Dovecot integration w/ FreeIPA expired password as well as if over quota login notice; local user can't login

Robert Kudyba rkudyba at fordham.edu
Mon Apr 26 20:41:32 EEST 2021


As I continue to test freeipa-server-4.9.3-1 on Fedora 33 with
dovecot-2.3.14-1, I've run into the following issues with web mail and
Dovecot integration.

1. I followed
https://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
but I couldn't get web mail to log in until I used the suggestion from
https://blog.delouw.ch/2017/02/19/integrate-dovecot-imap-with-freeipa-using-kerberos-sso/
and changed logins to auth_mechanisms = plain gssapi login, which allowed logins of
FreeIPA Kerberos users.

2. Even with auth_mechanisms = plain gssapi login, I could then no longer
log in to SquirrelMail webmail with any local Unix (non-Kerberized) users.
The Dovecot logs show:

auth: Error: policy(localuser@ourdomain.edu,127.0.0.1,<r2eFe+PAvut/AAAB>): Policy server HTTP error: connect(x.x.x.x:8084) failed: Connection refused
auth: Debug: policy(localuser@ourdomain.edu,127.0.0.1,<r2eFe+PAvut/AAAB>): Policy report action finished
auth: Debug: http-client[1]: request [Req2: POST https://x.x.x.x:8084/?command=report]: Destroy (requests left=1)
auth: Debug: http-client[1]: request [Req2: POST https://x.x.x.x:8084/?command=report]: Free (requests left=0)
auth: Debug: http-client: conn x.x.x.x[2]: Connection close
auth: Debug: http-client: conn x.x.x.x[2]: Connection disconnect
auth: Debug: http-client: conn x.x.x.x[2]: Disconnected: connect() failed: Connection refused (fd=23)
auth: Debug: http-client: conn x.x.x.x[2]: Detached peer
auth: Debug: http-client: conn x.x.x.x[2]: Connection destroy
auth: Debug: http-client: host x.x.x.x: Idle host timed out
auth: Debug: http-client: host x.x.x.x: Host destroy
auth: Debug: http-client: host x.x.x.x: Host session destroy
auth: Debug: http-client[1]: queue https://x.x.x.x:8084: Destroy
auth: Debug: client passdb out: FAIL    1       user=localuser@ourdomain.edu original_user=localuser
imap-login: Debug: Ignoring unknown passdb extra field: original_user
imap-login: Info: Aborted login (auth failed, 1 attempts in 3 secs): user=<localuser@ourdomain.edu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<r2eFe+PAvut/AAAB>

3. If a user was over quota, there was no way to tell on the webmail page
that they were over quota, but the Dovecot logs show:

imap(ouruser): Error: mkdir(/path/to/ouruser/mail/.imap) failed: Disk quota exceeded

Would there be a security risk if the web page displayed a warning that
could be generalized to inform the user to either check their quota or
reset their password?
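The log excerpts above mix three different root causes that all surface to the user as a failed login: the auth policy server on port 8084 refusing connections (so the passdb returns FAIL before credentials are really evaluated), a genuine credential rejection, and a mailbox that cannot be opened because of "Disk quota exceeded". The small triage script below is an added example, not part of the original post and not Dovecot or FreeIPA code; it correlates the policy-server error with the login abort for the same session id and tags quota errors separately, so an operator can see from monitoring which case they are looking at even when the webmail page shows only a generic error. The sample log lines are constructed to mirror the quoted format (example.edu addresses, RFC 5737 documentation IPs and made-up session ids are placeholders).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample Dovecot 2.3 log lines, modelled on the format quoted in
# the post. Users, IPs, paths and session ids are placeholders, not real data.
SAMPLE_LOG = (
    "auth: Error: policy(localuser@example.edu,127.0.0.1,<r2eFe+PAvut/AAAB>): "
    "Policy server HTTP error: connect(192.0.2.10:8084) failed: Connection refused\n"
    "auth: Debug: policy(localuser@example.edu,127.0.0.1,<r2eFe+PAvut/AAAB>): "
    "Policy report action finished\n"
    "auth: Debug: client passdb out: FAIL\t1\tuser=localuser@example.edu original_user=localuser\n"
    "imap-login: Info: Aborted login (auth failed, 1 attempts in 3 secs): "
    "user=<localuser@example.edu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, "
    "secured, session=<r2eFe+PAvut/AAAB>\n"
    "imap(ouruser): Error: mkdir(/path/to/ouruser/mail/.imap) failed: Disk quota exceeded\n"
    "imap-login: Info: Aborted login (auth failed, 3 attempts in 10 secs): "
    "user=<bob@example.edu>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, "
    "TLS, session=<Zz9kQ1AbCdEfGhIJ>\n"
)

# Error raised by the auth process when the auth policy server cannot be reached.
POLICY_ERR = re.compile(
    r"auth: Error: policy\((?P<user>[^,]+),(?P<rip>[^,]+),<(?P<session>[^>]+)>\): "
    r"Policy server HTTP error: (?P<detail>.+)$"
)
# Final login abort written by imap-login, carrying the same session id.
ABORTED = re.compile(
    r"imap-login: Info: Aborted login \(auth failed, (?P<attempts>\d+) attempts in "
    r"(?P<secs>\d+) secs\): user=<(?P<user>[^>]+)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[^,]+),.*session=<(?P<session>[^>]+)>"
)
# Mailbox access failing on a filesystem quota rather than on authentication.
QUOTA = re.compile(r"imap\((?P<user>[^)]+)\): Error: .*Disk quota exceeded")


@dataclass
class Finding:
    kind: str  # policy_server_unreachable | credentials_rejected | quota_exceeded
    user: str
    rip: Optional[str] = None
    session: Optional[str] = None
    detail: str = ""


def triage(log_text: str) -> List[Finding]:
    """Correlate auth-policy errors with the login aborts they cause and
    surface quota errors, separating infrastructure failures from bad
    credentials. Correlation key is Dovecot's per-login session id."""
    policy_errors: Dict[str, str] = {}  # session id -> policy server error detail
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = POLICY_ERR.search(line)
        if m:
            policy_errors[m["session"]] = m["detail"]
            continue
        m = QUOTA.search(line)
        if m:
            findings.append(Finding("quota_exceeded", m["user"],
                                    detail=line.split(": Error: ", 1)[1]))
            continue
        m = ABORTED.search(line)
        if m:
            detail = policy_errors.get(m["session"])
            kind = "policy_server_unreachable" if detail else "credentials_rejected"
            findings.append(Finding(
                kind, m["user"], m["rip"], m["session"],
                detail or f"{m['attempts']} attempts in {m['secs']}s via {m['method']}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; a non-zero policy_server_unreachable count
    means the auth backend is down, not that users are mistyping passwords."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} user={f.user} rip={f.rip} detail={f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a real mail.log the same way (`triage(open("/var/log/maillog").read())`); the point of keying on the session id is that the policy-server error and the eventual "Aborted login" line are emitted by different processes and can be separated by many unrelated lines. With this distinction available to operators, the user-facing page can stay generic while the specific cause is still visible where it belongs.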