Hi,
I know I must have done some misconfiguration, but I do not know where to start searching. All began when looking at my weekly cron message, where doveadm purge -A is run. That fails. So I tried doveadm quota -A as well, which several weeks ago was working perfectly.
Example:

doveadm quota get -A
doveadm(root): Error: User listing returned failure
doveadm: Error: Failed to iterate through some users
Username Quota name Type Value Limit %
All I see in the logs is:
May 13 13:03:20 mx0 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Connect error
May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
Dovecot itself works. Only doveadm does not.
My LDAP is using SASL/EXTERNAL. Certs are in standard folders under /etc/ssl/{certs,private} (see below).
I guess that "some" user (but which?) tries to read the certs but is disallowed.
Can somebody please help me fix my permissions on that (privately used) mail server? Is my "vmail" user required?
Thanks in advance
Here is my doveconf -n:
# 2.1.6: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-41-generic-pae i686 Ubuntu 10.04.4 LTS
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
hostname = mail.roessner-net.de
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_access_groups = vmail
mail_gid = vmail
mail_location = mdbox:~/mdbox
mail_plugins = autocreate quota acl fts fts_solr zlib mail_log notify
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = mdbox:%%h/mdbox
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox junkmail {
    special_use = \Junk
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
  autocreate = Trash
  autocreate2 = Sent
  autocreate3 = Drafts
  autocreate4 = junkmail
  autosubscribe = Trash
  autosubscribe2 = Sent
  autosubscribe3 = Drafts
  autosubscribe4 = junkmail
  fts = solr
  fts_solr = break-imap-search url=http://localhost:8080/solr/
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = dict:User quota::file:%h/mdbox/dovecot-quota
  quota_rule = *:storage=300M:messages=20000
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap pop3 lmtp sieve
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service lmtp {
  inet_listener lmtp {
    address = ::1
    port = 24
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_ca =
And here my ldap stuff:
uris = ldap://ldap0.roessner-net.de/ ldap://db.roessner-net.de/
sasl_bind = yes
sasl_mech = EXTERNAL
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_cert_file = /etc/ssl/certs/mx0.roessner-net.de.pem
tls_key_file = /etc/ssl/private/mx0.roessner-net.de.key.pem
tls_require_cert = hard
base = ou=people,ou=it,dc=roessner-net,dc=de
user_attrs = rnsMSQuota=quota_rule=*:storage=%$,rnsMSMailboxHome=home
user_filter = (&(objectClass=rnsMSDovecotAccount)(rnsMSRecipientAddress=%u))
pass_attrs = rnsMSDeliverToAddress=user,userPassword=password
pass_filter = (&(objectClass=rnsMSDovecotAccount)(rnsMSRecipientAddress=%u)(rnsMSEnableDovecot=TRUE))
iterate_attrs = rnsMSDovecotUser=user
iterate_filter = (objectClass=rnsMSDovecotAccount)
default_pass_scheme = CRYPT
id vmail
uid=5000(vmail) gid=5000(vmail) groups=111(ssl-cert),5000(vmail)

ls -l /etc/ssl/private/mail.roessner-net.de.key.pem
-rw-r----- 1 root ssl-cert 1679 2012-03-29 10:03 /etc/ssl/private/mail.roessner-net.de.key.pem
-Christian Rößner
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com
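An added permission check for the question above (example code, not from the post or from Dovecot): it lists the tls_*_file paths in a dovecot-ldap.conf.ext and tests whether the user the auth-worker runs as (vmail, per the doveconf output) can read each one, applying the owner/group/other rule seen in the ls -l line. The live part assumes GNU stat(1) and id(1) as on Ubuntu; the config path, user name and the sample values in the comments are assumptions, and note that the config names mx0.roessner-net.de.key.pem while the ls output shows mail.roessner-net.de.key.pem, so the script checks whichever paths the config actually references.

```shell
#!/bin/sh
# Added example (not from the post): verify that the user running Dovecot's
# auth-worker can read every TLS file named in the LDAP passdb config.
# can_read() is the pure permission rule, so it can be tried on the values
# shown in the post (e.g. '-rw-r-----' root ssl-cert vmail "ssl-cert vmail")
# without root-owned files; check_live() applies it to real files.

# Print the tls_*_file paths from a dovecot-ldap.conf.ext (file arg or stdin).
tls_files() {
    sed -n 's/^[[:space:]]*tls_[a-z_]*_file[[:space:]]*=[[:space:]]*//p' ${1:+"$1"}
}

# can_read MODE OWNER GROUP USER "GROUP LIST": exit 0 if USER may read the file.
# MODE is the symbolic string from ls -l, e.g. -rw-r-----.
can_read() {
    [ "$4" = root ] && return 0
    if [ "$2" = "$4" ]; then
        [ "$(printf '%s' "$1" | cut -c2)" = r ]; return
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then
            [ "$(printf '%s' "$1" | cut -c5)" = r ]; return
        fi
    done
    [ "$(printf '%s' "$1" | cut -c8)" = r ]
}

# check_live CONF USER: stat each configured file (GNU stat assumed) and
# report it as USER. The directory also needs the x bit for USER: Debian and
# Ubuntu ship /etc/ssl/private as root:ssl-cert 0710, covered by ssl-cert.
check_live() {
    conf=$1 user=$2 rc=0
    groups=$(id -Gn "$user") || return 1
    for f in $(tls_files "$conf"); do
        if [ ! -e "$f" ]; then echo "MISSING  $f"; rc=1; continue; fi
        set -- $(stat -c '%A %U %G' "$f")
        if can_read "$1" "$2" "$3" "$user" "$groups"; then
            echo "ok       $f ($1 $2:$3)"
        else
            echo "DENIED   $f ($1 $2:$3) for $user"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check-ldap-tls-perms.sh /etc/dovecot/dovecot-ldap.conf.ext vmail
if [ $# -eq 2 ]; then
    check_live "$1" "$2"
fi
```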