Dovecot authentication hangs when ldap_start_tls_s() fails for invalid certificate

sebastiano degan sebastiano.degan at frigoveneta.it
Thu Nov 19 12:55:32 EET 2020


On Debian 10 I've installed Postfix 3.4.14 and Dovecot 2.3.4.1.
I've configured multiple passdb sources and I expect that if one fails
the other ones are tested.
This is usually the case, except when the failure is due to an invalid
certificate from the ldap server.
In that case all authentication attempts from that moment on will fail.

I've trimmed down the configuration as much as possible (see below),
and this is the syslog output of my tests:

TEST 1 - Everything is configured correctly:
  No output on syslog

TEST 2 - Wrong hostname as a ldap server:
  Auth attempt 1:
    Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-userdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:35 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
  Auth attempt 2:
    Nov 19 11:25:57 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:25:59 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
  Auth attempt 3:
    Nov 19 11:26:28 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server
    Nov 19 11:26:30 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server

TEST 3 - Invalid certificate:
  Attempt 1:
    Nov 19 11:21:20 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Connect error
    Nov 19 11:21:20 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-userdb.conf.ext: ldap_start_tls_s() failed: Connect error
  No output on other attempts...


CONFIGURATION FILES:
______________________________________________________
auth.conf:

auth_mechanisms = plain login
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  default_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
}
______________________________________________________

______________________________________________________
dovecot-ldap-passdb.conf.ext:

tls = yes
hosts = DC1.fv.lan
base = ou=Frigoveneta,dc=fv,dc=lan
auth_bind = yes
auth_bind_userdn = %u
______________________________________________________

______________________________________________________
dovecot-ldap-userdb.conf.ext:

tls = yes
hosts = DC1.fv.lan
base = ou=Frigoveneta,dc=fv,dc=lan
dn = ##removed##
dnpass = ##removed##
user_filter = (&(userPrincipalName=%u))
______________________________________________________
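Added example (not part of the original post, nor Dovecot's own code): a small triage script for the two error shapes quoted above. The operational point of the report is that a DNS/TCP failure ("Can't contact LDAP server") keeps logging on every attempt, while the STARTTLS handshake failure ("Connect error", here caused by a rejected certificate) is logged once and is then followed by silence, so an alert has to fire on the first such line rather than on a count. The sample log is the report's own lines joined where the mail wrapped them, plus one constructed non-matching line; the severity mapping and the alert-per-(host, config) policy are this example's assumptions, not Dovecot behaviour.

```python
"""Triage Dovecot 'auth: Error: LDAP ... failed: ...' syslog lines.

Added example, not code from the original post or from Dovecot. Assumes the
syslog layout shown in the report (BSD timestamp, hostname, 'dovecot:' tag).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches lines such as:
# Nov 19 11:21:20 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Connect error
LDAP_ERR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"dovecot: auth: Error: LDAP (?P<conf>\S+): (?P<call>\w+\(\)) failed: (?P<reason>.+)$"
)

# Assumed severity mapping for the two reasons seen in the report:
# - "Can't contact LDAP server": name resolution / TCP failure; auth keeps retrying
#   and keeps logging, so later attempts remain visible.
# - "Connect error" from ldap_start_tls_s(): the STARTTLS handshake failed (in the
#   report, an invalid certificate). The report shows no further log output after
#   the first occurrence, so that first line is the only signal an alert will get.
SEVERITY = {
    "Can't contact LDAP server": "warning",
    "Connect error": "critical",
}


@dataclass(frozen=True)
class LdapAuthError:
    ts: str
    host: str
    conf: str      # passdb/userdb config file named in the log line
    call: str      # libldap call that failed, e.g. ldap_start_tls_s()
    reason: str
    severity: str


def parse_line(line: str) -> Optional[LdapAuthError]:
    """Return a structured event for a Dovecot LDAP auth error line, else None."""
    m = LDAP_ERR.match(line.strip())
    if not m:
        return None
    reason = m["reason"].strip()
    return LdapAuthError(m["ts"], m["host"], m["conf"], m["call"], reason,
                         SEVERITY.get(reason, "unknown"))


def triage(lines: Iterable[str]) -> dict:
    """Parse all lines; count by reason and config; alert on the first critical
    event per (host, config), since a STARTTLS failure is not repeated in the log."""
    events: List[LdapAuthError] = [e for e in (parse_line(l) for l in lines) if e]
    alerts: List[LdapAuthError] = []
    seen = set()
    for e in events:
        key = (e.host, e.conf)
        if e.severity == "critical" and key not in seen:
            seen.add(key)
            alerts.append(e)
    return {
        "events": events,
        "per_reason": Counter(e.reason for e in events),
        "per_conf": Counter(e.conf for e in events),
        "alerts": alerts,
    }


# Sample input: lines quoted in the report (TEST 2 attempt 1 and TEST 3), plus one
# constructed imap-login line that the parser must ignore.
SAMPLE_LOG = [
    "Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server",
    "Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-userdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server",
    "Nov 19 11:25:29 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server",
    "Nov 19 11:25:35 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Can't contact LDAP server",
    "Nov 19 11:21:20 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-passdb.conf.ext: ldap_start_tls_s() failed: Connect error",
    "Nov 19 11:21:20 debian dovecot: auth: Error: LDAP /etc/dovecot/dovecot-ldap-userdb.conf.ext: ldap_start_tls_s() failed: Connect error",
    "Nov 19 11:30:00 debian dovecot: imap-login: Login: user=<test>, method=PLAIN",  # constructed, ignored
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for reason, n in result["per_reason"].items():
        print(f"{n:3d}  {reason}")
    for a in result["alerts"]:
        print(f"ALERT {a.severity}: {a.host} {a.conf} {a.call} {a.reason} (first seen {a.ts})")
```

The remediation that keeps certificate validation is on the LDAP side (serve a chain that validates for the name in `hosts`) and, in the Dovecot LDAP config, pointing `tls_ca_cert_file` at the issuing CA; relaxing `tls_require_cert` silences the error by dropping the check, which is the opposite of what the alert is for.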