a temporary failure

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Tue Jun 23 08:32:54 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 22 Jun 2015, lejeczek wrote:
> On 22/06/15 09:43, Steffen Kaiser wrote:
>> On Mon, 22 Jun 2015, lejeczek wrote:
>>> On 22/06/15 09:16, lejeczek wrote:
>>>> 
>>>> to=<me at my.domain>,orig_to=<root at localhost>, relay=dovecot, delay=39296, 
>>>> delays=39294/2.2/0/0.27, dsn=4.3.0, status=deferred (temporary failure)
>>>> 
>>>> and dovecot logs no error, despite having debug to yes in couple of 
>>>> places,
>>>> it shows:
>>>> 
>>>> auth: Debug: master in: USER    1    me at my.domain service=lda
>>>> auth-worker(25343): Debug: passwd(me at my.domain): lookup
>>>> auth-worker(25343): passwd(me at my.domain): unknown user
>>>> auth: Debug: ldap(me at my.domain): user search: 
>>>> base=ou=People,dc=my,dc=domain scope=subtree 
>>>> filter=(&(objectClass=person)(uid=me)) fields=
>>>> auth: Debug: ldap(me at my.domain): result: objectClass=top,top,top,top,
>>>> 
>>>> ... here goes the whole lot of ldap attribs, and at the end:
>>>> 
>>>> unused.
>>>> 
>>>> For passdb & userdb in the configs I only configure ldap backed, nothing 
>>>> else. Ldap works, I can query it without failing.
>>>> I believe it's a very simple setup but I must be wrong somewhere.
>>>> 
>>>> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>>>> pass_attrs = uid=user=%n,userPassword=password
>> 
>> Use either uid=user or =user=%n but not uid=user=%n. I would use 
>> uid=user, so the user cannot specify the case of the username.
>> 
>>>> user_attrs = 
>>>> =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>>> user_filter = (&(objectClass=person)(uid=%n))
>>>> 
>>> even stranger, if I use (along with ldap in configs):
>> 
>> Please post:
>> 
>> complete doveconf -n
>> and the complete LDAP config being referenced by the config.
>> 
>>> userdb {
>>>  driver = static
>>>  args = uid=vmail gid=mail home=/var/spool/mail/%d/%n 
>>> mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n 
>>> sieve_storage=/var/spool/mail/%d/%n/SIEVE 
>>> sieve=/var/spool/mail/%d/%n/dovecot.sieve
>>> }
>>> 
>>> dovecot starts to core dump:
>>> 
>>> auth: Fatal: master: service(auth): child 9188 killed with signal 11 (core 
>>> dumped)
>
> auth_debug = yes

The first lines should be something like this:

# 2.2.18 (8906101589f9): /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (3df7e50f986d)
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10

What version are you using?

> auth_mechanisms = login
> auth_verbose = yes
> first_valid_uid = 999
> mail_debug = yes
> mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character 
> vacation subaddress comparator-i;ascii-numeric relational regex imap4flags 
> copy include variables body enotify environment mailbox date ihave
> mbox_write_locks = fcntl
> namespace inbox {
>  inbox = yes
>  location =
>  mailbox Drafts {
>    special_use = \Drafts
>  }
>  mailbox Junk {
>    special_use = \Junk
>  }
>  mailbox Sent {
>    special_use = \Sent
>  }
>  mailbox "Sent Messages" {
>    special_use = \Sent
>  }
>  mailbox Trash {
>    special_use = \Trash
>  }
>  prefix =
> }
> passdb {
>  driver = pam
> }

Did you remove or comment out the line:

10-auth.conf:#!include auth-system.conf.ext

?

> passdb {
>  args = /etc/dovecot/ldap-passdb-my.domain.conf
>  driver = ldap
> }
> plugin {
>  sieve = ~/.dovecot.sieve
>  sieve_dir = ~/sieve
>  sieve_storage = SIEVE
> }
> protocols = imap sieve
> service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    group = mail
>    mode = 0660
>    user = vmail
>  }
>  unix_listener auth-userdb {
>    group = mail
>    mode = 0660
>    user = vmail
>  }
> }
> service imap-login {
>  inet_listener imap {
>    port = 143
>  }
>  inet_listener imaps {
>    port = 993
>  }
> }
> ssl = required
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> ssl_key = </etc/pki/dovecot/private/dovecot.pem
> userdb {
>  driver = passwd
> }
> userdb {
>  args = /etc/dovecot/ldap-userdb-my.domain.conf
>  driver = ldap
> }
> protocol lmtp {
>  mail_plugins = " sieve"
> }
> protocol lda {
>  mail_plugins = " sieve"
> }
>
> #ldap-passdb
> hosts = localhost
> uris = ldap://localhost:389/
> ldap_version = 3
> base = ou=People,dc=my,dc=domain
> dn = cn=Manager,dc=my,dc=domain
> dnpass = my.pass
> auth_bind = no
> pass_attrs = uid=%n,userPassword=password

uid=%n makes no sense. Please use just:

pass_attrs = userPassword=password

> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>
>
> #ldap-userdb
> hosts = localhost
> uris = ldap://localhost:389/
> ldap_version = 3
> base = ou=People,dc=my,dc=domain
> dn = cn=Manager,dc=my,dc=domain
> dnpass = my.pass
> auth_bind = no
> user_attrs = 
> =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
> user_filter = (&(objectClass=person)(uid=%n))
> default_pass_scheme = SSHA
>
> It cannot be postfix if it relays and dovecot gets these relays. Can it be?

I have tried your config with the above-mentioned version, with LDAP as the only 
passdb and userdb and these LDAP settings:

hosts = localhost
auth_bind = yes
base = <baseDN>
deref = searching
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=fhMailAlias)(uid=%n))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
iterate_filter = (objectClass=fhMailAlias)

Note the pass_attrs. Then I submitted a new message with:

socat stdin UNIX:/var/run/dovecot2.2/lmtp
LHLO loc
mail from:<me at example.com>
rcpt to:<other at example.com>
data
Subject: 1

1
.

successfully. Maildir was created and message spooled to 
/var/spool/mail/example.com/other/Maildir. Then I logged in via IMAP 
successfully as well.

I also tried the other order: reload Dovecot to flush any caches, log in 
via IMAP and submit via LMTP.

You should however note the following:

Both filters treat the users "me at example.com" and "me at localhost.localdomain" 
as the same user, because they match the same LDAP item (uid=%n); however, 
the directories of the users _should_ differ, but they won't as long as 
the user's information is cached in the auth cache.

That means:

doveadm auth cache flush
doveadm user me at example.net
doveadm user me at example.com

returns the data for me at example.net in both cases and

doveadm auth cache flush
doveadm user me at example.com
doveadm user me at example.net

returns the data for me at example.com in both cases.

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVYkZtnz1H7kL/d9rAQIZEQf6AsT93VQg1bvF+kla4q9m/0cFlZpAEzDl
t4V1XwiYUENBCCvXuxKpY1QvKCKVwryS+GUbPh0eP0t+Rjl6bOT1wP4qwkOlRIkN
V6kmx6sBabdObTUgI1kl07ss2vt0MVzjFh5WDRPz6Z/UzKRIGkuphzksVle14GDG
UefgtdOYhR+Mfn0nRil2FOSFbWnMgR/9rkKEBr7Ou4vxgU7BF1nfOUA/bmc/tEF+
oMuNkq8xdsKmuN5AhbIghUr3o4DARW0KnLCo4uUJTx7BRreO651Cw4K3fwKlRyAu
Pvt4NqxAkJ2Iyu0lFc60xkN0RX+vndfqGOwfIwRYhiBIbX03Cvesaw==
=Hn9X
-----END PGP SIGNATURE-----
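The thread raises two configuration pitfalls: attribute mappings such as `uid=user=%n` or a bare `uid=%n` in `pass_attrs`, and a `user_filter` that selects on `%n` only while `user_attrs` builds paths from `%d`, so users with the same local part in different domains resolve to one LDAP entry and, via the auth cache, to one set of cached userdb data. The checker below is an added example written for this page; it is not part of the thread or of Dovecot. It parses `key = value` lines and the `ldapAttr=field=template` mapping syntax, and the sample fragments are constructed copies of the configs posted above. The heuristic for the cache problem follows Steffen's observation; it is an assumption of this example, not a statement of how Dovecot computes its cache key.

```python
"""Lint a Dovecot LDAP passdb/userdb fragment for the two pitfalls discussed
in the thread: malformed pass_attrs/user_attrs entries, and a filter that
distinguishes users by %n only while the attribute templates depend on %d."""

import re
from typing import Dict, List, Set

# Dovecot %variables: optional modifier letters (e.g. %L in %Ln), then a
# short name or a {long-name}.  Assumption: covers the forms used in the thread.
VAR_RE = re.compile(r"%[A-Z]*(?:([a-z])|\{([a-z_]+)\})")
LONG_NAMES = {"user": "u", "username": "n", "domain": "d", "service": "s"}


def variables(template: str) -> Set[str]:
    """Short variable names used in a template: '%Ln %{domain}' -> {'n', 'd'}."""
    found = set()
    for short, long in VAR_RE.findall(template):
        found.add(short or LONG_NAMES.get(long, long))
    return found


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_attrs(setting: str, value: str) -> List[str]:
    """Flag mapping entries that are malformed or that never use the LDAP value.

    Entry syntax: 'ldapAttr=field' or 'ldapAttr=field=template' or '=field=template'.
    A template may refer to the LDAP value as %$, which is legitimate.
    """
    findings = []
    for item in filter(None, (i.strip() for i in value.split(","))):
        parts = item.split("=", 2)
        ldap_attr = parts[0]
        field = parts[1] if len(parts) > 1 else ""
        template = parts[2] if len(parts) > 2 else None
        if "%" in field:
            # e.g. 'uid=%n': the field name slot holds a variable, not a field
            findings.append(f"{setting}: '{item}' maps attribute {ldap_attr!r} to a "
                            f"%variable instead of a field name")
        elif ldap_attr and template is not None and "%$" not in template:
            # e.g. 'uid=user=%n': the LDAP value is fetched but never used
            findings.append(f"{setting}: '{item}' gives both an LDAP attribute and a "
                            f"fixed template; use '{ldap_attr}={field}' or "
                            f"'={field}={template}'")
    return findings


def check_scope(kind: str, conf: Dict[str, str]) -> List[str]:
    """Flag a lookup whose filter selects by local part only while its
    attribute templates depend on the domain (cache-sharing caveat)."""
    filter_vars = variables(conf.get(f"{kind}_filter", ""))
    attr_vars = variables(conf.get(f"{kind}_attrs", ""))
    if "n" in filter_vars and not filter_vars & {"u", "d"} and attr_vars & {"u", "d"}:
        return [f"{kind}_filter selects on %n only but {kind}_attrs uses %d/%u: users "
                f"with the same local part in different domains match the same LDAP "
                f"entry and share cached data until 'doveadm auth cache flush'"]
    return []


def lint(text: str) -> List[str]:
    """Run all checks over one passdb/userdb fragment and return the findings."""
    conf = parse_config(text)
    findings: List[str] = []
    for setting in ("pass_attrs", "user_attrs"):
        if setting in conf:
            findings += check_attrs(setting, conf[setting])
    for kind in ("pass", "user"):
        findings += check_scope(kind, conf)
    return findings


# Constructed fragments modelled on the configs posted in the thread.
POSTED_PASSDB = """\
hosts = localhost
base = ou=People,dc=my,dc=domain
auth_bind = no
pass_attrs = uid=%n,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
"""

POSTED_USERDB = """\
hosts = localhost
base = ou=People,dc=my,dc=domain
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=person)(uid=%n))
"""

FIRST_PASSDB = "pass_attrs = uid=user=%n,userPassword=password\n"

if __name__ == "__main__":
    for name, text in (("passdb", POSTED_PASSDB), ("userdb", POSTED_USERDB),
                       ("first passdb", FIRST_PASSDB)):
        print(name)
        for finding in lint(text):
            print("  -", finding)
```

Run it against your own `ldap-passdb-*.conf` and `ldap-userdb-*.conf` by passing the file contents to `lint()`; note that Steffen's working userdb settings trigger the scope finding as well, which is exactly the caveat he describes at the end of his message.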

