[Dovecot] Problem with multiple Dovecot Instances
Hello,
First, I want to say that I have never used a mailing list before, so if I did something wrong, do not hesitate to contact me via e-mail.
I am trying to set up multiple Dovecot instances running at the same time. The goal is to provide IMAPS with a valid SSL certificate on selected IP addresses. To achieve this I want to set it up as follows:
1 Dovecot daemon listening on localhost (for webmail), providing LDA and authentication (over MySQL)
4 Dovecot daemons listening on each IP address, querying the localhost daemon for authentication
Just for your information: I replaced all real data with placeholders, like the IP address of my server with MY_IP. I also removed some absolutely non-relevant lines from the configuration output (like settings for logging).
This is my localhost config-output:
# 1.1.2: /opt/dovecot/etc/dovecot.conf
base_dir: /var/run/dovecot
protocols: pop3 imap
listen(default): 127.0.0.1:143
listen(imap): 127.0.0.1:143
listen(pop3): 127.0.0.1:110
ssl_disable: yes
login_dir: /var/run/dovecot/login
login_executable(default): /opt/dovecot/libexec/dovecot/imap-login
login_executable(imap): /opt/dovecot/libexec/dovecot/imap-login
login_executable(pop3): /opt/dovecot/libexec/dovecot/pop3-login
login_chroot: no
first_valid_uid: 5000
last_valid_uid: 5000
mail_location: mbox:/home/vmail/%d/%u
mail_executable(default): /opt/dovecot/libexec/dovecot/imap
mail_executable(imap): /opt/dovecot/libexec/dovecot/imap
mail_executable(pop3): /opt/dovecot/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/dovecot/lib/dovecot/imap
mail_plugin_dir(imap): /opt/dovecot/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/dovecot/lib/dovecot/pop3
auth default:
  mechanisms: plain login
  user: nobody
  passdb:
    driver: sql
    args: /opt/dovecot/etc/dovecot-sql.conf
  userdb:
    driver: sql
    args: /opt/dovecot/etc/dovecot-sql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 438
      user: dovecot
      group: dovecot
deliver and webmail work fine when I start this daemon. Now I made a second conf file:
# 1.1.2: /opt/dovecot/etc/dovecot_main.conf
base_dir: /var/run/dovecot_main
protocols: pop3s imaps
ssl_listen(default): MY_IP:993
ssl_listen(imap): MY_IP:993
ssl_listen(pop3): MY_IP:995
ssl_cert_file: /opt/certs/example.crt
ssl_key_file: /opt/certs/example.key
ssl_cipher_list: ALL:!LOW:!SSLv2
login_dir: /var/run/dovecot/login
login_executable(default): /opt/dovecot/libexec/dovecot/imap-login
login_executable(imap): /opt/dovecot/libexec/dovecot/imap-login
login_executable(pop3): /opt/dovecot/libexec/dovecot/pop3-login
login_chroot: no
first_valid_uid: 5000
last_valid_uid: 5000
mail_location: mbox:/home/vmail/%d/%u
mail_executable(default): /opt/dovecot/libexec/dovecot/imap
mail_executable(imap): /opt/dovecot/libexec/dovecot/imap
mail_executable(pop3): /opt/dovecot/libexec/dovecot/pop3
mail_plugin_dir(default): /opt/dovecot/lib/dovecot/imap
mail_plugin_dir(imap): /opt/dovecot/lib/dovecot/imap
mail_plugin_dir(pop3): /opt/dovecot/lib/dovecot/pop3
auth extern:
  socket:
    type: connect
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
Starting up the second daemon is also no problem; it listens on the correct IP and the logfiles do not show any errors. When I try to connect to this daemon with Thunderbird using IMAPS, I get the following errors logged:
Logfile for dovecot_main:
dovecot: 2008-08-21 19:16:47 Info: imap-login: Internal login failure (auth failed, 1 attempts): user=<MY_USERNAME>, method=PLAIN, rip=REMOTE_IP, lip=LOCAL_IP, TLS
Logfile for dovecot_local:
dovecot: Info: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=LOCAL_IP rip=REMOTE_IP lport=993 rport=3107
dovecot: Info: auth(default): client out: CONT 1
dovecot: Info: auth(default): client in: CONT<hidden>
dovecot: Info: auth-worker(default): sql(MY_EMAIL,REMOTE_IP): query: SELECT email AS user, NULL AS password, 1 AS nopassword, '/home/vmail/MY_DOMAIN/MY_USERNAME' AS userdb_home, 'mbox:/home/vmail/MY_DOMAIN/MY_USERNAME' AS userdb_mail, 5000 AS userdb_uid, 5000 AS userdb_gid FROM users WHERE email = 'MY_EMAIL' AND password = MD5('MY_PASSWORD') AND locked = 0 AND inactive = 0
dovecot: Info: auth(default): client out: OK 1 user=MY_EMAIL
dovecot: Info: auth(default): master in: REQUEST 1 5416 1
dovecot: Error: auth(default): Master requested auth for nonexisting client 5416
I understand what this error message means. When I run top during login I can see one imap-login process (running under the daemon "main") disappearing and coming up again a few seconds later. What is causing this behaviour?
Thanks in advance.
Manuel
On Thu, 2008-08-21 at 19:44 +0200, Manuel Maurer wrote:
# 1.1.2: /opt/dovecot/etc/dovecot.conf
base_dir: /var/run/dovecot
..
login_dir: /var/run/dovecot/login
..
# 1.1.2: /opt/dovecot/etc/dovecot_main.conf
base_dir: /var/run/dovecot_main
..
login_dir: /var/run/dovecot/login
By default login_dir is relative to base_dir. Your base_dirs are correctly set to different locations, but login_dirs point to the same dir so they'll cause conflicts. Just uncomment login_dir.
login_chroot: no
Why no chrooting?
Hi,
thanks for the reply.
On Fri, 22 Aug 2008 01:40:14 +0300, Timo Sirainen <tss@iki.fi> wrote:
On Thu, 2008-08-21 at 19:44 +0200, Manuel Maurer wrote:
# 1.1.2: /opt/dovecot/etc/dovecot.conf
base_dir: /var/run/dovecot
..
login_dir: /var/run/dovecot/login
..
# 1.1.2: /opt/dovecot/etc/dovecot_main.conf
base_dir: /var/run/dovecot_main
..
login_dir: /var/run/dovecot/login
By default login_dir is relative to base_dir. Your base_dirs are correctly set to different locations, but login_dirs point to the same dir so they'll cause conflicts. Just uncomment login_dir.
OK, I deleted the line and now I have a new problem:
Info: Dovecot v1.1.2 starting up
Info: Generating Diffie-Hellman parameters for the first time. This may take a while..
Info: ssl-build-param: SSL parameters regeneration completed
Error: file_copy(/opt/dovecot/var/lib/dovecot/ssl-parameters.dat, /var/run/dovecot_main/login/ssl-parameters.dat) failed: No such file or directory
Fatal: pop3-login: chroot(/var/run/dovecot_main/login) failed: No such file or directory
Error: Temporary failure in creating login processes, slowing down for now
The folder /var/run/dovecot_main was created at startup, but the login directory was not. Why?
If I create the login folder by hand, Dovecot starts up normally, but when I try to connect I get this message logged:
Fatal: imap-login: No authentication sockets found
It keeps filling up the logfile with this line, so I have to stop the process.
At the moment I have it up and running by using a separate auth process for every Dovecot instance. But I would prefer authentication via one single process.
login_chroot: no
Why no chrooting?
It was just for testing. I was not sure what caused the error, so I tried a lot of things. I have removed the line now.
Manuel
On Fri, 2008-08-22 at 03:45 +0200, Manuel Maurer wrote:
The folder /var/run/dovecot_main was created at startup, but the login directory was not. Why?
Because you were using external authentication.
At the moment I have it up and running by using a separate auth process for every Dovecot instance. But I would prefer authentication via one single process.
I didn't notice this in your previous settings. Unfortunately it doesn't work like that currently, because Dovecots get confused as to who owns which auth connection.
On Fri, 22 Aug 2008 04:50:40 +0300, Timo Sirainen <tss@iki.fi> wrote:
On Fri, 2008-08-22 at 03:45 +0200, Manuel Maurer wrote:
The folder /var/run/dovecot_main was created at startup, but the login directory was not. Why?
Because you were using external authentication.
But why do the logfiles say this directory is missing? As far as I understood the login process, every imap-login and pop3-login process is chrooted inside the login folder until the user is authenticated. In this case it would be necessary to have this folder. When I create it by hand it is missing the authentication socket. Is this the socket "default", normally located inside the login folder? If so, why is this also not created?
At the moment I have it up and running by using a separate auth process for every Dovecot instance. But I would prefer authentication via one single process.
I didn't notice this in your previous settings. Unfortunately it doesn't work like that currently, because Dovecots get confused as to who owns which auth connection.
Sorry, I misrepresented this. I am not using this configuration when I try to set up the single auth process. I just recognized that it is also possible to run Dovecot in that way. But that's not what I want. The configuration I posted the very first time is the one I use (now with chroot and login_dir set to default). If I absolutely cannot get it running with single auth, I will use an auth server for every Dovecot instance.
Manuel
On Fri, 2008-08-22 at 04:14 +0200, Manuel Maurer wrote:
On Fri, 22 Aug 2008 04:50:40 +0300, Timo Sirainen <tss@iki.fi> wrote:
On Fri, 2008-08-22 at 03:45 +0200, Manuel Maurer wrote:
The folder /var/run/dovecot_main was created at startup, but the login directory was not. Why?
Because you were using external authentication.
But why do the logfiles say this directory is missing? As far as I understood the login process, every imap-login and pop3-login process is chrooted inside the login folder until the user is authenticated. In this case it would be necessary to have this folder. When I create it by hand it is missing the authentication socket. Is this the socket "default", normally located inside the login folder? If so, why is this also not created?
The directory isn't created if external authentication is used. I guess the reason for this was that in such a case Dovecot can't really know what the correct directory permissions would be. I guess it could still create the directory if completely missing, but .. well, no-one uses external auth. :)
At the moment I have it up and running by using a separate auth process for every Dovecot instance. But I would prefer authentication via one single process.
I didn't notice this in your previous settings. Unfortunately it doesn't work like that currently, because Dovecots get confused as to who owns which auth connection.
Sorry, I misrepresented this. I am not using this configuration when I try to set up the single auth process. I just recognized that it is also possible to run Dovecot in that way. But that's not what I want. The configuration I posted the very first time is the one I use (now with chroot and login_dir set to default). If I absolutely cannot get it running with single auth, I will use an auth server for every Dovecot instance.
Currently there's no way to share the auth server. I'm not actually sure if it's ever going to work, but hopefully with v2.0 you don't have to run multiple instances because it'll be so much more configurable.
Thanks a lot for your help. I have now set up every Dovecot instance with its own auth server while waiting for v2.0 :-)
Manuel
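The two conflicts Timo diagnoses in this thread (both instances' login_dir resolving to the same directory, and two instances pointing at one auth master socket, which v1.1 cannot share) can be caught by comparing the `dovecot -n` output of each instance before starting the daemons. The script below is an added example and is not code from the thread or from the Dovecot project. Its sample outputs are constructed, trimmed copies of the settings quoted above; its parsing rules (indentation-based nesting, `key: value` lines, login_dir defaulting to `login` under base_dir) are assumptions about the 1.x `dovecot -n` format.

```python
"""Flag per-instance conflicts in `dovecot -n` output from several Dovecot 1.1 instances.

Added example, not from the mailing-list thread or the Dovecot project.
Assumptions: nested sections are marked by indentation and a trailing ':',
every other line is 'key: value', and an unset login_dir means '<base_dir>/login'.
"""
from collections import defaultdict


def parse_dovecot_n(text):
    """Parse `dovecot -n` text into a flat dict keyed by slash-joined section path."""
    result, stack = {}, []          # stack holds (indent, section name)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                # skip blanks and the '# 1.1.2: ...' header
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()             # dedent closes enclosing sections
        key, _, value = raw.strip().partition(":")
        prefix = "/".join(name for _, name in stack)
        full = f"{prefix}/{key}" if prefix else key
        if value.strip() == "":
            stack.append((indent, key))   # 'auth default:' opens a section
        else:
            result[full] = value.strip()
    return result


def effective_login_dir(cfg):
    """login_dir defaults to 'login' and a relative value is taken under base_dir (assumption)."""
    base = cfg.get("base_dir", "/var/run/dovecot")
    login = cfg.get("login_dir", "login")
    return login if login.startswith("/") else f"{base.rstrip('/')}/{login}"


def auth_master_sockets(cfg):
    """Every auth master socket path an instance listens on or connects to."""
    return {v for k, v in cfg.items() if k.endswith("/master/path")}


def find_conflicts(instances):
    """instances: {name: parsed config}. Returns [(kind, path, [instance names])]."""
    by_login, by_socket = defaultdict(list), defaultdict(list)
    for name, cfg in instances.items():
        by_login[effective_login_dir(cfg)].append(name)
        for sock in auth_master_sockets(cfg):
            by_socket[sock].append(name)
    findings = [("shared_login_dir", d, sorted(n)) for d, n in by_login.items() if len(n) > 1]
    findings += [("shared_auth_master", s, sorted(n)) for s, n in by_socket.items() if len(n) > 1]
    return findings


def parse_all(texts):
    return {name: parse_dovecot_n(text) for name, text in texts.items()}


# Constructed samples, trimmed from the thread's configs (MY_IP is the thread's own placeholder).
LOCAL = """\
# 1.1.2: /opt/dovecot/etc/dovecot.conf
base_dir: /var/run/dovecot
listen(default): 127.0.0.1:143
login_dir: /var/run/dovecot/login
auth default:
  mechanisms: plain login
  socket:
    type: listen
    master:
      path: /var/run/dovecot/auth-master
      mode: 438
"""
MAIN_BROKEN = """\
# 1.1.2: /opt/dovecot/etc/dovecot_main.conf
base_dir: /var/run/dovecot_main
ssl_listen(default): MY_IP:993
login_dir: /var/run/dovecot/login
auth extern:
  socket:
    type: connect
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
"""
MAIN_FIXED = """\
# 1.1.2: /opt/dovecot/etc/dovecot_main.conf
base_dir: /var/run/dovecot_main
ssl_listen(default): MY_IP:993
auth default:
  mechanisms: plain login
  socket:
    type: listen
    master:
      path: /var/run/dovecot_main/auth-master
      mode: 438
"""
BROKEN = {"local": LOCAL, "main": MAIN_BROKEN}
FIXED = {"local": LOCAL, "main": MAIN_FIXED}

if __name__ == "__main__":
    for label, texts in (("as posted", BROKEN), ("own login_dir and auth server", FIXED)):
        print(label, find_conflicts(parse_all(texts)) or "no conflicts")
```

Run it against the real output of `dovecot -c <conf> -n` for each instance to get the same report for a live setup; an empty result means every instance has its own login directory and its own auth server, which is the configuration the thread ends on.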