Hi,
We recently shut down our old LDAP server and repointed our mail server (dovecot + postfix) to our new LDAP server, and ever since we've been unable to fetch mail. Mail is getting delivered, but we just can't pop it. We're using Ubuntu 16.04, btw.
We keep on getting the following error messages in /var/log/dovecote:
2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Connect error
2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Local error
However, our server is finding our LDAP users and postfix doesn't seem to have a problem, just Dovecot. Also, when we try to connect via Dovecot, we get the following message:
-ERR [SYS/TEMP] Temporary authentication failure. [mail:2019-05-15 21:40:06]
Our /etc/dovecot/dovecot.conf contains the following:
## Dovecot configuration file

# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration

# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::

# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.

# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =

# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =

# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes

# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server

# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ

##
## Dictionary server settings
##

# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = ldap:/etc/dovecot/dovecot-ldap.conf.ext
  expire = ldap:/etc/dovecot/dovecot-ldap.conf.ext
}

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

# Added by Elias
protocols = pop3 imap
#ssl_cert = </etc/ssl/certs/server.crt
#ssl_key = </etc/ssl/private/server.key
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

log_path = /var/log/dovecote
info_log_path = /var/log/dovecote_info
log_timestamp = "%Y-%m-%d %H:%M:%S "
#syslog_facility = mail_dovecote
#ssl = no
#mail_location = mbox:~/:INBOX=/var/mail/%u
#namespace {
#  type = private
#  separator = .
#  inbox = yes
#}
mail_privileged_group = mail
mail_full_filesystem_access = yes
mail_debug = yes
mmap_disable = yes
mail_nfs_storage = yes
mail_nfs_index = yes
mail_fsync = always
mbox_read_locks = dotlock
mbox_write_locks = dotlock
passdb ldap {
  driver = ldap
  # Path for LDAP configuration file
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver=passwd
}
userdb ldap {
  driver = ldap
  # Path for LDAP configuration file
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

And our /etc/dovecot/dovecot-ldap.conf.ext has this:
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:

# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 139.147.9.135

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris = ldaps://139.147.9.135

# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = cn=admin,dc=cs,dc=lafayette,dc=edu

# Password for LDAP server, if dn is specified.
dnpass = blahblah123

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =

# Use TLS to connect to the LDAP server.
tls = yes
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =/etc/ssl/certs/ldap.crt
tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem
#tls_ca_cert_dir =/etc/ssl/certs/
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file = /etc/ssl/certs/ldap01_slapd_cert.pem
#tls_key_file = /etc/ssl/private/ldap01_slapd_key.pem
# Valid values: never, hard, demand, allow, try
#tls_require_cert = demand

# Use the given ldaprc path.
#ldaprc_path =

# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =

# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = ou=People,dc=cs,dc=lafayette,dc=edu

# Dereference: never, searching, finding, always
deref = never

# Search scope: base, onelevel, subtree
scope = subtree

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
user_filter = (&(objectClass=posixAccount)(uid=%u))

# Password checking attributes:
#   user: Virtual user name (user@domain), if you wish to change the
#         user-given username to something else
#   password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = uid=user,userPassword=password

# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,
#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
pass_filter = (&(objectClass=posixAccount)(uid=%u))

# Attributes and filter to get a list of all users
#iterate_attrs = uid=user
#iterate_filter = (objectClass=posixAccount)

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
What do you suppose could be the problem?
Thanks, Elias
On Wed, 15 May 2019, Elias Falconi via dovecot wrote:
2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Connect error
2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Local error

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 139.147.9.135

# Use TLS to connect to the LDAP server.
tls = yes
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =/etc/ssl/certs/ldap.crt
tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem

# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =
are you sure these settings fit each other?
a) IP address, but force tls with cert
-> is the IP address part of the alternate subjects of the cert?
you seem to use STARTTLS https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-...
b) once you've sorted TLS out looks like auth_bind conflicts with auth_bind_userdn
-- Steffen Kaiser
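To check Steffen's point (a) against your own server before touching Dovecot, here is an added diagnostic (not from this thread, not Dovecot or OpenLDAP code): it sends the LDAP StartTLS extended operation by hand, completes a verifying TLS handshake with the CA you give it, and reports whether the certificate's subjectAltName actually covers the bare IP you put in `hosts =`. The two sample replies are constructed; the host, port and CA file are whatever you pass in.

```python
import socket
import ssl
from ipaddress import ip_address

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 4.14

def build_starttls_request(msg_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } } (31 bytes)."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + bytes([len(name)]) + name               # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext_req              # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                  # SEQUENCE

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage); short-form BER lengths only."""
    pos = 4 + data[3]                                           # past SEQUENCE + INTEGER headers
    if data[0] != 0x30 or data[2] != 0x02 or data[pos] != 0x78 or data[pos + 2] != 0x0A:
        raise ValueError("not an LDAP ExtendedResponse")
    msg_id = int.from_bytes(data[4:pos], "big")
    pos += 2                                                    # now at ENUMERATED resultCode
    code = int.from_bytes(data[pos + 2:pos + 2 + data[pos + 1]], "big")
    pos += 2 + data[pos + 1]                                    # skip resultCode
    pos += 2 + data[pos + 1]                                    # skip matchedDN
    diag = data[pos + 2:pos + 2 + data[pos + 1]].decode("utf-8", "replace")
    return msg_id, code, diag

# Constructed sample replies (not captured from any real server): a success, then a refusal.
SAMPLE_OK = bytes.fromhex("30 24 02 01 01 78 1f 0a 01 00 04 00 04 00 8a 16") + STARTTLS_OID
SAMPLE_FAIL = bytes.fromhex("30 1f 02 01 01 78 1a 0a 01 01 04 00 04 13") + b"TLS already started"

def cert_covers_host(cert, host):
    """True if subjectAltName (getpeercert() dict shape) lists host as DNS or IP Address."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ip_address(host)
    except ValueError:
        return any(k == "DNS" and v.lower() == host.lower() for k, v in sans)
    return any(k == "IP Address" and ip_address(v) == ip for k, v in sans)

def starttls_probe(host, port=389, cafile=None, timeout=5):
    """Plain LDAP connect, StartTLS, verifying handshake against cafile; returns peer cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)             # cafile = your tls_ca_cert_file
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # raises on cert/CA mismatch
            return tls.getpeercert()
```

Call it as `cert_covers_host(starttls_probe("139.147.9.135", cafile="/etc/ssl/certs/ldap6_cacert.pem"), "139.147.9.135")`; a handshake exception, or a False result, is the IP-versus-SAN mismatch Steffen is asking about, and the fix is to reference the server by the name its certificate carries (or reissue the cert with the IP as a SAN).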
On 16.5.2019 9.07, Steffen Kaiser via dovecot wrote:
On Wed, 15 May 2019, Elias Falconi via dovecot wrote:
2019-05-15 16:27:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
2019-05-15 16:39:36 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Connect error
2019-05-15 16:39:43 auth: Error: LDAP /etc/dovecot/dovecot-ldap.conf.ext: ldap_start_tls_s() failed: Local error

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 139.147.9.135

# Use TLS to connect to the LDAP server.
tls = yes
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =/etc/ssl/certs/ldap.crt
tls_ca_cert_file =/etc/ssl/certs/ldap6_cacert.pem

# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = yes

# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =
are you sure these settings fit each other?
a) IP address, but force tls with cert -> is the IP address part of the alternate subjects of the cert?
you seem to use STARTTLS https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-...
b) once you've sorted TLS out looks like auth_bind conflicts with auth_bind_userdn
-- Steffen Kaiser
Also, can you try if setting
blocking=yes
in LDAP configuration helps?
fwiw we have seen this with some customers too, but unfortunately it's an OpenLDAP issue which we can't really do much about.
Aki