dovecot 2 samba ad-dc
mj
lists at merit.unu.edu
Thu Feb 20 09:58:20 EET 2020
Hi,
No expert, but:
We always use the postmap utility to check that the right mailboxes are
actually found on the Postfix side:
postmap -q test@test.loc ldap:/etc/postfix/ldap-config.cf
That only exercises Postfix's own LDAP map, though. Your maillog shows Postfix
already handing the message to the "dovecot" pipe transport, and your dovecot
debug log shows it is the LDA's userdb lookup for test@test.loc that fails (the
auth process closes the auth-userdb connection on it). So also test Dovecot's
lookups directly: doveadm user test@test.loc, and doveadm auth test test@test.loc,
and look for the "auth:" error the auth process logs in /var/log/dovecot.log at
the moment it drops that connection.
And perhaps show us your postfix main.cf?
MJ
On 2/20/20 8:46 AM, phil wrote:
> Helo you,
>
> I try to build a mail server based on Centos 7, postfix and dovecot 2.
> My backend is a Samba4 ad-dc.
>
> I tried a lot and I don't know what else I could try.I'm new to this
> mailing list so please forgive me if I don't give right information or
> anything
>
> Samba4 ad-dc is up incl. dns. Win10 Client joined domain and
> authentication works.
>
> Postfix is up and checks against ldap whether recipient address exists.
> It takes mail via telnet and queues them. But can't give it to dovecot.
>
>
> my master.cf locks like that:
>
>
> [root at mail1t postfix]# cat master.cf
> smtp inet n - - - - smtpd
> submission inet n - - - - smtpd
> -o smtpd_enforce_tls=yes
> -o smtpd_tls_security_level=encrypt
> -o tls_preempt_cipherlist=yes
> # NOTE(review): smtpd_enforce_tls is the obsolete spelling of the
> # smtpd_tls_security_level=encrypt set on the next line; it can be dropped.
> # This submission service sets no smtpd_sasl_auth_enable, smtpd_sasl_type /
> # smtpd_sasl_path (the private/auth_dovecot socket that dovecot.conf creates)
> # and no smtpd_client_restrictions=permit_sasl_authenticated,reject, so unless
> # main.cf (not shown) sets them, port 587 behaves exactly like the port-25 smtpd.
> pickup fifo n - - 60 1 pickup
> cleanup unix n - - - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> tlsmgr unix - - - 1000? 1 tlsmgr
> rewrite unix - - - - - trivial-rewrite
> bounce unix - - - - 0 bounce
> defer unix - - - - 0 bounce
> trace unix - - - - 0 bounce
> verify unix - - - - 1 verify
> flush unix n - - 1000? 0 flush
> proxymap unix - - n - - proxymap
> proxywrite unix - - n - 1 proxymap
> smtp unix - - - - - smtp
> relay unix - - - - - smtp
> showq unix n - - - - showq
> error unix - - - - - error
> retry unix - - - - - error
> discard unix - - - - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - - - - lmtp
> anvil unix - - - - 1 anvil
> scache unix - - - - 1 scache
> maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
> uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
> $recipient
> scalemail-backend unix - n n - 2 pipe
> flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> ${nexthop} ${user} ${extension}
> mailman unix - n n - - pipe
> flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
> ${nexthop} ${user}
> dovecot unix - n n - - pipe
> flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f
> ${sender} -d ${user}@${nexthop}
> #smtp inet n - n - 1 postscreen
> #smtpd pass - - n - - smtpd
> #dnsblog unix - - n - 0 dnsblog
> #tlsproxy unix - - n - 0 tlsproxy
> postlog unix-dgram n - n - 1 postlogd
>
>
> my ldap.conf on mailserver:
>
> [root at mail1t openldap]# cat ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example,dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> URI ldaps://ldap1t.test.loc:636
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
> #TLS_CACERTDIR /etc/openldap/certs
> TLS_CACERTDIR /etc/pki/tls/certs/ka
>
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> SASL_NOCANON on
>
> # NOTE(review): "never" switches off server-certificate verification for every
> # libldap client on this host — as far as I can tell that includes Dovecot's
> # ldap driver, since dovecot-ldap.conf.ext sets no tls_* options of its own.
> # ldaps:// then encrypts but does not authenticate the DC, so the Administrator
> # bind password goes to whoever answers on port 636. Point TLS_CACERT at the
> # Samba CA certificate and use TLS_REQCERT demand.
> TLS_REQCERT never
>
>
> dovecot.conf:
>
> [root at mail1t dovecot]# cat dovecot.conf
> auth_mechanisms = plain login
> mail_uid = vmail
> mail_gid = vmail
> ssl_cert = </etc/ssl/mail.pem
> ssl_key = </etc/ssl/key.pem
> login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e
> %c %k"
> #mail_plugins = quota
> ssl_cipher_list =
> EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
> # NOTE(review): "+SSLv3" in an OpenSSL cipher string is a suite alias that only
> # reorders the SSLv3-era suites; which protocol versions are accepted is set by
> # ssl_min_protocol (2.3) / ssl_protocols (2.2), neither of which appears here,
> # so the build's defaults apply.
>
> log_timestamp = "%Y-%m-%d %H:%M:%S "
> log_path = /var/log/dovecot.log
> info_log_path = /var/log/dovecot-info.log
> debug_log_path = /var/log/dovecot-debug.log
>
> #auth_verbose=yes
> auth_debug=yes
> # NOTE(review): auth_debug_passwords writes the clear-text passwords of login
> # attempts into dovecot-debug.log. Turn it off as soon as this is solved and
> # scrub (or delete) the log; keep the debug log root-readable only meanwhile.
> auth_debug_passwords=yes
> mail_debug=yes
> verbose_ssl=yes
>
>
> protocols = imap
> listen = *
> auth_cache_size = 50000 # ~ 200 users with password
> auth_cache_ttl = 300s # in seconds, 5 minutes
> auth_cache_negative_ttl = 30s # if the user did not exist at the last check
>
>
>
> passdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
>
> userdb {
> driver = prefetch
> }
> userdb {
> args = /etc/dovecot/dovecot-ldap.conf.ext
> driver = ldap
> }
>
>
> service auth {
> unix_listener /var/spool/postfix/private/auth_dovecot {
> group = postfix
> mode = 0660
> user = postfix
> }
> unix_listener auth-userdb {
> # NOTE(review): master.cf runs deliver as user=vmail, yet this socket is
> # 0600 root; it is only reachable if deliver is setuid. Make the socket
> # user = vmail (mode 0600), or group = vmail with mode 0660, instead.
> mode = 0600
> user = root
> }
> # NOTE(review): running the auth service as root is needed to read
> # /etc/shadow; with an ldap passdb/userdb the default internal user should do.
> user = root
> }
>
> service dict {
> unix_listener dict {
> mode = 0660
> user = vmail
> group = vmail
> }
> }
>
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> auto = subscribe
> special_use = \Drafts
> }
> mailbox Junk {
> auto = subscribe
> special_use = \Junk
> }
> mailbox Sent {
> auto = subscribe
> special_use = \Sent
> }
> mailbox Trash {
> auto = subscribe
> special_use = \Trash
> }
> prefix =
> }
>
> protocol imap {
> mail_plugins = quota imap_quota
> }
>
> plugin {
> quota = maildir:User quota
> }
>
>
> dovecot-ldap.conf.ext:
>
> root at mail1t dovecot]# cat dovecot-ldap.conf.ext
> #hosts = 192.168.122.30:636 # Windows Active Directory
> uris = ldaps://192.168.122.30:636
> # NOTE(review): with an IP literal here the DC's certificate has to carry that
> # IP as a SAN or hostname verification fails — presumably why TLS_REQCERT
> # ended up as "never" in /etc/openldap/ldap.conf. Use the DC's name
> # (ldap1t.test.loc, as in the ldapsearch that works) and set tls_ca_cert_file
> # and tls_require_cert = demand in this file so verification is on.
>
> #dn = CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC=test,DC=loc
> # NOTE(review): the commented-out DovecotAdministrator is the account to bind
> # with — the lookups in this file only need read access to the users OU, not
> # the domain Administrator. The password on the dnpass line has now been
> # pasted into a public list archive in clear text: rotate it, and keep this
> # file readable only by root/dovecot since dnpass is stored in clear.
> dn = CN=Administrator,CN=Users,DC=test,DC=loc
> dnpass = Test123!
> tls = no # correct for an ldaps:// URI (tls = yes would mean STARTTLS on 389)
> auth_bind = yes # Dovecot binds to AD as the logging-in user to verify the password
> auth_bind_dn = %u
> # NOTE(review): AD accepts a user@domain bind name only when it is the
> # account's userPrincipalName. The entry in the ldapsearch below has
> # userPrincipalName testuser2@test.loc but mail test@test.loc, so a login as
> # test@test.loc binds with a name AD does not know. Either log in with the UPN,
> # or drop auth_bind_dn so Dovecot first searches with pass_filter (mail=%u) and
> # then binds with the DN it found — as I read the docs, auth_bind_dn also
> # skips the search, so pass_attrs is never returned while it is set.
> ldap_version = 3
> base = OU=Identitiy,DC=domain,DC=local # My OU containing the users
> # NOTE(review): DC=domain,DC=local does not exist in this forest — every other
> # DN in this file and the working ldapsearch use DC=test,DC=loc. No search
> # under this base can return testuser2, so the userdb lookup fails whatever
> # the filter says.
> scope = subtree # Or "base" if the OU should not be searched recursively
> # NOTE(review): "passwerd"/"ladp" below are typos (password / ldap), and with
> # auth_bind = yes no password attribute should be returned at all. Both lists
> # also end in ", \", so the continuation swallows the following line
> # (user_attrs becomes part of pass_attrs). What the directory supports is
> #   pass_attrs = =user=%{ldap:mail}
> #   user_attrs = =user=%{ldap:mail}
> # The prefetch userdb in dovecot.conf only works if pass_attrs also returns
> # userdb_* fields; as written, lookups fall through to the ldap userdb here.
> pass_attrs = \
> =user=%{ldap:mail}, \
> =passwerd=%{ladp:user}, \
> user_attrs = \
> =user=%{ldap:mail}, \
>
> # NOTE(review): the ldapsearch output below shows the entries carry "mail" but
> # no mailRoutingAddress, so user_filter can never match test@test.loc;
> # (mail=%u), as in pass_filter, is what the directory actually holds.
> user_filter = (mailRoutingAddress=%u)
> pass_filter = (mail=%u)
> # NOTE(review): iterate_filter is missing its closing ")" and the entries are
> # objectClass person/user, not smiMessageRecipient; (objectClass=person) or
> # (mail=*) would match them. I am not certain this parser strips a trailing
> # "# ..." after a value — keep comments on their own line to be safe.
> iterate_attrs = mail #mail=user # mainly needed by "doveadm" to find users
> iterate_filter = (objectClass=smiMessageRecipient #(objectClass=person)
>
>
> maillog gives me:
>
> Feb 20 08:34:56 mail1t postfix/smtpd[1794]: 04229120B0D:
> client=unknown[192.168.122.30]
> Feb 20 08:35:01 mail1t postfix/cleanup[1798]: 04229120B0D: message-id=<>
> Feb 20 08:35:01 mail1t postfix/qmgr[1268]: 04229120B0D:
> from=<test at test.loc>, size=176, nrcpt=1 (queue active)
> Feb 20 08:35:01 mail1t postfix/pipe[1799]: 04229120B0D:
> to=<test at test.loc>, relay=dovecot, delay=12, delays=12/0.01/0/0.07,
> dsn=4.3.0, status=deferred (temporary failure)
> Feb 20 08:35:03 mail1t postfix/smtpd[1794]: disconnect from
> unknown[192.168.122.30] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>
> dovecot debug log:
>
> 2020-02-20 08:31:18 auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/auth
> 2020-02-20 08:31:18 auth: Debug: Module loaded:
> /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
> 2020-02-20 08:35:01 lda(test at test.loc)<1800><>: Debug: auth-master:
> userdb lookup(test at test.loc): Started userdb lookup
> 2020-02-20 08:35:01 lda(test at test.loc)<1800><>: Debug: auth-master: conn
> unix:/var/run/dovecot/auth-userdb: Connecting
> 2020-02-20 08:35:01 lda(test at test.loc)<1800><>: Debug: auth-master: conn
> unix:/var/run/dovecot/auth-userdb: Client connected (fd=13)
> 2020-02-20 08:35:01 auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/auth
> 2020-02-20 08:35:01 auth: Debug: Module loaded:
> /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
> 2020-02-20 08:35:01 lda(test at test.loc)<1800><>: Debug: auth-master: conn
> unix:/var/run/dovecot/auth-userdb: Disconnected: Connection closed:
> read(size=8192) failed: Connection reset by peer (fd=13)
> 2020-02-20 08:35:01 lda(test at test.loc)<1800><>: Debug: auth-master:
> userdb lookup(test at test.loc): Userdb lookup failed
>
>
> a ldap search gives me:
>
> [root at mail1t dovecot]# ldapsearch -D
> "cn=administrator,cn=Users,dc=test,dc=loc" -W -H
> ldaps://ldap1t.test.loc:636 -b "ou=Identitiy,dc=test,dc=loc" -s sub -x
> "(objectclass=person)"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Identitiy,dc=test,dc=loc> with scope subtree
> # filter: (objectclass=person)
> # requesting: ALL
> #
>
> # testuser2, Identitiy, test.loc
> dn: CN=testuser2,OU=Identitiy,DC=test,DC=loc
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: testuser2
> instanceType: 4
> whenCreated: 20191029150406.0Z
> uSNCreated: 4540
> name: testuser2
> objectGUID:: zfJ3SmPoLkO8wrVKP0Mc6g==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAGQ/+ZjR2CNb9IiNGUQQAAA==
> accountExpires: 9223372036854775807
> sAMAccountName: testuser2
> sAMAccountType: 805306368
> userPrincipalName: testuser2 at test.loc
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc
> mail: test at test.loc
> userAccountControl: 512
> lockoutTime: 0
> pwdLastSet: 132257935214848870
> lastLogon: 132258326087696220
> logonCount: 9
> lastLogonTimestamp: 132258326087696220
> whenChanged: 20200210182328.0Z
> uSNChanged: 7912
> distinguishedName: CN=testuser2,OU=Identitiy,DC=test,DC=loc
>
> # DovecotAdministrator, ServiceAccounts, Identitiy, test.loc
> dn: CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC=test,DC=loc
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: DovecotAdministrator
> instanceType: 4
> whenCreated: 20191029155812.0Z
> displayName: DovecotAdministrator
> uSNCreated: 4735
> name: DovecotAdministrator
> objectGUID:: 6LODLEOIQ0iVbSDrOftLgg==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAGQ/+ZjR2CNb9IiNGUwQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: DovecotAdministrator
> sAMAccountType: 805306368
> userPrincipalName: DovecotAdministrator at test.loc
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=loc
> userAccountControl: 66048
> pwdLastSet: 132240938772523690
> lastLogonTimestamp: 132263319652676310
> whenChanged: 20200216130605.0Z
> uSNChanged: 7935
> distinguishedName:
> CN=DovecotAdministrator,OU=ServiceAccounts,OU=Identitiy,DC=
> test,DC=loc
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
>
> Can someone give me a hint?
>
>
> Best
>
> Phil
>