On 23/06/15 09:32, Steffen Kaiser wrote:
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:43, Steffen Kaiser wrote:
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:16, lejeczek wrote:
to=me@my.domain,orig_to=root@localhost, relay=dovecot, delay=39296, delays=39294/2.2/0/0.27, dsn=4.3.0, status=deferred (temporary failure)
and dovecot logs no error, despite having debug to yes in couple of places, it shows:
auth: Debug: master in: USER 1 me@my.domain service=lda
auth-worker(25343): Debug: passwd(me@my.domain): lookup
auth-worker(25343): passwd(me@my.domain): unknown user
auth: Debug: ldap(me@my.domain): user search: base=ou=People,dc=my,dc=domain scope=subtree filter=(&(objectClass=person)(uid=me)) fields=
auth: Debug: ldap(me@my.domain): result: objectClass=top,top,top,top,
... here goes the whole lot of ldap attribs, and at the end:
unused.
For passdb & userdb in the configs I only configure the ldap backend, nothing else. Ldap works, I can query it without failing. I believe it's a very simple set up but I must be wrong somewhere.
pass_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=user=%n,userPassword=password
Use either uid=user or =user=%n but not uid=user=%n. I would use uid=user, so the user cannot specify the case of the username.
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))
Even stranger, if I use (along with ldap in configs):
Please post:
complete doveconf -n and the complete LDAP config being referenced by the config.
userdb {
  driver = static
  args = uid=vmail gid=mail home=/var/spool/mail/%d/%n mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n sieve_storage=/var/spool/mail/%d/%n/SIEVE sieve=/var/spool/mail/%d/%n/dovecot.sieve
}
dovecot starts to core dump:
auth: Fatal: master: service(auth): child 9188 killed with signal 11 (core dumped)
auth_debug = yes
The first lines should be something like this:
# 2.2.18 (8906101589f9): /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (3df7e50f986d)
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10
What version are you using?
auth_mechanisms = login
auth_verbose = yes
first_valid_uid = 999
mail_debug = yes
mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
Did you remove or comment out the line:
10-auth.conf:#!include auth-system.conf.ext
?
passdb {
  args = /etc/dovecot/ldap-passdb-my.domain.conf
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_storage = SIEVE
}
protocols = imap sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
ssl_cert =
#ldap-passdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
pass_attrs = uid=%n,userPassword=password
uid=%n makes no sense. Please use just:
pass_attrs = userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
#ldap-userdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))
default_pass_scheme = SSHA
It cannot be postfix if it relays and dovecot gets these relays. Can it be?
I have tried your config with above mentioned version, with LDAP as only passdb and userdb and these LDAP-settings:
hosts = localhost
auth_bind = yes
base = <baseDN>
deref = searching
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=fhMailAlias)(uid=%n))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
iterate_filter = (objectClass=fhMailAlias)
Note the pass_attrs. Then I submitted a new message with:
socat stdin UNIX:/var/run/dovecot2.2/lmtp
LHLO loc
mail from:me@example.com
rcpt to:other@example.com
data
Subject: 1

1
.
successfully. Maildir was created and message spooled to /var/spool/mail/example.com/other/Maildir. Then I logged in via IMAP successfully as well.
I also tried the other order: reload Dovecot to flush any caches, log in via IMAP and submit via LMTP.
You should however note the following:
Both filters treat users "me@example.com" and "me@localhost.localdomain" as the same user, because they match the same LDAP item (uid=%n), however the directories of the users _should_ differ, but they won't as long as the user's information is cached in the auth cache.
That means:
doveadm auth cache flush
doveadm user me@example.net
doveadm user me@example.com
returns the data for me@example.net in both cases and
doveadm auth cache flush
doveadm user me@example.com
doveadm user me@example.net
returns the data for me@example.com in both cases.
It's weird, I know, I do:
# doveadm auth test -x service=smtp -x rip=172.25.12.214 me@my.domain
Password:
passdb: me@my.domain auth succeeded
extra fields:
  user=me@my.domain
and in the logs:
auth-worker(32531): Debug: pam(me@my.domain,172.25.12.214): lookup service=dovecot
auth-worker(32531): Debug: pam(me@my.domain,172.25.12.214): #1/1 style=1 msg=Password:
pam_unix(dovecot:auth): check pass; user unknown
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=me@my.domain rhost=172.25.12.214
auth-worker(32531): pam(me@my.domain,172.25.12.214): unknown user
auth: Debug: ldap(me@my.domain,172.25.12.214): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me@my.domain))) fields=uid,userPassword
auth: Debug: ldap(me@my.domain,172.25.12.214): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me@my.domain,172.25.12.214): result: uid=info userPassword=<hidden>
auth: Debug: client passdb out: OK 1 user=me@my.domain
so it seems fine, right? Only I do a simple test on that dovecot locally
echo repli_test | mail -s "repl test" my@my.domain
to get:
auth-worker(365): Debug: passwd(me@my.domain): lookup
auth-worker(365): passwd(me@my.domain): unknown user
auth: Debug: password(me@my.domain): passdb doesn't support credential lookups
auth: Debug: ldap(me@my.domain): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me@my.domain))) fields=uid,userPassword
auth: Debug: ldap(me@my.domain): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me@my.domain): result: uid=info userPassword=<hidden>
auth: Fatal: master: service(auth): child 364 killed with signal 11 (core dumped)
the same error with: doveadm user me@my.domain
so it must be userdb, right?
maybe it's postfix twisting something?
--
Steffen Kaiser
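The thread turns on three points about the Dovecot LDAP settings: an attrs entry whose Dovecot field name is itself a %variable (uid=%n) maps to nothing useful, an entry naming both an LDAP attribute and a template (uid=user=%n) should be one or the other, and filters keyed on uid=%n alone make me@one.domain and me@other.domain resolve to the same LDAP entry, which the auth cache then serves for both. The following checker is an added example written for this page, not code from the thread or from the Dovecot project. It assumes the documented attrs syntax ldapAttr=dovecotField[=template] and recognises only the short %n/%Ln/%d/%u variable forms; the sample configuration it lints is constructed from the settings quoted in the thread.

```python
"""Hypothetical lint for Dovecot LDAP passdb/userdb settings (added example, not Dovecot code).

pass_attrs / user_attrs entries have the documented form
    ldapAttr=dovecotField[=template]
where an empty ldapAttr (e.g. "=home=/var/spool/mail/%d/%n") builds the
field from the template alone. The checks below encode the advice given in
the thread; the long %{name} variable forms are not recognised (assumption).
"""
import re

VAR_RE = re.compile(r"%\{?[A-Za-z]")      # a Dovecot %variable used where a field name belongs
USER_PART = re.compile(r"%L?n\b")         # %n / %Ln: local part of the login name
DOMAIN_PART = re.compile(r"%L?[du]\b")    # %d / %u: something that carries the domain

# Constructed sample, assembled from the settings quoted in the thread.
CONSTRUCTED_CONFIG = """
# ldap-passdb / ldap-userdb fragment (constructed)
pass_attrs = uid=%n,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir
user_filter = (&(objectClass=person)(uid=%n))
"""


def parse_attrs(attrs):
    """Split 'a=b=c,d=e' into (ldap_attr, field, template) triples."""
    triples = []
    for item in attrs.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("=", 2)        # a template may itself contain '='
        ldap_attr = parts[0]
        field = parts[1] if len(parts) > 1 else ""
        template = parts[2] if len(parts) > 2 else None
        triples.append((ldap_attr, field, template))
    return triples


def lint_attrs(name, attrs):
    """Return findings for one pass_attrs / user_attrs value."""
    findings = []
    for ldap_attr, field, template in parse_attrs(attrs):
        entry = f"{ldap_attr}={field}" if template is None else f"{ldap_attr}={field}={template}"
        shown = f"{name} entry '{entry}'"
        if not field:
            findings.append(f"{shown}: no Dovecot field name after '='")
        elif VAR_RE.match(field):
            findings.append(f"{shown}: the field name is a %variable; "
                            f"'{ldap_attr}=user' maps the attribute to the user field")
        elif ldap_attr and template is not None:
            findings.append(f"{shown}: names both an LDAP attribute and a template; "
                            f"use '{ldap_attr}={field}' or '={field}={template}'")
    return findings


def lint_filter(name, flt):
    """Warn when a filter keys on the local part only: every domain hits one entry."""
    if USER_PART.search(flt) and not DOMAIN_PART.search(flt):
        return [f"{name} matches on %n only: me@a.example and me@b.example resolve "
                f"to the same LDAP entry and share one auth cache entry"]
    return []


def lint_config(text):
    """Lint the key = value lines of a dovecot LDAP config fragment."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("pass_attrs", "user_attrs"):
            findings.extend(lint_attrs(key, value))
        elif key in ("pass_filter", "user_filter"):
            findings.extend(lint_filter(key, value))
    return findings


if __name__ == "__main__":
    for finding in lint_config(CONSTRUCTED_CONFIG):
        print(finding)
```

Run against the constructed fragment it reports the uid=%n entry and both %n-only filters; the user_attrs entries with an empty LDAP attribute pass, as does Steffen's pass_attrs = userPassword=password. The filter check deliberately fires on %Ln too, since the thread's caching observation applies whenever the domain does not take part in the lookup.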