[Dovecot] Dovecot LDAP issue
Dovecot version: 2.0.19
grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf
hosts = server.domain.tld:389
ldap_version = 3
auth_bind = yes
dn = vmail@domain.tld
dnpass = somepassword
base = ou=testou,dc=domain,dc=tld
scope = subtree
deref = never
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir
I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
Sender address rejected: User unknown in virtual mailbox table> #SMTP#.
I'm assuming this happens because dovecot is not able to look up that user since that user is outside the testou container. A lot of the AD users are in different places inside the AD structure and I need to be able to configure dovecot to look from the root of the AD structure down. I changed the base to this:
base = dc=domain,dc=tld
but it simply fails to lookup any users at that point.
How would I go about getting dovecot to start at the top of the domain and look at every nested OU within AD?
thanks a lot
D
On 04/ 7/14 01:46 PM, Deeztek Support wrote:
> I'm authenticating users through AD and it seems to work with no problems. Unfortunately, when I try to send e-mail from a user who's not in the testou container I get the following error:
> Sender address rejected: User unknown in virtual mailbox table> #SMTP#.
Looks like a Postfix error, not Dovecot.
On 4/7/2014 2:08 PM, Oscar del Rio wrote:
> Looks like a Postfix error, not Dovecot.
I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.
7.04.2014 20:43, Deeztek Support:
> I don't think so. Postfix already looks from the root of the AD down and it has no problems. Dovecot does not authenticate at all if I simply put the AD root in the ldap configuration file.
"User unknown in virtual mailbox table" is what *postfix* tells you. Dovecot does not do SMTP (yet). Thus, I suppose that dovecot doesn't get involved at all (although this depends on your configuration).
I recommend checking the restrictions you defined in your postfix configuration.
Kind regards, Christian Schmidt
On 4/7/2014 4:42 PM, Christian Schmidt wrote:
> "User unknown in virtual mailbox table" is what *postfix* tells you. Dovecot does not do SMTP (yet). Thus, I suppose that dovecot doesn't get involved at all (although this depends on your configuration).
> I recommend checking the restrictions you defined in your postfix configuration.
The reason I think it's Dovecot generating the error is because when the IP address of the sending server is not in the mynetworks directive of postfix I get the following error:
Sender address rejected: not logged in> #SMTP#
When I do add the address of the sending server in mynetworks in postfix, the email gets delivered. However, when that person tries to reply to that email, they get the following error:
user unknown. Command output: doveconf:
I realize that's a different error from my original message; I don't remember exactly what I did so I can duplicate the previous error, but the problem still persists. Dovecot is not able to look up the recipient from AD because the recipient is in a different container. I simply need to find out how to get Dovecot to do LDAP lookups from the domain root. When I set the domain root in "base =", dovecot stops doing LDAP lookups and it doesn't work at all.
On 07.04.2014 23:47, Deeztek Support wrote:
> The reason I think it's Dovecot generating the error is because when the IP address of the sending server is not in the mynetworks directive of postfix I get the following error
Why in the world do you strip logs?
syslog even contains the process that generates an entry, so there is not much to guess if you *really* look at the log.
On 4/7/2014 6:13 PM, Reindl Harald wrote:
> Why in the world do you strip logs?
> syslog even contains the process that generates an entry, so there is not much to guess if you *really* look at the log.
I'm not stripping any logs. The error I put is from the bounce message. The syslog says the following:
Apr 7 17:39:39 ewa postfix/pipe[7134]: E35AE860B26: to=<someone@domain.tld>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output:
So mystery solved, it really is dovecot generating the error.
Question remains, can someone please tell me how to get Dovecot to do LDAP lookups from the AD root?
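To make Reindl's point concrete, here is an added example (not code from the thread): a small Python parser that reads syslog lines of the kind quoted above, pulls out the program that logged them and Postfix's key=value fields, and attributes a "user unknown" either to the Dovecot LDA (postfix/pipe with relay=dovecot) or to Postfix's own virtual mailbox lookup (smtpd). The second sample line, the host name, queue ids and addresses are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first line is the postfix/pipe entry quoted in the thread
# (cut off at "Command output:" there too); the second is a constructed postfix/smtpd
# rejection of the kind first reported. Host, queue id and addresses are placeholders.
SAMPLE_LOG = """\
Apr 7 17:39:39 ewa postfix/pipe[7134]: E35AE860B26: to=<someone@domain.tld>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output:
Apr 7 17:40:02 ewa postfix/smtpd[7201]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <nobody@domain.tld>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<nobody@domain.tld> proto=ESMTP helo=<mail.example.net>
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}|NOQUEUE): (?P<rest>.*)$")
# key=value fields separated by ", "; the last value (status=...) may itself contain commas.
KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into timestamp, host, program, pid and message; for
    postfix lines also pull out the queue id and the key=value fields."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    q = QUEUE_RE.match(rec["msg"])
    if q:
        rec["qid"] = q.group("qid")
        rec.update(dict(KV_RE.findall(q.group("rest"))))
    return rec


def attribute(rec: Dict[str, str]) -> str:
    """Name the component that produced the failure. The program field says which
    postfix daemon logged it; for postfix/pipe the relay= field names the transport,
    so relay=dovecot plus status=bounced is the Dovecot LDA failing its userdb lookup."""
    prog = rec.get("prog", "")
    if prog == "postfix/pipe" and rec.get("relay") == "dovecot" \
            and rec.get("status", "").startswith("bounced"):
        return "dovecot-lda: userdb lookup failed (check user_filter/base in dovecot-ldap.conf)"
    if prog == "postfix/smtpd" and "virtual mailbox table" in rec.get("msg", ""):
        return "postfix smtpd: recipient not in virtual_mailbox_maps (Postfix-side lookup)"
    return "unclassified"


def classify_log(text: str) -> List[Tuple[str, str]]:
    """Return (queue id, attribution) for every parseable line of a log excerpt."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            out.append((rec.get("qid", "-"), attribute(rec)))
    return out


if __name__ == "__main__":
    for qid, who in classify_log(SAMPLE_LOG):
        print(qid, "->", who)
```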
On Mon, 7 Apr 2014, Deeztek Support wrote:
> I'm not stripping any logs. The error I put is from the bounce message. The syslog says the following:
> Apr 7 17:39:39 ewa postfix/pipe[7134]: E35AE860B26: to=<someone@domain.tld>, relay=dovecot, delay=0.02, delays=0/0/0/0.01, dsn=5.1.1, status=bounced (user unknown. Command output:
> So mystery solved, it really is dovecot generating the error.
> Question remains, can someone please tell me how to get Dovecot to do LDAP lookups from the AD root?
The primary question is: Does

ldapsearch -H ldap://server.domain.tld:389 \
    -b dc=domain,dc=tld -D ... -W \
    '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

return the user?
How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
Steffen Kaiser
On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
> The primary question is: Does
>
> ldapsearch -H ldap://server.domain.tld:389 \
>     -b dc=domain,dc=tld -D ... -W \
>     '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
>
> return the user?
yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.
> How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
Dovecot is able to authenticate with active directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:
base = ou=testou,dc=domain,dc=tld
I set it to:
base = dc=domain,dc=tld
so it can lookup all users in the entire domain
then dovecot stops authenticating with AD altogether
On Tuesday 08 April 2014 05:36:51 Deeztek Support wrote:
> I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
> Dovecot is able to authenticate with active directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:
> base = ou=testou,dc=domain,dc=tld
> I set it to:
> base = dc=domain,dc=tld
> so it can lookup all users in the entire domain
> then dovecot stops authenticating with AD altogether
As I already said, authentication is one thing and delivery is another thing. This filter probably receives a different value for %u when delivering (possibly the mail address or the user part of it, depending on your master.cf). You can use an | in the LDAP filter to accommodate that; it's ugly, but it works.
-- Mihai Bădici http://mihai.badici.ro
On 4/8/2014 6:12 AM, Mihai Badici wrote:
> As I already said, authentication is one thing and delivery is another thing. This filter probably receives a different value for %u when delivering (possibly the mail address or the user part of it, depending on your master.cf). You can use an | in the LDAP filter to accommodate that; it's ugly, but it works.
In this particular setup the "%u" variable will encompass the username as well as the email address as they are the same. Unless I'm not understanding what you mean.
On Tue, 8 Apr 2014, Deeztek Support wrote:
> On 4/8/2014 2:18 AM, Steffen Kaiser wrote:
>> The primary question is: Does
>>
>> ldapsearch -H ldap://server.domain.tld:389 \
>>     -b dc=domain,dc=tld -D ... -W \
>>     '(&(userPrincipalName=<<user>>)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
>>
>> return the user?
> yes it does. The authentication with AD works as it should as long as dovecot is pointing to the right OU.
You misunderstood the vivid points of this command: a) the base DN is the one you want, but it is not working with Dovecot; b) you perform an LDAP search in the local DC, not in the Global Catalog; c) that you've authenticated correctly is just a side effect to know.
>> How many domain controllers do you have in the AD? Which of them holds which domains? See http://technet.microsoft.com/en-us/library/cc978012.aspx
> I have one domain controller and there is only one domain. I think we are getting off track here. There is no problem with authentication. Maybe I need to be more clear.
> Dovecot is able to authenticate with active directory as long as the "base = " parameter in "/etc/dovecot/dovecot-ldap.conf" is pointing to the OU that the dovecot users are in. However, I have another OU where my Exchange users are. So, when I try to send email from a dovecot user to an Exchange user, dovecot throws the error "user unknown" because it's not able to find the Exchange user since it's in a different OU. When I set the "base =" parameter in "/etc/dovecot/dovecot-ldap.conf" to the domain root, i.e. instead of having it say:
> base = ou=testou,dc=domain,dc=tld
> I set it to:
> base = dc=domain,dc=tld
> so it can lookup all users in the entire domain
> then dovecot stops authenticating with AD altogether
As the page points out, there are differences between LDAP and GC search in the sense of what results are found.
See: http://wiki2.dovecot.org/AuthDatabase/LDAP
"Active Directory
When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx "
The ldapsearch is to verify that your AD searches more than one OU at all.
Steffen Kaiser
On Monday 07 April 2014 13:46:20 Deeztek Support wrote:
> Dovecot version: 2.0.19
> grep -v '^ *\(#.*\)\?$' /etc/dovecot/dovecot-ldap.conf
> hosts = server.domain.tld:389
> ldap_version = 3
> auth_bind = yes
> dn = vmail@domain.tld
> dnpass = somepassword
> base = ou=testou,dc=domain,dc=tld
> scope = subtree
> deref = never
> user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> pass_attrs = userPassword=password
> default_pass_scheme = CRYPT
> user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir
Your %u needs to be matched by the string postfix sends to dovecot (check your master.cf). As I said in a previous post, this filter is invoked from two parts, with (possibly) different parameters: from authentication, with the username of the client, and from delivery, with usually the e-mail address or whatever you set in postfix. IMHO it is a bad design, but it works as is.
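As an added example (not code from the thread or from Dovecot itself), the following Python script models what the posted dovecot-ldap.conf does with the string Dovecot is handed: it parses the config excerpt, expands the %u, %n and %d variables (and the L lowercase modifier) that user_filter and user_attrs use, escapes filter values per RFC 4515 so a crafted login cannot alter the filter, and builds the "|" form of the filter that Mihai suggests. The config excerpt, the sample logins and the fallback domain are assumptions; the script does not contact a directory.

```python
import re
from typing import Dict

# Constructed excerpt of dovecot-ldap.conf using the settings posted in the thread
# (domain and host are the thread's own placeholders, not real values).
LDAP_CONF = """\
hosts = server.domain.tld:389
auth_bind = yes
base = dc=domain,dc=tld
scope = subtree
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir
"""

VAR_RE = re.compile(r"%(?P<mod>L?)(?P<var>[und])")
# RFC 4515 escaping for values placed inside a search filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the 'key = value' lines of dovecot-ldap.conf, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def ldap_escape(value: str) -> str:
    return "".join(FILTER_ESCAPES.get(c, c) for c in value)


def expand(template: str, user: str, in_filter: bool = False) -> str:
    """Expand the variables the posted config uses: %u full user string, %n the part
    before '@', %d the domain; the L modifier lowercases. Values substituted into a
    filter are escaped so a login containing ')' or '*' cannot change its structure."""
    name, _, domain = user.partition("@")
    values = {"u": user, "n": name, "d": domain}

    def sub(m):
        v = values[m.group("var")]
        if m.group("mod") == "L":
            v = v.lower()
        return ldap_escape(v) if in_filter else v
    return VAR_RE.sub(sub, template)


def delivery_filter(conf: Dict[str, str], fallback_domain: str) -> str:
    """Mihai's '|' suggestion in code: also accept a bare local part (as postfix may hand
    it to the LDA) by OR-ing a term that appends an assumed fallback domain."""
    upn = "(userPrincipalName=%u)"
    alt = f"(|{upn}(userPrincipalName=%n@{fallback_domain}))"
    return conf["user_filter"].replace(upn, alt, 1)


if __name__ == "__main__":
    conf = parse_conf(LDAP_CONF)
    for login in ("JDoe@Domain.tld", "jdoe"):  # auth login vs. bare local part at delivery
        print(expand(conf["user_filter"], login, in_filter=True))
        print(expand(delivery_filter(conf, "domain.tld"), login, in_filter=True))
        print(expand(conf["user_attrs"], login))
```

Running it with the bare local part shows the second half of Mihai's point: %Ld expands to nothing, so the home path collapses to /var/vmail/vmail1//jdoe/Maildir/ unless user_attrs is adjusted as well as the filter.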