Hi,
No expert, but:
We always use the postmap utility to check that the right mailboxes are actually found:
postmap -q test@test.loc ldap:/etc/postfix/ldap-config.cf
And perhaps show us your postfix main.cf?
MJ
On 2/20/20 8:46 AM, phil wrote:
Helo you,
I try to build a mail server based on Centos 7, postfix and dovecot 2. My backend is a Samba4 ad-dc.
I tried a lot and I don't know what else I could try.I'm new to this mailing list so please forgive me if I don't give right information or anything
Samba4 ad-dc is up incl. dns. Win10 Client joined domain and authentication works.
Postfix is up and checks against ldap whether recipient address exists. It takes mail via telnet and queues them. But can't give it to dovecot.
my master.cf locks like that:
[root@mail1t postfix]# cat master.cf smtp inet n - - - - smtpd submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o tls_preempt_cipherlist=yes pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp relay unix - - - - - smtp showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd #dnsblog unix - - n - 0 dnsblog #tlsproxy unix - - n - 0 tlsproxy postlog unix-dgram n - n - 1 postlogd
my ldap.conf on mailserver:
[root@mail1t openldap]# cat ldap.conf # # LDAP Defaults #
# See ldap.conf(5) for details # This file should be world readable but not world writable.
#BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 URI ldaps://ldap1t.test.loc:636
#SIZELIMIT 12 #TIMELIMIT 15 #DEREF never
#TLS_CACERTDIR /etc/openldap/certs TLS_CACERTDIR /etc/pki/tls/certs/ka
# Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON on
TLS_REQCERT never
dovecot.conf:
[root@mail1t dovecot]# cat dovecot.conf auth_mechanisms = plain login mail_uid = vmail mail_gid = vmail ssl_cert = method=%m rip=%r lip=%l mpid=%e %c %k" #mail_plugins = quota ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
log_timestamp = "%Y-%m-%d %H:%M:%S " log_path = /var/log/dovecot.log info_log_path = /var/log/dovecot-info.log debug_log_path = /var/log/dovecot-debug.log
#auth_verbose=yes auth_debug=yes auth_debug_passwords=yes mail_debug=yes verbose_ssl=yes
protocols = imap listen = * auth_cache_size = 50000 # ~ 200 Benutzer mit Passwort auth_cache_ttl = 300s # in Sekunden, 5 Minute auth_cache_negative_ttl = 30s # wenn Benutzer nicht existierte bei letztem Check
passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap }
userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap }
service auth { unix_listener /var/spool/postfix/private/auth_dovecot { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { mode = 0600 user = root } user = root }
service dict { unix_listener dict { mode = 0660 user = vmail group = vmail } }
namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = }
protocol imap { mail_plugins = quota imap_quota }
plugin { quota = maildir:User quota }
dovecot-ldap.conf.ext:
root@mail1t dovecot]# cat dovecot-ldap.conf.ext #hosts = 192.168.122.30:636 # Windows Active Directory uris = ldaps://192.168.122.30:636
#dn = CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC=test,DC=loc dn = CN=Administrator,CN=Users,DC=test,DC=loc dnpass = Test123! tls = no # Benötige ich (!) nicht auth_bind = yes # Für die Dauer der Authentifizierung bindet sich Dovecot als einloggender Mailuser auth_bind_dn = %u ldap_version = 3 base = OU=Identitiy,DC=domain,DC=local # Meine OU mit Benutzern scope = subtree # Oder "base", falls nicht rekursiv in der OU gesucht werden soll pass_attrs =
=user=%{ldap:mail},
=passwerd=%{ladp:user},
user_attrs =
=user=%{ldap:mail}, \user_filter = (mailRoutingAddress=%u) pass_filter = (mail=%u) iterate_attrs = mail #mail=user # Wird vor allem von "doveadm" benötigt, um Benutzer zu finden iterate_filter = (objectClass=smiMessageRecipient #(objectClass=person)
maillog gives me:
Feb 20 08:34:56 mail1t postfix/smtpd[1794]: 04229120B0D: client=unknown[192.168.122.30] Feb 20 08:35:01 mail1t postfix/cleanup[1798]: 04229120B0D: message-id=<> Feb 20 08:35:01 mail1t postfix/qmgr[1268]: 04229120B0D: from=test@test.loc, size=176, nrcpt=1 (queue active) Feb 20 08:35:01 mail1t postfix/pipe[1799]: 04229120B0D: to=test@test.loc, relay=dovecot, delay=12, delays=12/0.01/0/0.07, dsn=4.3.0, status=deferred (temporary failure) Feb 20 08:35:03 mail1t postfix/smtpd[1794]: disconnect from unknown[192.168.122.30] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
dovecot debug log:
2020-02-20 08:31:18 auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth 2020-02-20 08:31:18 auth: Debug: Module loaded: /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: userdb lookup(test@test.loc): Started userdb lookup 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Client connected (fd=13) 2020-02-20 08:35:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth 2020-02-20 08:35:01 auth: Debug: Module loaded: /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Disconnected: Connection closed: read(size=8192) failed: Connection reset by peer (fd=13) 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: userdb lookup(test@test.loc): Userdb lookup failed
a ldap search gives me:
[root@mail1t dovecot]# ldapsearch -D "cn=administrator,cn=Users,dc=test,dc=loc" -W -H ldaps://ldap1t.test.loc:636 -b "ou=Identitiy,dc=test,dc=loc" -s sub -x "(objectclass=person)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base
with scope subtree # filter: (objectclass=person) # requesting: ALL # # testuser2, Identitiy, test.loc dn: CN=testuser2,OU=Identitiy,DC=test,DC=loc objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: testuser2 instanceType: 4 whenCreated: 20191029150406.0Z uSNCreated: 4540 name: testuser2 objectGUID:: zfJ3SmPoLkO8wrVKP0Mc6g== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAGQ/+ZjR2CNb9IiNGUQQAAA== accountExpires: 9223372036854775807 sAMAccountName: testuser2 sAMAccountType: 805306368 userPrincipalName: testuser2@test.loc objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc mail: test@test.loc userAccountControl: 512 lockoutTime: 0 pwdLastSet: 132257935214848870 lastLogon: 132258326087696220 logonCount: 9 lastLogonTimestamp: 132258326087696220 whenChanged: 20200210182328.0Z uSNChanged: 7912 distinguishedName: CN=testuser2,OU=Identitiy,DC=test,DC=loc
# DovecotAdministrator, ServiceAccounts, Identitiy, test.loc dn: CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC=test,DC=loc objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: DovecotAdministrator instanceType: 4 whenCreated: 20191029155812.0Z displayName: DovecotAdministrator uSNCreated: 4735 name: DovecotAdministrator objectGUID:: 6LODLEOIQ0iVbSDrOftLgg== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAGQ/+ZjR2CNb9IiNGUwQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: DovecotAdministrator sAMAccountType: 805306368 userPrincipalName: DovecotAdministrator@test.loc objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc userAccountControl: 66048 pwdLastSet: 132240938772523690 lastLogonTimestamp: 132263319652676310 whenChanged: 20200216130605.0Z uSNChanged: 7935 distinguishedName: CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC= test,DC=loc
# search result search: 2 result: 0 Success
# numResponses: 3 # numEntries: 2
Can someone give me a hint?
Best
Phil