Re: running alternate dovecot instances on the same server

Aki,

Thankyou for your advice. I finally got around to this. I'm retired, working part time, and have more to do than fits the time. Anyway . . .

I did the configuration in /etc/dovecot/local.conf, which is included in the /etc/dovecot/dovecot.conf. However, the dovecot.conf includes the /etc/dovecot/conf.d/* before the local.conf. I  believe that means that the entries in the conf.d come first and have precedence. I was getting authorization failures. The section of my local.conf is as follows:

#
# master passwd added 4/30/2022 based on email from Aki Tuomi on Dovecot support list 3/21/2022,
# modified based on example from
https://doc.dovecot.org/configuration_manual/authentication/master_users/
# also added userdb at bottom of this and removed lines from conf.d/auth-system.conf.ext to
resolve precedence.
#      CGH
#
auth_master_user_separator = *
passdb {
   driver = passwd-file
   args = /etc/dovecot/passwd.masterusers
   master = yes
   result_success = continue
}
passdb {
   driver = pam
   args = session=yes %Ls
}
userdb {
   driver = passwd
}

I had found entries in the /etc/dovecot/conf.d/auth-system.conf.ext that set drivers to pam for passdb and passwd for userdb. I commented those two lines out since I had them covered in my local.conf. That failed with the control process exiting with an error code. I quickly uncommented those two lines in auth-system.conf.ext and it started just fine (I have a lot of users dependent on this, although it is Saturday afternoon and a bit slow). Dovecot starts up alright with the above local.conf, but master user doesn't seem to work.

I'm testing with the following (master username and passwrd replaced):

chrisho@marlin:/etc/dovecot$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN]
Dovecot ready.
1 login chrisho*masteruser masterpassword
1 NO [AUTHORIZATIONFAILED] Authorization failed
2 exit
Connection closed by foreign host.

What I'm seeing in the logs is:

Apr 30 19:32:29 marlin auth[20859]: pam_unix(dovecot:auth): authentication failure; logname=
uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:29 marlin auth[20859]: pam_ldap: error trying to bind as user
"uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
Apr 30 19:32:31 marlin auth[20859]: pam_unix(imap:auth): authentication failure; logname= uid=0
euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:31 marlin auth[20859]: pam_ldap: error trying to bind as user
"uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)

The output of doveconf -n is as follows:

# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
auth_master_user_separator = *
default_process_limit = 200
first_valid_gid = 98
first_valid_uid = 1000
login_access_sockets = tcpwrap
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_max_userip_connections = 8
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   driver = pam
}
passdb {
   args = /etc/dovecot/passwd.masterusers
   driver = passwd-file
   master = yes
   result_success = continue
}
passdb {
   args = session=yes %Ls
   driver = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_reuse_xuidl = yes
pop3_uidl_format = %08Xv%08Xu
protocols = " imap pop3"
service imap-login {
   inet_listener imap {
     address = localhost
     port = 143
   }
   inet_listener imaps {
     port = 993
     ssl = yes
   }
}
service pop3-login {
   inet_listener pop3 {
     port = 0
   }
   inet_listener pop3s {
     port = 995
     ssl = yes
   }
}
service tcpwrap {
   unix_listener login/tcpwrap {
     group = $default_login_user
     mode = 0600
     user = $default_login_user
   }
}
ssl = required
ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
ssl_cert = </etc/mail/tls/marlin/sendmail.pem
ssl_key = </etc/mail/tls/marlin/sendmail.pem
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local2
userdb {
   driver = passwd
}
userdb {
   driver = passwd
}

And, yes, Ubuntu 16.04 is EOL; however, we do have an Ubuntu Advantage account for this server. So we do get security patches and the hope is that we can do a release upgrade this summer.

Any further guidance would be much appreciated. If any further information is needed, I can provide it.

On 3/21/22 1:57 AM, Aki Tuomi wrote:

...

On 20/03/2022 22:36 Chris Hoogendyk hoogendyk@bio.umass.edu wrote:

I'm posting to the list, but not on the list. I presume that means a reply-all to get to me as well as the list?

We have two servers (dovecot --version:  2.2.22 (fe789d2)) that handle email for two different departments.

We are transitioning mail service to the University central IT. They need to move accounts in an automated fashion and therefore need a master password to our dovecot servers. However, we are running with LDAP authentication, and I understand that a master password is not possible in that configuration.

Hi!

It is totally possible to use LDAP with master password, using configuration like this:

# this must be first passdb { driver = static args = password=masterpass }

# current passdb config

# you probably already have this userdb { driver = ldap args = /path/to/ldap/userdb }

If this does not work, please send your doveconf -n as well.

Aki

--

Chris Hoogendyk

• O__ ---- Systems Administrator, Retired c/ /'_ --- Biology & Geosciences Departments (*) \(*) -- 315 Morrill Science Center III

<hoogendyk@bio.umass.edu>

---------------

Erdös 4