Re: dovecot 2 samba ad-dc

Hi,

No expert, but:

We always use the postmap utility to check that the right mailboxes are actually found:

postmap -q test@test.loc ldap:/etc/postfix/ldap-config.cf

And perhaps show us your postfix main.cf?

MJ

On 2/20/20 8:46 AM, phil wrote:

Helo you,

I try to build a mail server based on Centos 7, postfix and dovecot 2. My backend is a Samba4 ad-dc.

I tried a lot and I don't know what else I could try.I'm new to this mailing list so please forgive me if I don't give right information or anything

Samba4 ad-dc is up incl. dns. Win10 Client joined domain and authentication works.

Postfix is up and checks against ldap whether recipient address exists. It takes mail via telnet and queues them. But can't give it to dovecot.

my master.cf locks like that:

[root@mail1t postfix]# cat master.cf smtp      inet  n       -       -       -       -       smtpd submission inet n       -       -       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o tls_preempt_cipherlist=yes pickup    fifo  n       -       -       60      1       pickup cleanup   unix  n       -       -       -       0       cleanup qmgr      fifo  n       -       n       300     1       qmgr tlsmgr    unix  -       -       -       1000?   1       tlsmgr rewrite   unix  -       -       -       -       -       trivial-rewrite bounce    unix  -       -       -       -       0       bounce defer     unix  -       -       -       -       0       bounce trace     unix  -       -       -       -       0       bounce verify    unix  -       -       -       -       1       verify flush     unix  n       -       -       1000?   0       flush proxymap  unix  -       -       n       -       -       proxymap proxywrite unix -       -       n       -       1       proxymap smtp      unix  -       -       -       -       -       smtp relay     unix  -       -       -       -       -       smtp showq     unix  n       -       -       -       -       showq error     unix  -       -       -       -       -       error retry     unix  -       -       -       -       -       error discard   unix  -       -       -       -       -       discard local     unix  -       n       n       -       -       local virtual   unix  -       n       n       -       -       virtual lmtp      unix  -       -       -       -       -       lmtp anvil     unix  -       -       -       -       1       anvil scache    unix  -       -       -       -       1       scache maildrop  unix  -       n       n       -       -       pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} uucp      unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail    unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp     unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix  -   n   n   -   2   pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman   unix  -       n       n       -       -       pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} dovecot   unix  -       n       n       -       -       pipe flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop} #smtp      inet  n       -       n       -       1       postscreen #smtpd     pass  -       -       n       -       -       smtpd #dnsblog   unix  -       -       n       -       0       dnsblog #tlsproxy  unix  -       -       n       -       0       tlsproxy postlog   unix-dgram n  -       n       -       1       postlogd

my ldap.conf on mailserver:

[root@mail1t openldap]# cat ldap.conf # # LDAP Defaults #

# See ldap.conf(5) for details # This file should be world readable but not world writable.

#BASE    dc=example,dc=com #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666 URI ldaps://ldap1t.test.loc:636

#SIZELIMIT    12 #TIMELIMIT    15 #DEREF        never

#TLS_CACERTDIR    /etc/openldap/certs TLS_CACERTDIR /etc/pki/tls/certs/ka

# Turning this off breaks GSSAPI used with krb5 when rdns = false SASL_NOCANON    on

TLS_REQCERT never

dovecot.conf:

[root@mail1t dovecot]# cat dovecot.conf auth_mechanisms = plain login mail_uid = vmail mail_gid = vmail ssl_cert =

log_timestamp = "%Y-%m-%d %H:%M:%S " log_path = /var/log/dovecot.log info_log_path = /var/log/dovecot-info.log debug_log_path = /var/log/dovecot-debug.log

#auth_verbose=yes auth_debug=yes auth_debug_passwords=yes mail_debug=yes verbose_ssl=yes

protocols = imap listen = * auth_cache_size = 50000 # ~ 200 Benutzer mit Passwort auth_cache_ttl = 300s # in Sekunden, 5 Minute auth_cache_negative_ttl = 30s # wenn Benutzer nicht existierte bei letztem Check

passdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap }

userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-ldap.conf.ext driver = ldap }

service auth { unix_listener /var/spool/postfix/private/auth_dovecot { group = postfix mode = 0660 user = postfix } unix_listener auth-userdb { mode = 0600 user = root } user = root }

service dict { unix_listener dict { mode = 0660 user = vmail group = vmail } }

namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { auto = subscribe special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = }

protocol imap { mail_plugins = quota imap_quota }

plugin { quota = maildir:User quota }

dovecot-ldap.conf.ext:

root@mail1t dovecot]# cat dovecot-ldap.conf.ext #hosts = 192.168.122.30:636 # Windows Active Directory uris = ldaps://192.168.122.30:636

#dn = CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC=test,DC=loc dn = CN=Administrator,CN=Users,DC=test,DC=loc dnpass = Test123! tls = no # Benötige ich (!) nicht auth_bind = yes # Für die Dauer der Authentifizierung bindet sich Dovecot als einloggender Mailuser auth_bind_dn = %u ldap_version = 3 base = OU=Identitiy,DC=domain,DC=local # Meine OU mit Benutzern scope = subtree # Oder "base", falls nicht rekursiv in der OU gesucht werden soll pass_attrs =
=user=%{ldap:mail},
=passwerd=%{ladp:user},
user_attrs =
=user=%{ldap:mail}, \

user_filter = (mailRoutingAddress=%u) pass_filter = (mail=%u) iterate_attrs = mail  #mail=user # Wird vor allem von "doveadm" benötigt, um Benutzer zu finden iterate_filter = (objectClass=smiMessageRecipient  #(objectClass=person)

maillog gives me:

Feb 20 08:34:56 mail1t postfix/smtpd[1794]: 04229120B0D: client=unknown[192.168.122.30] Feb 20 08:35:01 mail1t postfix/cleanup[1798]: 04229120B0D: message-id=<> Feb 20 08:35:01 mail1t postfix/qmgr[1268]: 04229120B0D: from=test@test.loc, size=176, nrcpt=1 (queue active) Feb 20 08:35:01 mail1t postfix/pipe[1799]: 04229120B0D: to=test@test.loc, relay=dovecot, delay=12, delays=12/0.01/0/0.07, dsn=4.3.0, status=deferred (temporary failure) Feb 20 08:35:03 mail1t postfix/smtpd[1794]: disconnect from unknown[192.168.122.30] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

dovecot debug log:

2020-02-20 08:31:18 auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth 2020-02-20 08:31:18 auth: Debug: Module loaded: /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: userdb lookup(test@test.loc): Started userdb lookup 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Connecting 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Client connected (fd=13) 2020-02-20 08:35:01 auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth 2020-02-20 08:35:01 auth: Debug: Module loaded: /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: conn unix:/var/run/dovecot/auth-userdb: Disconnected: Connection closed: read(size=8192) failed: Connection reset by peer (fd=13) 2020-02-20 08:35:01 lda(test@test.loc)<1800><>: Debug: auth-master: userdb lookup(test@test.loc): Userdb lookup failed

a ldap search gives me:

[root@mail1t dovecot]# ldapsearch -D "cn=administrator,cn=Users,dc=test,dc=loc" -W -H ldaps://ldap1t.test.loc:636 -b "ou=Identitiy,dc=test,dc=loc" -s sub -x "(objectclass=person)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=person) # requesting: ALL #

# testuser2, Identitiy, test.loc dn: CN=testuser2,OU=Identitiy,DC=test,DC=loc objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: testuser2 instanceType: 4 whenCreated: 20191029150406.0Z uSNCreated: 4540 name: testuser2 objectGUID:: zfJ3SmPoLkO8wrVKP0Mc6g== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAGQ/+ZjR2CNb9IiNGUQQAAA== accountExpires: 9223372036854775807 sAMAccountName: testuser2 sAMAccountType: 805306368 userPrincipalName: testuser2@test.loc objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc mail: test@test.loc userAccountControl: 512 lockoutTime: 0 pwdLastSet: 132257935214848870 lastLogon: 132258326087696220 logonCount: 9 lastLogonTimestamp: 132258326087696220 whenChanged: 20200210182328.0Z uSNChanged: 7912 distinguishedName: CN=testuser2,OU=Identitiy,DC=test,DC=loc

# DovecotAdministrator, ServiceAccounts, Identitiy, test.loc dn: CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC=test,DC=loc objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: DovecotAdministrator instanceType: 4 whenCreated: 20191029155812.0Z displayName: DovecotAdministrator uSNCreated: 4735 name: DovecotAdministrator objectGUID:: 6LODLEOIQ0iVbSDrOftLgg== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAGQ/+ZjR2CNb9IiNGUwQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: DovecotAdministrator sAMAccountType: 805306368 userPrincipalName: DovecotAdministrator@test.loc objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc userAccountControl: 66048 pwdLastSet: 132240938772523690 lastLogonTimestamp: 132263319652676310 whenChanged: 20200216130605.0Z uSNChanged: 7935 distinguishedName: CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC= test,DC=loc

# search result search: 2 result: 0 Success

# numResponses: 3 # numEntries: 2

Can someone give me a hint?

Best

Phil