Why does Dovecot authentication against OpenLDAP fail when using TLS encryption?
Dear Mailing list,
I have a Dovecot v2.2.9 server that authenticates against an OpenLDAP server.
I want to configure Dovecot to use TLS for LDAP authentication.
I have tried to fetch/send emails using Thunderbird:
- IMAP succeeded in fetching mail
- SMTP failed to send mail
The Dovecot server produces the following log:
Jun 29 08:44:00 mail postfix/submission/smtpd[634]: connect from virtual.domain.com[172.16.0.1]
Jun 29 08:44:01 mail dovecot: auth: Debug: auth client connected (pid=0)
Jun 29 08:44:02 mail dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=172.17.0.15#011rip=172.16.0.1#011secured#011resp=<hidden>
Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me@domain.com,172.16.0.1): bind search: base=dc=mail,dc=domain,dc=com filter=(&(objectClass=CourierMailAccount)(mail=me@domain.com))
Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me@domain.com,172.16.0.1): no fields returned by the server
Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me@domain.com,172.16.0.1): result: uid missing
Jun 29 08:44:02 mail dovecot: auth: Debug: client passdb out: OK#0111#011user=me@domain.com
Jun 29 08:44:04 mail postfix/submission/smtpd[661]: connect from mail.node.domain-ovh.consul[172.16.0.2]
Jun 29 08:44:04 mail postfix/submission/smtpd[661]: lost connection after CONNECT from mail.node.domain-ovh.consul[172.16.0.2]
Jun 29 08:44:04 mail postfix/submission/smtpd[661]: disconnect from mail.node.domain-ovh.consul[172.16.0.2]
Jun 29 08:44:07 mail dovecot: auth: Debug: auth client connected (pid=662)
Jun 29 08:44:07 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.16.0.2, lip=172.17.0.15, TLS handshaking: Disconnected, session=<MGK6TRVTRACsEAAC>
**Note that before I switched to TLS**, the server was making a clear connection to OpenLDAP and the **binding was working fine**.
I have verified the LDAP query using ldapsearch, and it confirmed that my binding must have worked:
me@dev-01:[~]: ldapsearch -x -D "cn=readonly,dc=domain,dc=com" -W -H ldap://ldap.domain.com:389 -b "dc=mail,dc=domain,dc=com" -LLL "(&(objectClass=CourierMailAccount)(mail=me@domain.com))" -ZZ homeDirectory
Enter LDAP Password:
dn: mail=me@domain.com,dc=mailAccount,dc=domain.com ,dc=mail,dc=domain,dc=com
homeDirectory: /var/mail
I have the following dovecot.cf:
login_greeting = server ready
mail_uid = 5000
mail_gid = 5000
auth_mechanisms = plain login
disable_plaintext_auth = yes
ssl_ca = </etc/postfix/ssl/cacert.pem
auth_debug_passwords = no
auth_debug = yes
auth_verbose = yes
userdb {
  driver = ldap
  args = /etc/dovecot/conf.d/auth-ldap.conf.ext
}
passdb {
  driver = ldap
  args = /etc/dovecot/conf.d/auth-ldap.conf.ext
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
And this is the included /etc/dovecot/conf.d/auth-ldap.conf.ext file:
# SSL/TLS
uris = ldap://virtual.domain.com
auth_bind = yes
ldap_version = 3
dn = cn=readonly,dc=domain,dc=com
dnpass = abc
base = dc=mail,dc=domain,dc=com
user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
user_attrs = uidNumber=5000,gidNumber=5000,homeDirectory=home,mailbox=mail=maildir:%$/Maildir:LAYOUT=fs
default_pass_scheme = SSHA
tls = yes
tls_ca_cert_dir = /etc/postfix/ssl
Why does Dovecot authentication against OpenLDAP fail when I switch to TLS encryption?
Hoping this mail will be read by somebody,
Regards,
Dimitri
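An added example, not part of the original post and not Dovecot code: a lint for the TLS settings of a file like the auth-ldap.conf.ext quoted above, run on a constructed copy of its TLS-relevant lines. It assumes libldap is built against OpenSSL (which looks up a CA directory by subject-hash file names); `lint_tls`, its finding codes and the `tested_host` parameter are names made up for this example.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the TLS-relevant settings quoted in the post.
SAMPLE_CONF = """\
# SSL/TLS
uris = ldap://virtual.domain.com
auth_bind = yes
tls = yes
tls_ca_cert_dir = /etc/postfix/ssl
"""

def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def lint_tls(settings, tested_host=None):
    """Return (code, message) findings. tested_host (hypothetical parameter)
    is the host name a manual 'ldapsearch -ZZ' test was run against."""
    findings = []
    uris = [urlparse(u) for u in settings.get("uris", "").split()]
    schemes = {u.scheme for u in uris}
    hosts = {u.hostname for u in uris}
    starttls = settings.get("tls", "no").lower() == "yes"
    if "ldap" in schemes and not starttls:
        findings.append(("cleartext", "ldap:// without tls = yes sends binds unencrypted"))
    if "ldaps" in schemes and starttls:
        findings.append(("starttls-on-ldaps", "tls = yes (StartTLS) combined with an ldaps:// URI"))
    if starttls or "ldaps" in schemes:
        if "tls_require_cert" not in settings:
            findings.append(("require-cert-unset", "tls_require_cert not set; the libldap default applies"))
        has_dir, has_file = "tls_ca_cert_dir" in settings, "tls_ca_cert_file" in settings
        if has_dir and not has_file:
            # Assumption: OpenSSL-backed libldap needs hash-named files in a CA directory.
            findings.append(("ca-dir-only", "CA directory must hold hash-named certs; or set tls_ca_cert_file"))
        if not has_dir and not has_file:
            findings.append(("no-ca", "no CA configured in this file for verifying the LDAP server"))
    if tested_host and tested_host not in hosts:
        findings.append(("host-mismatch", f"{tested_host} was tested, but uris uses {sorted(hosts)}"))
    return findings

if __name__ == "__main__":
    for code, message in lint_tls(parse_conf(SAMPLE_CONF), tested_host="ldap.domain.com"):
        print(f"{code}: {message}")
```

The `host-mismatch` finding matters under TLS because the server certificate is checked against the name given in `uris`, so a manual test should use that same name.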
participants (1)
- Dimitri KOPRIWA