Active directory bind and quota stuff
Hi list,

first of all, please excuse me for any grammar mistake in my text, I'm still learning English.

I'm making a Dovecot installation using my Active Directory as pass and user DB. I'm setting the per-user quota from an AD field (Initials) and everything seems to work fine, but I would like to know if you could help me to improve a couple of things.

---
I'm using CentOS 7, this is my Dovecot build:
---
# dovecot --build-options
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL driver plugins: mysql postgresql sqlite
Passdb: checkpassword ldap pam passwd passwd-file shadow sql
Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql

# dovecot --version
2.2.10

And this is my /etc/dovecot/dovecot-ldap.conf.ext file:
---
hosts = adserver1.dom, adserver2.dom
base = DC=dom
ldap_version = 3
auth_bind = yes
auth_bind_userdn = dom\%u
dn = cn=imapUser,cn=Users,dc=dom
dnpass =
user_filter = (&(samaccountname=%u)(objectClass=person)(|(mail=%u...@dom.com)(othermailbox=%u...@dom.com)))
pass_filter = (&(samaccountname=%u)(objectClass=person)(|(mail=%u...@dom.com)(othermailbox=%u...@dom.com)))
pass_attrs = userPassword=password
user_attrs = Initials=quota_rule=*:storage=%$MB
---

My questions:

1) My AD doesn't allow anonymous searches and I was thinking of a way to avoid the need to have a specific user account with its password stored in a configuration file to do the bind. I don't know if this is possible, but is there a way to use the same user you are trying to validate to do the bind with the AD server?

2) As you can see (user_attrs = Initials=quota_rule=*:storage=%$MB), to set the per-user quota value, I require a numeric value in the "Initials" field of my AD. I've realized that if some wrong value is introduced in that field, Dovecot throws an error when you try to validate the user, and hence the IMAP logon fails.

Is there any way to bypass that and use the default quota value if something is wrong with the per-user quota set?

Error log with wrong quota values (I wrote the value e34 in the Initials field of user1 in AD, instead of a valid numeric value):

* quota refresh command:
[root@dmail02 dovecot]# doveadm quota recalc -u user1
doveadm(user1): Error: user user1: Initialization failed: Failed to initialize quota: Invalid quota root quota: Invalid rule *:storage=e34MB: Invalid rule limit value 'storage=e34MB': Unknown unit: e34MB

* imap login:
Mar 13 14:12:10 dmail02 dovecot: imap(user1): Error: user user1: Initialization failed: Failed to initialize quota: Invalid quota root quota: Invalid rule *:storage=e34MB: Invalid rule limit value 'storage=e34MB': Unknown unit: e34MB
Mar 13 14:12:10 dmail02 dovecot: imap(user1): Error: Invalid user settings. Refer to server log for more information.

Thank you very much in advance,
Fran
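An added example, not part of Fran's post and not Dovecot's own code: a small Python audit for the second question. It mirrors how Dovecot reads a `*:storage=<number><unit>` limit (leading digits are the number, the first character after them selects the unit, so "MB" works and "e34MB" fails exactly as in the log above) and runs that over directory entries before they ever reach the userdb. It shows the outcomes a practitioner cares about: a numeric value gives a per-user limit; an absent attribute leaves the `quota_rule` field unset, so the site-wide `plugin { quota_rule = ... }` default applies (this is the only built-in fallback); a malformed value fails and locks the user out; and an empty value is worse than a failure, because it parses as a limit of 0, which Dovecot treats as no limit at all. The default rule, the sample entries and the "user1"…"user5" names are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Units accepted after the digits of a storage limit. Dovecot inspects only
# the first character of whatever follows the number, so "M" and "MB" both
# mean mebibytes. Assumption: this is an independent re-implementation of
# the documented "*:storage=<number><unit>" rule syntax, not Dovecot's code.
UNIT_MULTIPLIER = {"B": 1, "K": 1024, "M": 1024 ** 2,
                   "G": 1024 ** 3, "T": 1024 ** 4}

# The user_attrs template from the post, and a constructed site-wide default
# standing in for plugin { quota_rule = ... } in the Dovecot configuration.
USER_ATTRS_TEMPLATE = "*:storage=%$MB"
DEFAULT_RULE = "*:storage=1024MB"

# Constructed sample entries keyed by sAMAccountName (not real accounts),
# shaped like what the ldap userdb would hand over for the Initials attribute.
SAMPLE_ENTRIES: Dict[str, Dict[str, str]] = {
    "user1": {"initials": "e34"},    # the bad value from the post
    "user2": {"initials": "500"},    # valid: 500 MB
    "user3": {"initials": ""},       # attribute present but empty
    "user4": {},                     # attribute absent from the entry
    "user5": {"initials": "2 000"},  # human-formatted number
}


def parse_storage_limit(limit: str) -> Tuple[Optional[int], Optional[str]]:
    """Parse one 'storage=<number><unit>' limit the way Dovecot reports it:
    the leading digits are the number (no digits at all reads as 0, as with
    strtoll) and everything after them is the unit.
    Returns (bytes, None) on success or (None, error_message) on failure."""
    key, sep, raw = limit.partition("=")
    if sep == "" or key != "storage":
        return None, f"Invalid rule limit value '{limit}'"
    digits, unit = re.fullmatch(r"(\d*)(.*)", raw, re.DOTALL).groups()
    number = int(digits) if digits else 0
    if unit == "":
        return number, None
    if unit[0] == "%":
        # Percent (relative-to-default) limits are valid Dovecot syntax but
        # are not modelled by this checker; report them instead of guessing.
        return None, f"Relative limit '{limit}' not modelled by this audit"
    multiplier = UNIT_MULTIPLIER.get(unit[0].upper())
    if multiplier is None:
        return None, f"Invalid rule limit value '{limit}': Unknown unit: {unit}"
    return number * multiplier, None


def effective_quota(entry: Dict[str, str]) -> Dict[str, object]:
    """Work out which rule one entry produces and whether logins would break.
    status: 'user' (per-user rule applies), 'default' (attribute absent, the
    site-wide rule applies), 'zero_limit' (rule parses but the limit is 0,
    which Dovecot treats as no limit) or 'error' (login fails)."""
    if "initials" in entry:
        rule, status = USER_ATTRS_TEMPLATE.replace("%$", entry["initials"]), "user"
    else:
        rule, status = DEFAULT_RULE, "default"
    _mailbox, _, limit = rule.partition(":")
    value, err = parse_storage_limit(limit)
    if err is not None:
        return {"status": "error", "rule": rule, "bytes": None, "detail": err}
    if value == 0:
        return {"status": "zero_limit", "rule": rule, "bytes": 0, "detail": ""}
    return {"status": status, "rule": rule, "bytes": value, "detail": ""}


def audit(entries: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Evaluate every entry; anything other than 'user' or 'default' needs
    fixing in the directory before Dovecot sees it."""
    return {name: effective_quota(attrs) for name, attrs in entries.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_ENTRIES).items():
        print(f"{name:6} {result['status']:10} {result['rule']:24} {result['detail']}")
```

The `SAMPLE_ENTRIES` dict is where an export of the real accounts (for instance from ldapsearch) would be loaded; running the audit from a scheduled job turns a login outage into a report about a bad directory value.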
My dovecot works fine against Active Directory 2003, but not against AD2008
Hello,

my dovecot installation has been working fine against AD till we upgraded from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to connect to AD through port 389. Port 3268 works fine though.

(...)
Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
Sep 7 19:02:05 dovecot: imap-login: Internal login failure (pid=4846 id=1) (internal failure, 1 successful auths): user=<>, method=PLAIN, rip=, lip=, TLS, session=
(...)
Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting
Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): LDAP search returned multiple entries
(...)

Is there a technical reason for this problem? Is there any workaround?

The use of the Global Catalog (port 3268) is not a solution for me, since it misses many attributes (e.g. I use the field "initials" to set the quota and this field is not available through port 3268).

I also noticed that now it uses any DC available in the domain, it doesn't care what I configured in the "hosts = " parameter.

This is using "hosts = dc03.domain:389":
---
[root@ ~]# netstat -anp | grep dovecot | grep auth
tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth

It looks like it does a lookup for other domain controllers (I don't know how nor why) and it connects randomly to any DC in my domain (in this case dc06.domain, but it changes every time), in addition to the configured one (dc03.domain).

This is using "hosts = dc03.domain:3268":
[root@ ~]# netstat -anp | grep dovecot | grep auth
tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth

In this case, only the server configured in the hosts parameter is used (I think this is the right behaviour).

Additional info:
---
CentOS Linux release 7.0.1406 (Core)

dovecot 2.2.10

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL driver plugins: mysql postgresql sqlite
Passdb: checkpassword ldap pam passwd passwd-file shadow sql
Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql

My /etc/dovecot/dovecot-ldap.conf.ext
--
#hosts = dc03.domain:3268
hosts = dc03.domain:389
#uris = ldap://dc03.domain
base = DC=domain
#tls = yes
tls = no
ldap_version = 3
auth_bind = yes
auth_bind_userdn = %u@domain
#auth_bind_userdn = DOMAIN\%u
dn = cn=,cn=Users,dc=domain
dnpass =

#scope = subtree
#deref = never

user_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
pass_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
pass_attrs = userPassword=password
user_attrs = Initials=quota_rule=*:storage=%$MB
---

--
Log trace using PORT 389:
--
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A []
Sep 7 19:00:35 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Sep 7 19:00:35 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Sep 7 19:00:35 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Sep 7 19:00:35 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Sep 7 19:00:35 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A []
Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A []
Sep 7 19:00:35 dovecot:
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
I've logged a session using the option debug_level = -1. The log is attached. I still don't understand what is happening and why all my domain controllers are being used even when I just use one of them in the "hosts" parameter in my /etc/dovecot/dovecot-ldap.conf.ext.

Thanks in advance,
Regards

On 08/09/2015 at 11:00, Fran wrote:
> Hello,
>
> my dovecot installation has been working fine against AD till we upgrade from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to connect AD through 389 port. The port 3268 works fine though.
>
> (...)
> Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
> Sep 7 19:02:05 dovecot: imap-login: Internal login failure (pid=4846 id=1) (internal failure, 1 successful auths): user=<>, method=PLAIN, rip=, lip=, TLS, session=
> (...)
> Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting
> Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): LDAP search returned multiple entries
> (...)
>
> Is there a technical reason for this problem? Does it exist any workaround?
>
> The use of Global Catalog (port 3268) is not a solution for me, since it misses many attributes. (ex. I use the field "initials" to set the quota and this field is not available through port 3268).
>
> I also noticed that, now, it uses any DC available in the domain, it doesn't care what I configured in "hosts = " parameter.
>
> This is using "hosts = dc03.domain:389":
> ---
>
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>
> It looks like it does a look up for other domains controller (I don't know how nor why) and it connect aleatory to any DC in my domain (in this case dc06.domain, but it changes any time), additionally to the configured one (dc03.domain).
>
> This is using "hosts = dc03.domain:3268":
>
> [root@ ~]# netstat -anp | grep dovecot | grep auth
> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>
> In this case, only the configured server in host parameter is used (I think this is the right behaviour)
>
>
> Additional info:
> ---
> CentOS Linux release 7.0.1406 (Core)
>
> dovecot 2.2.10
>
> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> SQL driver plugins: mysql postgresql sqlite
> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>
>
> My /etc/dovecot/dovecot-ldap.conf.ext
> --
> #hosts = dc03.domain:3268
> hosts = dc03.domain:389
> #uris = ldap://dc03.domain
> base = DC=domain
> #tls = yes
> tls = no
> ldap_version = 3
> auth_bind = yes
> auth_bind_userdn = %u@domain
> #auth_bind_userdn = DOMAIN\%u
> dn = cn=,cn=Users,dc=domain
> dnpass =
>
> #scope = subtree
> #deref = never
>
> user_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> pass_attrs = userPassword=password
> user_attrs = Initials=quota_rule=*:storage=%$MB
> ---
>
>
> --
> Log trace using PORT 389:
> --
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A []
> Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A []
> Sep 7 19:00:35 dovecot: auth:
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Hi Matthias,

thank you very much! That fixed the problem.

I had worked around the problem by using "base = ou=, dc=dom" instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because that also worked (I don't know why, but the problem happens if you use just the domain as base, but not if you add a second level). But that forced me to use several userdb/passdb block definitions, one for each OU in which I have users, so I think that your fix is better.

I'm not able to understand the actual reason behind all this though...

What's the technical explanation behind this behaviour? I mean, it seems that the problem is that the Domain Controller (DC) was sending a "referrals" answer and dovecot auth made a connection to these other DCs but something went wrong (dovecot can't deal correctly with that kind of answer? I don't know).

Anyway, as far as I know:

1) A referral answer should be given by a DC when it can't provide the object that the client is requesting
2) REFERRALS off in ldap.conf means that the client should not follow referrals returned by the DC

So, if a referral answer is given by my DC, I think that is because such DC can't provide the object which the client is looking for, so why does it work fine just by telling dovecot: "Don't follow referrals"?

Regards

On 09/09/2015 at 17:22, Matthias Lay wrote:
> hi,
>
> check your
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured dns environments.
>
>
> you can debug the dns packets by strace-ing the auth process
>
>
>
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran wrote:
>
>> Hello,
>>
>> my dovecot installation has been working fine against AD till we upgrade from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to connect AD through 389 port. The port 3268 works fine though.
>>
>> (...)
>> Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
>> Sep 7 19:02:05 dovecot: imap-login: Internal login failure (pid=4846 id=1) (internal failure, 1 successful auths): user=<>, method=PLAIN, rip=, lip=, TLS, session=
>> (...)
>> Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting
>> Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): LDAP search returned multiple entries
>> (...)
>>
>> Is there a technical reason for this problem? Does it exist any workaround?
>>
>> The use of Global Catalog (port 3268) is not a solution for me, since it misses many attributes. (ex. I use the field "initials" to set the quota and this field is not available through port 3268).
>>
>> I also noticed that, now, it uses any DC available in the domain, it doesn't care what I configured in "hosts = " parameter.
>>
>> This is using "hosts = dc03.domain:389":
>> ---
>>
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
>> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
>> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>>
>> It looks like it does a look up for other domains controller (I don't know how nor why) and it connect aleatory to any DC in my domain (in this case dc06.domain, but it changes any time), additionally to the configured one (dc03.domain).
>>
>> This is using "hosts = dc03.domain:3268":
>>
>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>>
>> In this case, only the configured server in host parameter is used (I think this is the right behaviour)
>>
>>
>> Additional info:
>> ---
>> CentOS Linux release 7.0.1406 (Core)
>>
>> dovecot 2.2.10
>>
>> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
>> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
>> SQL driver plugins: mysql postgresql sqlite
>> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
>> Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
>>
>>
>> My /etc/dovecot/dovecot-ldap.c
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Hi Mark,

when I say AD 2003/8 I mean Active Directory 2003/8.

My configuration is attached.

I based my installation (dovecot+postfix) on the guides of this site: http://www.linuxmail.info

The LDAP part is this: http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

You can also use PAM to connect to AD (http://www.linuxmail.info/active-directory-dovecot-pam-authentication/) but that way doesn't allow retrieving custom fields from the AD (e.g. a field to set quota per user), so I'm using the standard LDAP method.

Regards

On 10/09/2015 at 4:51, Mark Foley wrote:
> Fran and/or Matthias,
>
> Could you publish your doveconf -n? I can't get dovecot to authenticate with my AD. Maybe you have a solution I could try.
>
> What mail client(s) are you using? I assume by "AD 2003/8" you mean SBS2003/8 and are therefore using Outlook?
>
> --Mark
>
> -Original Message-
>> Date: Wed, 9 Sep 2015 17:22:34 +0200
>> From: Matthias Lay
>> To: Dovecot Mailing List
>> Subject: Re: My dovecot works fine against Active Directory 2003, but not against AD2008
>>
>>
>> hi,
>>
>> check your
>>
>> /etc/openldap/ldap.conf
>>
>> for
>>
>> REFERRALS off
>>
>> I had these errors with "referrals on" in misconfigured dns environments.
>>
>>
>> you can debug the dns packets by strace-ing the auth process
>>
>>
>>
>>
>> On Tue, 8 Sep 2015 11:00:37 +0200
>> Fran wrote:
>>
>>> Hello,
>>>
>>> my dovecot installation has been working fine against AD till we upgrade from AD 2003 to AD 2008. As http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to connect AD through 389 port. The port 3268 works fine though.
>>>
>>> (...)
>>> Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
>>> Sep 7 19:02:05 dovecot: imap-login: Internal login failure (pid=4846 id=1) (internal failure, 1 successful auths): user=<>, method=PLAIN, rip=, lip=, TLS, session=
>>> (...)
>>> Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting
>>> Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): LDAP search returned multiple entries
>>> (...)
>>>
>>> Is there a technical reason for this problem? Does it exist any workaround?
>>>
>>> The use of Global Catalog (port 3268) is not a solution for me, since it misses many attributes. (ex. I use the field "initials" to set the quota and this field is not available through port 3268).
>>>
>>> I also noticed that, now, it uses any DC available in the domain, it doesn't care what I configured in "hosts = " parameter.
>>>
>>> This is using "hosts = dc03.domain:389":
>>> ---
>>>
>>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>>> tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
>>> tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
>>> tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
>>>
>>> It looks like it does a look up for other domains controller (I don't know how nor why) and it connect aleatory to any DC in my domain (in this case dc06.domain, but it changes any time), additionally to the configured one (dc03.domain).
>>>
>>> This is using "hosts = dc03.domain:3268":
>>>
>>> [root@ ~]# netstat -anp | grep dovecot | grep auth
>>> tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
>>>
>>> In this case, only the configured server in host parameter is used (I think this is the right behaviour)
>>>
>>>
>>> Additional info:
>>> ---
>>> CentOS Linux release 7.0.1406 (Core)
>>>
>>> dovecot 2.2.10
>>>
>>> Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
>>> Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
>>> SQL driver plugins: mysql postgresql sqlite
>>> Passdb: checkpassword ldap pam passwd passwd-file shadow sql
>>> Us
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Thanks again for the solution and for the explanation.

Fran

On 10/09/2015 at 15:40, Matthias Lay wrote:
> Hi Fran,
>
>
> this is not a dovecot problem, that's a pure dns problem and can only be fixed in your dns environment.
>
>
> referrals are propagated in a "special" dns design in SRV records. so the ldap client performs a dns lookup for these names and this is the point of hanging (as in most "hanging cases", it's dns).
>
> see:
> https://technet.microsoft.com/en-us/library/cc978014.aspx
> https://technet.microsoft.com/en-us/library/cc961719.aspx
> http://www.mail-archive.com/cas@tp.its.yale.edu/msg00797.html
>
> for information.
>
>
> Greetz Matze
>
>
>
>
> On Thu, 10 Sep 2015 13:10:57 +0200
> Fran wrote:
>
>> Hi Matthias,
>>
>> thank you very much! that fixed the problem.
>>
>> I had workaround the problem by using "base = ou=, dc=dom", instead of "base = dc=dom" in the dovecot-ldap.conf.ext file, because that also worked (I don't know why, but the problem happen if you use as base just the domain, but not if you add a second level). But that forced to me to use several userdb/passdb blocks definitions, one for each OU in which I have users, so I think that your fix is better.
>>
>> I'm not able to understand the actual reason behind all this though...
>>
>> What's the technical explanation behind this behaviour?? I mean, it seems to be that the problem is that the Domain controller (DC) was sending a "referrals" answer and dovecot auth made a connection to these others DC but something wrong happened (dovecot can't deal correctly with that kind of answers?? I don't know).
>>
>> Anyways, as far as I know:
>>
>> 1) A referral answer should be done by a DC when it can't provide the object that the client are requesting
>> 2) REFERRALS off in ldap.conf means that the client should not follow referrals returned by the DC
>>
>> So, if a referral answer is given from my DC, I think that is because such DC can't provide the object which the client is looking for, so, why works fine just by telling dovecot: "Don't follow referrals"?
>>
>> Regards
>>
>>
>>
>> On 09/09/2015 at 17:22, Matthias Lay wrote:
>>> hi,
>>>
>>> check your
>>>
>>> /etc/openldap/ldap.conf
>>>
>>> for
>>>
>>> REFERRALS off
>>>
>>> I had these errors with "referrals on" in misconfigured dns environments.
>>>
>>>
>>> you can debug the dns packets by strace-ing the auth process
>>>
>>>
>>>
>>>
>>> On Tue, 8 Sep 2015 11:00:37 +0200
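An added example, not from the thread and not OpenLDAP's or Dovecot's code, that models what Matthias explains and answers the "why does REFERRALS off lose nothing" question Fran asked earlier. A subtree search rooted at the domain (base = DC=dom) returns the user entries from the DC's own partition together with continuation references to the other naming contexts under that root (the DomainDnsZones and ForestDnsZones application partitions and any child domain); a search rooted one level down at an OU never crosses those partition boundaries, which is why the narrower base also worked. With referrals on, the OpenLDAP client library tries to resolve and connect to each referral host before it returns, and if those names only exist in AD-integrated DNS the auth process stalls. The referral URIs, the DNS answers, the two ldap.conf excerpts and the host names are constructed for the example.

```python
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed continuation references of the shape a domain controller
# returns to a subtree search based at the domain root (base = DC=dom):
# the DNS application partitions and a child domain are separate naming
# contexts, so the DC answers with referrals to them alongside the real
# entries. Host names and DNs are constructed, not taken from the thread.
SAMPLE_REFERRALS = [
    "ldap://ForestDnsZones.dom/DC=ForestDnsZones,DC=dom",
    "ldap://DomainDnsZones.dom/DC=DomainDnsZones,DC=dom",
    "ldap://child.dom/DC=child,DC=dom",
]

# Constructed stand-in for the mail host's DNS: the configured DC and one
# partition alias resolve, the rest do not (urlsplit lower-cases host names).
SAMPLE_DNS = {"dc03.dom": "192.0.2.10", "domaindnszones.dom": "192.0.2.10"}

# Two constructed /etc/openldap/ldap.conf excerpts: with the fix from the
# thread, and with the directive commented out so OpenLDAP's default applies.
LDAP_CONF_FIXED = "BASE dc=dom\nURI ldap://dc03.dom\nREFERRALS off\n"
LDAP_CONF_DEFAULT = "BASE dc=dom\nURI ldap://dc03.dom\n#REFERRALS off\n"


def chases_referrals(ldap_conf: str) -> bool:
    """True when the OpenLDAP client library would follow referrals.
    The default is on; only an explicit off/no/false turns it off."""
    chase = True
    for line in ldap_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "REFERRALS":
            chase = parts[1].strip().lower() not in ("off", "no", "false")
    return chase


def parse_referral(uri: str) -> Dict[str, object]:
    """Split an LDAP URL (scheme://host[:port]/dn) into host, port and DN."""
    u = urlsplit(uri)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return {"host": u.hostname, "port": port,
            "base_dn": unquote(u.path.lstrip("/"))}


def check_referrals(referrals: List[str], chase: bool,
                    resolve: Callable[[str], Optional[str]]) -> List[Dict[str, object]]:
    """For each referral decide what the client would do with it: ignore it
    (REFERRALS off) or try to connect, which needs the host to resolve first.
    `resolve` returns an address or None; it is injected so this runs offline."""
    findings = []
    for uri in referrals:
        ref = parse_referral(uri)
        if not chase:
            ref.update(action="ignored", resolves=None)
        else:
            ref.update(action="chased", resolves=resolve(ref["host"]) is not None)
        findings.append(ref)
    return findings


def blocking_hosts(findings: List[Dict[str, object]]) -> List[str]:
    """Hosts the client would look up and connect to but cannot resolve:
    the lookups that stall the auth process in the thread."""
    return sorted(f["host"] for f in findings
                  if f["action"] == "chased" and f["resolves"] is False)


if __name__ == "__main__":
    for label, conf in (("default ldap.conf", LDAP_CONF_DEFAULT),
                        ("REFERRALS off", LDAP_CONF_FIXED)):
        findings = check_referrals(SAMPLE_REFERRALS, chases_referrals(conf), SAMPLE_DNS.get)
        print(label, "->", [(f["host"], f["action"], f["resolves"]) for f in findings])
        print("  would block on:", blocking_hosts(findings))
```

Feeding the real referral list (ldapsearch prints them as `ref:` lines when run with referral chasing disabled) and a resolver backed by the mail host's actual DNS tells you, before touching Dovecot, which names the auth process would be waiting on.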
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Exactly, that's what I meant.

On 16/09/2015 at 15:37, Shawn Heisey wrote:
> On 9/12/2015 12:31 AM, Mark Foley wrote:
>> Hmmm, I've not heard of "Active Directory 2003" or 2008. The year numbers indicated to me you might be talking about Windows Small Business Server 2003 or 2008. Is your AD Server Windows? Linux? Something else? I'm using Samba4 AD/DC on Linux.
> The OP probably is referring to AD functional levels:
>
> https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx
>
> Thanks,
> Shawn
>
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
I'm sorry for the late response, I missed this mail. I'll answer your questions below. I'm sending a BCC of this mail to your personal address, but it seems to have some problem because your server bounces it:

On 12/09/2015 at 8:31, Mark Foley wrote:
> Fran - thanks for your reply. I'm cc'ing you directly on this as well as posting to the list as I'm not sure how often you check the list and I'm down to hanging by my last fingernail on this project.
>
> I have some preliminary questions interspersed below.
>
> Thanks, --Mark
>
> -Original Message-
>> Subject: Re: My dovecot works fine against Active Directory 2003, but not against AD2008
>> To: dovecot@dovecot.org
>> From: Fran
>> Date: Thu, 10 Sep 2015 13:26:21 +0200
>>
>> Hi Mark,
>>
>> when I say AD 2003/8 I mean Active Directory 2003/8.
> Hmmm, I've not heard of "Active Directory 2003" or 2008. The year numbers indicated to me you might be talking about Windows Small Business Server 2003 or 2008. Is your AD Server Windows? Linux? Something else? I'm using Samba4 AD/DC on Linux.

https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx

>> My configuration is attached.
> Thank you very much for that. If I make some headway, I'll likely have more questions on specifics.
>
>> I based my installation (dovecot+postfix) in the guides of this site:
>> http://www.linuxmail.info
>>
>> The LDAP part is this:
>> http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/
> If you were able to make sense out of these sites' tiny screen-shots and one-line descriptions my hat's off to you. "You're a better man than I am, Gunga Din!" If there was more detailed narrative somewhere I couldn't find it. Also, I don't have jXplorer on my system, so probably I couldn't get too far anyway.

You don't need jXplorer at all, in fact I didn't use it. If you need to browse through your LDAP directory you can use any LDAP browser.

The descriptions on that site are short, that's true, but it contains the essential info to adapt it to any similar environment. Don't take it as a step by step guide; unless you use exactly the same environment and versions, you won't find the same files in the same places. Try to understand how the different parts work and adapt it to your environment.

>
> BIG QUESTIONS:
>
> 1. Are you using MS Outlook IMAP clients in your environment? If so, how are you making them connect with LDAP? By checking the SPA checkbox?

There are Thunderbird, Roundcube, Outlook, iOS and Android clients in my environment. All of them use standard IMAP connections. I don't understand your question very well; the client doesn't need to connect with LDAP, it's dovecot itself that connects with AD to validate the IMAP user login.

>
> 2. The mail_gid/mail_uid as vmail confuses me. I see that setting a lot, including in your config. http://wiki2.dovecot.org/VirtualUsers says, "You can create, for example, one vmail user which owns all the mails, or you can assign a separate UID for each user." I have assigned a separate UID for each based on the UID returned by `wbinfo -u `. Does assigning separate UIDs mess up my ability to adapt your configuration?

I assigned one vmail user which owns all the mails. You can still use my configuration for many other parts though.

>
> little questions:
>
> 3. I'm not planning on using quotas. Can I safely omit your mail_plugins = " quota" setting and all your plugin { quota_...} settings? I want to be as simple as possible to start.

You don't need that plugin if you don't plan to use it.

>
> 4. Likewise, dovecot seems to be able to find users' mailboxes just fine. Can I omit the namespace inbox {} setting?

I don't think so.

This is my /etc/dovecot/conf.d/10-mail.conf:

mail_home = /home/vmail//%Lu
mail_location = maildir:~/Maildir
mail_uid = 1000
mail_gid = 1000

namespace inbox {
  # Namespace type: private, shared or public
  type = private
  inbox = yes

  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailb
[Dovecot] Help with vpopmail authentication
Hello,

Currently I have a qmail server with vpopmail+Courier-IMAP. I want to set up a new server in the DMZ to proxy IMAP connections and I have a doubt about the authentication method.

I've read that dovecot can use a vpopmail driver for authentication. As my user database/passwords are stored by vpopmail, I think that this would be the best method to check the auth logins against dovecot. But I've read the docs and many example configurations available on the WWW and I haven't found any reference to validating against an *external* vpopmail server. The example configurations don't contain any host/port, so I suppose that the driver tries to use a local vpopmaild.

In my case, I only want dovecot for proxying IMAP connections to my current mail server, without storing mails or user/password info on the dovecot server, because all that info is already stored in the real mailserver.

The ideal scenario would be this:

user ---IMAPs---> dovecot ---IMAP---> mailserver

Any advice will be welcome.

Regards and thank you very much in advance