[Dovecot] Dovecot proxy to Microsoft Exchange 2013
Hello,
I am trying to do a proxy with dovecot to IMAP backend servers that are using Microsoft Exchange 2013. I already did this with Microsoft Exchange 2007 and Microsoft Exchange 2010 and it works perfectly! But with Microsoft Exchange 2013 I can not perform LOGIN.
The error log message is:
    imap-login: Error: proxy(user@domain.com.br): Login for exchange2013.domain.com.br:143 timed out in state=4 (after 30 secs, local=x.x.x.x:59640)
My troubleshooting was:
- tcpdump on dovecot server side: I can see the commands sent/received by Microsoft Exchange. But not the "OK LOGIN" response.
    * OK The Microsoft Exchange IMAP4 service in xxxx is ready.
    C CAPABILITY
    L LOGIN "user@domain.com.br" "123456"
    * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
    C OK CAPABILITY completed.
- tcpdump with telnet login on dovecot server side: Works fine.
    * OK The Microsoft Exchange IMAP4 service in xxxx is ready.
    a login "user@domain.com.br" "123456"
    a OK LOGIN completed.
    a logout
    * BYE Microsoft Exchange Server 2013 IMAP4 server signing off.
    a OK LOGOUT completed.
- Verbose log on Microsoft Exchange 2013. It looks like Microsoft Exchange did not receive the login command.
Has anyone already tried to do this with Microsoft Exchange 2013?
See below some information about my dovecot configuration:
    # 2.2.2: dovecot.conf
    # OS: Linux 2.6.32-358.2.1.el6.centos.plus.x86_64 x86_64 CentOS release 6.4 (Final)

    base_dir = /var/run/dovecot/
    disable_plaintext_auth = no
    listen = x.x.x.x
    mbox_write_locks = fcntl
    passdb {
      args = /etc/dovecot/dovecot-ldap.conf.ext
      driver = ldap
    }

    protocols = imap pop3
    service imap-login {
      inet_listener imap {
        port = 143
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
      process_min_avail = 4
      service_count = 0
      vsz_limit = 512 M
    }
    service pop3-login {
      inet_listener pop3 {
        port = 110
      }
      inet_listener pop3s {
        port = 995
        ssl = yes
      }
      process_min_avail = 4
      service_count = 0
      vsz_limit = 512 M
    }
    ssl_cert = </etc/dovecot/certificate/chained.crt
    ssl_key = </etc/dovecot/certificate/cert.key
    userdb {
      driver = prefetch
    }

    /etc/dovecot/dovecot-ldap.conf.ext
    hosts = x.x.x.x
    dn = cn=admin,o=email
    dnpass = xxxxxxx
    ldap_version = 3
    base = o=email
    scope=subtree
    pass_filter = mail=%u
    pass_attrs = uid=user,=password=,=proxy=y,mailHost=host,=nopassword=y
Thanks, Ricardo Machini
On 19.6.2013, at 20.54, Ricardo Machini Barbosa <ricardomachini@gmail.com> wrote:
> I am trying to do a proxy with dovecot to IMAP backend servers that are using Microsoft Exchange 2013. I already did this with Microsoft Exchange 2007 and Microsoft Exchange 2010 and it works perfectly! But with Microsoft Exchange 2013 I can not perform LOGIN.
> The error log message is:
>     imap-login: Error: proxy(user@domain.com.br): Login for exchange2013.domain.com.br:143 timed out in state=4 (after 30 secs, local=x.x.x.x:59640)
> My troubleshooting was:
> - tcpdump on dovecot server side: I can see the commands sent/received by Microsoft Exchange. But not the "OK LOGIN" response.
>     * OK The Microsoft Exchange IMAP4 service in xxxx is ready.
>     C CAPABILITY
>     L LOGIN "user@domain.com.br" "123456"
>     * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
>     C OK CAPABILITY completed.
Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached patch on top of that? If it works, I'll commit that patch too.
On Mon, 2013-06-24 at 23:40 +0300, Timo Sirainen wrote:
> Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached patch on top of that? If it works, I'll commit that patch too.
Attached another patch that doesn't crash on successful logins :)
Timo, thanks for your help.
But I can't compile with this patch:
    imap-proxy.c: In function ‘proxy_write_login’:
    imap-proxy.c:95: error: ‘struct client’ has no member named ‘pre_proxy_auth’
    imap-proxy.c: In function ‘imap_proxy_parse_line’:
    imap-proxy.c:217: error: ‘struct client’ has no member named ‘proxy_banner’
    imap-proxy.c:288: error: ‘struct client’ has no member named ‘post_proxy_auth’
On 24/06/2013 19:22, Timo Sirainen wrote:
> On Mon, 2013-06-24 at 23:40 +0300, Timo Sirainen wrote:
>> Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached patch on top of that? If it works, I'll commit that patch too.
> Attached another patch that doesn't crash on successful logins :)
Hello Timo,
I tried to compile this patch again on version 2.2.5 and I got the same error:
    imap-proxy.c: In function ‘proxy_write_login’:
    imap-proxy.c:95: error: ‘struct client’ has no member named ‘pre_proxy_auth’
    imap-proxy.c: In function ‘imap_proxy_parse_line’:
    imap-proxy.c:216: error: ‘struct client’ has no member named ‘proxy_banner’
    imap-proxy.c:287: error: ‘struct client’ has no member named ‘post_proxy_auth’
Thanks, Ricardo Machini
On 25/06/2013 01:23, Ricardo Machini Barbosa wrote:
> Timo, thanks for your help.
> But I can't compile with this patch:
>     imap-proxy.c: In function ‘proxy_write_login’:
>     imap-proxy.c:95: error: ‘struct client’ has no member named ‘pre_proxy_auth’
>     imap-proxy.c: In function ‘imap_proxy_parse_line’:
>     imap-proxy.c:217: error: ‘struct client’ has no member named ‘proxy_banner’
>     imap-proxy.c:288: error: ‘struct client’ has no member named ‘post_proxy_auth’
> On 24/06/2013 19:22, Timo Sirainen wrote:
>> On Mon, 2013-06-24 at 23:40 +0300, Timo Sirainen wrote:
>>> Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached patch on top of that? If it works, I'll commit that patch too.
>> Attached another patch that doesn't crash on successful logins :)
On Mon, 24 Jun 2013 23:40:57 +0300 Timo Sirainen articulated:
> Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached patch on top of that? If it works, I'll commit that patch too.
Timo, I have not really been following this thread very closely, so I am not quite sure what the problem is exactly. I have a friend who has a friend who has input on Microsoft Exchange development. If you could supply me, perhaps off list if you desire, specifics of exactly what you believe Microsoft Exchange 2013 is doing incorrectly, I could forward this information on. You would need to be quite specific though. Generalizations would not be of any use.
-- Jerry ♔
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
On 25.6.2013, at 13.36, Jerry <jerry@seibercom.net> wrote:
> On Mon, 24 Jun 2013 23:40:57 +0300 Timo Sirainen articulated:
>> Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached patch on top of that? If it works, I'll commit that patch too.
> Timo, I have not really been following this thread very closely, so I am not quite sure what the problem is exactly. I have a friend who has a friend who has input on Microsoft Exchange development. If you could supply me, perhaps off list if you desire, specifics of exactly what you believe Microsoft Exchange 2013 is doing incorrectly, I could forward this information on. You would need to be quite specific though. Generalizations would not be of any use.
Looking at the first mail in this thread, it looks like when Dovecot sends within one TCP packet:
    C CAPABILITY
    L LOGIN "user@domain.com.br" "123456"
Exchange replies only to the CAPABILITY command with:
    * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
    C OK CAPABILITY completed.
Then the session gets stuck, because Dovecot doesn't send anything, only expects Exchange to also handle the LOGIN command, but it's not doing that, most likely because it didn't think that two commands could be within a single TCP packet.
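
The stall described in the message above, as an added example that is not part of the thread and is not Dovecot or Exchange code: a constructed toy backend that drops everything after the first command in a read, and a client that sends CAPABILITY and LOGIN either in one write (as the proxy capture shows) or one at a time (as the telnet test did). The names `toy_backend` and `login_attempt` are hypothetical, and the example assumes both commands arrive in a single read on the local socket pair.

```python
import socket
import threading

def toy_backend(conn, handles_pipelining):
    """Constructed pre-auth IMAP backend; not Exchange or Dovecot code."""
    conn.sendall(b"* OK toy IMAP4 service is ready.\r\n")
    buf = b""
    while True:
        data = conn.recv(4096)
        if not data:
            break
        buf += data
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            tag, cmd = line.split(b" ", 2)[:2]
            conn.sendall(tag + b" OK " + cmd + b" completed.\r\n")
            if not handles_pipelining:
                buf = b""  # modelled bug: the rest of this read is dropped
    conn.close()

def login_attempt(handles_pipelining, pipelined, timeout=0.5):
    """Return the tags the backend completed before the client timed out."""
    client, server = socket.socketpair()
    threading.Thread(target=toy_backend, args=(server, handles_pipelining),
                     daemon=True).start()
    client.settimeout(timeout)
    reader = client.makefile("rb")
    reader.readline()  # greeting
    # Constructed credentials, same command shape as the capture in the thread.
    cmds = [b"C CAPABILITY\r\n", b'L LOGIN "user@example.test" "constructed"\r\n']
    batches = [cmds] if pipelined else [[c] for c in cmds]
    done = []
    try:
        for batch in batches:
            client.sendall(b"".join(batch))  # one write per batch
            for _ in batch:
                done.append(reader.readline().split()[0].decode())
    except OSError:  # socket timeout: the backend never answered
        pass
    finally:
        reader.close()
        client.close()
    return done

if __name__ == "__main__":
    print("pipelined, buggy backend:  ", login_attempt(False, True))
    print("one at a time, buggy:      ", login_attempt(False, False))
    print("pipelined, correct backend:", login_attempt(True, True))
```

Sending one command per write is shown only for comparison with the telnet result; the thread does not say what the attached patch changes.
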
I'm wondering if this could have anything to do with how Exchange 2013 broke recipient verification?
Discussed recently on the postfix list:
http://postfix.1071664.n5.nabble.com/Semi-OT-Exchange-2013-SMTP-Callout-td58...
In that thread there is this link to a Technet discussion:
http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/91...
On 2013-06-25 6:52 AM, Timo Sirainen <tss@iki.fi> wrote:
> On 25.6.2013, at 13.36, Jerry <jerry@seibercom.net> wrote:
>> On Mon, 24 Jun 2013 23:40:57 +0300 Timo Sirainen articulated:
>>> Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached patch on top of that? If it works, I'll commit that patch too.
>> Timo, I have not really been following this thread very closely, so I am not quite sure what the problem is exactly. I have a friend who has a friend who has input on Microsoft Exchange development. If you could supply me, perhaps off list if you desire, specifics of exactly what you believe Microsoft Exchange 2013 is doing incorrectly, I could forward this information on. You would need to be quite specific though. Generalizations would not be of any use.
> Looking at the first mail in this thread, it looks like when Dovecot sends within one TCP packet:
>     C CAPABILITY
>     L LOGIN "user@domain.com.br" "123456"
> Exchange replies only to the CAPABILITY command with:
>     * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
>     C OK CAPABILITY completed.
> Then the session gets stuck, because Dovecot doesn't send anything, only expects Exchange to also handle the LOGIN command, but it's not doing that, most likely because it didn't think that two commands could be within a single TCP packet.
--
Best regards,
Charles Marcus I.T. Director Media Brokers International, Inc. 678.514.6224 | 678.514.6299 fax
participants (4): Charles Marcus, Jerry, Ricardo Machini Barbosa, Timo Sirainen