You should also add the pass=yes setting to the master passdb if possible.
It means that Dovecot verifies that the login user really exists before
allowing the master user to log in. Without the setting, if a non-existing
login username is given, then depending on the configuration it could either
return an internal login error (the userdb lookup failed) or create a whole
new user (with e.g. a static userdb). pass=yes doesn't work with PAM, or with
LDAP when auth_bind=yes, because both of them require knowing the user's
password.
Greetings to all
I need a master user / proxy account for some applications to be implemented
and I am having some problems. Normal users are proxied through
LDAP queries to the remote machine and this is working as it is supposed to,
but I can't make the master user work. Below are both the dovecot.conf
and dovecot-ldap.conf and verbose logs from the proxy machine.
If I log in directly on the remote machine that should be proxied to, everything
works normally ...
dovecot.conf
# Services this instance serves; each one has its own "protocol" block below.
protocols = pop3 imap managesieve
# Single-UID virtual-user layout: every mailbox is accessed as uid/gid 10021
# with the vmail group.
mail_uid = 10021
mail_gid = 10021
mail_privileged_group = vmail
mail_access_groups = vmail
# Both log paths are left empty. NOTE(review): presumably this means logging
# goes via syslog — the /var/log/mail/dovecot.info excerpt further down is
# where the messages ended up.
log_path =
info_log_path =
log_timestamp = "%b %d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
login_log_format = %$: %s
mail_log_prefix = "%Us(%u): "
# Plaintext authentication is allowed while TLS is disabled (ssl = no below),
# so credentials cross the network unprotected; the "AUTH 1 PLAIN" exchange on
# port 110 in the log excerpt is an example of such a login.
disable_plaintext_auth = no
login_process_per_connection=yes
# Appended to user names that carry no domain part.
auth_default_realm = example.com
login_processes_count = 8
login_max_processes_count = 128
login_max_connections = 256
verbose_proctitle = yes
max_mail_processes = 512
# Full debugging is on. auth_debug_passwords writes the submitted password in
# clear text into the log ("given password: ..." and "pass=..." in the excerpt
# below), so it should be switched off again once the proxy problem is solved.
mail_debug = yes
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
# A login name of the form login_user*master_user is authenticated with the
# master user's password and then continues as login_user — the
# "Master user logging in as ..." line in the log shows this step.
auth_master_user_separator = *
login_chroot = yes
ssl = no
protocol imap {
# The value of this setting is wrapped onto the following line in the mail
# message; presumably it is a single line in the real file.
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
tb-extra-mailbox-sep
# IMAP listens on one address only (anonymised as xx.xx.xx.xx in the post).
listen = xx.xx.xx.xx:143
imap_max_line_length = 65536
imap_logout_format = bytes=%i/%o
# Per-user, per-IP connection cap.
mail_max_userip_connections = 10
}
protocol pop3 {
# pop3_uidl_format appears twice in this block (here and three lines further
# down) with the same value; the duplicate is harmless but can be dropped.
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_enable_last = yes
pop3_uidl_format = %08Xu%08Xv
# POP3 listens on one address only (anonymised as xx.xx.xx.xx in the post);
# the logged test login arrived on this port (lport=110).
listen = xx.xx.xx.xx:110
mail_max_userip_connections = 10
}
protocol managesieve {
listen = xx.xx.xx.xx:2000
# The login_executable value is wrapped onto the following line in the mail
# message; presumably "login_executable = /usr/local/..." is one line in the
# real file. Both binaries live under a non-default /usr/local prefix.
login_executable =
/usr/local/dovecot/libexec/dovecot/managesieve-login
mail_executable = /usr/local/dovecot/libexec/dovecot/managesieve
managesieve_max_line_length = 65536
managesieve_implementation_string = dovecot
managesieve_logout_format = bytes ( in=%i : out=%o )
}
auth default {
# PLAIN and LOGIN both send the password as-is; together with ssl = no and
# disable_plaintext_auth = no above, credentials are not protected in transit.
mechanisms = plain login
user = vmail
# Master-user passdb, consulted first. master = yes marks the file as holding
# master credentials; pass = yes additionally asks Dovecot to verify the
# *login* user's password against the following passdbs. The ldap passdb
# below uses auth_bind = yes, so that check is attempted by binding to LDAP
# with the only password that was submitted — the master user's — and fails.
# That is the "invalid credentials (given password: ...)" line in the log
# excerpt, and the reply at the top of this thread states the same limitation
# (pass=yes does not work with PAM or with LDAP when auth_bind=yes).
passdb passwd-file {
args = /etc/dovecot/passwd.masterusers
master = yes
pass = yes
}
# Regular users, and the proxy decision (mailHost plus the static
# proxy/nologin/nodelay fields), come from LDAP; see dovecot-ldap.conf below.
passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
args = /etc/dovecot/dovecot-ldap.conf
}
socket listen {
# auth-master socket: owner-only (0600) access for the vmail user.
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = vmail
group = vmail
}
# Client socket placed inside the Postfix spool and owned by postfix;
# presumably used by Postfix for SMTP authentication — group-writable (0660).
client {
path = /var/spool/postfix/dovecot-auth
mode = 0660
user = postfix
group = postfix
}
}
}
dovecot-ldap.conf
# LDAP backend shared by the "passdb ldap" and "userdb ldap" entries in
# dovecot.conf above.
hosts = ldap.example.com
ldap_version = 3
# Users are authenticated by binding to LDAP as the user ("bind search" in the
# log). This is what makes pass = yes on the master passdb unusable here — see
# the reply at the top of the thread.
auth_bind = yes
# Bind DN and password used for the lookups themselves. The password sits in
# clear text in this file, so the file's permissions decide who can read it.
dn = cn=vmail,dc=example,dc=com
dnpass = secret_pass
# %d is the domain part of the login name; the log shows it expanded to
# domainName=example.com.
base = ou=Users,domainName=%d,o=domains,dc=example,dc=com
scope = subtree
deref = never
# Search filters: %u is the full login name, %Ls the lower-cased service name
# (expanded to enabledService=pop3 in the log). Each "key =" value below is
# wrapped onto the following line in the mail message; presumably one line in
# the real file.
user_filter =
(&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls))
# Attribute -> field mappings. Entries written as "=name=value" carry no LDAP
# attribute and set a static extra field (proxy, nologin, nodelay); mailHost
# becomes the "host" field used as the proxy target (mailHost(host)=... in the
# log).
user_attrs =
storageBaseDirectory=home,mailHost=host,=proxy=yes,=nologin=yes,=nodelay=yes
pass_filter =
(&(mail=%u)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls))
pass_attrs =
userPassword=password,mailHost=host,=proxy=yes,=nologin=yes,=nodelay=yes
# Scheme assumed for userPassword values that carry no {SCHEME} prefix.
default_pass_scheme = CRYPT
/var/log/mail/dovecot.info
Nov 30 14:26:59 dougie dovecot: auth(default): new auth connection:
pid=5873
Nov 30 14:27:28 dougie dovecot: auth(default): client in: AUTH 1 PLAIN
service=pop3 lip=xx.xx.xx.xx rip=192.168.22.222
lport=110 rport=36639
resp=AHRtaWhhbGljZWtAeG5ldC5sYW4qbWlncmF0aW9uQHhuZXQuaHIAbTFncjR0MTBu
Nov 30 14:27:28 dougie dovecot: auth(default):
passwd-file(migration@example.com,192.168.22.222,master): lookup:
user=master_user@example.com
file=/etc/dovecot/passwd.masterusers
Nov 30 14:27:28 dougie dovecot: auth(default):
passdb(master_user@example.com,192.168.22.222,master): Master user logging
in as some_user@example.com
Nov 30 14:27:28 dougie dovecot: auth(default):
ldap(some_user@example.com,192.168.22.222): bind search:
base=ou=Users,domainName=example.com,o=domains,dc=example,dc=com
filter=(&(mail=some_user@example.com)(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=pop3))
Nov 30 14:27:28 dougie dovecot: auth(default):
ldap(some_user@example.com,192.168.22.222): result:
mailHost(host)=xx.xx.xx.xx
Nov 30 14:27:28 dougie dovecot: auth(default):
ldap(some_user@example.com,192.168.22.222): invalid credentials (given
password: master_password)
Nov 30 14:27:28 dougie dovecot: auth(default): client out: FAIL 1
user=some_user@example.com authz nodelay host=xx.xx.xx.xx
proxynologin pass=master_password master=master_user@example.com
Nov 30 14:27:28 dougie dovecot: pop3-login: Ignoring unknown passdb extra
field: authz