know what OpenLDAP's limit is.. Anyway, if so many requests are being queued, it sounds like you're getting more authentication attempts than your server(s) can handle in time. Try enabling Dovecot's auth cache? http://wiki.dovecot.org/Authentication/Caching
Re: [Dovecot] Dovecot Ldap Problem
On Tue, 2010-08-10 at 14:01 +0100, Timo Sirainen wrote:
/* Maximum number of pending requests before delaying new requests. */
#define DB_LDAP_MAX_PENDING_REQUESTS 128

A quick look at OpenLDAP code shows that it defaults to 16 worker threads. I guess I should reduce this to 8 or something. :)
Re: [Dovecot] dovecot ldap search result ordering?
On Mon, 28 Jun 2010 21:22:36 +0100, Timo Sirainen t...@iki.fi wrote:
On Sat, 2010-06-26 at 14:53 +0800, chasye wrote:
It works fine, but some accounts fail to get their domain in pass_attrs. I checked the log. When it succeeds, the result order is mail, uid, userPassword; when it fails, the order is userPassword, uid, mail.
You didn't mention what Dovecot version you're using. Anyway, I guess this is fixed by: http://hg.dovecot.org/dovecot-1.2/rev/a3e4af3df83d

I use Dovecot 1.2.11 from Debian. Maybe I shall try a newer version.

Thanks for your reply.
Re: [Dovecot] dovecot ldap search result ordering?
On Thu, 1 Jul 2010 10:11:23 +0200 (CEST), Steffen Kaiser skdove...@smail.inf.fh-brs.de wrote:
On Sat, 26 Jun 2010, chasye wrote:

pass_attrs = mail=user, uid=userdb_home=/home/xadmin/%d/%$,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = SSHA
user_attrs = mail=user, uid=home=/home/xadmin/%d/%$
user_filter = (&(objectClass=posixAccount)(|(mail=%u)(mailAlias=%u)))

It works fine, but some accounts fail to get their domain in pass_attrs. I checked the log. When it succeeds, the result order is mail, uid, userPassword; when it fails, the order is userPassword, uid, mail. We just use a username to login. I think dovecot can't get the domain before the username is changed to usern...@domain. So can dovecot sort the result?

I guess you have to drop the uid=userdb_home and rely on the second query.

Regards,
-- Steffen Kaiser

I have tried this, but if a user has a mailAlias from another domain, this still does not work as expected. Mails will go to the original domain directory. Maybe it's fixed in a newer version as Timo said. I will try a newer version.

Thanks for your reply.
Re: [Dovecot] dovecot ldap search result ordering?
On Sat, 26 Jun 2010, chasye wrote:

pass_attrs = mail=user, uid=userdb_home=/home/xadmin/%d/%$,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = SSHA
user_attrs = mail=user, uid=home=/home/xadmin/%d/%$
user_filter = (&(objectClass=posixAccount)(|(mail=%u)(mailAlias=%u)))

It works fine, but some accounts fail to get their domain in pass_attrs. I checked the log. When it succeeds, the result order is mail, uid, userPassword; when it fails, the order is userPassword, uid, mail. We just use a username to login. I think dovecot can't get the domain before the username is changed to usern...@domain. So can dovecot sort the result?

I guess you have to drop the uid=userdb_home and rely on the second query.

Regards,
-- Steffen Kaiser
Re: [Dovecot] dovecot ldap search result ordering?
On Sat, 2010-06-26 at 14:53 +0800, chasye wrote:
It works fine, but some accounts fail to get their domain in pass_attrs. I checked the log. When it succeeds, the result order is mail, uid, userPassword; when it fails, the order is userPassword, uid, mail.

You didn't mention what Dovecot version you're using. Anyway, I guess this is fixed by: http://hg.dovecot.org/dovecot-1.2/rev/a3e4af3df83d
[Dovecot] dovecot ldap search result ordering?
I use openLDAP as dovecot pass/user db. Here is the main part of dovecot-ldap.conf:

pass_attrs = mail=user, uid=userdb_home=/home/xadmin/%d/%$,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = SSHA
user_attrs = mail=user, uid=home=/home/xadmin/%d/%$
user_filter = (&(objectClass=posixAccount)(|(mail=%u)(mailAlias=%u)))

It works fine, but some accounts fail to get their domain in pass_attrs. I checked the log. When it succeeds, the result order is mail, uid, userPassword; when it fails, the order is userPassword, uid, mail. We just use a username to login. I think dovecot can't get the domain before the username is changed to usern...@domain. So can dovecot sort the result order, and how?
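The failure mode in this thread, as an added example that is a simplified model and not Dovecot's own expansion code: the `uid=userdb_home=/home/xadmin/%d/%$` template reads `%d` from the user name as it stands at the moment the `uid` attribute is processed, so whether `mail` (which rewrites the user name) has already arrived decides the result. The entry, the login name and the two attribute orders are constructed to match what the log showed; the two-pass expansion at the end is one way to make the result order-independent and is not a claim about what the referenced Dovecot changeset does:

```python
"""Added example, not Dovecot's code: a model of pass_attrs template expansion
showing the attribute-order dependence seen in the thread, plus an
order-independent variant. Entry and attribute orders are constructed."""

PASS_ATTRS = "mail=user, uid=userdb_home=/home/xadmin/%d/%$,userPassword=password"


def parse_pass_attrs(spec: str):
    """'ldapattr=field' or 'ldapattr=field=template' -> [(ldapattr, field, template|None)]."""
    out = []
    for item in spec.split(","):
        ldap_attr, _, rest = item.strip().partition("=")
        field, _, template = rest.partition("=")
        out.append((ldap_attr, field, template or None))
    return out


def expand(template: str, value: str, user: str) -> str:
    """%$ is the attribute's own value, %d the domain part of the *current* user name."""
    domain = user.partition("@")[2]
    return template.replace("%$", value).replace("%d", domain)


def expand_in_arrival_order(spec: str, login_user: str, returned):
    """Expand each attribute as it arrives (the behaviour the thread observed).
    `returned` is the list of (attr, value) pairs in the server's order."""
    mapping = {a: (f, t) for a, f, t in parse_pass_attrs(spec)}
    fields = {"user": login_user}
    for attr, value in returned:
        if attr not in mapping:
            continue
        field, template = mapping[attr]
        fields[field] = expand(template, value, fields["user"]) if template else value
    return fields


def expand_two_pass(spec: str, login_user: str, returned):
    """Order-independent: copy the plain fields (including `user`) first, then
    expand every template against the final user name."""
    mapping = {a: (f, t) for a, f, t in parse_pass_attrs(spec)}
    values = {attr: value for attr, value in returned if attr in mapping}
    fields = {"user": login_user}
    for attr, value in values.items():          # pass 1: plain copies
        field, template = mapping[attr]
        if template is None:
            fields[field] = value
    for attr, value in values.items():          # pass 2: templates
        field, template = mapping[attr]
        if template is not None:
            fields[field] = expand(template, value, fields["user"])
    return fields


# Constructed entry for uid=alice, returned in the two orders seen in the log.
ENTRY_GOOD_ORDER = [("mail", "alice@example.org"), ("uid", "alice"),
                    ("userPassword", "{SSHA}c2FtcGxl")]
ENTRY_BAD_ORDER = list(reversed(ENTRY_GOOD_ORDER))
```

In the bad order the home directory comes out as `/home/xadmin//alice`, i.e. outside the per-domain tree the template intends, which is the practical reason Steffen's advice (drop `uid=userdb_home` from pass_attrs and let the userdb query compute the home) is the safer setup on a version that expands in arrival order.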
[Dovecot] Dovecot LDAP problems
I'm currently trying to configure a Linux mailserver running CentOS to use an Xserve running Snow Leopard. I am configuring the mailserver to run dovecot, sendmail, clamav, spamassassin and squirrelmail so it matches those used by the Mac. The problem I am having is that I cannot get the server to authenticate properly to the Mac's LDAP database. As far as I can tell it is either a problem authenticating passwords, or usernames and passwords. Mail.app says it's the password it can't authenticate; Thunderbird says it could be either. It seems to be a problem in dovecot-ldap.conf (as I can run ldapsearch from the Linux server, authenticate correctly and gain user information).

What I'd like to know is: is there a standard set of settings required to authenticate to the LDAP on the Mac? I'm currently running the OD with no requirements for Kerberos, SSL or anything else; it can authenticate with plain passwords (it will be once it is implemented; I'm trying to have as few variables as possible at the moment).

Copy of dovecot-ldap.conf below:

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:

# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = hostname.com

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris =

# Distinguished Name - the username used to login to the LDAP server
dn = uid=wmuser,cn=#,dc=##,dc=###,dc=###

# Password for LDAP server
dnpass = password

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =

# Use TLS to connect to the LDAP server.
#tls = no

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the
# filename is different in userdb's args). That way one connection is used only
# for LDAP binds and another connection is used for user lookups. Otherwise
# the binding is changed to the default DN before each user lookup.
#
# For example:
auth_bind_userdn = cn=%u,cn=users,dc=##,dc=###,dc=###
#
#auth_bind_userdn =

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
base = dc=##, dc=###, dc=###

# Dereference: never, searching, finding, always
#deref = never

# Search scope: base, onelevel, subtree
#scope = subtree

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/UserDatabase/ExtraFields
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# Filter for user lookup. Some variables can be used (see
# http://wiki.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in u...@domain, same as %u if there's no domain
#   %d - domain part in u...@domain, empty if user there's no domain
user_filter = (&(objectClass=posixAccount)(uid=%u))

# Password checking attributes:
#  user: Virtual user name (u...@domain), if you wish to change the
#        user-given username to something else
#  password: Password, may optionally start with {type}, eg. {crypt}
Re: [Dovecot] Dovecot+LDAP issues
Hey there, first of all, sorry for the late reply, the long Easter weekend got in the way... Answering your questions:

On 31-03-2010 17:13, Hugo Monteiro wrote:
> Hi Daniel,
> Are you using by any chance the slapo-rwm overlay? There is mention in openldap 2.4.13 changelog that prior versions would rewrite an undefined filter.

No, but I'm using the dynlist overlay.

> Have you tried issuing the exact search on both servers, using ldapsearch for instance, and see if they both return the same information?

Yes, I tried it often and they always return the same information (provided the changes aren't very recent, since the extra server updates itself every 6 hours). Like I mentioned, the extra server got an undefined filter, so it really looks like a client side (ie. dovecot) issue and not a server issue.

> Regards, Hugo Monteiro.

On 01-04-2010 08:55, Brian Candler wrote:
> On Wed, Mar 31, 2010 at 02:59:28PM +0100, Daniel Gomes wrote:
>> I am having some problems with a LDAP passdb authentication on Dovecot. Before I forget, the specs: it's a Ubuntu 7.10 server running Dovecot 1.0.5 connecting to 2 different machines running LDAP servers: gold with OpenLDAP 2.4.19 and extra with OpenLDAP 2.4.9 (extra is a replication slave of gold).
> If you can replicate this problem on a test IMAP box pointing to the same two LDAP servers, it might be worth checking whether dovecot-1.2.11 has the same problem. At least, there are more people on this list who would be able to replicate it using current code.

I set up my test box (Ubuntu 9.04) with dovecot 1.1.11 (it's the one available on repositories) and with the same configuration as the production server**, and everything seems to work fine. I tried:
- Both LDAP servers up: as expected, no troubles here
- I stopped the first LDAP server (gold) and verified that after losing the connection, dovecot went to the second server (extra) and I was also able to authenticate (I verified extra's slapd logs to make sure it was really querying it).
- I restarted gold's LDAP and killed extra's, and dovecot went back to (successfully) authenticating users against gold's LDAP.

**: the only difference in the servers' configurations is the use of TLS: I had my main dovecot server with TLS activated (that is, it would use safe connections to the LDAP servers) but it seems to fail randomly on some occasions (even with other tools such as phpLDAPadmin, although it seems to work fine with the ldap* tools). So in my main dovecot server I set tls = no when I first had these issues, whereas on the test machine I decided to try it with tls (tls = yes). But like I mentioned, the troubles came when using TLS, so trying it on the test machine with TLS enabled just helps proving it ain't its fault.

> Also, you could try swapping master and slave around in the dovecot-ldap.conf (i.e. try extra first, then gold). You state that the two LDAP databases are clones, but they are running different versions of openldap, so may behave differently.

I tried this too, and it also worked. I then killed extra's LDAP (now the first on the list) and dovecot successfully authenticated against gold's ldap. I then also killed that server, after which I obviously couldn't login. As expected, bringing extra's LDAP back on restored functionality. As a final test, I re-did these steps (logging in with both LDAPs on, killing the first and then logging in again) with my production server, and it also worked fine.

It really just looks like a random error (I almost wrote bug here but I don't want to blame it on dovecot itself just yet ;-) ) which won't be so easy to reproduce. My fear here is that it will randomly (even if not often) happen while in production and basically bring down the mail system with it (you can imagine the angry customers hehe). Of course I will leave the MySQL passdb after the LDAP one as a safeguard, so that setup should minimize the chances of a total service failure...

> Regards, Brian.
> P.S. Unrelated, but I hope you're aware that Ubuntu 7.10 went out of support on Apr 18th last year? https://wiki.ubuntu.com/Releases

Thanks for the heads up! We (and by we I mean me) are slowly upgrading our servers to the latest LTS version (Hardy), but it's still a work in progress. You reckon the old Ubuntu/dovecot version is contributing to the issue here?

Cheers,
--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: [Dovecot] Dovecot+LDAP issues
On Mon, Apr 05, 2010 at 11:16:04AM +0100, Daniel Gomes wrote:
>> P.S. Unrelated, but I hope you're aware that Ubuntu 7.10 went out of support on Apr 18th last year? https://wiki.ubuntu.com/Releases
> Thanks for the heads up! We (and by we I mean me) are slowly upgrading our servers to the latest LTS version (Hardy), but it's still a work in progress. You reckon the old Ubuntu/dovecot version is contributing to the issue here?

Probably not the old Ubuntu, but quite possibly the old dovecot. There's Lucid LTS just around the corner, although your old Gutsy will need to be updated to Hardy first anyway.
Re: [Dovecot] Dovecot+LDAP issues
On Wed, Mar 31, 2010 at 02:59:28PM +0100, Daniel Gomes wrote:
> I am having some problems with a LDAP passdb authentication on Dovecot. Before I forget, the specs: it's a Ubuntu 7.10 server running Dovecot 1.0.5 connecting to 2 different machines running LDAP servers: gold with OpenLDAP 2.4.19 and extra with OpenLDAP 2.4.9 (extra is a replication slave of gold).

If you can replicate this problem on a test IMAP box pointing to the same two LDAP servers, it might be worth checking whether dovecot-1.2.11 has the same problem. At least, there are more people on this list who would be able to replicate it using current code.

Also, you could try swapping master and slave around in the dovecot-ldap.conf (i.e. try extra first, then gold). You state that the two LDAP databases are clones, but they are running different versions of openldap, so may behave differently.

Regards, Brian.

P.S. Unrelated, but I hope you're aware that Ubuntu 7.10 went out of support on Apr 18th last year? https://wiki.ubuntu.com/Releases
Re: [Dovecot] Dovecot+LDAP issues
On Wed, Mar 31, 2010 at 02:59:28PM +0100, Daniel Gomes wrote:
> Unfortunately, I seemed to have run into a big problem on an occasion when dovecot was unable to connect to my first server (gold) and hence went to the second one (extra).

I set up a simple test by configuring

hosts = 10.1.1.1 x.x.x.x

where x.x.x.x is the real ldap server, and 10.1.1.1 is a non-existent host, and then restarted dovecot. It took dovecot a minute or two to timeout connecting to the first one (during which time an incoming POP3 connection just waited), and then it connected to the second one and from then on authenticated happily. This is dovecot-1.2.11 under FreeBSD 7.2.

So I would suspect that your second LDAP server really is behaving differently.

Actually I forgot the obvious test: just put a single entry in your dovecot-ldap.conf, firstly "hosts = gold" and secondly "hosts = extra", restarting dovecot after each change of course. Then see how the authentication goes. If it works consistently with one and fails consistently with the other, then clearly it's not an issue with failover.

Regards, Brian.
[Dovecot] Dovecot+LDAP issues
Dear list members,

I am having some problems with a LDAP passdb authentication on Dovecot. Before I forget, the specs: it's a Ubuntu 7.10 server running Dovecot 1.0.5 connecting to 2 different machines running LDAP servers: gold with OpenLDAP 2.4.19 and extra with OpenLDAP 2.4.9 (extra is a replication slave of gold).

The initial setup of dovecot was with a MySQL passdb, which is still the first passdb, now followed by my new LDAP passdb, all with a static userdb. Here is my dovecot-ldap.conf (the LDAP passdb) (I switched the domain with example.com for privacy sake):

-
#Server
hosts = gold.example.com extra.example.com
tls = yes
ldap_version = 3
base = ou=people,dc=example,dc=com
scope = onelevel
#uid/gid
user_global_uid = 5000
user_global_gid = 5000
#Bind for reading things
dn = cn=dovecot,ou=people,dc=example,dc=com
dnpass = secret
sasl_bind = no
sasl_mech =
#passdb: use password lookups to authenticate users
auth_bind = no
pass_attrs = userPassword=password #, =userdb_home=/home/vmail/%d/%n
pass_filter = (&(maildrop=%u)(mailacceptinguser=1))
default_pass_scheme = PLAIN-MD5
-

This setup is currently working for some test users (the others are still being auth'ed with the old MySQL passdb). Unfortunately, I seemed to have run into a big problem on an occasion when dovecot was unable to connect to my first server (gold) and hence went to the second one (extra).

Backtracking from the logs (starting with dovecot-error.log):

Mar 31 13:11:50 bunker dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
Mar 31 13:11:50 bunker dovecot: auth-worker(default): LDAP: ldap_result() failed: Can't contact LDAP server

This is when the users stopped being able to login via imap, with the following message being shown on dovecot-info.log:

Mar 31 13:13:00 bunker dovecot: auth(default): ldap(u...@domain.com,xxx.xxx.xxx.xxx): unknown user

(I know, an auth_debug log would be handy here, but it wasn't activated at the time).

I went on to investigate and from the slapd logs I noticed that the second LDAP server (extra) was being contacted for the passdb lookups, thus proving that dovecot considered gold to be dead (it wasn't, but that's a different matter). Anyway, the problem is that dovecot doesn't seem to be able to retrieve the user information from extra. As the slapd log shows:

Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH base=ou=people,dc=example,dc=com scope=1 deref=0 filter=(&(?=undefined)(?=undefined))
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH attr=userPassword
Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SEARCH RESULT tag=101 err=0 nentries=0 text=

For some reason, dovecot sends an undefined filter to extra, even though the same filter works without issues with gold (and remember they are clones). I just can't see how this is caused by any of my configurations! Any ideas?

Thanks in advance,
--
Daniel Gomes
Re: [Dovecot] Dovecot+LDAP issues
On 03/31/2010 02:59 PM, Daniel Gomes wrote:
> Dear list members,
>
> I am having some problems with a LDAP passdb authentication on Dovecot. Before I forget, the specs: it's a Ubuntu 7.10 server running Dovecot 1.0.5 connecting to 2 different machines running LDAP servers: gold with OpenLDAP 2.4.19 and extra with OpenLDAP 2.4.9 (extra is a replication slave of gold).
>
> The initial setup of dovecot was with a MySQL passdb, which is still the first passdb, now followed by my new LDAP passdb, all with a static userdb. Here is my dovecot-ldap.conf (the LDAP passdb) (I switched the domain with example.com for privacy sake):
>
> -
> #Server
> hosts = gold.example.com extra.example.com
> tls = yes
> ldap_version = 3
> base = ou=people,dc=example,dc=com
> scope = onelevel
> #uid/gid
> user_global_uid = 5000
> user_global_gid = 5000
> #Bind for reading things
> dn = cn=dovecot,ou=people,dc=example,dc=com
> dnpass = secret
> sasl_bind = no
> sasl_mech =
> #passdb: use password lookups to authenticate users
> auth_bind = no
> pass_attrs = userPassword=password #, =userdb_home=/home/vmail/%d/%n
> pass_filter = (&(maildrop=%u)(mailacceptinguser=1))
> default_pass_scheme = PLAIN-MD5
> -
>
> This setup is currently working for some test users (the others are still being auth'ed with the old MySQL passdb). Unfortunately, I seemed to have run into a big problem on an occasion when dovecot was unable to connect to my first server (gold) and hence went to the second one (extra).
>
> Backtracking from the logs (starting with dovecot-error.log):
>
> Mar 31 13:11:50 bunker dovecot: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server
> Mar 31 13:11:50 bunker dovecot: auth-worker(default): LDAP: ldap_result() failed: Can't contact LDAP server
>
> This is when the users stopped being able to login via imap, with the following message being shown on dovecot-info.log:
>
> Mar 31 13:13:00 bunker dovecot: auth(default): ldap(u...@domain.com,xxx.xxx.xxx.xxx): unknown user
>
> (I know, an auth_debug log would be handy here, but it wasn't activated at the time).
>
> I went on to investigate and from the slapd logs I noticed that the second LDAP server (extra) was being contacted for the passdb lookups, thus proving that dovecot considered gold to be dead (it wasn't, but that's a different matter). Anyway, the problem is that dovecot doesn't seem to be able to retrieve the user information from extra. As the slapd log shows:
>
> Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH base=ou=people,dc=example,dc=com scope=1 deref=0 filter=(&(?=undefined)(?=undefined))
> Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SRCH attr=userPassword
> Mar 31 13:41:37 extra slapd[31473]: conn=4 op=140 SEARCH RESULT tag=101 err=0 nentries=0 text=
>
> For some reason, dovecot sends an undefined filter to extra, even though the same filter works without issues with gold (and remember they are clones). I just can't see how this is caused by any of my configurations! Any ideas?
>
> Thanks in advance,

Hi Daniel,

Are you using by any chance the slapo-rwm overlay? There is mention in openldap 2.4.13 changelog that prior versions would rewrite an undefined filter.

Have you tried issuing the exact search on both servers, using ldapsearch for instance, and see if they both return the same information?

Regards,

Hugo Monteiro.
-- fct.unl.pt:~# cat .signature Hugo Monteiro Email: hugo.monte...@fct.unl.pt Telefone : +351 212948300 Ext.15307 Web : http://hmonteiro.net Divisão de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.fct.unl.ptap...@fct.unl.pt fct.unl.pt:~# _
[Dovecot] dovecot + ldap
Hi,

I have a configuration with dovecot authenticating to AD. I would like to authenticate using the user logon name in AD, and the mailboxes were created according to the mail field in AD. Does anyone have any idea about this?

my dovecot-ldap:

hosts = xx.xx.xx.xx
base = dc=domain,dc=com
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u

thanks.
--
Bely Silva Junior
Re: [Dovecot] Dovecot LDAP Auth Usernames with dashes
On Fri, 2009-10-02 at 21:20 +0100, Chris Jones wrote:
> We're seeing an issue with LDAP auth when the username contains a - char. We're using 1.0.15 as packaged for Debian Lenny
>
> Oct 2 12:29:02 silver dovecot: auth(default): LDAP: binding failed (dn (none)): Protocol error

Either your LDAP server doesn't like it, or Dovecot should be escaping '-' characters. What does it log with auth_debug=yes? What LDAP server do you use?

If you can compile sources, you could also try adding '-' to IS_LDAP_ESCAPED_CHAR() in src/auth/db-ldap.c
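Timo's reply above turns on whether '-' has to be escaped when a username is substituted into an LDAP filter. As an added illustration (my own code, not Dovecot's db-ldap.c and not from any message in this archive), the Python below expands the Dovecot-style %u, %n, %d and %Lu variables into a filter template such as the pass_filter values posted in this archive and escapes each expanded value per RFC 4515. The variable meanings (full user, user part, domain part, lower-cased user) follow Dovecot's documented variables; the usernames used for demonstration are constructed. It shows that '-' is not a special character in RFC 4515, while '(', ')', '*', '\' and NUL are, which is what keeps a login name from changing the structure of the filter.

```python
"""Added example, not Dovecot's own code: expand Dovecot-style variables into
an LDAP filter template while escaping every substituted value per RFC 4515.
Assumptions: only %u, %n, %d and %Lu are handled, with their documented
Dovecot meanings; anything else in the template is copied verbatim."""

import re

# RFC 4515 section 3: these characters must be encoded as backslash + two hex digits.
# '-' is deliberately absent: it is an ordinary character in a filter value.
_RFC4515_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Match the longest token first so "%Lu" is never read as "%L" + "u".
_VARIABLE_RE = re.compile(r"%Lu|%u|%n|%d")


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for safe inclusion in an LDAP search filter."""
    return "".join(_RFC4515_SPECIAL.get(ch, ch) for ch in value)


def split_user(username: str):
    """Return (user part, domain part); the domain is '' when there is no '@'."""
    user, sep, domain = username.partition("@")
    return user, (domain if sep else "")


def expand_filter(template: str, username: str) -> str:
    """Expand %u, %n, %d and %Lu in *template*, escaping every expansion.

    A single regex pass is used on purpose: substituting in sequence would let
    an escaped value that happens to contain "%u" be expanded a second time.
    """
    user, domain = split_user(username)
    variables = {
        "%Lu": escape_filter_value(username.lower()),
        "%u": escape_filter_value(username),
        "%n": escape_filter_value(user),
        "%d": escape_filter_value(domain),
    }
    return _VARIABLE_RE.sub(lambda m: variables[m.group(0)], template)


if __name__ == "__main__":
    # Filters taken from the configurations posted in this archive; usernames constructed.
    pass_filter = "(&(maildrop=%u)(mailacceptinguser=1))"
    user_filter = "(&(objectClass=mailUser)(mail=%u))"
    print(expand_filter(pass_filter, "john-doe@example.com"))   # '-' passes through unchanged
    print(expand_filter(user_filter, "a*)(uid=*"))               # metacharacters are neutralised
    print(expand_filter("uid=%n", "alice@example.com"))
```

Note that RFC 4515 escaping applies to filter values only; a DN such as the auth_bind_userdn = domain\%u posted earlier in this archive follows the separate DN quoting rules of RFC 4514, so the same function must not be used to build a bind DN.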
Re: [Dovecot] Dovecot Ldap Logs
On Fri, 2008-09-12 at 09:56 +0400, Proskurin Kirill wrote:
> Timo Sirainen wrote:
>>> Info: auth(default): ldap([EMAIL PROTECTED],172.16.1.80): result: accountStatus(?unknown?)= cn(?unknown?)= givenName(?unknown?)= initials(?unknown?)= l(?unknown?)= o(?unknown?)= objectClass(?unknown?)= telephoneNumber(?unknown?)= sn(?unknown?)= title(?unknown?)= uid(?unknown?)= userPassword(?unknown?)= mail(?unknown?)=
> ..
> user_attrs =

Empty user_attrs means Dovecot looks up all the fields from LDAP. ?unknown? means that the field hasn't been mapped to anything and Dovecot uses that field as-is.

You probably won't need userdb ldap at all. Use userdb static instead: http://wiki.dovecot.org/UserDatabase/Static
[Dovecot] Dovecot Ldap Logs
Hello all!

One question about ldap. In my logs I see this:

Info: auth(default): ldap([EMAIL PROTECTED],172.16.1.80): user search: base=dc=CAS scope=subtree filter=(&(objectClass=mailUser)([EMAIL PROTECTED])) fields=(all)
Info: auth(default): ldap([EMAIL PROTECTED],172.16.1.80): result: accountStatus(?unknown?)= cn(?unknown?)= givenName(?unknown?)= initials(?unknown?)= l(?unknown?)= o(?unknown?)= objectClass(?unknown?)= telephoneNumber(?unknown?)= sn(?unknown?)= title(?unknown?)= uid(?unknown?)= userPassword(?unknown?)= mail(?unknown?)=
---

What does that mean? And how can I get rid of this?

--
Best regards,
Proskurin Kirill
Re: [Dovecot] Dovecot Ldap Logs
On Thu, 2008-09-11 at 19:45 +0400, Proskurin Kirill wrote:
> Hello all!
>
> One question about ldap. In my logs I see this:
>
> Info: auth(default): ldap([EMAIL PROTECTED],172.16.1.80): user search: base=dc=CAS scope=subtree filter=(&(objectClass=mailUser)([EMAIL PROTECTED])) fields=(all)
> Info: auth(default): ldap([EMAIL PROTECTED],172.16.1.80): result: accountStatus(?unknown?)= cn(?unknown?)= givenName(?unknown?)= initials(?unknown?)= l(?unknown?)= o(?unknown?)= objectClass(?unknown?)= telephoneNumber(?unknown?)= sn(?unknown?)= title(?unknown?)= uid(?unknown?)= userPassword(?unknown?)= mail(?unknown?)=
> ---
>
> What does that mean? And how can I get rid of this?

Show your dovecot-ldap.conf
Re: [Dovecot] Dovecot Ldap Logs
Timo Sirainen wrote:
>> Info: auth(default): ldap([EMAIL PROTECTED],172.16.1.80): result: accountStatus(?unknown?)= cn(?unknown?)= givenName(?unknown?)= initials(?unknown?)= l(?unknown?)= o(?unknown?)= objectClass(?unknown?)= telephoneNumber(?unknown?)= sn(?unknown?)= title(?unknown?)= uid(?unknown?)= userPassword(?unknown?)= mail(?unknown?)=
>> ---
>>
>> What does that mean? And how can I get rid of this?
>
> Show your dovecot-ldap.conf

%grep -v # /usr/local/etc/dovecot-ldap.conf
hosts = 127.0.0.1
dn = cn=root,dc=CAS
dnpass = secret
tls = no
auth_bind = no
ldap_version = 3
base = dc=CAS
deref = never
scope = subtree
user_attrs =
user_filter = (&(objectClass=mailUser)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailUser)(mail=%u))
default_pass_scheme = CRYPT

--
Best regards,
Proskurin Kirill
[Dovecot] Dovecot, LDAP and something akin to Postfix' table search order from virtual deliver.
hi, I've found this topic while looking for a solution for the way to use 'mail groups' with dovecot and postfix, using dovecot as LDA. I'm not sure if this patch is implemented into the source or not, or maybe there is a 'special' way to have multiple mailboxes served by postfix/dovecot?

--
Maciej Paczesny [EMAIL PROTECTED]
***If electricity hadn't been invented, I'd be sitting in front of the computer by candlelight***
Re: [Dovecot] dovecot + LDAP + SASL?
On Thu, 2007-11-01 at 11:37 +0100, Hadmut Danisch wrote:
> So is there a way to configure dovecot to just pass SASL through to LDAP, allowing the IMAP client to talk SASL with the LDAP server through dovecot?

No, there's no SASL proxying support. But Dovecot doesn't necessarily require a password, you could use auth_bind=yes to support plaintext authentication.
[Dovecot] dovecot + LDAP + SASL?
Hi,

I would like to setup an IMAP server with SASL and LDAP support. As far as I can see dovecot supports SASL and LDAP, but not the way I need it.

If I understand dovecot correctly, it has its own set of SASL mechanisms and uses the LDAP server just to store the plaintext password. In case of authentication dovecot fetches the plaintext password from LDAP and then performs the SASL steps internally.

I need to support proprietary SASL mechanisms built into an LDAP server, which are not based on just a single password. So is there a way to configure dovecot to just pass SASL through to LDAP, allowing the IMAP client to talk SASL with the LDAP server through dovecot?

regards
Hadmut
[Dovecot] dovecot + LDAP-SASL ?
Hi,

just a question: I know that dovecot supports SASL authentication and supports LDAP. Which means that dovecot performs the SASL methods itself and stores the plaintext secret on LDAP.

But is it also possible to have the LDAP do the SASL work and dovecot just pass SASL messages through? Even when the LDAP server uses a proprietary SASL method not supported by dovecot?

regards
Hadmut
Re: [Dovecot] dovecot + LDAP-SASL ?
Hi Hadmut,

You can keep crypted passwords in LDAP also. See man (8) slappasswd:

  -h scheme
    If -h is specified, one of the following RFC 2307 schemes may be specified: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default is {SSHA}.
    Note that scheme names may need to be protected, due to { and }, from expansion by the user's command interpreter.
    {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed.
    {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed.
    {CRYPT} uses the crypt(3).
    {CLEARTEXT} indicates that the new password should be added to userPassword as clear text.

Tuesday, August 7, 2007, 9:38:20 AM, you wrote:
> Hi,
>
> just a question: I know that dovecot supports SASL authentication and supports LDAP. Which means that dovecot performs the SASL methods itself and stores the plaintext secret on LDAP.
>
> But is it also possible to have the LDAP do the SASL work and dovecot just pass SASL messages through? Even when the LDAP server uses a proprietary SASL method not supported by dovecot?
>
> regards
> Hadmut

--
Sergey
Re: [Dovecot] dovecot + LDAP-SASL ?
On Tue, 2007-08-07 at 08:38 +0200, Hadmut Danisch wrote:
> Hi,
>
> just a question: I know that dovecot supports SASL authentication and supports LDAP. Which means that dovecot performs the SASL methods itself and stores the plaintext secret on LDAP.
>
> But is it also possible to have the LDAP do the SASL work and dovecot just pass SASL messages through? Even when the LDAP server uses a proprietary SASL method not supported by dovecot?

For plaintext authentication you can use authentication binds and have the password stored on LDAP side in any way you want. For non-plaintext authentication Dovecot needs the secret in plaintext or some other specific format.

LDAP doesn't support SASL forwarding.
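Sergey's slappasswd excerpt lists the RFC 2307 userPassword schemes, and Timo's point above is that with authentication binds the server verifies whatever scheme is stored, while Dovecot's own non-plaintext mechanisms need the secret in a specific format. As an added example (my own code, neither OpenLDAP's nor Dovecot's), the Python below generates and verifies {SHA}, {SSHA}, {MD5}, {SMD5} and cleartext values in the slappasswd layout, plus Dovecot's PLAIN-MD5 (hex MD5) scheme that the dovecot-ldap.conf earlier in this archive uses as default_pass_scheme. {CRYPT} is left out on purpose because crypt(3) output is platform dependent. Passwords and salts in the demonstration are constructed.

```python
"""Added example, not OpenLDAP's or Dovecot's code: produce and check RFC 2307
userPassword values as slappasswd stores them. Assumption: the salted schemes
use the common OpenLDAP layout base64(digest(password || salt) || salt)."""

import base64
import hashlib
import hmac
import os
from typing import Optional

# digest algorithm behind each RFC 2307 scheme name
_ALGO = {"SHA": "sha1", "SSHA": "sha1", "MD5": "md5", "SMD5": "md5"}


def make_userpassword(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the given scheme ({CLEARTEXT} is stored untagged)."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return password
    if scheme not in _ALGO:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme in ("SSHA", "SMD5"):
        if salt is None:
            salt = os.urandom(4)            # the "seed" the man page mentions
        blob = hashlib.new(_ALGO[scheme], pw + salt).digest() + salt
    else:
        blob = hashlib.new(_ALGO[scheme], pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def verify_userpassword(stored: str, password: str) -> bool:
    """Check *password* against a stored value; unknown schemes are rejected, not guessed."""
    pw = password.encode("utf-8")
    if not stored.startswith("{"):           # untagged value: cleartext
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _ALGO:
        return False                         # e.g. {CRYPT}: not handled here
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    dlen = hashlib.new(_ALGO[scheme]).digest_size
    if scheme in ("SSHA", "SMD5"):
        digest, salt = blob[:dlen], blob[dlen:]   # salt is whatever follows the digest
        expected = hashlib.new(_ALGO[scheme], pw + salt).digest()
    else:
        digest, expected = blob, hashlib.new(_ALGO[scheme], pw).digest()
    # constant-time comparison; mismatched lengths simply compare unequal
    return hmac.compare_digest(digest, expected)


def plain_md5(password: str) -> str:
    """Dovecot's PLAIN-MD5 scheme: hex-encoded MD5 of the password, no {tag}."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for scheme in ("SHA", "SSHA", "MD5", "SMD5", "CLEARTEXT"):
        stored = make_userpassword(scheme, "secret")          # constructed sample password
        print(scheme, stored, verify_userpassword(stored, "secret"), verify_userpassword(stored, "wrong"))
    print("PLAIN-MD5", plain_md5("secret"))
```

The point the thread makes applies directly here: a server doing the bind can check any of these values itself, whereas a mechanism like CRAM-MD5 or DIGEST-MD5 cannot be driven from a {SSHA} value, because the mechanism needs the plaintext or its own mechanism-specific digest.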
Re: [Dovecot] dovecot + LDAP-SASL ?
Timo Sirainen wrote:
> For plaintext authentication you can use authentication binds and have the password stored on LDAP side in any way you want. For non-plaintext authentication Dovecot needs the secret in plaintext or some other specific format.
>
> LDAP doesn't support SASL forwarding.

Neither one helps in this particular case.

I need to port a proprietary, non-published one time password authentication method (not compatible with opie/skey) from older software into SASL or LDAP, to make it available for several unix applications. The current plan is to implement a plugin for cyrus-sasl which is used by most sasl-aware applications, and thus to have the openldap server accept sasl authentication for those applications which allow to authenticate against an LDAP server, not just with plaintext passwords, but with SASL as well.

As far as I know dovecot does (or version 1.1 will) support SASL methods, but does implement them itself, so does not work with a cyrus-sasl plugin and does not work against an LDAP server.

Since SASL authentication is implemented as a communication protocol passing opaque byte sequences between client and servers, the idea was whether dovecot could act like a SASL proxy, i.e. passing the SASL traffic between the IMAP client on one side and the LDAP server on the other side just through without touching it and waiting for the result of the authentication process.

A second method intended to be implemented is to pass web authentication (e.g. if a user authenticates with SSL client certificates over HTTPS) through webserver - webmailer - IMAP Server - Authentication database, which could also be implemented as a SASL plugin.

Therefore it would be nice to have a SASL pass through without the need to modify dovecot or teach dovecot new authentication methods.

regards
Hadmut
Re: [Dovecot] Dovecot LDAP schema?
Hi Sergey,

Sergey A. Kobzar wrote:
> You can use standard LDAP attributes. It's more than enough.

Well, I know that it works with standard LDAP attributes, that's what I do right now. But that is what I want to avoid, because I want to have IMAP users *without* standard uid/gid attributes because they are not Unix users. To avoid confusion and security holes I'd prefer to use separate attributes for the LDAP objects.

And in some cases I need to override the default PATH variable, which requires a new attribute.

And I cannot work with static uid/gid schemes as in your example, because every IMAP user is managed by one of several Unix users, therefore they cannot share the same uid/gid.

I can define my own LDAP scheme, which I did in a test environment. But I'd prefer if there was a common dovecot scheme for such cases.

regards
Hadmut
Re: [Dovecot] Dovecot LDAP schema?
Hi Hadmut,

Monday, July 30, 2007, 11:27:37 AM, you wrote:
> Hi Sergey,
>
> Sergey A. Kobzar wrote:
>> You can use standard LDAP attributes. It's more than enough.
>
> Well, I know that it works with standard LDAP attributes, that's what I do right now. But that is what I want to avoid, because I want to have IMAP users *without* standard uid/gid attributes because they are not Unix users. To avoid confusion and security holes I'd prefer to use separate attributes for the LDAP objects.
>
> And in some cases I need to override the default PATH variable, which requires a new attribute.
>
> And I cannot work with static uid/gid schemes as in your example, because every IMAP user is managed by one of several Unix users, therefore they cannot share the same uid/gid.
>
> I can define my own LDAP scheme, which I did in a test environment. But I'd prefer if there was a common dovecot scheme for such cases.

There is no such scheme because your case is not common.

> regards
> Hadmut

--
Sergey
[Dovecot] Dovecot LDAP schema?
Hi,

does dovecot define its own LDAP schema or should I create my own one?

(I want to provide IMAP boxes for virtual users that do not have a Unix account on the mail server and thus do not want to use the plain uid/gid entries of the posix account objectclass to avoid confusion and accidentally giving access to accounts.)

regards
Hadmut
Re: [Dovecot] Dovecot LDAP schema?
Hi Hadmut,

You can use standard LDAP attributes. It's more than enough.

My configs:

dovecot.conf:

first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 12
last_valid_gid = 12
auth_username_format = %Lu
auth default {
  mechanisms = plain
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb static {
    args = uid=mail gid=mail
  }
}

dovecot-ldap.conf:

hosts = localhost
dn = cn=Dovecot,ou=DSA,o=top
dnpass = xxx
ldap_version = 3
base = ou=Users,dc=%d,o=top
scope = onelevel
pass_attrs = userPassword=password
pass_filter = uid=%n

Saturday, July 28, 2007, 12:53:09 PM, you wrote:
> Hi,
>
> does dovecot define its own LDAP schema or should I create my own one?
>
> (I want to provide IMAP boxes for virtual users that do not have a Unix account on the mail server and thus do not want to use the plain uid/gid entries of the posix account objectclass to avoid confusion and accidentally giving access to accounts.)
>
> regards
> Hadmut

--
Sergey
Re: [Dovecot] dovecot + ldap tls
On Wed, 2007-05-23 at 13:58 +0300, Timo Sirainen wrote:
>> dovecot: May 22 15:48:31 Error: auth(default): LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
>
> Does it manage to get a TCP connection at all (check with eg. tcpdump), or is the error message just bad?

I checked OpenLDAP's sources to see if there's any way to get usable error messages. Looks like the only way is to compile it with debugging enabled. Then it'll log everything to stderr.
Re: [Dovecot] dovecot-ldap and ldap_result() failed.
On 5/1/2007 funkypunky drunky ([EMAIL PROTECTED]) wrote:
> I am using postfix with dovecot 1.31

I assume you mean 1.0rc31? Of course, it is recommended to now be using the release version, 1.0.0

Not sure if that will fix this particular problem though, but it makes it easier for those who use LDAP to help...

--
Best regards,
Charles
Re: [Dovecot] dovecot-ldap and ldap_result() failed.
Yes, there were some LDAP-related fixes in RC32 (http://www.dovecot.org/list/dovecot-news/2007-April/42.html). I think it would be worth a shot.

Láďa

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Marcus
Sent: Tuesday, May 01, 2007 12:07 PM
To: dovecot@dovecot.org
Subject: Re: [Dovecot] dovecot-ldap and ldap_result() failed.

On 5/1/2007 funkypunky drunky ([EMAIL PROTECTED]) wrote:
> I am using postfix with dovecot 1.31

I assume you mean 1.0rc31? Of course, it is recommended to now be using the release version, 1.0.0

Not sure if that will fix this particular problem though, but it makes it easier for those who use LDAP to help...

--
Best regards,
Charles
Re: [Dovecot] dovecot-ldap and ldap_result() failed.
Thanks for your comments. I will upgrade dovecot to 1.0.0. It may solve the problem. If it is solved, I will inform you. Thanks everybody.

2007/5/1, Láďa [EMAIL PROTECTED]:
> Yes, there were some LDAP-related fixes in RC32 (http://www.dovecot.org/list/dovecot-news/2007-April/42.html). I think it would be worth a shot.
>
> Láďa
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Marcus
> Sent: Tuesday, May 01, 2007 12:07 PM
> To: dovecot@dovecot.org
> Subject: Re: [Dovecot] dovecot-ldap and ldap_result() failed.
>
> On 5/1/2007 funkypunky drunky ([EMAIL PROTECTED]) wrote:
>> I am using postfix with dovecot 1.31
>
> I assume you mean 1.0rc31? Of course, it is recommended to now be using the release version, 1.0.0
>
> Not sure if that will fix this particular problem though, but it makes it easier for those who use LDAP to help...
>
> --
> Best regards,
> Charles
[Dovecot] dovecot + ldap + quota
hi,

I'm using dovecot 1.0rc26 and I started to configure the quota plugin but I think it's not working fine. I configured it like suggested in http://wiki.dovecot.org/Quota

in dovecot.conf:

protocol imap {
  mail_plugins = quota imap_quota
}
plugin {
  # 10 MB quota limit
  quota = maildir:storage=10240
}

in dovecot-ldap.conf:

user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,quotaStorage=quota

If a MUA sends an attachment near 9MB I receive a message telling me that the server doesn't have more space, but if I attach files of 2MB these messages are sent ok, and the cur directory of this user has 15 MB.

Another question: in the ldap entry, the attribute quota is the attribute that represents the quota on a mailbox, so why do I put 10MB as limit? quota = maildir:storage=10240 Is this value for all entries or is the quota limit the entry's quota limit? As you can see, I don't understand how dovecot works with the attribute quota in the ldap entry; can anybody explain this to me?

Thanks in advance!!!
Re: [Dovecot] dovecot + ldap + quota
I had some problems to implement this and here follows my config file to help you. I've configured quota information in my ldap server, but in my config file I kept the local quota configuration (commented):

/etc/dovecot.conf

protocols = imap imaps pop3 pop3s
ssl_disable = no
ssl_cert_file = /usr/share/ssl/certs/cert.pem
ssl_key_file = /usr/share/ssl/private/key.pem
mail_extra_groups = mail
valid_chroot_dirs = ~vmail/domains
default_mail_env = maildir:~vmail/domains/%d/%n/mail::INDEX=/var/indexes/%d/%n
lock_method = dotlock
mmap_disable = yes
auth_debug = yes
auth_debug_passwords = yes
first_valid_uid = 100
last_valid_uid = 100
first_valid_gid = 101
last_valid_gid = 101
maildir_copy_with_hardlinks = no
disable_plaintext_auth = no
protocol imap {
  mail_plugins = quota imap_quota
}
protocol lda {
  mail_plugins = quota
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  mail_plugins = quota
}
auth default_with_listener {
  mechanisms = plain login
  userdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = vmail
      group = mail
    }
  }
}
plugin {
  #quota = maildir:/home/vmail/%d/%u/mail:storage=102400
  convert_mail = maildir:/home/vmail/%d/%u/mail
  #quota = maildir:storage=102400
  quota = maildir
}

Hope this helps you. And a piece of advice: use the latest stable release :) http://www.dovecot.org/download.html not the release candidate.

Regards,
Venilton C. Junior
HP Certified Professional
Sercompe Computadores Ltda.
Office: +55 47 3431-9700
Fax: +55 47 3431-9747
Mobile: +55 47 9653-5872
www.sercompe.com.br

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of aza zel
Sent: Friday, 27 April 2007 16:43
To: Dovecot Mailing List
Subject: [Dovecot] dovecot + ldap + quota

> hi,
>
> I'm using dovecot 1.0rc26 and I started to configure the quota plugin but I think it's not working fine. I configured it like suggested in http://wiki.dovecot.org/Quota
>
> in dovecot.conf:
>
> protocol imap {
>   mail_plugins = quota imap_quota
> }
> plugin {
>   # 10 MB quota limit
>   quota = maildir:storage=10240
> }
>
> in dovecot-ldap.conf:
>
> user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,quotaStorage=quota
>
> If a MUA sends an attachment near 9MB I receive a message telling me that the server doesn't have more space, but if I attach files of 2MB these messages are sent ok, and the cur directory of this user has 15 MB.
>
> Another question: in the ldap entry, the attribute quota is the attribute that represents the quota on a mailbox, so why do I put 10MB as limit? quota = maildir:storage=10240 Is this value for all entries or is the quota limit the entry's quota limit? As you can see, I don't understand how dovecot works with the attribute quota in the ldap entry; can anybody explain this to me?
>
> Thanks in advance!!!
Re: [Dovecot] dovecot + ldap + quota
aza zel wrote:
> hi i using dovecot 1.0rc26

Please upgrade to the 1.0.0 release version, then if you are still having problems, come back and provide dovecot -n output...

--
Best regards,
Charles Marcus
I.T. Director
Media Brokers International
678.514.6200 x224
678.514.6299 fax
Re: [Dovecot] dovecot + ldap + quota
Here follow the /etc/dovecot-ldap.conf entries that are working:

    user_attrs = mail,homeDirectoryquota=quota=maildir:storage
    user_filter = (&(objectClass=VirtualMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))

Regards,
Venilton C. Junior
HP Certified Professional
Sercompe Computadores Ltda.
Office: +55 47 3431-9700
Fax: +55 47 3431-9747
Mobile: +55 47 9653-5872
www.sercompe.com.br

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Marcus
Sent: Friday, 27 April 2007 16:54
To: aza zel
Cc: Dovecot Mailing List
Subject: Re: [Dovecot] dovecot + ldap + quota
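How the plugin-section quota rule and the LDAP-supplied per-user value fit together (the question in the original post, and the override that the dovecot-ldap.conf entries above rely on), as an added example that is not code from Dovecot or from anyone on this thread; it assumes the userdb's quota field replaces the plugin default, that storage= is in kilobytes, and that usage is taken from the Maildir++ ,S= size tags:

```python
"""Per-user Dovecot 1.x maildir quota resolution, modelled on this thread's configs.

Added example, not Dovecot's code nor any config posted above. Assumptions: the
plugin-section rule ("maildir:storage=10240") is the default for every user and a
"quota" field returned by the LDAP userdb overrides it; "storage=" is in kilobytes
(the thread's comment: 10240 -> 10 MB); usage is the sum of ",S=<bytes>" name tags.
"""
import re
from typing import Dict, Iterable, Optional

KIB = 1024
SIZE_TAG = re.compile(r",S=(\d+)")

def parse_quota_rule(rule: str) -> Optional[int]:
    """'maildir:storage=10240' -> 10485760 bytes; a bare 'maildir' means no limit."""
    backend, _, limits = rule.partition(":")
    if backend != "maildir":
        raise ValueError(f"unsupported quota backend: {backend!r}")
    for item in filter(None, limits.split(":")):
        key, _, value = item.partition("=")
        if key == "storage":
            return int(value) * KIB
    return None

def effective_quota(plugin_default: str, ldap_fields: Dict[str, str]) -> Optional[int]:
    """The userdb's 'quota' field wins; otherwise the plugin default applies to everyone."""
    return parse_quota_rule(ldap_fields.get("quota", plugin_default))

def maildir_usage(filenames: Iterable[str]) -> int:
    """Sum the ,S= tags; a real implementation would stat() files lacking the tag."""
    total = 0
    for name in filenames:
        match = SIZE_TAG.search(name)
        if match is None:
            raise ValueError(f"no ,S= size tag in {name!r}")
        total += int(match.group(1))
    return total

def message_fits(usage: int, limit: Optional[int], message_size: int) -> bool:
    """Accept the new message only if the mailbox stays within its limit."""
    return limit is None or usage + message_size <= limit

# Constructed sample: three 5 MiB messages in cur/, i.e. the 15 MB the poster saw.
SAMPLE_CUR = [
    "1177700000.M1P100.host,S=5242880:2,S",
    "1177700001.M2P100.host,S=5242880:2,",
    "1177700002.M3P100.host,S=5242880:2,S",
]
```

With 15 MiB already in cur/, the check rejects a 2 MB message against a 10 MB limit just as it rejects a 9 MB one; only a per-user LDAP value larger than the default, or no limit at all, lets either through.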
Re: [Dovecot] dovecot-ldap for active directory 2003 r2
On Thu, 29 Mar 2007 17:15:51 -0300 Claudio Roberto Prateat [EMAIL PROTECTED] wrote:
> Hi,
> Do you have an example of dovecot-ldap.conf for authenticating against Active Directory 2003 R2?
> I have squid and apache authenticating against Active Directory, but dovecot returns failed.
> Help, please...

Let's see your configuration and the error message then.

Best regards!

PS. Reply to the list, not to me.

Dominic