Why does Dovecot authentication against OpenLDAP fail when using TLS encryption?

Dimitri KOPRIWA d.kopriwa at gmail.com
Thu Jun 29 13:39:08 EEST 2017


Dear Mailing list,


I have a Dovecot v2.2.9 server that authenticates against an OpenLDAP server.

I want to configure Dovecot to use TLS for LDAP authentication.

I have tried to fetch/send emails using Thunderbird:

- IMAP succeeds in fetching mail
- SMTP fails to send mail

The Dovecot server produces the following log:

    Jun 29 08:44:00 mail postfix/submission/smtpd[634]: connect from virtual.domain.com[172.16.0.1]
    Jun 29 08:44:01 mail dovecot: auth: Debug: auth client connected (pid=0)
    Jun 29 08:44:02 mail dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=172.17.0.15#011rip=172.16.0.1#011secured#011resp=<hidden>
    Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me at domain.com,172.16.0.1): bind search: base=dc=mail,dc=domain,dc=com filter=(&(objectClass=CourierMailAccount)(mail=me at domain.com))
    Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me at domain.com,172.16.0.1): no fields returned by the server
    Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me at domain.com,172.16.0.1): result:  uid missing
    Jun 29 08:44:02 mail dovecot: auth: Debug: client passdb out: OK#0111#011user=me at domain.com
    Jun 29 08:44:04 mail postfix/submission/smtpd[661]: connect from mail.node.domain-ovh.consul[172.16.0.2]
    Jun 29 08:44:04 mail postfix/submission/smtpd[661]: lost connection after CONNECT from mail.node.domain-ovh.consul[172.16.0.2]
    Jun 29 08:44:04 mail postfix/submission/smtpd[661]: disconnect from mail.node.domain-ovh.consul[172.16.0.2]
    Jun 29 08:44:07 mail dovecot: auth: Debug: auth client connected (pid=662)
    Jun 29 08:44:07 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.16.0.2, lip=172.17.0.15, TLS handshaking: Disconnected, session=<MGK6TRVTRACsEAAC>

**Note that before I switched to TLS**, the server was using a cleartext
connection to OpenLDAP and the **binding was working fine**.

I have verified the LDAP query using `ldapsearch`, and it confirmed that my
binding must have worked:

    me at dev-01:[~]: ldapsearch -x -D "cn=readonly,dc=domain,dc=com" -W -H ldap://ldap.domain.com:389 -b "dc=mail,dc=domain,dc=com" -LLL "(&(objectClass=CourierMailAccount)(mail=me at domain.com))" -ZZ homeDirectory
    Enter LDAP Password:
    dn: mail=me at domain.com,dc=mailAccount,dc=domain.com,dc=mail,dc=domain,dc=com
    homeDirectory: /var/mail


I have the following `dovecot.conf`:

    login_greeting = server ready
    mail_uid = 5000
    mail_gid = 5000
    auth_mechanisms = plain login
    # refuse PLAIN/LOGIN unless the client connection is TLS-protected (or local)
    disable_plaintext_auth = yes

    ssl_ca = </etc/postfix/ssl/cacert.pem

    # verbose auth/LDAP logging (source of the "auth: Debug:" lines above);
    # passwords themselves are kept out of the log
    auth_debug_passwords = no
    auth_debug = yes
    auth_verbose = yes


    # both the password and the user lookup use the LDAP settings in the
    # included file
    userdb {
        driver = ldap
        args = /etc/dovecot/conf.d/auth-ldap.conf.ext
    }

    passdb {
        driver = ldap
        args = /etc/dovecot/conf.d/auth-ldap.conf.ext
    }

    # plaintext IMAP/POP3 listeners disabled (port = 0); only the implicit-TLS
    # ports are open
    service imap-login {
      inet_listener imap {
        port = 0
      }
      inet_listener imaps {
        port = 993
        ssl = yes
      }
    }

    service pop3-login {
      inet_listener pop3 {
        port = 0
      }
      inet_listener pop3s {
        port = 995
        ssl = yes
      }
    }


And this is the included `/etc/dovecot/conf.d/auth-ldap.conf.ext` file:


    # SSL/TLS
    # an ldap:// URI together with tls = yes means STARTTLS on port 389
    uris            = ldap://virtual.domain.com
    # authenticate users by binding as their own DN, located via pass_filter
    auth_bind       = yes
    ldap_version    = 3
    # read-only account used for the search that locates the user's DN
    dn              = cn=readonly,dc=domain,dc=com
    dnpass          = abc
    base            = dc=mail,dc=domain,dc=com
    user_filter     = (&(objectClass=CourierMailAccount)(mail=%u))
    pass_filter     = (&(objectClass=CourierMailAccount)(mail=%u))
    user_attrs      = uidNumber=5000,gidNumber=5000,homeDirectory=home,mailbox=mail=maildir:%$/Maildir:LAYOUT=fs
    default_pass_scheme = SSHA
    tls = yes
    # directory of CA certificates used to verify the LDAP server
    # (OpenSSL hash-directory layout, not a single PEM file)
    tls_ca_cert_dir = /etc/postfix/ssl

Why does Dovecot authentication against OpenLDAP fail when I switch to TLS
encryption?


Hoping this mail will be read by somebody,

Regards,

Dimitri


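An added diagnostic script, not part of Dimitri's post or of Dovecot itself, that reproduces the posted LDAP settings outside Dovecot. The `ldapsearch` in the post was run from `dev-01` against `ldap.domain.com` with that client's default trust store, whereas Dovecot on the mail host connects to `virtual.domain.com` and trusts only what `tls_ca_cert_dir` finds in `/etc/postfix/ssl`; the probe below therefore uses the same URI, the same bind DN and the same CA directory, and makes STARTTLS mandatory. It also checks that the CA directory is in the hashed layout OpenSSL requires. Hostnames, DNs, the `LDAP_PROBE_URI`, `LDAP_BIND_PW` and `MAIL_PW` variables and the script name are placeholders mirroring the configuration above.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce Dovecot's LDAP
# STARTTLS settings with the OpenLDAP client tools and doveadm, run on the
# Dovecot host. Hostnames, paths and DNs mirror the posted config and are
# assumptions for illustration.

# OpenSSL locates CA certificates in a *directory* (Dovecot tls_ca_cert_dir,
# libldap TLS_CACERTDIR) only through entries named <subject_hash>.<n>
# (eight hex digits, a dot, a counter) as created by `openssl rehash` or
# `c_rehash`. A cacert.pem merely copied into the directory is never found and
# verification fails. Echoes the number of hashed entries and succeeds when
# there is at least one.
ca_dir_is_hashed() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
    [ "$n" -gt 0 ]
}

# Same URI, same bind account, same CA directory, mandatory STARTTLS (-ZZ) and
# strict certificate checking, so a trust or handshake problem shows up as an
# ldapsearch error instead of an opaque failure inside Dovecot. "1.1" asks for
# no attributes; only the bind and the TLS negotiation are exercised.
ldap_starttls_probe() {
    uri=$1 binddn=$2 bindpw=$3 base=$4 cadir=$5
    LDAPTLS_CACERTDIR=$cadir LDAPTLS_REQCERT=demand \
        ldapsearch -x -ZZ -H "$uri" -D "$binddn" -w "$bindpw" \
                   -b "$base" -s base -LLL 1.1
}

# Drive Dovecot's own passdb and userdb through the auth socket; the
# "ldap(...)" Debug lines in the log originate from these two lookups.
dovecot_auth_probe() {
    user=$1 password=$2
    doveadm auth test -x service=smtp "$user" "$password"
    doveadm user "$user"
}

# The live checks run only when LDAP_PROBE_URI is set, so the file can be
# sourced for its functions without touching the network.
if [ -n "${LDAP_PROBE_URI:-}" ]; then
    cadir=/etc/postfix/ssl
    if ! ca_dir_is_hashed "$cadir" >/dev/null; then
        echo "$cadir has no hashed CA entries; run: openssl rehash $cadir" >&2
    fi
    ldap_starttls_probe "$LDAP_PROBE_URI" "cn=readonly,dc=domain,dc=com" \
        "${LDAP_BIND_PW:?set LDAP_BIND_PW}" "dc=mail,dc=domain,dc=com" "$cadir"
    dovecot_auth_probe "me@domain.com" "${MAIL_PW:?set MAIL_PW}"
fi
```

Run it on the Dovecot host as `LDAP_PROBE_URI=ldap://virtual.domain.com LDAP_BIND_PW=... MAIL_PW=... sh ldap-tls-check.sh`. Because `tls_ca_cert_dir`, like libldap's `TLS_CACERTDIR`, is an OpenSSL hash directory, a `cacert.pem` placed in `/etc/postfix/ssl` is not enough on its own: either hash the directory with `openssl rehash` (or `c_rehash`) or point Dovecot's `tls_ca_cert_file` at the PEM file instead. If the probe still fails, adding `-d 1` to the `ldapsearch` call prints the TLS negotiation and the certificate verification result.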