Re: Working with Active Directory on Windows Server 2012 R2

2014-11-27 Thread Aaron Jenkins
I’ve removed the dn / dnpass.

When attempting with new user:

$ cat /var/log/dovecot-info.log
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5553 id=1) 
(internal failure, 1 successful auths): user=, method=PLAIN, 
rip=10.211.55.29, lip=10.211.55.33, mpid=5558, TLS, session=
Nov 27 00:09:29 imap-login: Info: Internal login failure (pid=5559 id=1) 
(internal failure, 1 successful auths): user=, method=PLAIN, 
rip=10.211.55.29, lip=10.211.55.33, mpid=5560, TLS, session=
Nov 27 00:09:29 auth: Info: 
ldap(test.u...@ad.automaton.uk,10.211.55.29,): invalid 
credentials (given password: ThisIsAPass123)
Nov 27 00:09:35 auth: Info: 
ldap(test.u...@ad.automaton.uk,10.211.55.29,): invalid 
credentials (given password: ThisIsAPass123)
Nov 27 00:09:37 imap-login: Info: Disconnected (auth failed, 2 attempts in 8 
secs): user=, method=PLAIN, rip=10.211.55.29, 
lip=10.211.55.33, TLS, session=

$ cat /var/log/dovecot-debug.log
Nov 27 00:13:07 auth: Debug: Loading modules from directory: 
/usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Loading modules from directory: 
/usr/lib/dovecot/modules/auth
Nov 27 00:13:07 auth: Debug: Module loaded: 
/usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Nov 27 00:13:07 auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6219)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured 
session=/xfdttIIagAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44650
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 
AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain 
sensitive data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 2256273409 6219 1 
a99d65893905abf592245098b369359e session_pid=6223 request_auth_token
Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,): 
user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree 
filter=(&(name=test.user)(objectClass=person)) 
fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 2256273409
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6224)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured 
session=gn7dttIIawAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44651
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 
AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain 
sensitive data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:07 auth: Debug: master in: REQUEST 1233256449 6224 1 
587c0fc0406dbbdac1ccf4bb6267ff59 session_pid=6225 request_auth_token
Nov 27 00:13:07 auth: Debug: ldap(test.user,10.211.55.29,): 
user search: base=cn=users,dc=ad,dc=automaton,dc=uk scope=subtree 
filter=(&(name=test.user)(objectClass=person)) 
fields=homeDirectory,uidNumber,gidNumber
Nov 27 00:13:07 auth: Debug: master userdb out: FAIL 1233256449
Nov 27 00:13:07 auth: Debug: auth client connected (pid=6226)
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured 
session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 
AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data 
may contain sensitive data)
Nov 27 00:13:09 auth: Debug: client passdb out: FAIL 1 
user=test.u...@ad.automaton.uk
Nov 27 00:13:09 auth: Debug: client in: AUTH 2 PLAIN service=imap secured 
session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29lport=143 rport=44652 
resp=AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 
data may contain sensitive data)
Nov 27 00:13:15 auth: Debug: client passdb out: FAIL 2 
user=test.u...@ad.automaton.uk

$ ldapsearch -x -H ldap://dc1.ad.automaton.uk -D 
CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk -W - -b 
CN=test.user,CN=users,DC=ad,DC=automaton,DC=uk
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: -
#

# test.user, Users, ad.automaton.uk
dn: CN=test.user,CN=Users,DC=ad,DC=automaton,DC=uk

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And the password on AD for test.user is 100% ThisIsAPass123.



On November 26, 2014 at 12:16:34 AM, Steffen Kaiser 
(skdove...@smail.inf.fh-brs.de) wrote:


On Wed, 26 Nov 2014, Aaron Jenkins wrote:

> I’ve attempted the user Mail with the same password with the same result 
> (binding as my own user was a last-ditch attempt).

OK, what about the:

> As I understand auth_bind_userdn, you do not need
> dn/dnpass anyway, because auth_bind_userdn prevents searching for the
> user's DN

Did you remove the dn/dnpass sett
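
To see which identity each attempt in the debug log above actually carried, the base64 payloads can be decoded as RFC 4616 PLAIN messages (authzid, authcid and password separated by NUL bytes). The following Python is an added illustration, not code from the thread; its log excerpt is reconstructed from the lines above with the mail-wrapped entries rejoined, and the redaction helper is a suggested practice for handling this kind of log, since Dovecot's own line warns that the payload carries the password.

```python
import base64
import re

# Constructed excerpt in the format of the dovecot-debug.log above, with the
# mail-wrapped entries rejoined onto one line each. The two base64 payloads are
# the ones that appear in the thread; the third (id 3) is a malformed one added
# to exercise the error path.
SAMPLE_LOG = """\
Nov 27 00:13:07 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=/xfdttIIagAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=143 rport=44650
Nov 27 00:13:07 auth: Debug: client passdb out: CONT 1
Nov 27 00:13:07 auth: Debug: client in: CONT 1 AHRlc3QudXNlcgBUaGlzSXNBUGFzczEyMw== (previous base64 data may contain sensitive data)
Nov 27 00:13:07 auth: Debug: client passdb out: OK 1 user=test.user
Nov 27 00:13:09 auth: Debug: client in: AUTH 2 PLAIN service=imap secured session=Ic3dttIIbAAK0zcd lip=10.211.55.33 rip=10.211.55.29 lport=143 rport=44652 resp=AHRlc3QudXNlckBhZC5hdXRvbWF0b24udWsAVGhpc0lzQVBhc3MxMjM= (previous base64 data may contain sensitive data)
Nov 27 00:13:15 auth: Debug: client passdb out: FAIL 2 user=test.user@ad.automaton.uk
Nov 27 00:13:20 auth: Debug: client in: CONT 3 bm90LXBsYWlu (previous base64 data may contain sensitive data)
"""

# The PLAIN payload shows up either on a CONT continuation line or as resp=... on the AUTH line.
CONT_RE = re.compile(r"client in: CONT (?P<id>\d+) (?P<b64>[A-Za-z0-9+/=]+)")
AUTH_RE = re.compile(r"client in: AUTH (?P<id>\d+) PLAIN .*?resp=(?P<b64>[A-Za-z0-9+/=]+)")


def parse_sasl_plain(b64):
    """Decode an RFC 4616 PLAIN message: authzid NUL authcid NUL password.

    Returns (authzid, authcid, password), or None when the blob is not a
    well-formed PLAIN message (bad base64, wrong number of NUL separators,
    non-UTF-8 content).
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    try:
        return tuple(p.decode("utf-8") for p in parts)
    except UnicodeDecodeError:
        return None


def sasl_identities(log_text):
    """List, in log order, the identity each PLAIN attempt actually carried.

    The password itself is dropped; only its presence is recorded, so the
    result can be pasted into a ticket or a mailing-list post.
    """
    found = []
    for line in log_text.splitlines():
        m = CONT_RE.search(line) or AUTH_RE.search(line)
        if not m:
            continue
        decoded = parse_sasl_plain(m.group("b64"))
        if decoded is None:
            continue
        authzid, authcid, password = decoded
        found.append({"id": m.group("id"), "authzid": authzid,
                      "authcid": authcid, "has_password": bool(password)})
    return found


def redact_sasl_blobs(log_text):
    """Blank the base64 payloads so the debug log can leave the host without credentials."""
    def blank(m):
        return m.group(0).replace(m.group("b64"), "[REDACTED]")
    out = []
    for line in log_text.splitlines():
        out.append(AUTH_RE.sub(blank, CONT_RE.sub(blank, line)))
    return "\n".join(out)


if __name__ == "__main__":
    for ident in sasl_identities(SAMPLE_LOG):
        print(ident)
    print(redact_sasl_blobs(SAMPLE_LOG))
```

Decoded, the first attempt authenticated as test.user (passdb OK, userdb search FAIL) and the later one as test.user@ad.automaton.uk (passdb FAIL), which matches the two different outcomes visible in the log.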

Re: 2.2.15 Panic in mbox_sync_read_next_mail()

2014-11-27 Thread Jernej Porenta

On 26/11/14 10:09, Matthias Egger wrote:
> Hello Hans
>
> On 11/23/2014 05:57 PM, Hans Morten Kind wrote:
>> On Tue, Nov 04, 2014 at 12:38:02PM +0100, Matthias Egger wrote:
>>> Has anyone of you found any kind of solution to this problem?
>>
>> We have been running some days with patches 31262a892ba7 and 80ed82a93c1a
>> from http://hg.dovecot.org/dovecot-2.2/
>>
>> They are working fine, handling the previously panicked situations smoothly.
>> Thanks again to the folks at dovecot.org!
>
> Thank you for sharing this. I will give today or tomorrow a look at
> these patches.

At least at our side, these patches have fixed a large number of
segfaults opening mbox files.

Thank you Timo and dovecot team!!!

cheers, Jernej


Re: 2.2.15: SMTP submission server?

2014-11-27 Thread Robert Schetterer
On 27.11.2014 at 08:17, Steffen Kaiser wrote:
> On Wed, 26 Nov 2014, Mark Homoky wrote:
>> On 17/11/2014 07:23, Ron Leach wrote:
>>> On 16/11/2014 07:24, Robert Schetterer wrote (re-ordered):
>>>> On 16.11.2014 at 02:24, Reindl Harald wrote:
>>>
>>> Off topic for Dovecot list, but I might think instead about separate
>>> inbound and outbound MTAs to achieve containment of inbound MTA
>>> compromise.
> 
> @Ron: This seems to be the most sensible option for your concerns
> anyway, but with a well-known MSA. The inbound MTA need not advertise
> its existence to the web and, if port 587 is the only one, you could
> ban port probes, because few attackers will start with port 587.
> 
>> As Reindl said switch off SASL on port 25 (hence in the SMTP
>> conversation following the ehlo line, the client isn't even offered
>> AUTH and hence the chance to login to try to relay).
> [cut]
>> You really can't get stronger mail injection than using the standard
>> submission port only accepting AUTH via TLS encrypted connections on
>> port 587
> 
> If both port 25 and port 587 are open on the same server, is there any
> statistic about how much attackers probe port 25 before 587 and if
> disabling AUTH on port 25 helps at all in that case?


At my site, brute force is done on both ports, typically searching for weak
passwords, so having submission only for mail clients is no cure (but for
sure this should be state of the art).

But in most cases it's like

submission/smtpd[27698]: warning: unknown[...]: SASL LOGIN
authentication failed: UGFzc3dvcmQ6

This may be related to having autoconfig/autodiscover up and running
for all domains, forgotten and/or misconfigured (typos) on mobile
clients etc., so someone may argue this isn't a good idea in terms of security.

Looking at all my servers over time, all types of hacking on all
ports are done; in the case of mail it might be a good idea to have e.g.
fail2ban etc. to cover SASL logins. As an alternative you may have a look at
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

The main advantage of having submission separate (whatever software) is
the chance to have other restrictions enabled (more easily); typically, e.g.,
you do postscreen on port 25 and may use other policies for older
mail clients at submission.

To be honest, I don't understand discussions about security and the upcoming
Dovecot SMTP submission server as long as it has no bugs and the same advanced
config options, e.g. like Postfix submission; after all, everyone is free
to use it or not.

> 
> -- Steffen Kaiser

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
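
As an added example (not from the thread), the following Python runs a fail2ban-style check over constructed Postfix log lines in the format quoted above: it counts SASL failures per client address across both the port 25 smtpd and the submission smtpd, flags addresses that exceed a threshold inside a sliding window, and decodes the trailing base64, which is the server's "Password:" LOGIN challenge rather than a credential. Addresses, hostnames and timestamps in the sample are made up.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the line quoted above (addresses, hostnames
# and timestamps are made up). The same client hits both the port 25 listener
# (postfix/smtpd) and the submission listener (postfix/submission/smtpd).
SAMPLE_LOG = """\
Nov 27 06:11:02 mx postfix/smtpd[27690]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 27 06:11:04 mx postfix/smtpd[27690]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 27 06:11:06 mx postfix/submission/smtpd[27698]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed:
Nov 27 06:11:09 mx postfix/submission/smtpd[27698]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 27 06:12:00 mx postfix/submission/smtpd[27701]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 27 06:12:30 mx postfix/submission/smtpd[27702]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# syslog timestamp, host, postfix process (smtpd or submission/smtpd), peer, mechanism,
# and the optional text Postfix appends after "failed:".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/(?P<service>[\w/]+)\[\d+\]: "
    r"warning: (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:(?: (?P<detail>\S+))?$"
)


def parse_sasl_failures(log_text):
    """Return one record per 'SASL ... authentication failed' warning, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; strptime defaults to 1900, which is fine for deltas
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"time": ts, "service": m.group("service"), "ip": m.group("ip"),
                       "mech": m.group("mech"), "detail": m.group("detail") or ""})
    return events


def decode_challenge(detail):
    """The base64 after 'failed:' is the last server challenge (e.g. 'Password:'), not a password."""
    try:
        return base64.b64decode(detail, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


def offenders(events, threshold=3, window_s=600):
    """IPs with at least `threshold` failures inside any `window_s`-second sliding
    window, counted across all listeners; maps IP to its total failure count."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["time"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits[ip] = len(times)
                break
    return hits


def per_listener(events):
    """Failure counts keyed by (ip, service): shows whether an IP probes both 25 and 587."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["ip"], e["service"])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_sasl_failures(SAMPLE_LOG)
    print("challenge text:", decode_challenge(evs[0]["detail"]))
    print("per listener:", per_listener(evs))
    print("ban candidates:", offenders(evs))
```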


Re: 2.2.15: SMTP submission server?

2014-11-27 Thread Reindl Harald



On 27.11.2014 at 08:17, Steffen Kaiser wrote:
> On Wed, 26 Nov 2014, Mark Homoky wrote:
>> On 17/11/2014 07:23, Ron Leach wrote:
>>> On 16/11/2014 07:24, Robert Schetterer wrote (re-ordered):
>>>> On 16.11.2014 at 02:24, Reindl Harald wrote:
>>>
>>> Off topic for Dovecot list, but I might think instead about separate
>>> inbound and outbound MTAs to achieve containment of inbound MTA
>>> compromise.
>
> @Ron: This seems to be the most sensible option for your concerns
> anyway, but with a well-known MSA. The inbound MTA need not advertise
> its existence to the web and, if port 587 is the only one, you could
> ban port probes, because few attackers will start with port 587.
>
>> As Reindl said switch off SASL on port 25 (hence in the SMTP
>> conversation following the ehlo line, the client isn't even offered
>> AUTH and hence the chance to login to try to relay).
> [cut]
>> You really can't get stronger mail injection than using the standard
>> submission port only accepting AUTH via TLS encrypted connections on
>> port 587
>
> If both port 25 and port 587 are open on the same server, is there any
> statistic about how much attackers probe port 25 before 587 and if
> disabling AUTH on port 25 helps at all in that case?


surely, nobody cares about 587 because it's typically only possible with
authentication to submit mail and so in no way usable for delivering spam
or as an open relay


the data below is from a honeypot network, but keep in mind that in case the
same IP tries a different port after testing 25/587, "last_port" changes
to that one


mysql> select count(*) from dnsbl where dnsbl_last_port=25;
+----------+
| count(*) |
+----------+
|      790 |
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from dnsbl where dnsbl_last_port=587;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
1 row in set (0.01 sec)





Re: Move mail behavior

2014-11-27 Thread Martin Stigge
On Wed, 2014-11-26 at 07:31 +0100, Steffen Kaiser wrote:
> On Mon, 24 Nov 2014, Martin Stigge wrote:
> 
> > I've recently migrated my IMAP mail setup from a server running an older
> > Debian Squeeze with dovecot 1.2.15 to a new Debian Jessie system with
> > dovecot 2.2.13. In the old setup, it used to be so that a mail moved
> > from a folder to another one was marked as deleted in the originating
> > folder (in dovecot 1.2.15). In the new setup, the mail just disappears
> > from the originating folder (with dovecot 2.2.13). The mail arrives
> > properly in the target folder, so that's fine. But I actually liked the
> > old behavior.
> 

After a little more digging I found that dovecot 2.2 implements the IMAP
MOVE extension from RFC 6851 which my clients also support. Before that,
a copy with delete was used, explaining the different behavior. I also
see MOVE announced as a capability, so my clients use it. So, no config
issue, just a new feature.

Regards,
Martin


Re: Unable to see virtual users

2014-11-27 Thread Randall Gellens

I'm still having trouble getting users accepted by postfix + dovecot.

I have a few (<10) virtual users configured in a passwd-style file in 
/etc/dovecot/users.  I can verify that dovecot sees those users and 
can authenticate them using 'doveadm' as well as IMAP.


I also have one system user configured via PAM.  I can verify that 
dovecot sees this user and can authenticate using 'doveadm' as well 
as IMAP.


I configured the 'dovecot' service in /etc/postfix/master.cf and set 
/etc/postfix/main.cf to use it to deliver virtual mail, per the 
dovecot wiki.  I also set the postfix local delivery command to 
dovecot-lda per the dovecot wiki.


I first tried telling postfix to not check local users by setting in 
/etc/postfix/main.cf:


local_recipient_maps =

With this setup, mail is received and delivered for the system user, 
but mail to virtual users is bounced with 'unknown user':


postfix/local ... relay=local ... status=bounced (unknown user: "test")

So then I tried to tell postfix that it had virtual users by 
configuring them in /etc/postfix/virtual_users and creating a hash 
using 'postmap' and then in /etc/postfix/main.cf setting


local_recipient_maps =  proxy:unix:passwd.byname 
hash:/etc/postfix/virtual_users $alias_maps


This made no difference at all.  Mail to virtual users still bounces 
with 'unknown user' while mail to the system user is delivered.


So then I set 'mydestination' to an empty string in 
/etc/postfix/main.cf and set 'virtual_mailbox_domains' to the string 
that had been in 'mydestination', and set 'mydestination' to an empty 
string.


With this setup, mail to virtual users is delivered, but mail to the 
system user bounces with 'unknown user':


dovecot: auth: passwd-file(randy): unknown user
dovecot: auth: passwd-file(randy@domain): unknown user
dovecot: auth-worker(12538): passwd(randy@domain): unknown user
	postfix/pipe[12548]: ... to=, relay=dovecot ... 
status=bounced (user unknown)


My dovecot config:


--
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-39-generic x86_64 Ubuntu 14.04.1 LTS ext4
auth_verbose = yes
first_valid_gid = 120
first_valid_uid = 112
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = mdbox:/local/mnt/mail/%n
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave

namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = username_format=%n /etc/dovecot/passwd
  driver = passwd-file
}
passdb {
  args = username_format=%n
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = randy@domain
protocols = " imap sieve pop3"
ssl_cert = local_recipient_maps = proxy:unix:passwd.byname 
hash:/etc/postfix/virtual_users $alias_maps
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a 
"$RECIPIENT" -d "$USER"

mailbox_size_limit = 0
mydestination =
myhostname = ocean.qualcomm.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
readme_directory = no
recipient_delimiter = +
relayhost = mailhost.qualcomm.com
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks 
permit_sasl_authenticated defer_unauth_destination

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_mailbox_domains = domain, ocean, localhost
virtual_transport = dovecot
--





--
Randall Gellens
Opinions are personal;facts are suspect;I speak for myself only
-- Randomly selected tag: ---
Attaccabottonai (ah-TAHKA-bo-TONE-eye; Italian; noun): a doleful bore
who buttonholes people and tells sad, pointless tales.


auth(default) :Aborted: Worker is buggy

2014-11-27 Thread 刘莹莹
Hi dovecot
When I modified SIEVE_DEFAULT_MAX_REDIRECTS = 25 in
sieve-file:dovecot-1.2-sieve-0.1.7/src/lib-sieve/sieve-limits.h
I found this problem occurs about once a week. I'm not sure if it was caused by
modifying SIEVE_DEFAULT_MAX_REDIRECTS = 25; the default is
SIEVE_DEFAULT_MAX_REDIRECTS = 4:
LOG:
Nov 25 11:20:12 imap-login: Info: Login: user=, method=PLAIN, 
rip=127.0.0.1, lip=127.0.0.1, secured
Nov 25 11:20:12 auth(default): Error: BUG: Worker sent reply with id 230, 
expected 231
Nov 25 11:20:12 auth(default): Error: worker-server(l...@rails.cn,127.0.0.1): 
Aborted: Worker is buggy
dovecot -n:
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
namespace:
  type: shared
  separator: /
  prefix: shared/%%u/
  location: maildir:%Lh/%Ld/%%n/:INDEX=%Lh/%Ld/%Ln/shared/%%u
  list: children
auth default:
  mechanisms: plain login
  default_realm: com
  user: txmail
  master_user_separator: *
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
driver: passwd-file
args: /etc/dovecot.master
pass: yes
master: yes
  passdb:
driver: dict
args: /etc/dovecot-memcached.conf
  userdb:
driver: dict
args: /etc/dovecot-memcached.conf
  socket:
type: listen
client:
  path: /var/spool/postfix/dovecot-auth
  mode: 438
  user: postfix
  group: postfix
master:
  path: /var/run/dovecot/auth-master
  mode: 438
  user: txmail
  group: txmail
plugin:
  quota_warning: storage=90%% %Lh/bin/dovecot-quota-warning.sh 90 %u
  quota_warning2: storage=95%% %Lh/bin/dovecot-quota-warning.sh 95 %u
  acl: vfile
  acl_shared_dict: file:/%Lh/%Ld/shared-mailboxes.db
  quota: maildir
  quota_rule: *:storage=10M
  expire: * 7
  expire_dict: proxy::expire
  auth_socket_path: /var/run/dovecot/auth-master
  sieve: /opt/nsmail/data/sieve/%Ld/%Ln/.dovecot.sieve
  autocreate: trash
  autosubscribe: trash
  autocreate2: rubbishs
  autosubscribe2: rubbishs
  autocreate3: &XfJT0ZABkK5O9g-
  autosubscribe3: &XfJT0ZABkK5O9g-
  autocreate4: &g0l6Pw-
  autosubscribe4: &g0l6Pw-
  autocreate5: decrypt
dict:
  expire: mysql:/etc/dovecot-expire.conf
THANKS  
YINGYING




Re: failed login message

2014-11-27 Thread Rajesh M
thank you for the guidance,

just to recap, the issue was about squirrelmail giving a wrong message:
"connection dropped by imap server" instead of "invalid user or password"

as advised I connected using the command line on both my old and new servers, and
have posted the details including the output of dovecot -n.


1) command prompt login. i put wrong password

telnet x.x.x.x 143

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] ready.

1 login a...@mydomain.com wrongpass

1 NO [AUTHENTICATIONFAILED] Authentication failed.


2) DOVECOT LOG output

CURRENT SERVER
Nov 28 08:48:39 imap-login: Info: Disconnected (auth failed, 1 attempts in 72 
secs): user=

OLD SERVER
Nov 28 09:06:08 imap-login: Info: Disconnected (auth failed, 1 attempts): 
user=, method=PLAIN, rip=120.62.202.70, lip=72.35.76.156



3) DOVECOT CONFIG FILE DETAILS

# dovecot -n
# 2.2.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.29.2.el6.x86_64 x86_64 CentOS release 6.5 (Final)
auth_cache_negative_ttl = 0
auth_cache_size = 32 M
auth_cache_ttl = 30 mins
auth_mechanisms = plain login digest-md5 cram-md5
default_login_user = vpopmail
disable_plaintext_auth = no
first_valid_gid = 89
first_valid_uid = 89
log_path = /var/log/dovecot.log
login_greeting = ready.
mail_max_userip_connections = 50
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location =
  prefix =
  separator = .
  type = private
}
passdb {
  args = cache_key=%u webmail=127.0.0.1
  driver = vpopmail
}
plugin {
  quota = maildir:ignore=Trash
  quota_rule = ?:storage=0
}
protocols = imap pop3
service imap-login {
  client_limit = 256
  process_limit = 400
  process_min_avail = 12
  service_count = 0
  vsz_limit = 384 M
}
service pop3-login {
  client_limit = 1000
  process_limit = 400
  process_min_avail = 12
  service_count = 0
  vsz_limit = 512 M
}
ssl_cert = mailto:geda...@gedalya.net]
To: 24x7ser...@24x7server.net,dovecot@dovecot.org
Sent: Tue, 25 Nov 2014 05:54:49 -0500
Subject: Re: failed login message

On 11/25/2014 04:49 AM, 24x7ser...@24x7server.net wrote:
> thanks for your reply
>
> i intentionally put the wrong password and checked the dovecot log and the
> message i got was
>
> # tail -f /var/log/dovecot.log | grep "x...@yyy.com"
> Nov 25 08:47:46 imap-login: Info: Aborted login (auth failed, 1 attempts in 2 
> secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
> secured, session=
>
> but in the squirrelmail login page instead of the message "unknown user or 
> password incorrect" i get the message
>
> ERROR: Connection dropped by IMAP server.
> Query: LOGOUT
>
>
> in my old server where it is working correctly dovecot logs shows the error
>
> Nov 25 14:46:12 imap-login: Info: Aborted login (auth failed, 1 attempts): 
> user=<"x...@yyy.com">, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
>
> and squirrelmail gives the error : "unknown user or password incorrect" which 
> is correct.
>
> is there any other place i need to check or some other config file (either 
> squirrelmail or dovecot) that i need to modify
>
> could you kindly guide me
>

1. Please carefully read http://dovecot.org/mailinglists.html
2. Please carefully follow the instructions at
http://dovecot.org/mailinglists.html. In your case, post full details
for both servers.
3. Try to manually log in to both servers using e.g. telnet in order to
see any differences in the way they respond.
Something like

$ telnet 192.168.9.11 143
Trying 192.168.9.11...
Connected to 192.168.9.11.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
IDLE STARTTLS LOGINDISABLED] Dovecot ready.
1 login gedalya 1234
* BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but
your client did it anyway. If anyone was listening, the password was
exposed.
1 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure
(SSL/TLS) connections.
2 logout
* BYE Logging out
2 OK Logout completed.
Connection closed by foreign host.

(that's how it responds in my specific case as I disallow plaintext login)

Or if you need TLS (like me):

$ openssl s_client -starttls imap -quiet -connect 192.168.9.11:143
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
. OK Pre-login capabilities listed, post-login capabilities have more.
1 login gedalya 1234
1 NO [AUTHENTICATIONFAILED] Authentication failed.
2 logout
* BYE Logging out
2 OK Logout completed.


Re: auth(default) :Aborted: Worker is buggy

2014-11-27 Thread Andrew Ho
I don't think your change to the default of SIEVE_DEFAULT_MAX_REDIRECTS is the
problem.

The "mode:" is for permission of the auth-userdb socket to lookup the userdb.
Why did you set it to "438"?

reference: http://wiki2.dovecot.org/LDA

--

> On Nov 27, 2014, at 10:35 PM, 刘莹莹  wrote:
> 
> Hi dovecot
> When I modified SIEVE_DEFAULT_MAX_REDIRECTS = 25 in
> sieve-file:dovecot-1.2-sieve-0.1.7/src/lib-sieve/sieve-limits.h
> I found this problem occurs about once a week. I'm not sure if it was caused
> by modifying SIEVE_DEFAULT_MAX_REDIRECTS = 25; the default is
> SIEVE_DEFAULT_MAX_REDIRECTS = 4:
> LOG:
> Nov 25 11:20:12 imap-login: Info: Login: user=, method=PLAIN, 
> rip=127.0.0.1, lip=127.0.0.1, secured
> Nov 25 11:20:12 auth(default): Error: BUG: Worker sent reply with id 230, 
> expected 231
> Nov 25 11:20:12 auth(default): Error: worker-server(l...@rails.cn,127.0.0.1): 
> Aborted: Worker is buggy
> dovecot -n:
> namespace:
>  type: private
>  separator: /
>  inbox: yes
>  list: yes
>  subscriptions: yes
> namespace:
>  type: shared
>  separator: /
>  prefix: shared/%%u/
>  location: maildir:%Lh/%Ld/%%n/:INDEX=%Lh/%Ld/%Ln/shared/%%u
>  list: children
> auth default:
>  mechanisms: plain login
>  default_realm: com
>  user: txmail
>  master_user_separator: *
>  verbose: yes
>  debug: yes
>  debug_passwords: yes
>  passdb:
>driver: passwd-file
>args: /etc/dovecot.master
>pass: yes
>master: yes
>  passdb:
>driver: dict
>args: /etc/dovecot-memcached.conf
>  userdb:
>driver: dict
>args: /etc/dovecot-memcached.conf
>  socket:
>type: listen
>client:
>  path: /var/spool/postfix/dovecot-auth
>  mode: 438
>  user: postfix
>  group: postfix
>master:
>  path: /var/run/dovecot/auth-master
>  mode: 438
>  user: txmail
>  group: txmail
> plugin:
>  quota_warning: storage=90%% %Lh/bin/dovecot-quota-warning.sh 90 %u
>  quota_warning2: storage=95%% %Lh/bin/dovecot-quota-warning.sh 95 %u
>  acl: vfile
>  acl_shared_dict: file:/%Lh/%Ld/shared-mailboxes.db
>  quota: maildir
>  quota_rule: *:storage=10M
>  expire: * 7
>  expire_dict: proxy::expire
>  auth_socket_path: /var/run/dovecot/auth-master
>  sieve: /opt/nsmail/data/sieve/%Ld/%Ln/.dovecot.sieve
>  autocreate: trash
>  autosubscribe: trash
>  autocreate2: rubbishs
>  autosubscribe2: rubbishs
>  autocreate3: &XfJT0ZABkK5O9g-
>  autosubscribe3: &XfJT0ZABkK5O9g-
>  autocreate4: &g0l6Pw-
>  autosubscribe4: &g0l6Pw-
>  autocreate5: decrypt
> dict:
>  expire: mysql:/etc/dovecot-expire.conf
> THANKS  
>YINGYING
> 
> 


Re: Unable to see virtual users

2014-11-27 Thread Steffen Kaiser


On Thu, 27 Nov 2014, Randall Gellens wrote:

> I'm still having trouble getting users accepted by postfix + dovecot.

I suppose in your system + virtual user mix, you should use LMTP:
http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
So Dovecot handles the difference itself.

> userdb {
>   args = uid=vmail gid=vmail home=/local/mnt/home/%n
>   driver = static
> }
> userdb {
>   driver = passwd
> }

The static userdb does hide the passwd userdb, because it hits for all
users. You should change the order.


-- 
Steffen Kaiser



Re: failed login message

2014-11-27 Thread Steffen Kaiser


On Fri, 28 Nov 2014, Rajesh M wrote:

> just to recap, the issue was about squirrelmail giving a wrong message:
> "connection dropped by imap server" instead of "invalid user or password"
>
> as advised I connected using the command line on both my old and new servers, and
> have posted the details including the output of dovecot -n.

Is this the OLD or CURRENT server and what about the other one?

> 1) command prompt login. i put wrong password
>
> telnet x.x.x.x 143
>
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] ready.
>
> 1 login a...@mydomain.com wrongpass
>
> 1 NO [AUTHENTICATIONFAILED] Authentication failed.

At this point: does Dovecot drop the telnet session or is it still open?

> 2) DOVECOT LOG output
>
> CURRENT SERVER
> Nov 28 08:48:39 imap-login: Info: Disconnected (auth failed, 1 attempts in 72 secs):
> user=
>
> OLD SERVER
> Nov 28 09:06:08 imap-login: Info: Disconnected (auth failed, 1 attempts):
> user=, method=PLAIN, rip=120.62.202.70, lip=72.35.76.156


-- 
Steffen Kaiser
