Issue with exim and auth protocol
Hi,
I'm trying to set up exim (4.83) as a submission server, and need to set up the dovecot authentication in exim. I'm having an issue with that (documented at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756258>)
The problem is that exim doesn't follow the handshake as described here: <http://wiki2.dovecot.org/Design/AuthProtocol>. The wiki page says that the client should start the handshake, but exim waits for the server to start and to receive the DONE command until it starts its own handshake.
What I actually get is:
exim connects to dovecot auth
dovecot VERSION 1 1
dovecot SPID 48
And then, dovecot stops (I presume it waits for the client handshake, VERSION and CPID). Exim on its side waits for the DONE. This results in the SMTP connection by exim never replying to the AUTH PLAIN command.
This is exim 4.80 (or 4.83) and dovecot 2.1.7.
I have another server set up almost exactly the same (but with dovecot 2.1.17) where it does work. In that case, dovecot finishes the handshake before exim starts its handshake. It results in:
exim connects to dovecot auth
dovecot VERSION 1 1
dovecot MECH PLAIN plaintext
dovecot SPID 10905
dovecot CUID 1
dovecot COOKIE d3861d29441f06d962490eab8549fd46
dovecot DONE
exim VERSION 1 0
exim CPID 10619
exim AUTH 1 PLAIN service=smtp secured
rip=82.247.184.53 lip=80.67.179.36 nologin resp=<base64 encoded string>
I don't understand what could change the dovecot behaviour in that regard. Is there a solution that would only require modifying the configuration?
Thank you,
Mildred
Could it be related to something in your dovecot configuration (which you didn't post)? Despite the fact that an interesting conversation is developing in the exim bug report, this setup does usually work, including on one of your servers as you have indicated. On my end, I never had issues between dovecot 2.1.7 and 2.2.13, using the exact same authenticator config in exim.
On 07/30/2014 04:18 PM, Mildred Ki'Lya wrote:
On 30/07/2014 23:32, Gedalya wrote:
See at the end of the e-mail my dovecot configuration (my /etc/dovecot/local.conf). This configuration is included by the default dovecot configuration (as packaged by Debian, but I think there are not so many changes made by Debian).
I agree that it could be related to my configuration, but I don't see how the changes I made could have altered how the auth server is working.
I'm looking at the dovecot sources and found two different implementations of the auth protocol. One in auth-master-connection.c and one in auth-client-connection.c. One seems to send SPID and VERSION and wait for further commands before continuing. The other sends the complete handshake.
I think I'm connecting to a socket speaking the wrong protocol.
exim is configured to use socket /var/run/dovecot/auth-userdb. dovecot has the following configuration in 10-master.conf:
service auth {
  # ... some comments removed ...
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }
}
I think I completely misunderstood how dovecot sockets were configured ... If I set up exim to connect to auth-client instead of auth-userdb, it fixes the problem (I get a meaningful error message, probably because things are not configured properly elsewhere).
What I don't understand is that the socket auth-client is nowhere to be found in the configuration. Where is it specified?
Also, I don't understand because the production server I have currently running has the following configuration in 10-master.conf:
service auth {
  unix_listener auth-userdb {
    mode = 0660
    user = vmail
    group = vmail
  }
  #SASL
  unix_listener auth-client {
    mode = 0660
    user = vmail
    group = vmail
  }
}
And exim is configured to use auth-client socket, and everything works. I naively thought that I could remove auth-client and use auth-userdb instead when I was looking at this configuration.
Could someone enlighten me how sockets are configured in dovecot?
Thanks,
Mildred
##### /etc/dovecot/local.conf #####
!include conf.d/auth-passwdfile.conf.ext
log_path = /dev/stderr
# FIXME: remove debug log
auth_verbose = yes
auth_verbose_passwords = plain
auth_debug = yes
auth_debug_passwords = yes

mail_location = maildir:~/Maildir
first_valid_uid = 1

ssl_cert = </var/mail/ssl.crt
ssl_key = </var/mail/ssl.key

recipient_delimiter = -
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
  mail_plugins = $mail_plugins sieve
}

protocol imap {
  mail_max_userip_connections = 100
}

protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

service managesieve-login {
}
service managesieve {
}
protocol sieve {
}

plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  recipient_delimiter = -
}

!include /var/mail/dovecot.user.conf
# Note that /var/mail/dovecot.user.conf is empty. It is for further user customisation in a docker container.
On Thu, 31 Jul 2014, Mildred Ki'Lya wrote:
Well, first of all auth-userdb and auth-client are completely different things.
exim must connect to auth-client and _not_ auth-userdb.
2nd: If the config does not enlist auth-client, look at the full config:
doveconf -a
There you see all effective settings. Hence, I guess you need to replicate the setting from your running server into your local.conf in order to get exim access permissions.
Steffen Kaiser
Thank you.
What I don't understand is how unix_listener works and how to specify independently the socket file used and the protocol spoken on the socket.
For example, to get postfix to work (I was using postfix before I used exim), we configure the auth service this way:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    ...
  }
}
What I deduced from this is that the unix_listener command took a file path as argument and the permissions inside the {} block.
Now, when I look at the configuration for auth-userdb and auth-client, I see:
service auth {
  unix_listener auth-client {
    ...
  }
  unix_listener auth-userdb {
    ...
  }
}
Using the rule deduced above, I see two sockets being declared. auth-client is a path relative to /var/run/dovecot, and auth-userdb is also a path in /var/run/dovecot. I see no difference between the two, except the file path. I deduce then that those two sockets respond to the same protocol provided by the service auth.
Obviously, I am wrong.
Then, how does the auth service know which protocol to speak on /var/run/dovecot/auth-userdb, /var/run/dovecot/auth-client and /var/spool/postfix/private/auth? This is not specified in the configuration (even doveconf -a).
If I specify:
service auth {
  unix_listener some-socket-file {
    ...
  }
}
I suppose I'll find a socket in /var/run/dovecot/some-socket-file. Which protocol does it speak?
More generally, is there somewhere where the configuration file is documented? I always wondered what happened when I redefined a section ("service auth" for example). Will it replace completely the previous section or will it only overwrite the variables specified?
Thank you
Mildred
On Thu, 31 Jul 2014, Mildred Ki'Lya wrote:
See http://wiki2.dovecot.org/Services#auth
"With UNIX listeners the client type is selected based on the filename after the last "-" in the filename. For example "anything-userdb" is of "userdb" type. The default type is "client" for inet listeners and unrecognized UNIX listeners."
Steffen Kaiser
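To make the suffix rule concrete, here is an added Python sketch (not code from the thread, from Dovecot or from exim) that classifies the socket paths named in this thread the way the wiki describes and then checks, using the two greetings captured earlier in the thread, whether exim's wait-for-DONE would stall on each. The set of recognised listener types is assumed to be just the two the thread names; Dovecot itself knows more.

```python
import os

# Assumption: only the two listener types discussed in this thread are modelled.
KNOWN_TYPES = {"client", "userdb"}


def listener_type(listener):
    """Apply the wiki rule: the type is the text after the last '-' of the
    socket filename; anything unrecognised (or without a '-') is 'client'."""
    name = os.path.basename(listener)
    suffix = name.rsplit("-", 1)[-1] if "-" in name else ""
    return suffix if suffix in KNOWN_TYPES else "client"


# What each socket type sends before waiting for the client, taken from the
# two traces posted earlier in the thread (PIDs and cookie are those values).
SERVER_GREETING = {
    "userdb": ["VERSION 1 1", "SPID 48"],
    "client": ["VERSION 1 1", "MECH PLAIN plaintext", "SPID 10905", "CUID 1",
               "COOKIE d3861d29441f06d962490eab8549fd46", "DONE"],
}


def exim_would_stall(listener):
    """exim sends its own VERSION/CPID only after seeing DONE, so a socket whose
    greeting never contains DONE leaves the AUTH PLAIN exchange hanging."""
    return "DONE" not in SERVER_GREETING[listener_type(listener)]


if __name__ == "__main__":
    for path in ["/var/run/dovecot/auth-userdb", "/var/run/dovecot/auth-client",
                 "/var/spool/postfix/private/auth", "some-socket-file"]:
        print(f"{path:36} type={listener_type(path):7} "
              f"stalls exim={exim_would_stall(path)}")
```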
On 31/07/2014 14:25, Steffen Kaiser wrote:
Thank you, I understand better now.
participants (3)
- Gedalya
- Mildred Ki'Lya
- Steffen Kaiser