running alternate dovecot instances on the same server
I'm posting to the list, but not on the list. I presume that means a reply-all to get to me as well as the list?
We have two servers (dovecot --version: 2.2.22 (fe789d2)) that handle email for two different departments.
We are transitioning mail service to the University central IT. They need to move accounts in an automated fashion and therefore need a master password to our dovecot servers. However, we are running with LDAP authentication, and I understand that a master password is not possible in that configuration.
Would it be possible to run an alternate dovecot process that would use local account authentication, have a master password, and use an alternate port for connecting? Ideally it would only read accounts without changing anything, and would not interfere with the operation of the other dovecot process. I'm hoping that I could copy the configuration files, make these changes, and then launch it manually without any startup scripts in /etc/inetd.conf.
Oh, by the way, we are running Ubuntu 16.04 LTS and have contracts with Ubuntu Advantage for ongoing patch support. The dovecot version is from the distribution, installed with aptitude.
--
Chris Hoogendyk

  - O__    ---- Systems Administrator, Retired
 c/ /'_   --- Biology & Geosciences Departments
 (*) \(*) -- 315 Morrill Science Center III

<hoogendyk@bio.umass.edu>
---------------
Erdös 4
On 20/03/2022 22:36 Chris Hoogendyk hoogendyk@bio.umass.edu wrote:
I'm posting to the list, but not on the list. I presume that means a reply-all to get to me as well as the list?
We have two servers (dovecot --version: 2.2.22 (fe789d2)) that handle email for two different departments.
We are transitioning mail service to the University central IT. They need to move accounts in an automated fashion and therefore need a master password to our dovecot servers. However, we are running with LDAP authentication, and I understand that a master password is not possible in that configuration.
Hi!
It is totally possible to use LDAP with master password, using configuration like this:
# this must be first
passdb {
  driver = static
  args = password=masterpass
}

# current passdb config

# you probably already have this
userdb {
  driver = ldap
  args = /path/to/ldap/userdb
}

If this does not work, please send your doveconf -n as well.
Aki
Aki,
Thank you for your advice. I finally got around to this. I'm retired, working part time, and have more to do than fits the time. Anyway . . .
I did the configuration in /etc/dovecot/local.conf, which is included in the /etc/dovecot/dovecot.conf. However, the dovecot.conf includes the /etc/dovecot/conf.d/* before the local.conf. I believe that means that the entries in the conf.d come first and have precedence. I was getting authorization failures. The section of my local.conf is as follows:
#
# master passwd added 4/30/2022 based on email from Aki Tuomi on Dovecot support list 3/21/2022,
# modified based on example from https://doc.dovecot.org/configuration_manual/authentication/master_users/
# also added userdb at bottom of this and removed lines from conf.d/auth-system.conf.ext to resolve precedence.
# CGH
#
auth_master_user_separator = *
passdb {
  driver = passwd-file
  args = /etc/dovecot/passwd.masterusers
  master = yes
  result_success = continue
}
passdb {
  driver = pam
  args = session=yes %Ls
}
userdb {
  driver = passwd
}
I had found entries in the /etc/dovecot/conf.d/auth-system.conf.ext that set drivers to pam for passdb and passwd for userdb. I commented those two lines out since I had them covered in my local.conf. That failed with the control process exiting with an error code. I quickly uncommented those two lines in auth-system.conf.ext and it started just fine (I have a lot of users dependent on this, although it is Saturday afternoon and a bit slow). Dovecot starts up alright with the above local.conf, but master user doesn't seem to work.
I'm testing with the following (master username and password replaced):
chrisho@marlin:/etc/dovecot$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
1 login chrisho*masteruser masterpassword
1 NO [AUTHORIZATIONFAILED] Authorization failed
2 exit
Connection closed by foreign host.
What I'm seeing in the logs is:
Apr 30 19:32:29 marlin auth[20859]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:29 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
Apr 30 19:32:31 marlin auth[20859]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:31 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
The output of doveconf -n is as follows:
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
auth_master_user_separator = *
default_process_limit = 200
first_valid_gid = 98
first_valid_uid = 1000
login_access_sockets = tcpwrap
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_max_userip_connections = 8
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = session=yes %Ls
  driver = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_reuse_xuidl = yes
pop3_uidl_format = %08Xv%08Xu
protocols = " imap pop3"
service imap-login {
  inet_listener imap {
    address = localhost
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
ssl = required
ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
ssl_cert = </etc/mail/tls/marlin/sendmail.pem
ssl_key = </etc/mail/tls/marlin/sendmail.pem
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local2
userdb {
  driver = passwd
}
userdb {
  driver = passwd
}
And, yes, Ubuntu 16.04 is EOL; however, we do have an Ubuntu Advantage account for this server. So we do get security patches and the hope is that we can do a release upgrade this summer.
Any further guidance would be much appreciated. If any further information is needed, I can provide it.
--
Chris Hoogendyk
Progress???
I realized that the error might indicate I had an empty conf paragraph or whatever you call it when dovecot failed to start. That is, I commented out the driver = pam, but left the enclosing passdb { } with no contents. That was the error. So I commented out everything in /etc/dovecot/conf.d/auth-system.conf.ext. That worked and doveconf -n gave me the right precedence for masteruser and regular logins.
Then my login from telnet still failed. So I had two terminal windows, one with `sudo journalctl -u dovecot.service -f` to follow the journal entries from dovecot, and another to do my `telnet localhost 143`. Now, when I tried to login with the masteruser, I got an error in the journal that said:
May 01 16:15:50 marlin dovecot[31944]: auth-worker(32577): Error: pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (/etc/pam.d/imap missing?)
hmm. No idea what to put there. /etc/pam.d/ contains a bunch of entries, including dovecot. Then there are some entries that start with common and include common-auth, common-session, common-password, etc. The dovecot entry simply includes those. So, I tried just setting up a symlink from imap pointing at the dovecot file. Then I tried logging in again via telnet. Now I simply get:
May 01 16:26:40 marlin dovecot[31944]: imap-login: Aborted login (auth failed, 2 attempts in 112 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<2BspEfndKMN/AAAB>
The entry of that line in the journal seemed to be slightly delayed. It showed up when I entered `2 logout`.
At this point, my dovecot -n output is as follows:
chrisho@marlin:/etc/dovecot$ sudo doveconf -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
auth_master_user_separator = *
default_process_limit = 200
first_valid_gid = 98
first_valid_uid = 1000
login_access_sockets = tcpwrap
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_max_userip_connections = 8
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = session=yes %Ls
  driver = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_reuse_xuidl = yes
pop3_uidl_format = %08Xv%08Xu
protocols = " imap pop3"
service imap-login {
  inet_listener imap {
    address = localhost
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
ssl = required
ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
ssl_cert = </etc/mail/tls/marlin/sendmail.pem
ssl_key = </etc/mail/tls/marlin/sendmail.pem
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local2
userdb {
  driver = passwd
}
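The two doveconf -n dumps in this thread differ only in passdb order, and that order is what decides whether a master login ever reaches the master passdb. The following is an added example, not code from the thread or from Dovecot: a small Python linter that parses doveconf -n output into its nested blocks and reports two things. First, any passdb listed before the master one (Aki's "this must be first"; the 4/30 dump has a plain `pam` passdb ahead of it because conf.d is included before local.conf). Second, a master passdb with `result_success = continue` (or the older `pass = yes`) that continues into a `pam` passdb: PAM has no lookup-only mode, so it runs pam_authenticate for the target user with the password it was handed, which is the master password, exactly what the debug log later in this thread shows. The function names are mine and the three config snippets are constructed, trimmed from the dumps above to the parts the checks look at.

```python
"""Lint the passdb chain in `doveconf -n` output (added example, not Dovecot code)."""
from dataclasses import dataclass, field


@dataclass
class Block:
    """One `name { ... }` section; the root Block holds the top-level settings."""
    name: str
    settings: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def parse_doveconf(text: str) -> Block:
    """Parse doveconf -n text: lines are `key = value`, `name [label] {`, or `}`.
    `#` comment lines (version, OS banner) are skipped."""
    root = Block("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' in doveconf output")
            stack.pop()
        elif line.endswith("{"):
            block = Block(line[:-1].strip())
            stack[-1].children.append(block)
            stack.append(block)
        else:
            key, _, value = line.partition("=")
            stack[-1].settings[key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in doveconf output")
    return root


def lint_passdbs(text: str) -> list:
    """Return human-readable findings about the passdb chain, in config order."""
    passdbs = [b for b in parse_doveconf(text).children if b.name == "passdb"]
    masters = [i for i, p in enumerate(passdbs) if p.settings.get("master") == "yes"]
    if not masters:
        return ["no passdb has master = yes; master-user logins cannot work"]
    findings = []
    # Check 1: passdbs are consulted in listed order, so anything ahead of the
    # master passdb sees the master login first and rejects it.
    for i in range(masters[0]):
        drv = passdbs[i].settings.get("driver", "?")
        findings.append(f"passdb #{i + 1} (driver={drv}) is listed before the master passdb")
    # Check 2: continuing from the master passdb into PAM re-runs pam_authenticate
    # for the target user with the master password (see the 6/17 debug log).
    for i in masters:
        s = passdbs[i].settings
        if s.get("result_success") != "continue" and s.get("pass") != "yes":
            continue
        for j in range(i + 1, len(passdbs)):
            if passdbs[j].settings.get("driver") == "pam":
                findings.append(f"master passdb #{i + 1} continues into pam passdb #{j + 1}; "
                                "PAM will re-authenticate the target user with the master password")
                break
    return findings


# Constructed sample: the passdb order of the 4/30 dump (namespace kept to exercise nesting).
CONF_APR30 = """\
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
auth_master_user_separator = *
namespace inbox {
  inbox = yes
  mailbox "Sent Messages" {
    special_use = \\Sent
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = session=yes %Ls
  driver = pam
}
userdb {
  driver = passwd
}
"""

# Constructed sample: the 5/1 order, after the conf.d pam passdb was removed.
CONF_MAY01 = CONF_APR30.replace("passdb {\n  driver = pam\n}\n", "")

# Constructed sample: the same chain with result_success = continue dropped.
CONF_NO_CONTINUE = CONF_MAY01.replace("  result_success = continue\n", "")

if __name__ == "__main__":
    for label, conf in (("4/30", CONF_APR30), ("5/1", CONF_MAY01), ("no continue", CONF_NO_CONTINUE)):
        print(label, lint_passdbs(conf) or ["no findings"])
```

Run it against a real `sudo doveconf -n | python3 lint_passdbs.py`-style capture by feeding the text to `lint_passdbs`. The second check is a heuristic for this thread's symptom, not a verdict on the whole setup: whether dropping `result_success = continue` is acceptable depends on whether the site needs the target user to be verified against a passdb that can do a lookup without a password, which PAM cannot.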
I've changed the subject line on this email to more closely address the current issue.
I'm hoping that with the most recent release out the door for a while there might be time to answer this.
I believe I have the configuration done correctly to use a master password, but for some reason Dovecot seems to be going to ldap rather than just transferring to the requested user account. Since I don't really know what Dovecot is doing, it's hard to know what to try or whether it will actually work. In my mind it seems like Dovecot could do something similar to a `sudo su user`, bypassing the usual authentication since it was given the master password.
Details below and already on the dovecot mailing list.
I've got a limited time to get this running, because central IT wants to transfer these accounts from our department server to the central IT servers this month. We have hundreds of accounts, so it doesn't scale to try to copy over individual accounts using individuals' passwords.
Thank you,
Chris Hoogendyk
Hoping that someone can help with this. It's a critical project that requires getting the master password to work.
I've managed to get the logging at maximum level and what I'm seeing is the following. Testing with:
chrisho@marlin:~$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a login chrisho+<masteruser> <masterpassword>
a NO [AUTHORIZATIONFAILED] Authorization failed
* BYE Disconnected for inactivity.
Connection closed by foreign host.
chrisho@marlin:~$
And what I see in the log files is:
Jun 17 12:16:10 marlin dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=<stuffhere>#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=60150#011resp<stuffhere> (previous base64 data may contain sensitive data)
Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user lookup for login: chrisho
Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(<masteruser>,127.0.0.1,master,<hash>): lookup: user=<masteruser> file=/etc/dovecot/passwd.masterusers
Jun 17 12:16:10 marlin dovecot: auth: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user logging in as chrisho
Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): lookup service=imap
Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): #1/1 style=1 msg=Password:
Jun 17 12:16:12 marlin dovecot: auth-worker(9763): pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: <masterpassword>)
Jun 17 12:18:53 marlin dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 163 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
I've replaced sensitive content with <masteruser>, <masterpassword>, <stuffhere>, and <hash>. BUT, note that in the next-to-last line dovecot is attempting to authenticate the user via pam using the master password!! Why?? 1st, it shouldn't be trying to authenticate, it already has the master user authenticated. 2nd, why would it try to use what it should know is the master password to authenticate the regular user?
Irrespective of those two questions, which are given primarily as what I would see as significant clues, what do I need to do to get it to work? Is this an issue with my dovecot configuration? An issue with my pam configuration? Or a bug in dovecot? Note also that I am using ldap as a user database. One of the criteria set up in pam is that the user must also exist in the local /etc/passwd, but the authentication goes to ldap.
Any help very much appreciated.
My doveconf output is already included in this thread, so I won't repeat it. The only thing I've changed is the debug levels. If there is anything else that would be useful to know, please let me know.
Chris Hoogendyk
On 6/5/22 2:40 PM, Chris Hoogendyk wrote:
> I've changed the subject line on this email to more closely address the current issue.
>
> I'm hoping that with the most recent release out the door for a while there might be time to
> answer this.
>
> I believe I have the configuration done correctly to use a master password, but for some reason
> Dovecot seems to be going to ldap rather than just transferring to the requested user account.
> Since I don't really know what Dovecot is doing, it's hard to know what to try or whether it will
> actually work. In my mind it seems like Dovecot is could do something similar to a `sudo su user`,
> bypassing the usual authentication since it was given the master password.
>
> Details below and already on the dovecot mailing list.
>
> I've got a limited time to get this running, because central IT wants to transfer these accounts
> from our department server to the central IT servers this month. We have hundreds of accounts, so
> it doesn't scale to try to copy over individual accounts using individual's passwords.
>
> Thank you,
>
>
> ---------------
>
> Chris Hoogendyk
>
> -
> O__ ---- Systems Administrator, Retired
> c/ /'_ --- Biology & Geosciences Departments
> (*) \(*) -- 315 Morrill Science Center III
> ~~~~~~~~~~ - University of Massachusetts, Amherst
>
> <hoogendyk@bio.umass.edu>
>
> ---------------
>
> Erdös 4
>
>
> On 5/1/22 4:59 PM, Chris Hoogendyk wrote:
>> Progress???
>>
>> I realized that the error might indicate I had an empty conf paragraph or whatever you call it
>> when dovecot failed to start. That is I commented out the driver = pam, but left the enclosing
>> passdb { } with no contents. That was the error. So I commented out everything in
>> /etc/dovecot/conf.d/auth-system.conf.ext. That worked and doveconf -n gave me the right
>> precedence for masteruser and regular logins.
>>
>> Then my login from telnet still failed. So I had two terminal windows, one with `sudo journalctl
>> -u dovecot.service -f` to follow the journal entries from dovecot, and another to do my telnet
>> localhost 143. Now, when I tried to login with the masteruser, I got an error in the journal that
>> said:
>>
>> May 01 16:15:50 marlin dovecot[31944]: auth-worker(32577): Error: pam(chrisho,127.0.0.1):
>> pam_authenticate() failed: Authentication failure (/etc/pam.d/imap missing?)
>>
>> hmm. No idea what to put there. /etc/pam.d/ contains a bunch of entries, including dovecot. Then
>> there are some entries that start with common and include common-auth, common-session,
>> common-password, etc. The dovecot entry simply includes those. So, I tried just setting up a
>> symlink from imap pointing at the dovecot file. Then I tried logging in again via telnet. Now I
>> simply get:
>>
>> May 01 16:26:40 marlin dovecot[31944]: imap-login: Aborted login (auth failed, 2 attempts in 112
>> secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
>> session=<2BspEfndKMN/AAAB>
>>
>> The entry of that line in the journal seemed to be slightly delayed. It showed up when I entered
>> `2 logout`.
>>
>> At this point, my dovecot -n output is as follows:
>>
>> chrisho@marlin:/etc/dovecot$ sudo doveconf -n
>> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.4.13 (7b14904)
>> # OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
>> auth_master_user_separator = *
>> default_process_limit = 200
>> first_valid_gid = 98
>> first_valid_uid = 1000
>> login_access_sockets = tcpwrap
>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>> mail_max_userip_connections = 8
>> mail_privileged_group = mail
>> mbox_write_locks = dotlock fcntl
>> namespace inbox {
>> inbox = yes
>> location =
>> mailbox Drafts {
>> special_use = \Drafts
>> }
>> mailbox Junk {
>> special_use = \Junk
>> }
>> mailbox Sent {
>> special_use = \Sent
>> }
>> mailbox "Sent Messages" {
>> special_use = \Sent
>> }
>> mailbox Trash {
>> special_use = \Trash
>> }
>> prefix =
>> }
>> passdb {
>> args = /etc/dovecot/passwd.masterusers
>> driver = passwd-file
>> master = yes
>> result_success = continue
>> }
>> passdb {
>> args = session=yes %Ls
>> driver = pam
>> }
>> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>> pop3_reuse_xuidl = yes
>> pop3_uidl_format = %08Xv%08Xu
>> protocols = " imap pop3"
>> service imap-login {
>> inet_listener imap {
>> address = localhost
>> port = 143
>> }
>> inet_listener imaps {
>> port = 993
>> ssl = yes
>> }
>> }
>> service pop3-login {
>> inet_listener pop3 {
>> port = 0
>> }
>> inet_listener pop3s {
>> port = 995
>> ssl = yes
>> }
>> }
>> service tcpwrap {
>> unix_listener login/tcpwrap {
>> group = $default_login_user
>> mode = 0600
>> user = $default_login_user
>> }
>> }
>> ssl = required
>> ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
>> ssl_cert = </etc/mail/tls/marlin/sendmail.pem
>> ssl_key = </etc/mail/tls/marlin/sendmail.pem
>> ssl_protocols = !SSLv2 !SSLv3
>> syslog_facility = local2
>> userdb {
>> driver = passwd
>> }
>>
>>
>> On 4/30/22 8:00 PM, Chris Hoogendyk wrote:
>>> Aki,
>>>
>>> Thank you for your advice. I finally got around to this. I'm retired, working part time, and have
>>> more to do than fits the time. Anyway . . .
>>>
>>> I did the configuration in /etc/dovecot/local.conf, which is included in the
>>> /etc/dovecot/dovecot.conf. However, the dovecot.conf includes the /etc/dovecot/conf.d/* before
>>> the local.conf. I believe that means that the entries in the conf.d come first and have
>>> precedence. I was getting authorization failures. The section of my local.conf is as follows:
>>>
>>> #
>>> # master passwd added 4/30/2022 based on email from Aki Tuomi on Dovecot support list 3/21/2022,
>>> # modified based on example from
>>> https://doc.dovecot.org/configuration_manual/authentication/master_users/
>>> # also added userdb at bottom of this and removed lines from conf.d/auth-system.conf.ext to
>>> resolve precedence.
>>> # CGH
>>> #
>>> auth_master_user_separator = *
>>> passdb {
>>> driver = passwd-file
>>> args = /etc/dovecot/passwd.masterusers
>>> master = yes
>>> result_success = continue
>>> }
>>> passdb {
>>> driver = pam
>>> args = session=yes %Ls
>>> }
>>> userdb {
>>> driver = passwd
>>> }
>>>
>>> I had found entries in the /etc/dovecot/conf.d/auth-system.conf.ext that set drivers to pam for
>>> passdb and passwd for userdb. I commented those two lines out since I had them covered in my
>>> local.conf. That failed with the control process exiting with an error code. I quickly
>>> uncommented those two lines in auth-system.conf.ext and it started just fine (I have a lot of
>>> users dependent on this, although it is Saturday afternoon and a bit slow). Dovecot starts up
>>> alright with the above local.conf, but master user doesn't seem to work.
>>>
>>> I'm testing with the following (master username and password replaced):
>>>
>>> chrisho@marlin:/etc/dovecot$ telnet localhost 143
>>> Trying 127.0.0.1...
>>> Connected to localhost.
>>> Escape character is '^]'.
>>> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN]
>>> Dovecot ready.
>>> 1 login chrisho*masteruser masterpassword
>>> 1 NO [AUTHORIZATIONFAILED] Authorization failed
>>> 2 exit
>>> Connection closed by foreign host.
>>>
>>> What I'm seeing in the logs is:
>>>
>>> Apr 30 19:32:29 marlin auth[20859]: pam_unix(dovecot:auth): authentication failure; logname=
>>> uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
>>> Apr 30 19:32:29 marlin auth[20859]: pam_ldap: error trying to bind as user
>>> "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
>>> Apr 30 19:32:31 marlin auth[20859]: pam_unix(imap:auth): authentication failure; logname= uid=0
>>> euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
>>> Apr 30 19:32:31 marlin auth[20859]: pam_ldap: error trying to bind as user
>>> "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
>>>
>>> The output of doveconf -n is as follows:
>>>
>>> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
>>> # Pigeonhole version 0.4.13 (7b14904)
>>> # OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
>>> auth_master_user_separator = *
>>> default_process_limit = 200
>>> first_valid_gid = 98
>>> first_valid_uid = 1000
>>> login_access_sockets = tcpwrap
>>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>>> mail_max_userip_connections = 8
>>> mail_privileged_group = mail
>>> mbox_write_locks = dotlock fcntl
>>> namespace inbox {
>>> inbox = yes
>>> location =
>>> mailbox Drafts {
>>> special_use = \Drafts
>>> }
>>> mailbox Junk {
>>> special_use = \Junk
>>> }
>>> mailbox Sent {
>>> special_use = \Sent
>>> }
>>> mailbox "Sent Messages" {
>>> special_use = \Sent
>>> }
>>> mailbox Trash {
>>> special_use = \Trash
>>> }
>>> prefix =
>>> }
>>> passdb {
>>> driver = pam
>>> }
>>> passdb {
>>> args = /etc/dovecot/passwd.masterusers
>>> driver = passwd-file
>>> master = yes
>>> result_success = continue
>>> }
>>> passdb {
>>> args = session=yes %Ls
>>> driver = pam
>>> }
>>> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
>>> pop3_reuse_xuidl = yes
>>> pop3_uidl_format = %08Xv%08Xu
>>> protocols = " imap pop3"
>>> service imap-login {
>>> inet_listener imap {
>>> address = localhost
>>> port = 143
>>> }
>>> inet_listener imaps {
>>> port = 993
>>> ssl = yes
>>> }
>>> }
>>> service pop3-login {
>>> inet_listener pop3 {
>>> port = 0
>>> }
>>> inet_listener pop3s {
>>> port = 995
>>> ssl = yes
>>> }
>>> }
>>> service tcpwrap {
>>> unix_listener login/tcpwrap {
>>> group = $default_login_user
>>> mode = 0600
>>> user = $default_login_user
>>> }
>>> }
>>> ssl = required
>>> ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
>>> ssl_cert = </etc/mail/tls/marlin/sendmail.pem
>>> ssl_key = </etc/mail/tls/marlin/sendmail.pem
>>> ssl_protocols = !SSLv2 !SSLv3
>>> syslog_facility = local2
>>> userdb {
>>> driver = passwd
>>> }
>>> userdb {
>>> driver = passwd
>>> }
>>>
>>> And, yes, Ubuntu 16.04 is EOL; however, we do have an Ubuntu Advantage account for this server.
>>> So we do get security patches and the hope is that we can do a release upgrade this summer.
>>>
>>> Any further guidance would be much appreciated. If any further information is needed, I can
>>> provide it.
>>>
>>>
>>> On 3/21/22 1:57 AM, Aki Tuomi wrote:
>>>>> On 20/03/2022 22:36 Chris Hoogendyk <hoogendyk@bio.umass.edu> wrote:
>>>>>
>>>>> I'm posting to the list, but not on the list. I presume that means a reply-all to get to me
>>>>> as well
>>>>> as the list?
>>>>>
>>>>> We have two servers (dovecot --version: 2.2.22 (fe789d2)) that handle email for two different
>>>>> departments.
>>>>>
>>>>> We are transitioning mail service to the University central IT. They need to move accounts in an
>>>>> automated fashion and therefore need a master password to our dovecot servers. However, we are
>>>>> running with LDAP authentication, and I understand that a master password is not possible in that
>>>>> configuration.
>>>>>
>>>> Hi!
>>>>
>>>> It is totally possible to use LDAP with master password, using configuration like this:
>>>>
>>>> # this must be first
>>>> passdb {
>>>> driver = static
>>>> args = password=masterpass
>>>> }
>>>>
>>>> # current passdb config
>>>>
>>>> # you probably already have this
>>>> userdb {
>>>> driver = ldap
>>>> args = /path/to/ldap/userdb
>>>> }
>>>>
>>>> If this does not work, please send your `doveconf -n` as well.
>>>>
>>>> Aki
>>>
--
---------------
Chris Hoogendyk
-
O__ ---- Systems Administrator, Retired
c/ /'_ --- Biology & Geosciences Departments
(*) \(*) -- 315 Morrill Science Center III
~~~~~~~~~~ - University of Massachusetts, Amherst
<hoogendyk@bio.umass.edu>
---------------
Erdös 4
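The configurations quoted above (the 4/30 and 5/1 `doveconf -n` listings, and Aki's static-passdb suggestion) differ only in a handful of auth lines, and the failures hinge on passdb order and on `result_success`. The Python script below is an added example, not code from this thread or from the Dovecot project: it parses the passdb/userdb blocks out of `doveconf -n` output and reports the pitfalls the thread runs into. The sample inputs are constructed from the listings above, and the finding codes and function names are my own. The `result_success` check is deliberately specific to a pam passdb following the master passdb: PAM can only verify a password it is handed, it cannot look one up, so continuing into it means the login user is checked against the master password, which is exactly the `pam_authenticate() failed` seen in the logs. The static-passdb check is there because a static passdb with a fixed `password=` accepts any username with that one password, so it needs `allow_nets` or a proper `master = yes` passdb around it.

```python
"""Lint the passdb/userdb blocks of `doveconf -n` output for master-user pitfalls.

Added example for this thread; the sample configurations are constructed from the
listings quoted in it, and the finding codes are my own labels, not Dovecot terminology.
"""
import re
from typing import Dict, List, Tuple

SEPARATOR = "auth_master_user_separator = *\n"
MASTER_CONTINUE = """\
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
"""
PAM_PASSDB = "passdb {\n  args = session=yes %Ls\n  driver = pam\n}\n"
USERDB_PASSWD = "userdb {\n  driver = passwd\n}\n"

# 5/1 state: master passdb first, but still continuing into pam.
DOVECONF_MAY1 = SEPARATOR + MASTER_CONTINUE + PAM_PASSDB + USERDB_PASSWD
# 4/30 state: conf.d/auth-system.conf.ext was loaded before local.conf, so a plain pam
# passdb precedes the master passdb and the passwd userdb is defined twice.
DOVECONF_APR30 = SEPARATOR + "passdb {\n  driver = pam\n}\n" + MASTER_CONTINUE + PAM_PASSDB + USERDB_PASSWD * 2
# Constructed "fixed" state: the 5/1 config without result_success = continue.
DOVECONF_FIXED = SEPARATOR + MASTER_CONTINUE.replace("  result_success = continue\n", "") + PAM_PASSDB + USERDB_PASSWD
# The static-passdb variant suggested earlier in the thread, with an LDAP userdb.
DOVECONF_STATIC = ("passdb {\n  driver = static\n  args = password=masterpass\n}\n"
                   "userdb {\n  driver = ldap\n  args = /path/to/ldap/userdb\n}\n")


def parse_auth_blocks(doveconf: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (top-level settings, passdb/userdb blocks in file order).

    Only top-level scalar settings and the first-level keys inside passdb/userdb blocks
    are kept; other blocks (namespace, service, ...) are skipped by tracking brace depth."""
    settings: Dict[str, str] = {}
    blocks: List[Dict[str, str]] = []
    current = None
    depth = 0
    for raw in doveconf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            if depth == 0:
                m = re.match(r"^(passdb|userdb)\b", line)
                current = {"_type": m.group(1)} if m else None
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if depth == 0:
                settings[key] = value
            elif depth == 1 and current is not None:
                current[key] = value
    return settings, blocks


def lint_master_user_config(doveconf: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings in file order; an empty list means nothing to flag."""
    settings, blocks = parse_auth_blocks(doveconf)
    passdbs = [b for b in blocks if b["_type"] == "passdb"]
    userdbs = [b for b in blocks if b["_type"] == "userdb"]
    findings: List[Tuple[str, str]] = []
    seen_regular = False
    for i, pdb in enumerate(passdbs):
        nxt = passdbs[i + 1] if i + 1 < len(passdbs) else {}
        if pdb.get("master") == "yes":
            if seen_regular:
                findings.append(("MASTER_AFTER_REGULAR", f"passdb #{i + 1}: a regular passdb is tried "
                                 "first; check include order (e.g. conf.d/* before local.conf)"))
            # PAM can only verify a password, so continuing into it hands the login user
            # the master password, which fails exactly as the thread's logs show.
            if pdb.get("result_success") == "continue" and nxt.get("driver") == "pam":
                findings.append(("MASTER_CONTINUE_INTO_PAM", f"passdb #{i + 1}: result_success = continue "
                                 "makes pam verify the login user with the master password; drop it"))
        else:
            seen_regular = True
        if pdb.get("driver") == "static" and "password=" in pdb.get("args", ""):
            findings.append(("STATIC_SHARED_PASSWORD", f"passdb #{i + 1}: a static passdb accepts any "
                             "username with this one password; restrict it (allow_nets) or use master = yes"))
    if any(p.get("master") == "yes" for p in passdbs) and "auth_master_user_separator" not in settings:
        findings.append(("NO_MASTER_SEPARATOR", "master passdb present but auth_master_user_separator "
                         "is unset, so login-user*master-user style logins are not possible"))
    if len(userdbs) != len({tuple(sorted(u.items())) for u in userdbs}):
        findings.append(("DUPLICATE_USERDB", "the same userdb block appears more than once"))
    return findings


if __name__ == "__main__":
    for name, conf in (("4/30", DOVECONF_APR30), ("5/1", DOVECONF_MAY1), ("fixed", DOVECONF_FIXED)):
        print(f"== {name} ==")
        for code, msg in lint_master_user_config(conf) or [("OK", "no master-user findings")]:
            print(f"  {code}: {msg}")
```

Feed it the real output with `sudo doveconf -n | python3 lint_master.py` after replacing the constants with `sys.stdin.read()`; the parser ignores the namespace, service and ssl blocks, so the full listing can be passed as-is.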
So this is resolved.
Turns out that getting rid of the "result_success = continue" fixed it. Which is odd, because I thought from the documentation that that was required.
Anyway. Fixed.
On 6/20/22 2:53 PM, Chris Hoogendyk wrote:
Hoping that someone can help with this. It's a critical project that requires getting the master password to work.
I've managed to get the logging at maximum level and what I'm seeing is the following. Testing with:
chrisho@marlin:~$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a login chrisho+<masteruser> <masterpassword>
a NO [AUTHORIZATIONFAILED] Authorization failed
* BYE Disconnected for inactivity.
Connection closed by foreign host.
chrisho@marlin:~$
And what I see in the log files is:
Jun 17 12:16:10 marlin dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=<stuffhere>#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=60150#011resp<stuffhere> (previous base64 data may contain sensitive data)
Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user lookup for login: chrisho
Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(<masteruser>,127.0.0.1,master,<hash>): lookup: user=<masteruser> file=/etc/dovecot/passwd.masterusers
Jun 17 12:16:10 marlin dovecot: auth: passwd-file(<masteruser>,127.0.0.1,master,<hash>): Master user logging in as chrisho
Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): lookup service=imap
Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): #1/1 style=1 msg=Password:
Jun 17 12:16:12 marlin dovecot: auth-worker(9763): pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: <masterpassword>)
Jun 17 12:18:53 marlin dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 163 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
I've replaced sensitive content with <masteruser>, <masterpassword>, <stuffhere>, and <hash>. BUT, note the next to the last line, where dovecot is attempting to authenticate the user via pam using the master password!! Why?? 1st, it shouldn't be trying to authenticate, it already has the master user authenticated. 2nd, why would it try to use what it should know is the master password to authenticate the regular user?
Irrespective of those two questions, which are given primarily as what I would see as significant clues, what do I need to do to get it to work? Is this an issue with my dovecot configuration? An issue with my pam configuration? Or a bug in dovecot? Note also that I am using ldap as a user database. One of the criteria set up in pam is that the user must also exist in the local /etc/passwd, but the authentication goes to ldap.
Any help very much appreciated.
My doveconf output is already included in this thread, so I won't repeat it. The only thing I've changed is the debug levels. If there is anything else that would be useful to know, please let me know.
Chris Hoogendyk
-
O__ ---- Systems Administrator, Retired
c/ /'_ --- Biology & Geosciences Departments
(*) \(*) -- 315 Morrill Science Center III
<hoogendyk@bio.umass.edu>
---------------
Erdös 4
--
Chris Hoogendyk
- O__ ---- Systems Administrator, Retired c/ /'_ --- Biology & Geosciences Departments (*) \(*) -- 315 Morrill Science Center III
<hoogendyk@bio.umass.edu>
---------------
Erdös 4
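The Jun 17 debug log quoted above shows the symptom in two lines: the master passdb logs "Master user logging in as chrisho", and two seconds later the pam passdb reports a pam_authenticate() failure for chrisho, having been given the master password. As an added example (not code from this thread or from Dovecot), the Python below correlates those two lines per login user and client address, redacts the password before reporting, and flags two other things visible in the quoted logs: the "(given password: ...)" suffix, which means auth_debug_passwords is on and the log file now contains plaintext passwords, and the "(/etc/pam.d/imap missing?)" hint from the May 01 journal. The log samples are constructed from the quoted lines with placeholder master user, password, session and hash values; the regexes, finding names and the 120-second window are my own.

```python
"""Correlate Dovecot auth debug log lines to spot master-user logins that fall through to PAM.

Added example for this thread; the sample logs are constructed from the lines quoted in it.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed from the Jun 17 debug log in the thread. "#011" is how syslog escapes the tab
# separators of the auth protocol; master user, password, session, hash and base64 values
# are placeholders, not values from the real server.
SAMPLE_LOG_JUN17 = """\
Jun 17 12:16:10 marlin dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=<SESSION>#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=60150#011resp=<BASE64> (previous base64 data may contain sensitive data)
Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(migrator,127.0.0.1,master,<HASH>): Master user lookup for login: chrisho
Jun 17 12:16:10 marlin dovecot: auth: Debug: passwd-file(migrator,127.0.0.1,master,<HASH>): lookup: user=migrator file=/etc/dovecot/passwd.masterusers
Jun 17 12:16:10 marlin dovecot: auth: passwd-file(migrator,127.0.0.1,master,<HASH>): Master user logging in as chrisho
Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): lookup service=imap
Jun 17 12:16:10 marlin dovecot: auth-worker(9763): Debug: pam(chrisho,127.0.0.1): #1/1 style=1 msg=Password:
Jun 17 12:16:12 marlin dovecot: auth-worker(9763): pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?) (given password: EXAMPLE-MASTER-PW)
Jun 17 12:18:53 marlin dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 163 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured,
"""

# Constructed from the May 01 journal excerpt: PAM could not find its service file.
SAMPLE_LOG_MAY01 = """\
May 01 16:15:50 marlin dovecot[31944]: auth-worker(32577): Error: pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (/etc/pam.d/imap missing?)
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
MASTER_RE = re.compile(r"passwd-file\((?P<master>[^,]+),(?P<ip>[^,]+),master,[^)]*\): "
                       r"Master user logging in as (?P<user>\S+)$")
PAM_FAIL_RE = re.compile(r"pam\((?P<user>[^,]+),(?P<ip>[^)]+)\): pam_authenticate\(\) failed: (?P<reason>.*)$")
GIVEN_PW_RE = re.compile(r"\(given password: [^)]*\)")
PAMD_MISSING_RE = re.compile(r"\(/etc/pam\.d/(?P<service>[^ ]+) missing\?\)")

FALLTHROUGH_WINDOW_SECONDS = 120  # how long after the master login a PAM failure still counts


def _parse_ts(line: str) -> Optional[datetime]:
    m = TS_RE.match(line)
    # The year is absent from syslog timestamps; it does not matter for deltas.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S") if m else None


def analyze_auth_log(log_text: str) -> Dict[str, object]:
    """Return master logins that fell through to PAM, whether plaintext passwords were
    logged, and any PAM service files Dovecot reported as missing."""
    pending: Dict[tuple, tuple] = {}  # (login user, client ip) -> (master user, timestamp)
    fallthrough: List[Dict[str, str]] = []
    missing_services: List[str] = []
    plaintext_logged = False
    for line in log_text.splitlines():
        ts = _parse_ts(line)
        if ts is None:
            continue
        if GIVEN_PW_RE.search(line):
            plaintext_logged = True  # auth_debug_passwords is on; the log now holds secrets
        m = MASTER_RE.search(line)
        if m:
            pending[(m["user"], m["ip"])] = (m["master"], ts)
            continue
        m = PAM_FAIL_RE.search(line)
        if not m:
            continue
        svc = PAMD_MISSING_RE.search(m["reason"])
        if svc:
            missing_services.append(svc["service"])
        key = (m["user"], m["ip"])
        if key in pending:
            master, started = pending.pop(key)
            if (ts - started).total_seconds() <= FALLTHROUGH_WINDOW_SECONDS:
                fallthrough.append({
                    "master": master, "user": m["user"], "ip": m["ip"],
                    # never copy the password itself into a report
                    "reason": GIVEN_PW_RE.sub("(given password: [redacted])", m["reason"]),
                })
    return {"fallthrough": fallthrough, "plaintext_passwords_logged": plaintext_logged,
            "missing_pam_service": missing_services}


if __name__ == "__main__":
    for name, log in (("Jun 17", SAMPLE_LOG_JUN17), ("May 01", SAMPLE_LOG_MAY01)):
        print(name, analyze_auth_log(log))
```

A non-empty `fallthrough` list with the master passdb first in `doveconf -n` points straight at `result_success = continue` in front of a pam passdb, which is what the thread ended up removing; `plaintext_passwords_logged` is a reminder to turn `auth_debug_passwords` back off and clean the journal once the debugging is done.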
Hello Chris,
Did you find a solution for this problem? I also have to migrate some users to Office365 and was looking at exactly the same problem. I don't have that many users, and it is totally possible to ask all users to enter their password in the migration tool, but it would be a lot easier if we could do the migration without this.
Jan Hugo Prins
On 3/20/22 21:36, Chris Hoogendyk wrote:
I'm posting to the list, but not on the list. I presume that means a reply-all to get to me as well as the list?
We have two servers (dovecot --version: 2.2.22 (fe789d2)) that handle email for two different departments.
We are transitioning mail service to the University central IT. They need to move accounts in an automated fashion and therefore need a master password to our dovecot servers. However, we are running with LDAP authentication, and I understand that a master password is not possible in that configuration.
Would it be possible to run an alternate dovecot process that would use local account authentication, have a master password, and use an alternate port for connecting? Ideally it would only read accounts without changing anything, and would not interfere with the operation of the other dovecot process. I'm hoping that I could copy the configuration files, make these changes, and then launch it manually without any startup scripts in /etc/inetd.conf.
Oh, by the way, we are running Ubuntu 16.04 LTS and have contracts with Ubuntu Advantage for ongoing patch support. The dovecot version is from the distribution, installed with aptitude.