Thanks Timo, turns out I'm more of a rookie at sysconfiguring than I thought, so perhaps this helps identify stuff that a rookie wouldn't already know...<G>
On Thu, 2003-02-20 at 19:46, Timo Sirainen wrote:
>> I've not configured up LDAP on my server yet, so it's just plain PAM for now. I'm able to login fine with all my other apps, so I doubt it's a problem with PAM, but not impossible. I haven't done anything with PAM on this machine yet as it's live. I've been testing things out on another machine (NON-SMP/RH8), which I'll try tomorrow if I get a chance.
> You have to have it configured in /etc/pam.d/imap. For example:
>
>     auth     required pam_unix.so nullok
>     account  required pam_unix.so
Thanks, this makes more sense than the options you provide in doc/auth.txt, so you may wish to change that. On both RH7.3 and a RH8.0 box here, I don't have pwdfile; it's apparently been replaced by other functionality.
>> each imap-login is waiting at a read(7,
> That's the problem then. It really shouldn't be blocking there. Could you get the backtrace to see where it's hanging? ie. run as root:
>
>     gdb /usr/local/libexec/dovecot/imap-login <pid of the imap-login>
>
> and "bt" in it.
It's hung up in SSL_CTX_use_PrivateKey() in ssl-proxy-openssl.c, which as you correctly surmised below, is due to a password protected key.
I've located and used mkcert.sh. As a note, the only docs for doc/mkcert.sh are halfway through the NEWS file and rapidly receding as you add new releases (congrats on the fast progress by the way!), however you might consider adding a short note about it to the doc/auth.txt or doc/configuration.txt file for those new to Dovecot.
> I do call fflush() after each write to log. Killing with SIGTERM will do clean exit which may log more things, maybe it's just that? Also killing child processes makes master process log their exits.
>> I usually note that the messages in the log (watched by a tail -f) show up after I kill the Dovecot master process (kill -9).
> Depends on what the messages are I guess. But if you're kill -9ing the master process, it's quite likely that the child processes will complain about losing it.
After playing a bit, I think that those messages were due to the kill -9, SIGTERM is nicer. I still end up with little in the way of verbose debugging messages, by my standards. Usually all I see is login and logout messages. Otherwise, I get the occasional lockfile message, which is something that I need to sort out with Exim, and completely on my end.
>> dovecot: Feb 20 18:11:51 Info: Dovecot starting up
>> imap-login: Dec 31 16:00:00 Fatal: Can't load private key file /usr/local/ssl/private/cedarintkey.pem: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
> Err, isn't this the reason why your SSL doesn't work? :) Or was that just an example? If your private key is crypted with some password, Dovecot can't use it at least currently..
Correct! Doh! I have been able to use imaps, since I built a non-passworded private key. I was using passworded keys that I'd built for Apache, and would eventually like to have one set of keys that I can reference for each virtual domain. Were you planning on something like the Apache startssl option?
I can live with the constraint of one 'connection' key for now. Have you considered allowing each virtual domain to have its own keys? Kind of difficult as the secure pipe to the server is already in place by the time the login name is seen... Kinda makes it tough for a true virtual presence without explicitly assigned IPs. Hmmm, any plans for at least a different keys/identity per IP? If I understand the configuration file for now, it seems to be designed for one cert per machine.
Thanks for the help, I've just got to sort out the lockfile differences between Exim and Dovecot and I should then be functional. After that I'll start using LDAP.
TJ
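A pre-flight check for the "problems getting password" failure quoted in the thread, added here as an example and not part of the original mail or of Dovecot: it classifies a PEM key file by its headers so an encrypted key (which a non-interactive imap-login has no way to unlock) is caught before the daemon is pointed at it. The sample files, their names and the placeholder bodies are constructed for the demonstration.

```shell
# Classify a PEM private key as "encrypted", "plain" or "unknown" by header.
# Both the legacy PKCS#1 form (BEGIN RSA PRIVATE KEY + Proc-Type/DEK-Info)
# and the PKCS#8 form (BEGIN ENCRYPTED PRIVATE KEY) are recognised.
classify_key() {
    keyfile=$1
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$keyfile"; then
        echo encrypted          # PKCS#8 key protected by a passphrase
    elif grep -q -- '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        echo encrypted          # legacy PKCS#1 key with a DEK-Info header
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$keyfile"; then
        echo plain              # no passphrase needed: safe for a daemon
    else
        echo unknown            # not a PEM private key at all
    fi
}

# Constructed sample files: real headers, placeholder bodies (not real keys).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'PLACEHOLDERBASE64' \
        '-----END RSA PRIVATE KEY-----' > "$dir/apache-key.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8-key.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
        '-----END RSA PRIVATE KEY-----' > "$dir/dovecot-key.pem"
    printf '%s\n' 'just some text' > "$dir/notakey.txt"
    echo "$dir"
}

# Walk the sample directory and report each file's classification.
SAMPLES=$(make_samples)
for f in "$SAMPLES"/*; do
    printf '%-16s %s\n' "$(basename "$f")" "$(classify_key "$f")"
done
```

Run it against the key you intend to name in dovecot.conf; anything other than "plain" explains a hang or a Fatal at startup before you touch PAM or the rest of the configuration.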