[Dovecot] dovecot imap hangs

26 Nov 2007

      All,
I recently did a fresh install/setup on centos 5 to replace my older
courier-imap and all seemed to go well until today I started to notice
that it simply hangs. I use thunderbird and squirrel mail and after a
while it seems like I"m simply rejected. I'm almost guessing that it has
to do with the session timing out and then dovecot is unwilling or
unable to renew the session. I can't login and there is little or no
information in the logs. I've set up a cron job to restart dovecot every
5 minutes to deal with this for now.
I'm new to dovecot, what sort of info should I send to you guys?
I'm using centos 5, qmail-ldap and Maildir for my mail format.
OpenLDAP: slapd 2.3.27
dovecot-1.0-1.2.rc15.el5
my /etc/dovecot.conf
mail_location = maildir:%h
namespace private {
prefix = INBOX.
inbox = yes
}
mail_debug = yes
maildir_copy_with_hardlinks = yes
auth default {
mechanisms = plain
passdb ldap {
# Path for LDAP configuration file, see doc/dovecot-ldap.conf for
example
args = /etc/dovecot-ldap.conf
}
userdb ldap {
args = /etc/dovecot-ldap.conf
}
}
my dovecot-ldap.conf
This file is opened as root, so it should be owned by root and mode 0600.

NOTE: If you're not using authentication binds, you'll need to give
dovecot-auth read access to userPassword field in the LDAP server.
With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
already be something like this:
access to attribute=userPassword
by dn="<dovecot's dn>" read # add this
by anonymous auth
by self write
by * none
Space separated list of LDAP hosts to use. host:port is allowed too.
hosts =127.0.0.1:389
LDAP URIs to use. You can use this instead of hosts list. Note that this
setting isn't supported by all LDAP libraries.
#uris =
Distinguished Name - the username used to login to the LDAP server
#dn =
dn=cn=Manager,dc=cttechhosting,dc=net
dnpass=secret
Password for LDAP server
#dnpass =
Use SASL binding instead of the simple binding. Note that this changes
ldap_version automatically to be 3 if it's lower. Also note that SASL binds
and auth_bind=yes don't work together.
#sasl_bind = no
SASL mechanism name to use.
#sasl_mech =
SASL realm to use.
#sasl_realm =
SASL authorization ID, ie. the dnpass is for this "master user", but the
dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =
Use authentication binding for verifying password's validity. This works by
logging into LDAP server using the username and password given by client.
The pass_filter is used to find the DN for the user. Note that the pass_attrs
is still used, only the password field is ignored in it. Before doing any
search, the binding is switched back to the default DN.
auth_bind = yes
If authentication binding is used, you can save one LDAP request per login
if users' DN can be specified with a common template. The template can use
the standard %variables (see user_filter). Note that you can't
use any pass_attrs if you use this setting.

If you use this setting, it's a good idea to use a different
dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the
filename is different in userdb's args). That way one connection is used only
for LDAP binds and another connection is used for user lookups. Otherwise
the binding is changed to the default DN before each user lookup.

For example:
auth_bind_userdn = cn=%u,ou=people,o=org

auth_bind_userdn = uid=%u,ou=accounts,dc=cttechhosting,dc=net
LDAP protocol version to use. Likely 2 or 3.
#ldap_version = 2
ldap_version=3
LDAP base. %variables can be used here.
base = ou=accounts,dc=cttechhosting,dc=net
Dereference: never, searching, finding, always
#deref = never
Search scope: base, onelevel, subtree
#scope = subtree
User attributes are given in LDAP-name=dovecot-internal-name list. The
internal names are:
uid - System UID
gid - System GID
home - Home directory
mail - Mail location

There are also other special fields which can be returned, see
http://wiki.dovecot.org/UserDatabase/ExtraFields
user_attrs = mailMessageStore=home,qmailUID=uid,qmailGID=gid,mailMessageStore=mail
Filter for user lookup. Some variables can be used (see
http://wiki.dovecot.org/Variables for full list):
%u - username
%n - user part in user@domain, same as %u if there's no domain
%d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=qmailUser)(uid=%u))
Password checking attributes:
user: Virtual user name (user@domain), if you wish to change the
user-given username to something else
password: Password, may optionally start with {type}, eg. {crypt}
There are also other special fields which can be returned, see
http://wiki.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = mail=user,userPassword=password
If you wish to avoid two LDAP lookups (passdb + userdb), you can use
userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
also have to include user_attrs in pass_attrs field prefixed with "userdb_"
string. For example:
#pass_attrs = uid=user,userPassword=password,homeDirectory=userdb_home,qmailUID=userdb_uid,qmailGID=userdb_gid
Filter for password lookups
pass_filter = (&(objectClass=qmailUser)(uid=%u))
Default password scheme. "{scheme}" before password overrides this.
List of supported schemes is in: http://wiki.dovecot.org/Authentication
default_pass_scheme = LDAP-SHA
You can use same UID and GID for all user accounts if you really want to.
If the UID/GID is still found from LDAP reply, it overrides these values.
#user_global_uid =
#user_global_gid =
===================

[Dovecot] dovecot imap hangs

russ

my /etc/dovecot.conf

my dovecot-ldap.conf

This file is opened as root, so it should be owned by root and mode 0600.

NOTE: If you're not using authentication binds, you'll need to give

dovecot-auth read access to userPassword field in the LDAP server.

With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should

already be something like this:

access to attribute=userPassword

by dn="<dovecot's dn>" read # add this

by anonymous auth

by self write

by * none

Space separated list of LDAP hosts to use. host:port is allowed too.

LDAP URIs to use. You can use this instead of hosts list. Note that this

setting isn't supported by all LDAP libraries.

Distinguished Name - the username used to login to the LDAP server

Password for LDAP server

Use SASL binding instead of the simple binding. Note that this changes

ldap_version automatically to be 3 if it's lower. Also note that SASL binds

and auth_bind=yes don't work together.

SASL mechanism name to use.

SASL realm to use.

SASL authorization ID, ie. the dnpass is for this "master user", but the

dn is still the logged in user. Normally you want to keep this empty.

Use authentication binding for verifying password's validity. This works by

logging into LDAP server using the username and password given by client.

The pass_filter is used to find the DN for the user. Note that the pass_attrs

is still used, only the password field is ignored in it. Before doing any

search, the binding is switched back to the default DN.

If authentication binding is used, you can save one LDAP request per login

if users' DN can be specified with a common template. The template can use

the standard %variables (see user_filter). Note that you can't

use any pass_attrs if you use this setting.

If you use this setting, it's a good idea to use a different

dovecot-ldap.conf for userdb (it can even be a symlink, just as long as the

filename is different in userdb's args). That way one connection is used only

for LDAP binds and another connection is used for user lookups. Otherwise

the binding is changed to the default DN before each user lookup.

For example:

auth_bind_userdn = cn=%u,ou=people,o=org

LDAP protocol version to use. Likely 2 or 3.

LDAP base. %variables can be used here.

Dereference: never, searching, finding, always

Search scope: base, onelevel, subtree

User attributes are given in LDAP-name=dovecot-internal-name list. The

internal names are:

uid - System UID

gid - System GID

home - Home directory

mail - Mail location

There are also other special fields which can be returned, see

http://wiki.dovecot.org/UserDatabase/ExtraFields

Filter for user lookup. Some variables can be used (see

http://wiki.dovecot.org/Variables for full list):

%u - username

%n - user part in user@domain, same as %u if there's no domain

%d - domain part in user@domain, empty if user there's no domain

Password checking attributes:

user: Virtual user name (user@domain), if you wish to change the

user-given username to something else

password: Password, may optionally start with {type}, eg. {crypt}

There are also other special fields which can be returned, see

http://wiki.dovecot.org/PasswordDatabase/ExtraFields

If you wish to avoid two LDAP lookups (passdb + userdb), you can use

userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll

also have to include user_attrs in pass_attrs field prefixed with "userdb_"

string. For example:

Filter for password lookups

Default password scheme. "{scheme}" before password overrides this.

List of supported schemes is in: http://wiki.dovecot.org/Authentication

You can use same UID and GID for all user accounts if you really want to.

If the UID/GID is still found from LDAP reply, it overrides these values.

#user_global_uid =