a temporary failure

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Tue Jun 23 12:10:30 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 23 Jun 2015, lejeczek wrote:
> On 23/06/15 09:32, Steffen Kaiser wrote:
>> On Mon, 22 Jun 2015, lejeczek wrote:
>>> On 22/06/15 09:43, Steffen Kaiser wrote:
>>>> On Mon, 22 Jun 2015, lejeczek wrote:
>>>>> On 22/06/15 09:16, lejeczek wrote:
>>>>>> 
>>>>>> to=<me at my.domain>,orig_to=<root at localhost>, relay=dovecot, delay=39296, 
>>>>>> delays=39294/2.2/0/0.27, dsn=4.3.0, status=deferred (temporary failure)
>>>>>> 
>>>>>> and dovecot logs no error, despite having debug set to yes in a couple of 
>>>>>> places,
>>>>>> it shows:
>>>>>> 
>>>>>> auth: Debug: master in: USER    1    me at my.domain service=lda
>>>>>> auth-worker(25343): Debug: passwd(me at my.domain): lookup
>>>>>> auth-worker(25343): passwd(me at my.domain): unknown user
>>>>>> auth: Debug: ldap(me at my.domain): user search: 
>>>>>> base=ou=People,dc=my,dc=domain scope=subtree 
>>>>>> filter=(&(objectClass=person)(uid=me)) fields=
>>>>>> auth: Debug: ldap(me at my.domain): result: objectClass=top,top,top,top,
>>>>>> 
>>>>>> ... here goes the whole lot of ldap attribs, and at the end:
>>>>>> 
>>>>>> unused.
>>>>>> 
>>>>>> For passdb & userdb in the configs I only configure ldap backed, 
>>>>>> nothing else. Ldap works, I can query it without failing.
>>>>>> I believe it's very simple set up but I must be wrong somewhere.
>>>>>> 
>>>>>> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>>>>>> pass_attrs = uid=user=%n,userPassword=password
>>>> 
>>>> Use either uid=user or =user=%n but not uid=user=%n. I would use 
>>>> uid=user, so the user cannot specify the case of the username.
>>>> 
>>>>>> user_attrs = 
>>>>>> =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>>>>> user_filter = (&(objectClass=person)(uid=%n))
>>>>>> 
>>>>> even stranger, if I use (along with ldap in configs):
>>>> 
>>>> Please post:
>>>> 
>>>> complete doveconf -n
>>>> and the complete LDAP config being referenced by the config.
>>>> 
>>>>> userdb {
>>>>>  driver = static
>>>>>  args = uid=vmail gid=mail home=/var/spool/mail/%d/%n 
>>>>> mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n 
>>>>> sieve_storage=/var/spool/mail/%d/%n/SIEVE 
>>>>> sieve=/var/spool/mail/%d/%n/dovecot.sieve
>>>>> }
>>>>> 
>>>>> dovecot starts to core dump:
>>>>> 
>>>>> auth: Fatal: master: service(auth): child 9188 killed with signal 11 
>>>>> (core dumped)
>>> 
>>> auth_debug = yes
>> 
>> The first lines should be something like this:
>> 
>> # 2.2.18 (8906101589f9): /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.8 (3df7e50f986d)
>> # OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10
>> 
>> What version are you using?
>> 
>>> auth_mechanisms = login
>>> auth_verbose = yes
>>> first_valid_uid = 999
>>> mail_debug = yes
>>> mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir
>>> mail_uid = vmail
>>> managesieve_notify_capability = mailto
>>> managesieve_sieve_capability = fileinto reject envelope encoded-character 
>>> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags 
>>> copy include variables body enotify environment mailbox date ihave
>>> mbox_write_locks = fcntl
>>> namespace inbox {
>>>  inbox = yes
>>>  location =
>>>  mailbox Drafts {
>>>    special_use = \Drafts
>>>  }
>>>  mailbox Junk {
>>>    special_use = \Junk
>>>  }
>>>  mailbox Sent {
>>>    special_use = \Sent
>>>  }
>>>  mailbox "Sent Messages" {
>>>    special_use = \Sent
>>>  }
>>>  mailbox Trash {
>>>    special_use = \Trash
>>>  }
>>>  prefix =
>>> }
>>> passdb {
>>>  driver = pam
>>> }
>> 
>> Did you remove or comment out the line:
>> 
>> 10-auth.conf:#!include auth-system.conf.ext
>> 
>> ?
>> 
>>> passdb {
>>>  args = /etc/dovecot/ldap-passdb-my.domain.conf
>>>  driver = ldap
>>> }
>>> plugin {
>>>  sieve = ~/.dovecot.sieve
>>>  sieve_dir = ~/sieve
>>>  sieve_storage = SIEVE
>>> }
>>> protocols = imap sieve
>>> service auth {
>>>  unix_listener /var/spool/postfix/private/auth {
>>>    group = mail
>>>    mode = 0660
>>>    user = vmail
>>>  }
>>>  unix_listener auth-userdb {
>>>    group = mail
>>>    mode = 0660
>>>    user = vmail
>>>  }
>>> }
>>> service imap-login {
>>>  inet_listener imap {
>>>    port = 143
>>>  }
>>>  inet_listener imaps {
>>>    port = 993
>>>  }
>>> }
>>> ssl = required
>>> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
>>> ssl_key = </etc/pki/dovecot/private/dovecot.pem
>>> userdb {
>>>  driver = passwd
>>> }
>>> userdb {
>>>  args = /etc/dovecot/ldap-userdb-my.domain.conf
>>>  driver = ldap
>>> }
>>> protocol lmtp {
>>>  mail_plugins = " sieve"
>>> }
>>> protocol lda {
>>>  mail_plugins = " sieve"
>>> }
>>> 
>>> #ldap-passdb
>>> hosts = localhost
>>> uris = ldap://localhost:389/
>>> ldap_version = 3
>>> base = ou=People,dc=my,dc=domain
>>> dn = cn=Manager,dc=my,dc=domain
>>> dnpass = my.pass
>>> auth_bind = no
>>> pass_attrs = uid=%n,userPassword=password
>> 
>> uid=%n makes no sense. Please use just:
>> 
>> pass_attrs = userPassword=password
>> 
>>> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>>> 
>>> 
>>> #ldap-userdb
>>> hosts = localhost
>>> uris = ldap://localhost:389/
>>> ldap_version = 3
>>> base = ou=People,dc=my,dc=domain
>>> dn = cn=Manager,dc=my,dc=domain
>>> dnpass = my.pass
>>> auth_bind = no
>>> user_attrs = 
>>> =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>> user_filter = (&(objectClass=person)(uid=%n))
>>> default_pass_scheme = SSHA
>>> 
>>> It cannot be postfix if it relays and dovecot gets these relays. Can it 
>>> be?
>> 
>> I have tried your config with the above-mentioned version, with LDAP as the only 
>> passdb and userdb and these LDAP-settings:
>> 
>> hosts = localhost
>> auth_bind = yes
>> base = <baseDN>
>> deref = searching
>> user_attrs = 
>> =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>> user_filter = (&(objectClass=fhMailAlias)(uid=%n))
>> pass_attrs = userPassword=password
>> pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
>> iterate_filter = (objectClass=fhMailAlias)
>> 
>> Note the pass_attrs. Then I submitted a new message with:
>> 
>> socat stdin UNIX:/var/run/dovecot2.2/lmtp
>> LHLO loc
>> mail from:<me at example.com>
>> rcpt to:<other at example.com>
>> data
>> Subject: 1
>> 
>> 1
>> .
>> 
>> successfully. Maildir was created and message spooled to 
>> /var/spool/mail/example.com/other/Maildir. Then I logged in via IMAP 
>> successfully as well.
>> 
>> I also tried the other order: reload Dovecot to flush any caches, log in 
>> via IMAP and submit via LMTP.
>> 
>> You should however note the following:
>> 
>> Both filters treat users "me at example.com" and "me at localhost.localdomain" as 
>> the same user, because they match the same LDAP item (uid=%n), however the 
>> directories of the users _should_ differ, but they won't as long as the 
>> user's information is cached in the auth cache.
>> 
>> That means:
>> 
>> doveadm auth cache flush
>> doveadm user me at example.net
>> doveadm user me at example.com
>> 
>> returns the data for me at example.net in both cases and
>> 
>> doveadm auth cache flush
>> doveadm user me at example.com
>> doveadm user me at example.net
>> 
>> returns the data for me at example.com in both cases.
> it's weird I know, I do:
>
> # doveadm auth test -x service=smtp -x rip=172.25.12.214 me at my.domain
> Password:
> passdb: me at my.domain auth succeeded
> extra fields:
>  user=me at my.domain
>
> and in the logs:
>
> auth-worker(32531): Debug: pam(me at my.domain,172.25.12.214): lookup 
> service=dovecot
> auth-worker(32531): Debug: pam(me at my.domain,172.25.12.214): #1/1 style=1 
> msg=Password:
> pam_unix(dovecot:auth): check pass; user unknown
> pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 
> tty=dovecot ruser=me at my.domain rhost=172.25.12.214
> auth-worker(32531): pam(me at my.domain,172.25.12.214): unknown user
> auth: Debug: ldap(me at my.domain,172.25.12.214): pass search: 
> base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree 
> filter=(&(objectclass=person)(|(uid=info)(mail=me at my.domain))) 
> fields=uid,userPassword
> auth: Debug: ldap(me at my.domain,172.25.12.214): result: uid=info 
> userPassword=<hidden>; uid,userPassword unused
> auth: Debug: ldap(me at my.domain,172.25.12.214): result: uid=info 
> userPassword=<hidden>
> auth: Debug: client passdb out: OK  1 user=me at my.domain
>
> so it seems fine, right?
> only I do a simple test on that dovecot locally
>
> echo repli_test | mail -s "repl test" my at my.domain
>
> to get:
>
> auth-worker(365): Debug: passwd(me at my.domain): lookup
> auth-worker(365): passwd(me at my.domain): unknown user
> auth: Debug: password(me at my.domain): passdb doesn't support credential 
> lookups
> auth: Debug: ldap(me at my.domain): pass search: 
> base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree 
> filter=(&(objectclass=person)(|(uid=info)(mail=me at my.domain))) 
> fields=uid,userPassword
> auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>; 
> uid,userPassword unused
> auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>
> auth: Fatal: master: service(auth): child 364 killed with signal 11 (core 
> dumped)
>
> the same error with:
> doveadm user me at my.domain
>
> so it must be userdb, right?

No, you authenticated before and some data is now in the auth cache, 
which is used by the userdb, too.

1) You do not have any system users, right?
Then remove the passwd userdb and pam passdb.

2) Did you remove the "uid=user=%n" from pass_attrs?

There might be fixes since 2.2.10:

changeset:   18538:d3332ee1d26a
user:        Timo Sirainen <tss at iki.fi>
date:        Thu May 07 17:18:44 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Added assert to make sure previous change is correct.


changeset:   18537:8a3da4ef590f
user:        Timo Sirainen <tss at iki.fi>
date:        Thu May 07 11:27:55 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Fixed credentials lookups via auth-workers when no actual password 
was returned.
For example LDAP lookup with auth_bind=yes should still return any extra
fields.


changeset:   18536:5dc00179dd60
user:        Timo Sirainen <tss at iki.fi>
date:        Thu May 07 11:21:33 2015 +0300
files:       src/auth/passdb-ldap.c
description:
ldap auth: If password is already verified (e.g. master user login), skip 
LDAP auth binding.
This happens only if auth_bind_userdn isn't set, i.e. it only makes sense 
if
the LDAP DN lookup also returns some extra fields.


changeset:   18402:635f9c7d5991
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Apr 13 20:38:10 2015 +0300
files:       src/auth/auth-request.c
description:
auth: If passdb/userdb changes the username, add the changed username also 
to the cache.


changeset:   18401:08b2f79e8212
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Apr 13 20:37:48 2015 +0300
files:       src/auth/auth-request.c
description:
auth: Setting userdb fields from cache didn't set handle any special 
fields.
The special fields were relatively rarely used though.


changeset:   18364:3546457ae3fb
user:        Timo Sirainen <tss at iki.fi>
date:        Tue Mar 17 17:30:33 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Crashfixes for earlier changes.
Hopefully works correctly now


changeset:   18363:a4acf88b0c91
user:        Timo Sirainen <tss at iki.fi>
date:        Tue Mar 17 10:49:20 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Fixed crash when handling invalid SSL option.


changeset:   18362:870cb73e5960
user:        Timo Sirainen <tss at iki.fi>
date:        Tue Mar 17 09:58:03 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h
description:
auth ldap: Fixed assert-crash when both passdb ldap and userdb ldap was 
used


changeset:   18361:0a17875f0ece
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Mar 16 23:25:34 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h src/auth/passdb-ldap.c 
src/auth/userdb-ldap.c
description:
auth ldap: Start LDAP connection only after auth process initialization is 
finished.
This way even if connecting to LDAP takes a while it won't cause the 
master
process to kill the auth process due to it not sending the startup "I'm 
ok"
notification early enough.


changeset:   18360:d9a0d4f4f4b6
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Mar 16 23:21:05 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Make sure config file path is included in all fatal error 
messages.


changeset:   18359:ec2e7ae958c5
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Mar 16 23:17:39 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: If any tls_* settings are given when they're not supported, 
fail with fatal instead of just warning.
These may be important for intended security, especially tls_cipher_suite.
We shouldn't allow setting them and then somewhat silently just ignore 
them.

....

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVYlMtnz1H7kL/d9rAQJA1gf9FQqfLMutqbE1BWYGzg15tLIT9kH7Nfwu
bwA16Er3lVehuEk1GnmbsJxlVmcz96Yei7MFUAOcNmjM9x0JqLj/Jp5LiXKlHa0+
ZAzF+ivMij9wsNlFzPCb9M16B92GaGd6Q8d4ud0Wd5IeQuC/+Vs5avPcgGKdCxon
ygqZPeFBhXZDLCxnfgcKuW05lO+mlgkD6zXcywfMLDpjwHwy1EOchGJ+ciwdaZky
tKYj3ZPXrDLzIl2sBwXNOEeFpsIQR+FRH1Llje3+coVbvWK09DM6HKa8ynts2YmN
pDgQph43yOTgv27LlUMcN80HjNknHjg0sLw05OtJoVt+ZDVOSZTxug==
=wlvQ
-----END PGP SIGNATURE-----


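Added example (an editor's addition, not part of this thread and not Dovecot's own code): a small Python model of the %-variable expansion in the LDAP filters and user_attrs quoted above. It implements only %u, %n, %d and %s with the L/U case modifiers and the two attr forms "ldapAttr=field" and "=field=template"; treating that as the whole of Dovecot's syntax is an assumption, as is the (mail=%Lu) filter and the 'mail' LDAP attribute it relies on. The usernames are constructed. The check shows why a user_filter built only on uid=%n maps me@example.com and me@example.net to the same LDAP entry, while their %d/%n-derived mail locations differ, and how a filter keyed on the full address keeps the two identities apart.

```python
import re
from collections import defaultdict

# Constructed samples shaped like the settings quoted in the thread.
USER_FILTER_UID = "(&(objectClass=person)(uid=%n))"
# Assumption: the directory has a 'mail' attribute holding the full address.
USER_FILTER_MAIL = "(&(objectClass=person)(mail=%Lu))"
USER_ATTRS = ("=home=/var/spool/mail/%d/%n,"
              "=mail=maildir:/var/spool/mail/%d/%n/Maildir"
              ":INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n")
PASS_FILTER_SVC = "(&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))"

# %u full user, %n local part, %d domain, %s service; L/U lowercase/uppercase;
# %% is a literal percent. %{...} variables and other letters are not modelled.
_VAR_RE = re.compile(r"%([LU]*)([unds%])")


def expand(template, user, service="lda"):
    """Expand the modelled subset of Dovecot config variables in a template."""
    local, _, domain = user.partition("@")
    values = {"u": user, "n": local, "d": domain, "s": service}

    def repl(match):
        mods, key = match.group(1), match.group(2)
        if key == "%":
            return "%"
        value = values[key]
        if "L" in mods:
            value = value.lower()
        elif "U" in mods:
            value = value.upper()
        return value

    return _VAR_RE.sub(repl, template)


def expand_attrs(attrs, user, service="lda"):
    """Parse a pass_attrs/user_attrs list into {dovecot_field: value}.

    Two forms are modelled: 'ldapAttr=field' (value comes from the LDAP entry,
    shown as a placeholder here) and '=field=template' (value built from the
    template with the user's variables).
    """
    fields = {}
    for item in attrs.split(","):
        item = item.strip()
        if not item:
            continue
        ldap_attr, _, rest = item.partition("=")
        if ldap_attr:
            fields[rest] = f"<from LDAP attribute {ldap_attr}>"
        else:
            field, _, tmpl = rest.partition("=")
            fields[field] = expand(tmpl, user, service)
    return fields


def find_collisions(filter_template, users):
    """Group users whose expanded filter is identical.

    Such users select the same LDAP entry, so the directory cannot tell them
    apart even though %d/%n-based user_attrs give them different mailboxes.
    """
    by_query = defaultdict(list)
    for user in users:
        by_query[expand(filter_template, user)].append(user)
    return {q: us for q, us in by_query.items() if len(us) > 1}


if __name__ == "__main__":
    users = ["me@example.com", "me@example.net", "other@example.com"]
    for label, tmpl in (("uid=%n", USER_FILTER_UID), ("mail=%Lu", USER_FILTER_MAIL)):
        print(f"user_filter on {label}: collisions = {find_collisions(tmpl, users)}")
    for user in users[:2]:
        print(user, "->", expand_attrs(USER_ATTRS, user)["home"])
    print(expand(PASS_FILTER_SVC, "Me@example.com", service="imap"))
```

Running it reports one collision for the uid=%n filter (both "me" users expand to the same query) and none for the full-address filter, while the two users' home directories still expand to different paths; that mismatch between "same LDAP entry" and "different mailbox" is the situation the reply above describes.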