[Dovecot] dovecot 2 in ubuntu 12.04 or Debian Squeeze
Dear sir,
I have to set up a mail gateway which will be exposed to the Internet and a secure mail server in the Intranet. I need a smart IMAP proxy in the mail gateway which will fetch the mail from the server and present it to the user through either a standalone mail client or a webmail client. All authentication is through an LDAP server.
I have installed Dovecot 2.2 Unstable on my Ubuntu 12.04 with SSL enabled. But when I am starting Dovecot, I am getting the following error:
*doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting: ssl_cert*
I couldn't figure out what is wrong. Please help me to sort it out.
Thanks & Regards,
Suja PV LEOS
-- View this message in context: http://dovecot.2317879.n4.nabble.com/dovecot-2-in-ubuntu-12-04-or-Debian-Squ... Sent from the Dovecot mailing list archive at Nabble.com.
On Tue, 5 Mar 2013, pvsuja wrote:
> I have installed Dovecot 2.2 Unstable in my Ubuntu 12.04 with ssl enabled But when I am starting dovecot, I am getting the following error
> *doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting: ssl_cert*
What's line #12 in /usr/local/etc/dovecot/conf.d/10-ssl.conf ? Does it match http://wiki2.dovecot.org/SSL ?
What's your doveconf -n output?
Does ./sbin/dovecot --build-options tell you that SSL is built in at all?
Are you sure that you try to start Dovecot v2 rather than Dovecot v1? I mean, maybe you have multiple versions of Dovecot on your system and the init script starts another binary with the new config.
Steffen Kaiser
Line #12 is ssl_cert =
doveconf -n gives the error:
*doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting: ssl_cert*
./sbin/dovecot --build-options gives:
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc_stub pop3c_stub raw
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file
Note: I have not changed any settings. Simply copied from example_config and tried doveconf and getting this error.
Am 06.03.2013 09:01, schrieb pvsuja:
> Line #12 is ssl_cert =
> doveconf -n gives the error:
> *doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting: ssl_cert*
Please post your 10-ssl.conf file on Pastebin and add the link.
Greetings, Jan
I installed the stable version 2.1 and it's working fine. Now there is a separate issue. I have set up my mail server to disable all plaintext auth. Now when I am trying to log in with the imapcproxy, it's giving the error "Unknown user/password".
The log says:
In proxy:
mailproxy dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxx>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<1pBG/03XogB/AAAB>
In server:
mailserver dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): rip=10.x.x.x, lip=10.x.x.y
Regards, Suja
Am 07.03.2013 05:26, schrieb pvsuja:
> In proxy: mailproxy dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxx>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<1pBG/03XogB/AAAB>
Well....as you see, your mail-client tries to speak PLAIN, so it shouldn't work.
Hi Jan,
Thanks for your response and sorry for this late reply. I was out of station.
And my question is: why is my mail client sending the auth details in plain text? How will I make sure auth is done after STARTTLS only?
Am 14.03.2013 06:41, schrieb pvsuja:
> Hi Jan,
> Thanks for your response and Sorry for this late reply. I was out of station.
> And my question is why my mail client is sending the auth details in plain text?
Configuration? I don't know which client you use, but in my Thunderbird you can configure between "Password, normal (plain), Crypted, Kerberos, NTLM, TLS-Certificate" (Hope this is correctly translated).
Here I use "Password, normal".
Also I can configure how the client talks to the server, "Connection Security: Unsecure, STARTTLS, SSL/TLS", which is set to "SSL / TLS".
> how will i make sure, auth is done after starttls only?
Trust your client? Don't trust your client and listen with wireshark? Use "SSL / TLS" from the beginning?
Tell us your client, I think that would help.
Greetings, Jan
Small correction:
Am 14.03.2013 06:41, schrieb pvsuja:
> how will i make sure, auth is done after starttls only?
> In proxy: mailproxy dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxx>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<1pBG/03XogB/AAAB>
your proxy says that the authentication was going over TLS. :)
Yes, the proxy log says that it's over TLS, but the server is receiving the username and password in plain text. I verified it in Wireshark. I am using the SquirrelMail web client and had configured it for STARTTLS.
*My dovecot settings for Server:*
suja@mailserver:/etc/dovecot# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.6 ext3
log_timestamp: %Y-%m-%d %H:%M:%S
ssl: required
ssl_cert_file: /etc/postfix/certs/public_cert.pem
ssl_key_file: /etc/postfix/certs/private_key.pem
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:/email/%n:INBOX=/email/%n/INBOX
mbox_write_locks: fcntl dotlock
auth default:
  mechanisms: plain login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap-userdb.conf
*My dovecot settings for Proxy:*
suja@mailproxy:/usr/local/etc/dovecot# dovecot -n
# 2.1.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-35-generic-pae i686 Ubuntu 12.04.1 LTS
auth_mechanisms = plain login
imapc_host = 10.131.1.16
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_uid = imapproxy
passdb {
  args = host=10.131.1.16
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
  driver = imap
}
protocols = imap
service auth {
  inet_listener {
    port = 12345
  }
}
ssl = required
ssl_ca =
Thanks & regards,
Suja
Am 18.03.2013 10:36, schrieb pvsuja:
> passdb {
>   args = host=10.131.1.16
>   default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
>   driver = imap
> }
Well, I dunno where you listened with wireshark, but as far as I see you communicate between your proxy and the other server with IMAP without SSL/TLS or STARTTLS, see http://wiki2.dovecot.org/PasswordDatabase/IMAP for more.
Can't say anything specific about squirrelmail to dovecot-proxy, is that the full doveconf -n? Please add the full one, if possible from both dovecot servers.
Greetings, Jan
Are you sure you weren't looking at the LDAP communication for the username+password instead of IMAP?
Is ldap configured to use ssl?
I am using the imap passwd driver for the proxy and ldap for the server. The proxy will contact the mail server for authentication, which in turn will contact the LDAP server. The server auth with LDAP is already tested and it's working fine.
Now I guess I got the auth working properly, but not the mail retrieval through imapc. From the logs:
Mar 19 09:33:16 mailspace dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [127.0.0.1]
Mar 19 09:33:16 mailspace dovecot: imap-login: Login: user=<suja>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=26029, TLS, session=
with the following dovecot conf:
root@mailspace:/usr/local/etc/dovecot# dovecot -n
# 2.1.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-35-generic-pae i686 Ubuntu 12.04.1 LTS
auth_mechanisms = plain login
imapc_host = 10.131.1.16
imapc_ssl = starttls
imapc_ssl_ca_dir = /usr/local/etc/dovecot/certs
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_uid = imapproxy
passdb {
  args = host=10.131.1.16 ssl=starttls ssl_ca_dir=/usr/local/etc/dovecot/certs
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w ssl=starttls
  driver = imap
}
protocols = imap
service auth {
  inet_listener {
    port = 12345
  }
}
ssl = required
ssl_ca =
I guess my SSL certificate configuration is not done properly.
On Mon, 2013-03-18 at 22:56 -0700, pvsuja wrote:
> Mar 19 09:33:16 mailspace dovecot: imap(suja): Invalid certificate: self signed certificate in certificate chain: /C=IN/ST=Karnataka/O=xxx/OU=YYY CA/CN=mailserver.domain.com/emailAddress=sysadm@domain.com
> Mar 19 09:33:16 mailspace dovecot: imap(suja): Error:
> ssl = required
To ensure things are working, change this to "no", if you can get mail then, change it to "yes", don't absolute force until you have everything fixed.
> ssl_ca =
> I guess my SSL certificate configuration is not done properly.
How did you generate this? Is it really self signed, or is it CA signed (you can get free certs)?
If it's CA signed, ensure you created it like this (the order *is* important):
cat mail.crt sub.crt ca.crt > dovecot.pem
*remove ssl_ca = ....stuff*
ssl_cert_file =
Been a loooong time since I used self signed, but from memory:
openssl req -x509 -days 999 -nodes -newkey rsa:2048 -keyout domain.key -out domain.crt
(and IIRC you need to ssl_ca = stuff) The Dovecot wiki should have the correct format for self signed.
I got it working with the configuration I sent in the last mail (without the ssl_ca setting). And I had to give the hostname in place of the IP address of the server, since the SSL certificates had the host name.
Thanks to all of you for your time and support.. Thanks a bunch
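An added example, not part of the thread and not Dovecot code: a small linter for `doveconf -n` output (v2 syntax) that flags the two proxy-to-backend problems this thread ran into, a backend link without TLS and a TLS link addressed by IP. The sample settings are trimmed from the posts above; `mailserver.domain.com` is taken from the certificate subject quoted in the thread and stands in as a placeholder for the real host name.

```python
import ipaddress
def parse_doveconf(text):
    """Parse `doveconf -n` (v2 syntax): (top-level dict, [(block path, dict)])."""
    top, blocks, stack = {}, [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):                      # "passdb {" opens a block
            stack.append((line[:-1].strip(), {}))
        elif line == "}":
            name, body = stack.pop()
            blocks.append(("/".join([n for n, _ in stack] + [name]), body))
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            (stack[-1][1] if stack else top)[key.strip()] = value.strip()
    return top, blocks

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def audit(text):
    """Return one finding per proxy-to-backend IMAP link that is unsafe."""
    top, blocks = parse_doveconf(text)
    links, findings = [], []          # links: (label, backend host, TLS mode)
    if "imapc_host" in top:
        links.append(("imapc", top["imapc_host"], top.get("imapc_ssl", "no")))
    for name, body in blocks:
        if name == "passdb" and body.get("driver") == "imap":
            args = dict(t.split("=", 1) for t in body.get("args", "").split() if "=" in t)
            links.append(("passdb imap", args.get("host", ""), args.get("ssl", "no")))
    for label, host, tls in links:
        if tls not in ("starttls", "imaps"):
            findings.append(f"{label}: no TLS to backend {host}")
        elif is_ip(host):
            findings.append(f"{label}: TLS to IP literal {host}, use the certificate's host name")
    return findings

# Proxy settings trimmed from the thread; BEFORE and FIXED are derived from AFTER.
AFTER = """imapc_host = 10.131.1.16
imapc_ssl = starttls
passdb {
  args = host=10.131.1.16 ssl=starttls ssl_ca_dir=/usr/local/etc/dovecot/certs
  driver = imap
}"""
BEFORE = AFTER.replace("imapc_ssl = starttls\n", "").replace(
    " ssl=starttls ssl_ca_dir=/usr/local/etc/dovecot/certs", "")
FIXED = AFTER.replace("10.131.1.16", "mailserver.domain.com")  # placeholder host name
print({n: audit(c) for n, c in (("before", BEFORE), ("after", AFTER), ("fixed", FIXED))})
```

It only inspects `imapc_*` and `passdb { driver = imap }` settings; it does not contact the backend or examine the certificate itself.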
participants (5): Jan Phillip Greimann, Noel Butler, Patrick Domack, pvsuja, Steffen Kaiser