[Dovecot] doveadm not working
Hi,
I know I must have done some misconfiguration, but I do not know where to start searching. It all began when looking at my weekly cron message, where doveadm purge -A is run. That fails. So I tried doveadm quota -A as well, which several weeks ago was working perfectly.
Example:

doveadm quota get -A
doveadm(root): Error: User listing returned failure
doveadm: Error: Failed to iterate through some users
Username Quota name Type Value Limit %
All I see in the logs is:
May 13 13:03:20 mx0 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Connect error
May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
Dovecot itself works. Only doveadm does not.
My LDAP is using SASL/EXTERNAL. Certs are in standard folders under /etc/ssl/{certs,private} (see below).
I guess that "some" user (but which?) tries to read the certs but is disallowed.
Can somebody help me please to fix my permissions on that (private used) mail server? Is my "vmail" user required?
Thanks in advance
Here is my doveconf -n:
# 2.1.6: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-41-generic-pae i686 Ubuntu 10.04.4 LTS
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
hostname = mail.roessner-net.de
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_access_groups = vmail
mail_gid = vmail
mail_location = mdbox:~/mdbox
mail_plugins = autocreate quota acl fts fts_solr zlib mail_log notify
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  list = children
  location = mdbox:%%h/mdbox
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox "Deleted Messages" {
    special_use = \Trash
  }
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  mailbox junkmail {
    special_use = \Junk
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
  autocreate = Trash
  autocreate2 = Sent
  autocreate3 = Drafts
  autocreate4 = junkmail
  autosubscribe = Trash
  autosubscribe2 = Sent
  autosubscribe3 = Drafts
  autosubscribe4 = junkmail
  fts = solr
  fts_solr = break-imap-search url=http://localhost:8080/solr/
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
  quota = dict:User quota::file:%h/mdbox/dovecot-quota
  quota_rule = *:storage=300M:messages=20000
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap pop3 lmtp sieve
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service lmtp {
  inet_listener lmtp {
    address = ::1
    port = 24
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl_ca =
And here my ldap stuff:
uris = ldap://ldap0.roessner-net.de/ ldap://db.roessner-net.de/
sasl_bind = yes
sasl_mech = EXTERNAL
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_cert_file = /etc/ssl/certs/mx0.roessner-net.de.pem
tls_key_file = /etc/ssl/private/mx0.roessner-net.de.key.pem
tls_require_cert = hard
base = ou=people,ou=it,dc=roessner-net,dc=de
user_attrs = rnsMSQuota=quota_rule=*:storage=%$,rnsMSMailboxHome=home
user_filter = (&(objectClass=rnsMSDovecotAccount)(rnsMSRecipientAddress=%u))
pass_attrs = rnsMSDeliverToAddress=user,userPassword=password
pass_filter = (&(objectClass=rnsMSDovecotAccount)(rnsMSRecipientAddress=%u)(rnsMSEnableDovecot=TRUE))
iterate_attrs = rnsMSDovecotUser=user
iterate_filter = (objectClass=rnsMSDovecotAccount)
default_pass_scheme = CRYPT
id vmail
uid=5000(vmail) gid=5000(vmail) groups=111(ssl-cert),5000(vmail)
ls -l /etc/ssl/private/mail.roessner-net.de.key.pem
-rw-r----- 1 root ssl-cert 1679 2012-03-29 10:03 /etc/ssl/private/mail.roessner-net.de.key.pem
-Christian Rößner
Roessner-Network-Solutions Bachelor of Science Informatik Nahrungsberg 81, 35390 Gießen F: +49 641 5879091, M: +49 176 93118939 USt-IdNr.: DE225643613 http://www.roessner-network-solutions.com
> doveadm quota get -A
> doveadm(root): Error: User listing returned failure
> doveadm: Error: Failed to iterate through some users
> Username Quota name Type Value Limit %
>
> All I see in the logs is:
>
> May 13 13:03:20 mx0 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
> May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Connect error
> May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
I just enabled Stats in both LDAP servers. When doing a doveadm quota get -A, no LDAP connection to either of my servers happens.
If I do a "telnet -4/-6 ... 389" to each of them, I can see the ACCEPT stats. So why does doveadm not connect with LDAP, while the service dovecot works perfectly?
How can I debug this?
-Christian Rößner
On Sun, 2012-05-13 at 13:21 +0200, Christian Rößner wrote:
> May 13 13:03:20 mx0 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
> May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Connect error
> May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
>
> Dovecot itself works. Only doveadm does not.
User iteration is done via auth-worker process, because it can take a long time. Regular passdb/userdb lookups are done via auth process, because they are fast. So:
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
I guess you need to add extra_groups=ssl-cert to auth-worker as well.
>> May 13 13:03:20 mx0 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
>> May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Connect error
>> May 13 13:03:21 mx0 dovecot: auth-worker(26753): Error: LDAP: ldap_start_tls_s() failed: Can't contact LDAP server
>>
>> Dovecot itself works. Only doveadm does not.
>
> User iteration is done via auth-worker process, because it can take a long time. Regular passdb/userdb lookups are done via auth process, because they are fast. So:
>
> service auth-worker {
>   unix_listener auth-worker {
>     user = vmail
>   }
>   user = vmail
> }
> service auth {
>   extra_groups = ssl-cert
>   unix_listener auth-userdb {
>     mode = 0600
>     user = vmail
>   }
>   user = vmail
> }
>
> I guess you need to add extra_groups=ssl-cert to auth-worker as well.
Unfortunately I already tested this (and also once again after your answer). Changed the setting, stopped dovecot and restarted it. After that, doing doveadm quota get -A stalls.
What I do not understand is that I can not see any connection attempts to the LDAP servers. If it had problems with the certificates I would expect to see the connection and then a failure in the starttls process.
I also did chmod o+rx on the folder /etc/ssl/private and also on the private key. So I think it has nothing to do with the privileges of the certificates, does it?
-Christian Rößner
On Mon, 2012-05-14 at 17:51 +0200, Christian Rößner wrote:
> Unfortunately I already tested this (and also once again after your answer). Changed the setting, stopped dovecot and restarted it. After that, doing doveadm quota get -A stalls.
>
> What I do not understand is that I can not see any connection attempts to the LDAP servers. If it had problems with the certificates I would expect to see the connection and then a failure in the starttls process.
>
> I also did chmod o+rx on the folder /etc/ssl/private and also on the private key. So I think it has nothing to do with the privileges of the certificates, does it?
I don't know how OpenLDAP works internally. Does it still log about ldap_start_tls_s() failing? Try if increasing OpenLDAP's logging in dovecot-ldap.conf.ext works:
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 0
Also make sure that the auth and auth-worker processes have the same permissions:
doveconf service/auth > a
doveconf service/auth-worker > b
diff -u a b
On 14.05.2012 at 18:36, Timo Sirainen wrote:
> #debug_level = 0
>
> Also make sure that the auth and auth-worker processes have the same permissions:
>
> doveconf service/auth > a
> doveconf service/auth-worker > b
> diff -u a b
Okay, for some reason it is working again. I had removed the unix_listener
service auth-worker {
  unix_listener auth-worker {
    mode = 0600
    user = vmail
    #group =
  }

  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  user = vmail

  extra_groups = ssl-cert
}
This version shown here now works for me. Thanks again for your help. :-)
-Christian Rößner
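An added example, not code from this thread or from Dovecot itself: a small Python script that does what Timo's "diff the two service blocks" suggestion does by hand. It parses the service blocks of a doveconf -n dump, derives the identity each of the auth and auth-worker processes would run with, and checks whether that identity can read the LDAP client key. It models the behaviour the thread observed as an assumption: a service process gets its `user`'s primary group plus `extra_groups`, and does not inherit the supplementary groups that `id vmail` shows from /etc/group. The sample dump, the key's owner/group/mode (root:ssl-cert, 0640) and the primary-group table are constructed from what was posted above; the function names are mine.

```python
import re
import stat
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on the service blocks posted in the thread:
# service auth has extra_groups = ssl-cert, service auth-worker does not.
DOVECONF_BEFORE = """\
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
"""

# The same dump with the fix the thread converged on.
DOVECONF_AFTER = DOVECONF_BEFORE.replace(
    "service auth-worker {\n", "service auth-worker {\n  extra_groups = ssl-cert\n", 1)


@dataclass
class FileInfo:
    """Owner, group and permission bits of a file, as 'ls -l' shows them (constructed)."""
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o640


@dataclass
class ServiceIdentity:
    """Assumed process identity: user, its primary group, plus extra_groups only."""
    user: str
    primary_group: str
    extra_groups: List[str] = field(default_factory=list)


def parse_services(doveconf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect the top-level settings of every 'service NAME { ... }' block.

    Settings inside nested blocks (unix_listener, inet_listener) are skipped:
    they describe the socket, not the identity of the process.
    """
    services: Dict[str, Dict[str, str]] = {}
    current = None   # name of the service block we are inside, if any
    depth = 0        # brace depth relative to the top level
    for raw in doveconf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments such as '#group ='
        if not line:
            continue
        m = re.match(r"^service\s+(\S+)\s*\{$", line)
        if m and depth == 0:
            current, depth = m.group(1), 1
            services[current] = {}
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if current and depth == 1 and "=" in line:
            key, _, value = line.partition("=")
            services[current][key.strip()] = value.strip()
    return services


def service_identity(settings: Dict[str, str], primary_groups: Dict[str, str]) -> ServiceIdentity:
    """Build the assumed identity; an unknown user is given a same-named primary group."""
    user = settings.get("user", "root")          # auth-worker defaults to root (thread comment)
    extra = settings.get("extra_groups", "").replace(",", " ").split()
    return ServiceIdentity(user, primary_groups.get(user, user), extra)


def can_read(identity: ServiceIdentity, f: FileInfo) -> bool:
    """Plain Unix owner/group/other read check for that identity."""
    if identity.user == "root":
        return True
    if identity.user == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group == identity.primary_group or f.group in identity.extra_groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def audit_key_access(doveconf_text: str, key: FileInfo,
                     primary_groups: Dict[str, str]) -> Dict[str, bool]:
    """Per auth service, can its process identity read the LDAP client key?"""
    services = parse_services(doveconf_text)
    return {name: can_read(service_identity(cfg, primary_groups), key)
            for name, cfg in services.items() if name in ("auth", "auth-worker")}


# The key as 'ls -l' showed it in the thread: -rw-r----- root ssl-cert
LDAP_KEY = FileInfo(owner="root", group="ssl-cert", mode=0o640)
PRIMARY_GROUPS = {"vmail": "vmail", "root": "root", "dovecot": "dovecot"}  # constructed

if __name__ == "__main__":
    for label, text in (("before", DOVECONF_BEFORE), ("after", DOVECONF_AFTER)):
        print(label, audit_key_access(text, LDAP_KEY, PRIMARY_GROUPS))
```

Run against the "before" dump it reports auth as able to read the key and auth-worker as not, which is exactly the split the log lines show (IMAP logins through the auth process work, iteration through auth-worker fails); with extra_groups = ssl-cert on auth-worker both come out readable. Feeding it a real doveconf -n dump and the real key's ownership is a quick way to catch this class of mismatch before a cron job does.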