On Mon, 2013-02-04 at 21:16 -0500, Andy Dills wrote:
On Feb 4, 2013, at 8:56 PM, Timo Sirainen <tss@iki.fi> wrote:
On Mon, 2013-02-04 at 12:08 -0500, Andy Dills wrote:
We have a checkpassword authentication with mysql pre-fetch for the userdb lookups.
When trying to do:
doveadm search -u andytest@xecu.net mailbox Trash DELETED
I get:
doveadm(andytest@xecu.net): Error: user andytest@xecu.net: Auth PASS lookup failed
doveadm(andytest@xecu.net): Fatal: /var/run/dovecot/auth-userdb: passdb lookup failed (to see if user is proxied, because doveadm_proxy_port is set)
Do you have proxying enabled? If not, remove doveadm_proxy_port and this solves itself.
Yes, I apologize, it appears I edited out the paragraph where I described our setup.
Cluster of dovecot dual instance servers, one proxy/director, one backend. The backend config lives in dovecot.conf, the proxy config in proxy.conf (let me know if the specific config would help). Version 2.1.12 (current version in FreeBSD ports).
I should mention, I have to specify the director-admin socket manually when using doveadm director; it's as if doveadm isn't quite aware of the config in the proxy instance.
However, the authentication happens in the primary "dovecot.conf" instance...that's where checkpassword gets called, and where the prefetch is configured. The proxy is "dumb".
OK, so you are using director, so it is good that doveadm is doing a proxy lookup, otherwise it might run it on the wrong server and cause troubles with NFS caching (which is exactly what director is supposed to prevent).
I'm not surprised the checkpassword lookup is failing; the password isn't being supplied. Shouldn't it just be doing the prefetch lookup instead, like the lmtp service?
doveadm doesn't care about the password. It cares about the proxy destination host so that it can automatically connect to the correct host to run the command.
I understand doveadm doesn't care about the password; I was confused why checkpassword was being called when the password is unknown rather than using the mysql prefetch.
So, I guess what you're saying is doveadm should be talking to the proxy instance rather than the backend instance? I assume I need to move the backend to a differently named config and make my proxy instances live in dovecot.conf, so that doveadm sees the "right" config?
I think you need to remove doveadm_proxy_port from the backend dovecot.conf. Then it doesn't perform the PASS lookup. But you also should run doveadm via the proxy instance so that it gets run in the correct server (doveadm -c /etc/dovecot/proxy.conf or doveadm -i proxy if you've given it a name).