dear all
I have a postfix relaying to dovecot's lda but "strangely" it does not work. I mean, I imagine it's me doing something wrong, yet I cannot figure out what.
postfix logs:
to=<me@my.domain>,orig_to=<root@localhost>, relay=dovecot, delay=39296, delays=39294/2.2/0/0.27, dsn=4.3.0, status=deferred (temporary failure)
and dovecot logs no error, despite having debug set to yes in a couple of places; it shows:
auth: Debug: master in: USER 1 me@my.domain service=lda
auth-worker(25343): Debug: passwd(me@my.domain): lookup
auth-worker(25343): passwd(me@my.domain): unknown user
auth: Debug: ldap(me@my.domain): user search: base=ou=People,dc=my,dc=domain scope=subtree filter=(&(objectClass=person)(uid=me)) fields=
auth: Debug: ldap(me@my.domain): result: objectClass=top,top,top,top,
... here goes the whole lot of ldap attribs, and at the end:
unused.
For passdb & userdb in the configs I only configure the ldap backend, nothing else. Ldap works, I can query it without failing. I believe it's a very simple set up but I must be wrong somewhere.
pass_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=user=%n,userPassword=password
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))
Any suggestions very appreciated. Thanks.
On 22/06/15 09:16, lejeczek wrote:
Even stranger, if I use (along with ldap in the configs):
userdb {
  driver = static
  args = uid=vmail gid=mail home=/var/spool/mail/%d/%n mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n sieve_storage=/var/spool/mail/%d/%n/SIEVE sieve=/var/spool/mail/%d/%n/dovecot.sieve
}
dovecot starts to core dump:
auth: Fatal: master: service(auth): child 9188 killed with signal 11 (core dumped)
On Mon, 22 Jun 2015, lejeczek wrote:
pass_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=user=%n,userPassword=password
Use either uid=user or =user=%n but not uid=user=%n. I would use uid=user, so the user cannot specify the case of the username.
Please post:
complete doveconf -n and the complete LDAP config being referenced by the config.
Steffen Kaiser
On 22/06/15 09:43, Steffen Kaiser wrote:
Please post:
complete doveconf -n and the complete LDAP config being referenced by the config.
auth_debug = yes
auth_mechanisms = login
auth_verbose = yes
first_valid_uid = 999
mail_debug = yes
mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/ldap-passdb-my.domain.conf
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_storage = SIEVE
}
protocols = imap sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = mail
    mode = 0660
    user = vmail
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/ldap-userdb-my.domain.conf
  driver = ldap
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol lda {
  mail_plugins = " sieve"
}
#ldap-passdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
pass_attrs = uid=%n,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))

#ldap-userdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))
default_pass_scheme = SSHA

It cannot be postfix if it relays and dovecot gets these relays. Can it be?
On Mon, 22 Jun 2015, lejeczek wrote:
#ldap-passdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
pass_attrs = uid=%n,userPassword=password
That's neither your original request nor the following:
Use either uid=user or =user=%n but not uid=user=%n. I would use uid=user, so the user cannot specify the case of the username.
Steffen Kaiser
On 22/06/15 15:57, Steffen Kaiser wrote:
That's neither your original request nor the following:
If I use uid=user then dovecot loses the domain and I get: ... username changed my@my.domain -> me ... and it still does not work.
Use either uid=user or =user=%n but not uid=user=%n. I would use uid=user, so the user cannot specify the case of the username.
On Mon, 22 Jun 2015, lejeczek wrote:
auth_debug = yes
The first lines should be something like this:
# 2.2.18 (8906101589f9): /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (3df7e50f986d)
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10
What version are you using?
[...]
passdb {
  driver = pam
}
Did you remove or comment out the line:
10-auth.conf:#!include auth-system.conf.ext
?
#ldap-passdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
pass_attrs = uid=%n,userPassword=password
uid=%n makes no sense. Please use just:
pass_attrs = userPassword=password
I have tried your config with the above mentioned version, with LDAP as the only passdb and userdb and these LDAP settings:
hosts = localhost
auth_bind = yes
base = <baseDN>
deref = searching
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=fhMailAlias)(uid=%n))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
iterate_filter = (objectClass=fhMailAlias)
Note the pass_attrs. Then I submitted a new message with:
socat stdin UNIX:/var/run/dovecot2.2/lmtp
LHLO loc
mail from:<me@example.com>
rcpt to:<other@example.com>
data
Subject: 1

1
.
successfully. Maildir was created and message spooled to /var/spool/mail/example.com/other/Maildir. Then I logged in via IMAP successfully as well.
I also tried the other order: reload Dovecot to flush any caches, log in via IMAP and submit via LMTP.
You should however note the following:
Both filters treat the users "me@example.com" and "me@localhost.localdomain" as the same user, because they match the same LDAP item (uid=%n); however, the directories of the users _should_ differ, but they won't as long as the user's information is cached in the auth cache.
That means:
doveadm auth cache flush
doveadm user me@example.net
doveadm user me@example.com
returns the data for me@example.net in both cases, and
doveadm auth cache flush
doveadm user me@example.com
doveadm user me@example.net
returns the data for me@example.com in both cases.
Steffen Kaiser
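To make the point above concrete, here is an added example (not Dovecot's code and not from this thread) that models Dovecot-style %variable expansion for the filters and paths quoted in the thread. It covers only %u, %n, %d and the %L modifier, escapes filter values per RFC 4515 as any expansion into a filter must, and the LDAP uid value it uses is a constructed stand-in for a directory lookup.

```python
"""Model of Dovecot-style %variable expansion for the settings in this thread.

Added example, not Dovecot's own code. It shows two things from the discussion:
  * user_filter/pass_filter built on uid=%n yield the same LDAP search for
    "me@example.com" and "me@localhost.localdomain", while the home path built
    from %d/%n differs, so a cached lookup for one address can serve the other;
  * "uid=user" takes the username's spelling from the directory, whereas
    "=user=%n" takes it from whatever the client typed.
Only %u, %n, %d and the %L (lowercase) modifier are modelled.
"""
import re

# RFC 4515, section 3: characters that must be escaped inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def split_user(user: str):
    """Return (%n, %d): local part and domain; %d is empty when there is no '@'."""
    name, _, domain = user.partition("@")
    return name, domain


_VAR_RE = re.compile(r"%(L?)([und])")


def expand(template: str, user: str, escape: bool) -> str:
    """Expand %u, %n, %d (with optional %L lowercasing) in a template.

    escape=True applies RFC 4515 escaping, as a filter expansion must;
    escape=False is for path-like settings such as home and mail.
    """
    name, domain = split_user(user)
    values = {"u": user, "n": name, "d": domain}

    def sub(match):
        val = values[match.group(2)]
        if match.group(1) == "L":
            val = val.lower()
        return ldap_escape(val) if escape else val

    return _VAR_RE.sub(sub, template)


# Settings as quoted in the thread.
USER_FILTER = "(&(objectClass=person)(uid=%n))"
PASS_FILTER = "(&(objectClass=posixAccount)(uid=%n))"
HOME_TEMPLATE = "/var/spool/mail/%d/%n"


def lookup_keys(user: str) -> dict:
    """What the directory is asked (filters) versus where mail would land (home)."""
    return {
        "user_filter": expand(USER_FILTER, user, escape=True),
        "pass_filter": expand(PASS_FILTER, user, escape=True),
        "home": expand(HOME_TEMPLATE, user, escape=False),
    }


def same_directory_entry(user_a: str, user_b: str) -> bool:
    """True when both users produce identical filters, i.e. hit the same LDAP entry."""
    a, b = lookup_keys(user_a), lookup_keys(user_b)
    return a["user_filter"] == b["user_filter"] and a["pass_filter"] == b["pass_filter"]


def resolve_user_field(pass_attrs_user: str, typed_user: str, ldap_uid: str) -> str:
    """Model the two pass_attrs spellings discussed in the thread.

    "uid=user": the user field is the LDAP uid attribute, so the directory
    decides the canonical spelling (and case) of the username.
    "=user=<template>": the user field is expanded from the client-supplied name.
    ldap_uid stands in for the attribute value of a (constructed) directory entry.
    """
    if pass_attrs_user == "uid=user":
        return ldap_uid
    if pass_attrs_user.startswith("=user="):
        return expand(pass_attrs_user[len("=user="):], typed_user, escape=False)
    raise ValueError("unsupported pass_attrs spelling: " + pass_attrs_user)


if __name__ == "__main__":
    for u in ("me@example.com", "me@localhost.localdomain"):
        print(u, lookup_keys(u))
    print("same entry:", same_directory_entry("me@example.com", "me@localhost.localdomain"))
    # Constructed inputs: the client types "ME", the directory stores "me".
    print("uid=user ->", resolve_user_field("uid=user", "ME@example.com", "me"))
    print("=user=%n ->", resolve_user_field("=user=%n", "ME@example.com", "me"))
```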
On 23/06/15 09:32, Steffen Kaiser wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:43, Steffen Kaiser wrote:
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:16, lejeczek wrote:
to=<me@my.domain>,orig_to=<root@localhost>, relay=dovecot, delay=39296, delays=39294/2.2/0/0.27, dsn=4.3.0, status=deferred (temporary failure)
and dovecot logs no error, despite having debug to yes in couple of places, it shows:
auth: Debug: master in: USER 1 me@my.domain service=lda auth-worker(25343): Debug: passwd(me@my.domain): lookup auth-worker(25343): passwd(me@my.domain): unknown user auth: Debug: ldap(me@my.domain): user search: base=ou=People,dc=my,dc=domain scope=subtree filter=(&(objectClass=person)(uid=me)) fields= auth: Debug: ldap(me@my.domain): result: objectClass=top,top,top,top,
... here goes the whole lot of ldap atrribs, and at the end:
unused.
For passdb & userdb in the configs I only configure ldap backed, nothing else. Ldap works, I can query it without failling. I believe it's very simple set up but I must be wrong somewhere.
pass_filter = (&(objectClass=posixAccount)(uid=%n)) pass_attrs = uid=user=%n,userPassword=password
Use either uid=user oder =user=%n but not uid=user=%n. I would use uid=user, so the user cannot specify the case of the username.
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n user_filter = (&(objectClass=person)(uid=%n))
even stranger, if I use(along with ldap in configs):
Please post:
complete doveconf -n and the complete LDAP config being referenced by the config.
userdb { driver = static args = uid=vmail gid=mail home=/var/spool/mail/%d/%n mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n sieve_storage=/var/spool/mail/%d/%n/SIEVE sieve=/var/spool/mail/%d/%n/dovecot.sieve }
dovecot start to core dump:
auth: Fatal: master: service(auth): child 9188 killed with signal 11 (core dumped)
auth_debug = yes
The first lines should be something like this:
# 2.2.18 (8906101589f9): /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf # Pigeonhole version 0.4.8 (3df7e50f986d) # OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10
What version are you using?
auth_mechanisms = login auth_verbose = yes first_valid_uid = 999 mail_debug = yes mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = pam }
Did you've removed or commented the line :
10-auth.conf:#!include auth-system.conf.ext
?
passdb { args = /etc/dovecot/ldap-passdb-my.domain.conf driver = ldap } plugin { sieve = ~/.dovecot.sieve sieve_dir = ~/sieve sieve_storage = SIEVE } protocols = imap sieve service auth { unix_listener /var/spool/postfix/private/auth { group = mail mode = 0660 user = vmail } unix_listener auth-userdb { group = mail mode = 0660 user = vmail } } service imap-login { inet_listener imap { port = 143 } inet_listener imaps { port = 993 } } ssl = required ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem userdb { driver = passwd } userdb { args = /etc/dovecot/ldap-userdb-my.domain.conf driver = ldap } protocol lmtp { mail_plugins = " sieve" } protocol lda { mail_plugins = " sieve" }
#ldap-passdb hosts = localhost uris = ldap://localhost:389/ ldap_version = 3 base = ou=People,dc=my,dc=domain dn = cn=Manager,dc=my,dc=domain dnpass = my.pass auth_bind = no pass_attrs = uid=%n,userPassword=password
uid=%n makes no sense. Please use just:
pass_attrs = userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
#ldap-userdb
hosts = localhost
uris = ldap://localhost:389/
ldap_version = 3
base = ou=People,dc=my,dc=domain
dn = cn=Manager,dc=my,dc=domain
dnpass = my.pass
auth_bind = no
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))
default_pass_scheme = SSHA

It cannot be Postfix if it relays and Dovecot gets these relays. Can it be?
I have tried your config with above mentioned version, with LDAP as only passdb and userdb and these LDAP-settings:
hosts = localhost
auth_bind = yes
base = <baseDN>
deref = searching
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=fhMailAlias)(uid=%n))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
iterate_filter = (objectClass=fhMailAlias)
Note the pass_attrs. Then I submitted a new message with:
socat stdin UNIX:/var/run/dovecot2.2/lmtp
LHLO loc
mail from:<me@example.com>
rcpt to:<other@example.com>
data
Subject: 1

1
.
successfully. Maildir was created and message spooled to /var/spool/mail/example.com/other/Maildir. Then I logged in via IMAP successfully as well.
I also tried the other order: reload Dovecot to flush any caches, log in via IMAP and submit via LMTP.
You should however note the following:
Both filters treat users "me@example.com" and "me@localhost.localdomain" as the same user, because they match the same LDAP item (uid=%n), however the directories of the users _should_ differ, but they won't as long as the user's information is cached in the auth cache.
That means:
doveadm auth cache flush
doveadm user me@example.net
doveadm user me@example.com

returns the data for me@example.net in both cases and

doveadm auth cache flush
doveadm user me@example.com
doveadm user me@example.net

returns the data for me@example.com in both cases.

It's weird, I know. I do:

# doveadm auth test -x service=smtp -x rip=172.25.12.214 me@my.domain
Password:
passdb: me@my.domain auth succeeded
extra fields:
  user=me@my.domain
and in the logs:
auth-worker(32531): Debug: pam(me@my.domain,172.25.12.214): lookup service=dovecot
auth-worker(32531): Debug: pam(me@my.domain,172.25.12.214): #1/1 style=1 msg=Password:
pam_unix(dovecot:auth): check pass; user unknown
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=me@my.domain rhost=172.25.12.214
auth-worker(32531): pam(me@my.domain,172.25.12.214): unknown user
auth: Debug: ldap(me@my.domain,172.25.12.214): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me@my.domain))) fields=uid,userPassword
auth: Debug: ldap(me@my.domain,172.25.12.214): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me@my.domain,172.25.12.214): result: uid=info userPassword=<hidden>
auth: Debug: client passdb out: OK 1 user=me@my.domain

So it seems fine, right? Only when I do a simple test on that dovecot locally:
echo repli_test | mail -s "repl test" my@my.domain
to get:
auth-worker(365): Debug: passwd(me@my.domain): lookup
auth-worker(365): passwd(me@my.domain): unknown user
auth: Debug: password(me@my.domain): passdb doesn't support credential lookups
auth: Debug: ldap(me@my.domain): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me@my.domain))) fields=uid,userPassword
auth: Debug: ldap(me@my.domain): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me@my.domain): result: uid=info userPassword=<hidden>
auth: Fatal: master: service(auth): child 364 killed with signal 11 (core dumped)
the same error with: doveadm user me@my.domain
so it must be userdb, right?
maybe it's postfix twisting something?
-- Steffen Kaiser
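The LMTP hand-test above, written out as a small Python client (an added example, not Dovecot's, Postfix's or the thread's code): it reads every reply, copes with multi-line replies, dot-stuffs the body and returns one final status per recipient, which is where a temporary failure like the 4.3.0 in the Postfix log surfaces. The socket path is whatever `doveconf -n` shows, and the server replies in SAMPLE_REPLIES are constructed.

```python
"""Minimal LMTP client: the socat session above done programmatically, with
every reply read and one final status returned per recipient. Added example,
not Dovecot or Postfix code; the server replies below are constructed."""
import io
import socket

class LmtpError(Exception):
    pass

def read_reply(rfile):
    """Read one reply; '250-text' lines continue it, '250 text' ends it.
    Returns (code, [text lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise LmtpError("connection closed by server")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise LmtpError(f"malformed reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines

def dot_stuff(message):
    """RFC 5321 transparency: CRLF line ends, leading '.' doubled, and the
    lone '.' terminator appended."""
    out = [("." + ln if ln.startswith(".") else ln)
           for ln in message.replace("\r\n", "\n").split("\n")]
    return ("\r\n".join(out) + "\r\n.\r\n").encode("utf-8")

def lmtp_deliver(rfile, wfile, helo, sender, recipients, message):
    """One LMTP transaction over connected file objects. Returns
    {recipient: (code, text)}: a rejected RCPT keeps its RCPT reply, an
    accepted one gets the per-recipient reply sent after the message body."""
    def send(cmd):
        wfile.write((cmd + "\r\n").encode("utf-8"))
        wfile.flush()
        return read_reply(rfile)

    results, accepted = {}, []
    read_reply(rfile)  # 220 greeting
    for cmd in (f"LHLO {helo}", f"MAIL FROM:<{sender}>"):
        code, text = send(cmd)
        if code // 100 != 2:
            raise LmtpError(f"{cmd} -> {code} {' '.join(text)}")
    for rcpt in recipients:
        code, text = send(f"RCPT TO:<{rcpt}>")
        if code // 100 == 2:
            accepted.append(rcpt)
        else:
            results[rcpt] = (code, " ".join(text))
    if accepted:
        code, text = send("DATA")
        if code // 100 != 3:
            raise LmtpError(f"DATA -> {code} {' '.join(text)}")
        wfile.write(dot_stuff(message))
        wfile.flush()
        # Unlike SMTP, LMTP (RFC 2033) answers the body with one reply per
        # accepted recipient, in RCPT order; a 4xx here is what Postfix
        # turns into status=deferred.
        for rcpt in accepted:
            code, text = read_reply(rfile)
            results[rcpt] = (code, " ".join(text))
    send("QUIT")
    return results

def deliver_via_socket(path, **kwargs):
    """Connect to Dovecot's LMTP UNIX socket (path as shown by doveconf -n)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        with s.makefile("rb") as r, s.makefile("wb") as w:
            return lmtp_deliver(r, w, **kwargs)

# Constructed server side of one session: one recipient saved, one deferred
# with the 4.3.0 enhanced status the Postfix log in the thread shows.
SAMPLE_REPLIES = (
    b"220 loc Dovecot ready.\r\n"
    b"250-loc\r\n250-8BITMIME\r\n250 PIPELINING\r\n"
    b"250 2.1.0 OK\r\n"
    b"250 2.1.5 OK\r\n"
    b"451 4.3.0 <bogus@example.com> Temporary internal error\r\n"
    b"354 OK\r\n"
    b"250 2.0.0 <other@example.com> Saved\r\n"
    b"221 2.0.0 Bye\r\n"
)

def demo():
    """Run the client against SAMPLE_REPLIES; returns the per-recipient map."""
    return lmtp_deliver(io.BytesIO(SAMPLE_REPLIES), io.BytesIO(), helo="loc",
                        sender="me@example.com",
                        recipients=["other@example.com", "bogus@example.com"],
                        message="Subject: 1\n\n1")

if __name__ == "__main__":
    for rcpt, (code, text) in demo().items():
        print(f"{rcpt}: {code} {text}")
```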
On Tue, 23 Jun 2015, lejeczek wrote:
On 23/06/15 09:32, Steffen Kaiser wrote:
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:43, Steffen Kaiser wrote:
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 09:16, lejeczek wrote:
to=<me@my.domain>,orig_to=<root@localhost>, relay=dovecot, delay=39296, delays=39294/2.2/0/0.27, dsn=4.3.0, status=deferred (temporary failure)
and dovecot logs no error, despite having debug to yes in couple of places, it shows:
auth: Debug: master in: USER 1 me@my.domain service=lda
auth-worker(25343): Debug: passwd(me@my.domain): lookup
auth-worker(25343): passwd(me@my.domain): unknown user
auth: Debug: ldap(me@my.domain): user search: base=ou=People,dc=my,dc=domain scope=subtree filter=(&(objectClass=person)(uid=me)) fields=
auth: Debug: ldap(me@my.domain): result: objectClass=top,top,top,top,
... here goes the whole lot of ldap atrribs, and at the end:
unused.
For passdb & userdb in the configs I only configure ldap backed, nothing else. Ldap works, I can query it without failing. I believe it's a very simple set up but I must be wrong somewhere.

pass_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=user=%n,userPassword=password

Use either uid=user or =user=%n but not uid=user=%n. I would use uid=user, so the user cannot specify the case of the username.

user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))

even stranger, if I use (along with ldap in the configs):
Please post:
complete doveconf -n and the complete LDAP config being referenced by the config.
userdb {
  driver = static
  args = uid=vmail gid=mail home=/var/spool/mail/%d/%n mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n sieve_storage=/var/spool/mail/%d/%n/SIEVE sieve=/var/spool/mail/%d/%n/dovecot.sieve
}

dovecot starts to core dump:
auth: Fatal: master: service(auth): child 9188 killed with signal 11 (core dumped)
the same error with: doveadm user me@my.domain
so it must be userdb, right?

No, you've authenticated before and some data are now in the auth cache, which are used by the userdb, too.

You do not have any system users, right? Then remove the passwd userdb and pam passdb.

Did you remove the "uid=user=%n" from pass_attrs?
There might be fixes since 2.2.10:
changeset:   18538:d3332ee1d26a
user:        Timo Sirainen <tss@iki.fi>
date:        Thu May 07 17:18:44 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Added assert to make sure previous change is correct.

changeset:   18537:8a3da4ef590f
user:        Timo Sirainen <tss@iki.fi>
date:        Thu May 07 11:27:55 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Fixed credentials lookups via auth-workers when no actual password was returned. For example LDAP lookup with auth_bind=yes should still return any extra fields.

changeset:   18536:5dc00179dd60
user:        Timo Sirainen <tss@iki.fi>
date:        Thu May 07 11:21:33 2015 +0300
files:       src/auth/passdb-ldap.c
description:
ldap auth: If password is already verified (e.g. master user login), skip LDAP auth binding. This happens only if auth_bind_userdn isn't set, i.e. it only makes sense if the LDAP DN lookup also returns some extra fields.

changeset:   18402:635f9c7d5991
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Apr 13 20:38:10 2015 +0300
files:       src/auth/auth-request.c
description:
auth: If passdb/userdb changes the username, add the changed username also to the cache.

changeset:   18401:08b2f79e8212
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Apr 13 20:37:48 2015 +0300
files:       src/auth/auth-request.c
description:
auth: Setting userdb fields from cache didn't set handle any special fields. The special fields were relatively rarely used though.

changeset:   18364:3546457ae3fb
user:        Timo Sirainen <tss@iki.fi>
date:        Tue Mar 17 17:30:33 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Crashfixes for earlier changes. Hopefully works correctly now

changeset:   18363:a4acf88b0c91
user:        Timo Sirainen <tss@iki.fi>
date:        Tue Mar 17 10:49:20 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Fixed crash when handling invalid SSL option.

changeset:   18362:870cb73e5960
user:        Timo Sirainen <tss@iki.fi>
date:        Tue Mar 17 09:58:03 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h
description:
auth ldap: Fixed assert-crash when both passdb ldap and userdb ldap was used

changeset:   18361:0a17875f0ece
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Mar 16 23:25:34 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h src/auth/passdb-ldap.c src/auth/userdb-ldap.c
description:
auth ldap: Start LDAP connection only after auth process initialization is finished. This way even if connecting to LDAP takes a while it won't cause the master process to kill the auth process due to it not sending the startup "I'm ok" notification early enough.

changeset:   18360:d9a0d4f4f4b6
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Mar 16 23:21:05 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Make sure config file path is included in all fatal error messages.

changeset:   18359:ec2e7ae958c5
user:        Timo Sirainen <tss@iki.fi>
date:        Mon Mar 16 23:17:39 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: If any tls_* settings are given when they're not supported, fail with fatal instead of just warning. These may be important for intended security, especially tls_cipher_suite. We shouldn't allow setting them and then somewhat silently just ignore them.
....
-- Steffen Kaiser
On 23/06/15 13:10, Steffen Kaiser wrote:
No, you've authenticated before and some data are now in the auth cache, which are used by the userdb, too.

You do not have any system users, right? Then remove the passwd userdb and pam passdb.

Did you remove the "uid=user=%n" from pass_attrs?

This is freaking weird, and wrong! If I do not configure pam nor passwd and no userdb+static, then ...ldap works.

I do use, well I'm trying to use, pam for system users which are not in passwd. PAM gets those system users from LDAP, uid > 1000. I wonder if it's possible to have pam auth+lookup for users constructed this way: systemuser@local.domain?
On Tue, 23 Jun 2015 14:02:53 +0100, lejeczek stated:
This is freaking weird, and wrong! If I do not configure pam nor passwd and no userdb+static, then ...ldap works.

I do use, well I'm trying to use, pam for system users which are not in passwd. PAM gets those system users from LDAP, uid > 1000. I wonder if it's possible to have pam auth+lookup for users constructed this way: systemuser@local.domain?
I think you posted your "dovecot -n" and LDAP configuration; however, this thread has gone on so long untrimmed, that I am now completely lost.
I assume you have shutdown and restarted these applications after making configuration changes? Sometimes that is the only way to make them work.
-- Jerry
On 23/06/15 14:13, Jerry wrote:
On Tue, 23 Jun 2015 14:02:53 +0100, lejeczek stated:
This is freaking weird, and wrong! If I do not configure pam nor passwd and no userdb+static, then ...ldap works.

I do use, well I'm trying to use, pam for system users which are not in passwd. PAM gets those system users from LDAP, uid > 1000. I wonder if it's possible to have pam auth+lookup for users constructed this way: systemuser@local.domain?

I think you posted your "dovecot -n" and LDAP configuration; however, this thread has gone on so long untrimmed, that I am now completely lost.

I assume you have shutdown and restarted these applications after making configuration changes? Sometimes that is the only way to make them work.

Right, I think I'm closer. I have one more question, but I'll start a new post in the end.
On 22/06/15 09:16, lejeczek wrote:
I wonder could there be some kind of collision between user/passdbs, even though I do not configure anything but ldap, when I do:
#doveadm user me me@my.domain
field value
uid 1177
gid 513
home /home/me
mail maildir:/var/spool/mail/my.domain/me/Maildir
system_groups_user me

uid vmail
gid
home /var/spool/mail/my.domain/me
mail maildir:/var/spool/mail/my.domain/me/Maildir:INDEX=/var/spool/mail/my.domain/me:CONTROL=/var/spool/mail/my.domain/me
I understand that it's dovecot trying something else than just ldap? Or not a collision, and these would be two separate, different users?
On Monday, 22.06.2015, 10:05 +0100, lejeczek wrote:
I wonder could there be some kind of collision between user/passdbs, even though I do not configure anything but ldap, when I do:
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/ldap-passdb-my.domain.conf
  driver = ldap
}
Check your whole dovecot config. You have an active PAM passdb lookup and an ldap lookup.
On 22/06/15 15:34, Felix Zielcke wrote:
On Monday, 22.06.2015, 10:05 +0100, lejeczek wrote:
I wonder could there be some kind of collision between user/passdbs, even though I do not configure anything but ldap, when I do:
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/ldap-passdb-my.domain.conf
  driver = ldap
}
Check your whole dovecot config. You have an active PAM passdb lookup and an ldap lookup.
I assume that all backends are ON by default, even though they are not in the configs? Is it possible to completely disable a backend?
On Mon, 22 Jun 2015, lejeczek wrote:
On 22/06/15 15:34, Felix Zielcke wrote:
On Monday, 22.06.2015, 10:05 +0100, lejeczek wrote:
I wonder could there be some kind of collision between user/passdbs, even though I do not configure anything but ldap, when I do:
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/ldap-passdb-my.domain.conf
  driver = ldap
}
Check your whole dovecot config. You have an active PAM passdb lookup and an ldap lookup.
I assume that all backends are ON by default, even though they are not in the configs? Is it possible to completely disable a backend?
Check out 10-auth.conf and comment out:
#!include auth-system.conf.ext
auth-system.conf.ext enables passwd.
Steffen Kaiser
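The check Felix and Steffen are pointing at, as an added example that is not code from the thread or from Dovecot: a short Python script that reads text in the shape of "doveconf -n" output and lists every passdb and userdb block with its driver, so a system backend pulled in by auth-system.conf.ext shows up next to the LDAP one you actually configured. The sample configuration is constructed for the demonstration; only the ldap args path is taken from the thread, and the SYSTEM_DRIVERS set is this example's own classification.

```python
"""Audit which passdb/userdb backends a Dovecot configuration really enables.

Added example, not code from the thread or from Dovecot: it parses text in
the shape of `doveconf -n` output and lists every passdb/userdb block with
its driver.  A block pulled in by `!include auth-system.conf.ext` shows up
as `driver = pam` or `driver = passwd` beside the LDAP backend you meant.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in doveconf -n layout.  The ldap args path is the one
# quoted in the thread; everything else is assumed for the demonstration.
SAMPLE_DOVECONF_N = """\
# 2.2.10: /etc/dovecot/dovecot.conf
auth_debug = yes
auth_verbose = yes
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/ldap-passdb-my.domain.conf
  driver = ldap
}
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/ldap-userdb-my.domain.conf
  driver = ldap
}
"""

# Drivers that consult the local system rather than the directory
# (this example's own classification).
SYSTEM_DRIVERS = {"pam", "passwd", "shadow"}

_BLOCK_START = re.compile(r"^(passdb|userdb)\s*\{$")
_KEY_VALUE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*?)$")


def parse_auth_backends(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {'passdb': [...], 'userdb': [...]}, one settings dict per block,
    in the order Dovecot will consult them."""
    backends: Dict[str, List[Dict[str, str]]] = {"passdb": [], "userdb": []}
    kind = None            # block type we are inside, or None
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = _BLOCK_START.match(line)
        if start and kind is None:
            kind, settings = start.group(1), {}
        elif line == "}" and kind is not None:
            backends[kind].append(settings)
            kind = None
        elif kind is not None:
            kv = _KEY_VALUE.match(line)
            if kv:
                settings[kv.group(1)] = kv.group(2)
    return backends


def system_backends(backends: Dict[str, List[Dict[str, str]]]) -> List[Tuple[str, str]]:
    """(kind, driver) for every block that is a system lookup, i.e. the ones a
    pure-LDAP setup should not have."""
    return [(kind, blk.get("driver", "?"))
            for kind, blocks in backends.items()
            for blk in blocks
            if blk.get("driver") in SYSTEM_DRIVERS]


if __name__ == "__main__":
    found = parse_auth_backends(SAMPLE_DOVECONF_N)
    for kind, blocks in found.items():
        for blk in blocks:
            print(f"{kind}: driver={blk.get('driver')} args={blk.get('args', '-')}")
    for kind, driver in system_backends(found):
        print(f"extra system lookup: {kind} driver={driver} (check the !include lines in 10-auth.conf)")
```

Run it against the real output of doveconf -n instead of the constructed sample to see the effective list; the order of the blocks is the order Dovecot tries them in, which is why a PAM or passwd block before the LDAP one matters.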
On 22/06/15 09:16, lejeczek wrote:
[...]
Strange thing is that IMAP clients authenticate just fine. The only problems are when sending messages with smtp/postfix.
On 22.06.2015 at 18:21, lejeczek wrote:
On 22/06/15 09:16, lejeczek wrote:
[...]
Strange thing is that IMAP clients authenticate just fine. The only problems are when sending messages with smtp/postfix.
I had a similar problem. Turned out that when the message comes from Postfix, the identifier is an email address (surprise ;) and not a username, so my LDAP query looks similar to this:
user_filter = (&(objectClass=person)(|(uid=%u)(email=%u)))
Anyway, when you set auth_verbose=yes and auth_debug=yes in 10-logging.conf, you'll see the exact LDAP query.
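The identifier difference Daniel describes, worked through as an added example that is not from the thread or from Dovecot's own code: a small Python routine expands the %u/%n/%d variables of a filter template the way the thread's filters use them and applies RFC 4515 escaping to each substituted value. It shows which LDAP query a lookup for me@my.domain or for a bare "me" turns into under the thread's user_filter and under Daniel's alternative, and that a username containing filter metacharacters cannot change the shape of the query. The variable meanings (%u full name, %n local part, %d domain) follow Dovecot's documented semantics; the escape table and helper names are this example's own.

```python
"""Expand Dovecot-style %u / %n / %d variables into an LDAP filter.

Added example, not code from the thread or from Dovecot.  It shows the
filter a userdb/passdb lookup produces for the LDA's identifier
"me@my.domain" versus the bare IMAP login name "me", and applies
RFC 4515 escaping to every substituted value so that a name containing
'*', '(', ')' or '\\' cannot alter the structure of the filter.
"""
import re
from typing import Dict

# RFC 4515 escape table for characters that are special inside a filter
# assertion value (this example's own table).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP filter assertion."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def dovecot_vars(user: str) -> Dict[str, str]:
    """%u = the name as given, %n = part before '@', %d = domain ('' if none)."""
    name, sep, domain = user.partition("@")
    return {"u": user, "n": name, "d": domain if sep else ""}


def expand_filter(template: str, user: str) -> str:
    """Substitute %u/%n/%d in a Dovecot filter template, escaping each value."""
    values = dovecot_vars(user)
    return re.sub(r"%([und])", lambda m: ldap_escape(values[m.group(1)]), template)


# The two filters discussed in the thread.
THREAD_USER_FILTER = "(&(objectClass=person)(uid=%n))"
ALT_USER_FILTER = "(&(objectClass=person)(|(uid=%u)(email=%u)))"


if __name__ == "__main__":
    for ident in ("me@my.domain", "me"):
        print(f"{ident!r:16} -> {expand_filter(THREAD_USER_FILTER, ident)}")
        print(f"{ident!r:16} -> {expand_filter(ALT_USER_FILTER, ident)}")
    # A hostile login name stays a literal value, not extra filter syntax.
    print(expand_filter("(uid=%n)", "*)(uid=*"))
```

With the thread's filter both identifiers reduce to (uid=me), so the query itself is not what differs between the IMAP and the LDA lookup; with the %u variant the full address has to exist in the directory attribute you name, which is the case Daniel hit.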
On 23/06/15 08:19, Daniel Tröder wrote:
On 22.06.2015 at 18:21, lejeczek wrote:
On 22/06/15 09:16, lejeczek wrote:
[...]
Strange thing is that IMAP clients authenticate just fine. The only problems are when sending messages with smtp/postfix.
I had a similar problem. Turned out that when the message comes from Postfix, the identifier is an email address (surprise ;) and not a username, so my LDAP query looks similar to this:
user_filter = (&(objectClass=person)(|(uid=%u)(email=%u)))
Anyway, when you set auth_verbose=yes and auth_debug=yes in 10-logging.conf, you'll see the exact LDAP query.
Yes, I've seen all the queries in my logs. The thing is that all this time I was able to ldapsearch that query successfully. When SMTP sends, this gets into the logs:
auth: Debug: ldap(me@my.domain): pass search: base=ou=my.domain,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=me)(mail=me@my.domain))) fields=uid,userPassword
auth: Debug: ldap(me@my.domain): result: uid=me userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me@my.domain): result: uid=me userPassword=<hidden>
auth: Fatal: master: service(auth): child 11831 killed with signal 11 (core dumped)
and dovecot is:
2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-229.4.2.el7.x86_64 x86_64 Scientific Linux release 7.1 (Nitrogen) xfs