Global sieve doesn't run and I don't know why
Hi Everyone,

I have dovecot, postfix, roundcube and Pigeonhole managesieve all working nicely together. Personal scripts defined in roundcube run without issue. I have configured the global sieve dir defined in 90-sieve.conf:

sieve_global_dir = /var/lib/dovecot/sieve/global/

I pre-compiled the script in there:

# ls -l /var/lib/dovecot/sieve/global/
total 8
-rw-r--r--. 1 root root 118 Sep 19 16:52 global.sieve
-rw-r--r--. 1 root root 197 Sep 19 16:56 global.svbin

But, in the logs for dovecot, I never see the script being run:

https://www.pastiebin.com/5ba3faa8628c2

Users are from freeipa. Their home directories are symlinks to where the mail really lives. For example:

lrwxrwxrwx. 1 ranbir virtual 42 May 25 2017 ranbir -> /var/spool/mail/domain.tld/ranbir/

And the contents of that dir:

[root@mailhost conf.d]# ls -al /home/DOMAIN/ranbir/
total 64
drwxrwx---. 4 ranbir virtual 4096 Sep 18 17:40 .
drwxrwx---+ 13 virtual virtual 4096 Jul 8 12:06 ..
-rw---. 1 ranbir ranbir 17808 Sep 20 01:13 .bash_history
-rw---. 1 ranbir ranbir 18 Dec 14 2015 .bash_logout
-rw---. 1 ranbir ranbir 193 Dec 14 2015 .bash_profile
-rw---. 1 ranbir ranbir 231 Dec 14 2015 .bashrc
lrwxrwxrwx. 1 virtual virtual 23 Feb 11 2018 .dovecot.sieve -> sieve/managesieve.sieve
lrwxrwxrwx. 1 virtual virtual 23 Sep 18 16:53 .dovecot.sieve.log -> sieve/dovecot.sieve.log
-rw-rw. 1 virtual virtual 322 Sep 18 17:40 .dovecot.svbin
-rw---. 1 ranbir ranbir 59 Jun 7 2016 .lesshst
drwx--. 56 virtual virtual 4096 Sep 20 15:02 Maildir
drwxrwx---. 3 ranbir virtual 89 Sep 18 17:16 sieve
-rw---. 1 ranbir ranbir 6415 Feb 11 2018 .viminfo

Did I miss something in the configuration? Dovecot isn't throwing any errors. I can only conclude I haven't completed the setup for global sieve to work or that I've misunderstood what the "sieve_global_dir" parameter is for.

Thanks!

-- 
Ranbir
Re: Global sieve doesn't run and I don't know why
On Fri, 2018-09-21 at 09:15 +0300, Aki Tuomi wrote:
> 1.
>
> set mail_debug=yes, try again, and check logs

The output copied and linked to on pastiebin.com is with mail_debug=yes set. I never see the global sieve script even read.

> 2.
>
> take one email (the whole email as source), store it as mail.eml and
> use sieve-test to find out if your script is broken.

I will do that. But, the global sieve is a verbatim copy of the filter I had in my personal sieve file. I only have one filter in the global sieve:

require ["fileinto"];
# rule:[Spam filter]
if header :contains "X-Spam-Flag" ["YES"]
{
        fileinto "Spam";
        stop;
}

I am perplexed!

-- 
Ranbir
Re: Global sieve doesn't run and I don't know why
On Thu, 2018-09-20 at 22:34 +0200, Stephan Bosch wrote:
> https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration#Executing_Multiple_Scripts_Sequentially

I've seen this suggested on this list and across the web. What I don't understand is why this is necessary when there is a config parameter to set a global sieve dir. It's not the order of filtering that is the problem, after all. My issue is that the sieve file in the global sieve dir isn't being used.

My dovecot server is running on a fully updated CentOS 7 server. The dovecot version I'm running is 2.2.10.

-- 
Ranbir
Re: Global sieve doesn't run and I don't know why
On Fri, 2018-09-21 at 23:09 +0300, Aki Tuomi wrote:
> Did you forget the pastebin link?

I had it in my first post. Here it is again:

https://www.pastiebin.com/5ba3faa8628c2

> Also 2.2.10 is ancient.

I totally understand, but it's what ships with "CentOS Linux release 7.5.1804 (Core)".

-- 
Ranbir
Re: Global sieve doesn't run and I don't know why
On Fri, 2018-09-21 at 20:07 +, Larry Rosenman wrote:
> Did you compile (sievec) the script?

Yes, I mentioned this in my first post. Here are the contents of the global sieve dir:

[root@mailhost global]# ls -al
total 8
drwxr-xr-x. 2 root root 44 Sep 21 16:12 .
drwxr-xr-x. 3 root root 19 Sep 11 12:04 ..
-rw-r--r--. 1 root root 118 Sep 19 16:52 global.sieve
-rw-r--r--. 1 root root 197 Sep 19 16:56 global.svbin

That looks ok to me. Plus, sievec didn't complain when I ran it on global.sieve.

-- 
Ranbir
Re: Global sieve doesn't run and I don't know why
On Fri, 2018-09-21 at 23:15 +0300, Aki Tuomi wrote:
> You probably wanted to use sieve_before instead of sieve_global.
> sieve_global is a directory which is used when you refer to scripts
> using the :global tag, not scripts run globally.

Awesome! Thank you for clarifying it for me. I was pretty confident I was misunderstanding what the global_sieve_dir parameter was for.

Thanks again!

-- 
Ranbir
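Aki's distinction above, written out as a 90-sieve.conf fragment. This is an added example, not configuration posted in the thread; the paths and the spam rule are the ones from this thread, and the comments describe Pigeonhole's documented behaviour for sieve_before and sieve_global_dir.

```conf
# conf.d/90-sieve.conf  (added example; paths are the ones quoted in this thread)
plugin {
  # The per-user script, managed through ManageSieve/Roundcube.
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve

  # Scripts listed here run BEFORE the user's own script on every delivery.
  # A single file is given here; a directory is also accepted, in which case
  # every *.sieve in it runs in alphabetical order. Compile with
  #   sievec /var/lib/dovecot/sieve/global/global.sieve
  # after each change (root-owned, not writable by the mail user, so a
  # user's ManageSieve-uploaded script cannot alter or bypass it).
  sieve_before = /var/lib/dovecot/sieve/global/global.sieve

  # Only consulted when a script executes `include :global "name"`.
  # Nothing in this directory runs on its own.
  sieve_global_dir = /var/lib/dovecot/sieve/global/
}

# /var/lib/dovecot/sieve/global/global.sieve (the rule from this thread).
# Note: `stop` ends this script only; the user's script still runs afterwards,
# but a message already filed into "Spam" by this script is not re-delivered
# to INBOX by an implicit keep in the later script.
#
# require ["fileinto"];
# if header :contains "X-Spam-Flag" ["YES"] {
#     fileinto "Spam";
#     stop;
# }
```

With mail_debug=yes the LMTP/LDA log then shows the sieve_before script being opened before the user script, which is the line the poster was looking for and never saw with sieve_global_dir alone.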
Re: Global sieve doesn't run and I don't know why
On Thu, 2018-09-20 at 22:34 +0200, Stephan Bosch wrote:
> https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration#Executing_Multiple_Scripts_Sequentially

You were right! Thanks. At least I knew I was probably using the global_sieve_dir parameter incorrectly. :)

-- 
Ranbir
pam dovecot not working with authentication from roundcube
Hi Everyone,

I made some small changes in my dovecot setup to switch it from looking up users and passwords from a mix of ldap (i.e. freeipa) and password files. One of the changes was to switch from using one id for all authentication to using individual ids.

It's working fine with Evolution. I have one account authenticating with GSSAPI, which is my userid for logging into my desktop and for email. The other account in Evolution is logging in using PLAIN and is only used for email (its shell is set to /sbin/nologin).

The problem is with roundcube: I can login with the second, email only account, but my personal ID always errors out. I never use the domain with either one.

auth worker: PASSV: pam_sss(dovecot:auth): authentication failure; logname= uid=97 euid=97 tty=dovecot ruser=ranbir rhost=1.2.3.4 user=ranbir
auth worker: PASSV: pam_sss(dovecot:auth): received for user ranbir: 17 (Failure setting user credentials)

It doesn't matter what user or group I use for unix_listener. If I use 0777 for the mode, I still see the failure and dovecot goes to try the name against the passwd-file, where it obviously fails.

This is the pam error:

auth-worker(4474): pam(ranbir,1.2.3.4,): pam_authenticate() failed: Authentication failure (password mismatch?)

What have I misconfigured?

Here's the "service auth" section:

service auth {
  chroot = 
  client_limit = 0
  drop_priv_before_exec = no
  executable = auth
  extra_groups = 
  group = 
  idle_kill = 0
  inet_listener {
    address = 9.8.7.5
    haproxy = no
    port = 17900
    reuse_port = no
    ssl = no
  }
  privileged_group = 
  process_limit = 1
  process_min_avail = 0
  protocol = 
  service_count = 0
  type = 
  unix_listener auth-client {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-login {
    group = 
    mode = 0600
    user = $default_internal_user
  }
  unix_listener auth-master {
    group = 
    mode = 0600
    user = 
  }
  unix_listener auth-userdb {
    group = 
    mode = 0777
    user = $default_internal_user
  }
  unix_listener login/login {
    group = 
    mode = 0666
    user = 
  }
  unix_listener token-login/tokenlogin {
    group = 
    mode = 0666
    user = 
  }
  user = $default_internal_user
  vsz_limit = 18446744073709551615 B
}

Any guidance is appreciated.

-- 
Ranbir
Re: pam dovecot not working with authentication from roundcube
On Wed, 2020-09-16 at 23:03 -0400, Ranbir wrote:
> auth worker: PASSV: pam_sss(dovecot:auth): authentication failure;
> logname= uid=97 euid=97 tty=dovecot ruser=ranbir rhost=1.2.3.4
> user=ranbir
> auth worker: PASSV: pam_sss(dovecot:auth): received for user ranbir:
> 17 (Failure setting user credentials)
> It doesn't matter what user or group I use for unix_listener. If I use
> 0777 for the mode, I still see the failure and dovecot goes to try the
> name against the passwd-file, where it obviously fails.
>
> This is the pam error:
>
> auth-worker(4474): pam(ranbir,1.2.3.4,):
> pam_authenticate() failed: Authentication failure (password
> mismatch?)

Does anyone have any insight? I'm stumped. Why is Evolution working with both accounts and only one from roundcube?

If I switch back to ldap lookups, all logins and lookups from roundcube and my phone start working again.

-- 
Ranbir
Re: [solved] pam dovecot not working with authentication from roundcube
On 2020-09-17 20:20, Ranbir wrote:
> This is the pam error:
>
> auth-worker(4474): pam(ranbir,1.2.3.4,): pam_authenticate() failed: Authentication failure (password mismatch?)

Replying to myself here...

I managed to fix the pam problem once I realized that Roundcube didn't know what to do with the second factor auth dovecot (namely the pam module) was presenting to it. I removed the OTP requirement from the ID that couldn't login. Login still didn't work until I also modified the user's ldap entry directly to remove an extra attribute (krbExtraData).

Here's the link to the post in the freeipa user list that explains the OTP removal problem and fix:

https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/thread/EN5TJCEAVH5NMGLOMF5IF2TXVFIDGOQY/

Now the user id is successfully looked up via dovecot and roundcube logins are working again.

-- 
Ranbir
Public mailboxes and IPA (LDAP)
Hi Everyone,

I have a working Dovecot server that is using my IPA domain to lookup users and passwords. I also have a "public" namespace that has the inboxes for public email accounts.

Everything is working for "regular" private email boxes. But, I can't see new messages delivered to any of the public inboxes. Incoming emails get delivered to the correct locations for the public inboxes: I just don't see them in my email clients.

I'm not sure what the problem is since I don't see an error in the dovecot logs.

I also don't want to use the home directory location as provided by the IPA domain. I've worked around it by using file system symlinks, but I'd much rather just ignore the IPA provided home directory. I'm wondering if my workaround is the culprit behind new messages to the public folders not being seen by the client.

Here's my config:

# 2.2.10: /etc/dovecot/dovecot.conf
auth_cache_negative_ttl = 0
auth_cache_size = 1 k
auth_debug = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/imap.keytab
auth_mechanisms = plain gssapi
auth_realms = SOME.REALM
auth_username_format = %Ln
auth_verbose = yes
first_valid_uid = 1000
hostname = server
listen = 1.1.1.1
mail_gid = virtual
mail_location = maildir:~/Maildir
mail_plugins = quota acl
mail_uid = virtual
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace {
  location = maildir:/var/spool/mail/domain.tld/public
  prefix = Public.
  separator = .
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  quota = maildir:User quota
  quota_rule = *:storage=500M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@%d
protocols = imap lmtp
service auth-worker {
  user = $default_internal_user
}
service auth {
  inet_listener {
    address = 1.1.1.1
    port = 17900
  }
  unix_listener auth-userdb {
    group = virtual
    mode = 0600
    user = virtual
  }
}
service imap-login {
  process_min_avail = 2
  service_count = 1
}
service lmtp {
  inet_listener lmtp {
    address = 1.1.1.1
    port = 24
  }
}
ssl = required
ssl_cert =
Re: Public mailboxes and IPA (LDAP)
On Thu, 2017-05-25 at 16:28 -0400, Ranbir wrote:
> Everything is working for "regular" private email boxes. But, I can't
> see new messages delivered to any of the public inboxes. Incoming
> emails get delivered to the correct locations for the public inboxes:
> I just don't see them in my email clients.
>
> I'm not sure what the problem is since I don't see an error in the
> dovecot logs.
>
> I also don't want to use the home directory location as provided by
> the IPA domain. I've worked around it by using file system symlinks, but
> I'd much rather just ignore the IPA provided home directory. I'm
> wondering if my workaround is the culprit behind new messages to the
> public folders not being seen by the client.

Answering my own question

I ended up creating a second set of passdb and userdb lookups that use a passwd-file. The passwd-file only contains the "users" for the public mailboxes. The file returns the public mailboxes' home folders and the extra field, userdb_mail. Now I can see new emails arriving at the public mailboxes properly.

Oh, I also removed from my IPA server the accounts for the public mailboxes.

Maybe there's another way to do this. But, I tried a whole whack of stuff and this is the only method that has worked. :/

-- 
Ranbir
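What the reply above describes, a second passdb/userdb pair backed by a passwd-file that carries only the public-mailbox "users", written out as an added example (mine, not Ranbir's files). The file name, the account names, the uid/gid of the "virtual" user and the password hash are assumptions; the public namespace location is the one from the config above, and the passwd-file field layout is Dovecot's documented user:password:uid:gid:gecos:home:shell:extra_fields.

```conf
# /etc/dovecot/conf.d/10-auth.conf  (added example)
# IPA stays the primary passdb; the passwd-file is only tried when IPA says NOTFOUND.
passdb {
  driver = ldap
  args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/passwd.public
}
userdb {
  driver = ldap
  args = /etc/dovecot/conf.d/dovecot-ldap.conf.ext
}
userdb {
  driver = passwd-file
  args = /etc/dovecot/passwd.public
}

# /etc/dovecot/passwd.public  (added example; mode 0600, owned by root)
# user:password:uid:gid:gecos:home:shell:extra_fields
# - uid/gid 5000 stand in for the "virtual" user (assumption: check with `id virtual`).
# - The home is the public namespace root; userdb_mail points INBOX at the
#   public folder the account delivers into, so LMTP for ads@domain.tld lands
#   in Public.Ads instead of a private Maildir.
# - Password hash is a placeholder; generate one with `doveadm pw -s SHA512-CRYPT`.
#   Leave the field empty if these accounts must never log in over IMAP and are
#   only delivery targets (then the ldap passdb alone answers logins).
ads:{SHA512-CRYPT}PLACEHOLDER_HASH:5000:5000::/var/spool/mail/domain.tld/public::userdb_mail=maildir:/var/spool/mail/domain.tld/public:INBOX=/var/spool/mail/domain.tld/public/.Ads
bills:{SHA512-CRYPT}PLACEHOLDER_HASH:5000:5000::/var/spool/mail/domain.tld/public::userdb_mail=maildir:/var/spool/mail/domain.tld/public:INBOX=/var/spool/mail/domain.tld/public/.Bills
```

Keeping the IPA passdb first means a real IPA account with the same name as a public mailbox wins, which is why the reply also removed those accounts from IPA: two sources answering for one name is exactly the ambiguity that makes "mail delivered but not visible" hard to debug. `doveadm user ads` and `doveadm auth test ads` show which database answered.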
Dovecot SASL and GSSAPI (IPA)
Hi Everyone,

I'm currently using dovecot SASL in postfix and passwd-file in dovecot for authenticating my users. I want to switch to using IPA instead. I have both the postfix (mailman01) and dovecot (mailman02) servers joined to the IPA domain. I have GSSAPI working in dovecot for IMAP. But, the SASL GSSAPI authentication in postfix fails with this error:

warning: unknown[10.200.5.100]: SASL GSSAPI authentication failed:

This is what dovecot logs:

Dec 12 22:31:54 mailman02 dovecot: auth: Debug: auth client connected (pid=0)
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for s...@mailman02.theinside.rnr
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1

I've tried changing the "smtpd_sasl_local_domain" in postfix's main.cf file to "mailman02.theinside.rnr", but I get the same errors in dovecot and postfix. Right now the config in postfix looks like this:

import_environment="KRB5_KTNAME=/etc/postfix/smtp.keytab"
smtpd_sasl_local_domain = mailman01.theoutside.rnr

Does what I'm trying to do make sense? If so, how do I fix it? Do I have to stop using dovecot sasl in postfix and switch to cyrus sasl?

-- 
Ranbir
Re: Dovecot SASL and GSSAPI (IPA)
On Mon, 2015-12-14 at 09:10 -0600, Manuel Delgado wrote:
> This is more a postfix question but I have done these configs before
> in a BETA-Lab and it's a real pain. I'll be glad to help if I can.
>
> In my environment I had postfix directly authenticating SASL with the
> IPA server (FreeIPA) using Cyrus SASL libs. In IPA the service must be
> registered with principal smtp/HOSTNAME.

I managed to get past the SASL GSSAPI errors in postfix and now I'm seeing this in dovecot whenever postfix tries to deliver a message via lmtp:

Dec 14 17:24:49 mailman02 dovecot: auth: Debug: password(ran...@theinside.rnr,DESKTOP): passdb doesn't support credential lookups
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: password(ran...@theinside.rnr,DESKTOP): Credentials:
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: client passdb out: OK 1 user=ran...@theinside.rnr
Dec 14 17:24:49 mailman02 dovecot: imap(ran...@theinside.rnr): Debug: acl vfile: file /var/spool/mail/thesandhufamily.ca/ranbir/Maildir/.Sent/dovecot-acl not found
Dec 14 17:24:49 mailman02 dovecot: lmtp(15525): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
Dec 14 17:24:49 mailman02 dovecot: lmtp(15525): Connect from POSTFIX
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: master in: USER 2 ran...@thesandhufamily.ca service=lmtp lip=DOVECOT lport=24 rip=POSTFIX rport=56214
Dec 14 17:24:49 mailman02 dovecot: auth-worker(15521): Debug: passwd(ran...@thesandhufamily.ca,POSTFIX): lookup
Dec 14 17:24:50 mailman02 dovecot: auth-worker(15521): passwd(ran...@thesandhufamily.ca,POSTFIX): unknown user
Dec 14 17:24:50 mailman02 dovecot: auth: Debug: userdb out: NOTFOUND 2

Obviously postfix replies with a "user doesn't exist" message.

I've tried creating a ldap_aliases file (and I added the config in main.cf) which should allow postfix to do a bind to my freeipa box, but postfix appears to never even try the ldap lookup. A manual test works OK, so I know the ldap_aliases file was done correctly.

Is it possible in Dovecot to translate the mail address lookup from postfix into just a "uid" search? If I could do that, Dovecot would find "ranbir" and report back to postfix the user exists.

-- 
Ranbir
Re: Dovecot SASL and GSSAPI (IPA)
On Mon, 2015-12-14 at 17:53 -0500, Ranbir wrote:
> Is it possible in Dovecot to translate the mail address lookup from
> postfix into just a "uid" search? If I could do that, Dovecot would
> find "ranbir" and report back to postfix the user exists.

I sent this and then realized I could just strip the domain in Dovecot with "auth_username_format = %Ln". Doh!

Anyway, I figured it all out. I now have my IPA joined Dovecot + Postfix system using GSSAPI and PLAIN. The passwd database is using pam (i.e. sss) and the user database is configured to use password-file. I stuck with the password-file for the userdb because it was simply much easier to add the mail location for my public imap folders to it than adding them to my IPA server which would have required me to extend the LDAP schema. I've struggled enough as it is! :P

-- 
Ranbir
Slow auth
Hi Everyone,

I'm running dovecot on a CentOS 7 box using PLAIN and GSSAPI auth. I need to use both because I have some clients that can't use GSSAPI. I haven't been able to get the userdb working properly without a password file and a userdb file. For example, I have to set the home default and change the username_format. I use FreeIPA and the dovecot server is joined properly to the realm. Authentication works (I don't have any passwords in the userdb file).

The problem is authentication is slow. When I use Roundcube, the login takes longer than it should. In fact, every operation (changing folders, opening an email, replying, etc.) is just slow. The web server where Roundcube is running is barely loaded, the dovecot server isn't loaded and the FreeIPA server is basically sitting idle.

When I watch /var/log/secure as I login to roundcube, I see this in the logs:

http://pastebin.ca/3620032

Why is pam_unix being hit and then pam_sss? I'm thinking the pam_unix failures are the reason why the auth is slow.

Here's the output from dovecot -n:

http://pastebin.ca/3620029

I'm sure I haven't configured something correctly, hence the performance problems. Any help would be appreciated.

-- 
Ranbir
Re: Slow auth
On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
> You have Pam as your passdb driver.

Yes, because I have to. How else would I get Dovecot to authenticate users against my FreeIPA server?

-- 
Ranbir
Re: Slow auth [solved]
On Tue, 2016-06-07 at 11:24 -0700, Laz C. Peterson wrote:
> Or, you can also try PAM using Kerberos, instead of Winbind (or
> whatever you are using with PAM). Just a thought.

So I did a tad bit more research because I didn't want to configure Dovecot to use LDAP. I wanted to use pam because the dovecot pam module would continue to be used. It's just easier that way!

Anyway, I noticed this option for the pam driver in passdb:

cache_key=

I ended up adding this to the "args" list:

cache_key=%u%n

I also set these:

auth_cache_size = 1024
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 0

Now Roundcube is flying again, just like it was before I made Dovecot use FreeIPA. The slow auth issue is gone.

Thanks for listening!

-- 
Ranbir
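The settings from the message above collected into one passdb/auth fragment, as an added example that is not the poster's own dovecot -n output. The PAM service name "dovecot" and the 10M cache size are assumptions (the poster used 1024, which Dovecot reads as bytes); cache_key=%u%n is the value from the thread.

```conf
# conf.d/10-auth.conf  (added example)
passdb {
  driver = pam
  # cache_key switches the auth cache on for this passdb (PAM cannot return a
  # password hash, so without a key nothing is cached and every IMAP login from
  # Roundcube walks the whole PAM stack: pam_unix fails, then pam_sss asks IPA).
  # %u = full username, %n = the user part; "dovecot" is the PAM service,
  # i.e. /etc/pam.d/dovecot.
  args = cache_key=%u%n dovecot
}

# The cache is only active when a size is set. 10M holds thousands of entries;
# "1024" would be 1024 bytes.
auth_cache_size = 10M

# A cached success answers logins without consulting PAM/sssd until it expires,
# so a password change or an account disable in IPA is honoured only after this
# long. Choose the TTL against that window, not only against Roundcube latency.
auth_cache_ttl = 1 hour

# 0 means failures are never cached: a mistyped password goes straight back
# to PAM on the next attempt instead of being refused from cache.
auth_cache_negative_ttl = 0
```

`doveadm auth cache flush` (optionally with a username) drops cached entries immediately, which is the control to reach for when an account has to be locked out before the TTL runs down.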
Migrated from maildir to sdbox: questions
Hi Everyone,

I migrated my maildir mailboxes to sdbox without any show stopping errors, but I did see this during the migration and now I'm also seeing it in the log:

Warning: quota: Namespace '' is not Maildir, skipping for Maildir++ quota

I'm not quite sure why this is happening. Any ideas?

I am using a "public" namespace for several mailboxes to share emails:

# public namespace configuration
namespace {
  type = public
  # the default separator for Maildir is ".", so that is what should be
  # used automatically.
  separator = .
  prefix = Public.
  location = maildir:/var/spool/mail/thesandhufamily.ca/public
  subscriptions = no
}

Under the "public" dir in the old maildir setup, I have folders configured for various mail accounts. For example:

.Ads
.Junk
.Bills
etc.

These "users" are setup in a passwd file so that I can use a different mail storage location for them than the one they get from ldap (same as above).

Using dsync to migrate my other mailboxes was easy, but I don't know how to migrate these public mailboxes. I looked through the wiki and didn't see anything about how to do it.

Could someone explain how I can migrate the public mailboxes?

-- 
Ranbir
Re: Migrated from maildir to sdbox: questions
On Thu, 2019-06-13 at 13:05 +, Daniel Betz via dovecot wrote:
> i think you're just using the wrong quota backend.
>
> https://wiki2.dovecot.org/Quota
>
> You should switch from "quota = maildir" to another one, like
> dict.

I switched to "quota = count:User quota" (as Aki suggested) and now the errors are gone. Thanks to both of you!

> Converting your Public mailbox you could try this ( no guarantee ..
> just guessing. make backup ! ):
> doveadm -o mail_location="maildir:/var/spool/mail/thesandhufamily.ca/public" sync sdbox:/target/folder

Thanks for the pointer! This is what worked for me (no errors):

doveadm -o mail_location="maildir:/var/spool/mail/thesandhufamily.ca/public" sync sdbox:/var/spool/mail/thesandhufamily.ca/public-mail/

I was using a "." as the separator in my private inbox and public namespaces when I was using maildir. I still have "." set and don't appear to be having any issues now that I've migrated to sdbox. However, when I try to switch the separator to "/", I get errors like this:

Error: namespace configuration error: list=yes namespace missing

I had changed the "list" parameter for both namespaces to "children" and "no", but I still got the same error. I also can't access my mailboxes after changing the separator to "/". Changing the config back to "." returns me to a working setup.

What am I missing/not understanding?

Thanks in advance!

-- 
Ranbir
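The post-migration state described above, as an added example (my fragment, not the poster's config): both namespaces on sdbox with the count quota backend. The sdbox paths are the ones the poster's doveadm sync wrote to; quota_vsizes is Dovecot's documented requirement for the count backend. The "list=yes namespace missing" error is what Dovecot reports when no namespace has list=yes, so the example keeps list=yes on both.

```conf
# conf.d/10-mail.conf / 15-mailboxes.conf  (added example)
# Private mailboxes, migrated with dsync to sdbox under each user's home.
mail_location = sdbox:~/sdbox

namespace inbox {
  inbox = yes
  prefix =
  separator = .
  # At least one namespace must keep list=yes; setting "children"/"no" on
  # every namespace produces "namespace configuration error: list=yes
  # namespace missing" and no mailbox can be listed at all.
  list = yes
}

namespace public {
  type = public
  prefix = Public.
  separator = .
  # Target of: doveadm -o mail_location="maildir:/var/spool/mail/thesandhufamily.ca/public" \
  #              sync sdbox:/var/spool/mail/thesandhufamily.ca/public-mail/
  location = sdbox:/var/spool/mail/thesandhufamily.ca/public-mail
  subscriptions = no
  list = yes
}

# conf.d/90-quota.conf
plugin {
  # The Maildir++ backend only understands Maildir, hence the
  # "Namespace '' is not Maildir, skipping for Maildir++ quota" warning on sdbox.
  # count keeps sizes in the index instead of a maildirsize file.
  quota = count:User quota
  quota_rule = *:storage=500M
  # Required by the count backend: virtual sizes are recorded in the index.
  quota_vsizes = yes
}
```

Changing a separator after data exists is a separate problem from list=: with "/" every existing "Public.Ads"-style name would have to be reachable as "Public/Ads", so run `doveadm mailbox list -u <user>` before and after any separator change and keep the sdbox tree read-only (or backed up) until the listing matches.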
Dovecot and IPA
Hello,

I'm trying to get Dovecot to use GSSAPI for authentication. I have an IPA server on CentOS 7 with a bunch of my servers attached to the IPA domain, including the server running Dovecot.

I've followed official documentation from Red Hat and read numerous wiki articles on how to configure Dovecot to get it to use GSSAPI correctly. I don't think I've done anything incorrectly, but it refuses to work. This is the error I'm seeing:

mailman02 dovecot: imap-login: Disconnected (tried to use unsupported auth mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS, session=

I don't understand why no username is being passed. My mail client is Evolution 3.10.4.

FYI, Dovecot does work fine using a user/password file. I'm just trying to switch it over to GSSAPI so that I can manage passwords from one system.

Any help would be appreciated.

Regards,
Ranbir

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Sun, 2015-09-06 at 17:41 -0400, Kanwar Ranbir Sandhu wrote:
> I've followed official documentation from Red Hat and read numerous wiki
> articles on how to configure Dovecot to get it to use GSSAPI correctly.
> I don't think I've done anything incorrectly, but it refuses to work.
> This is the error I'm seeing:
>
> mailman02 dovecot: imap-login: Disconnected (tried to use unsupported
> auth mechanism): user=<>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, TLS,
> session=
>
> I don't understand why no username is being passed. My mail client is
> Evolution 3.10.4.

Anyone? I could really use some help with troubleshooting my setup. Kerberos + Dovecot apparently works really well, but not for me...yet. :(

Ranbir

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Mon, 2015-09-07 at 09:14 -0600, Manuel Delgado wrote:
> Hi Ranbir
>
> I've worked with freeIPA a little, but without your doveconf or some other
> context information, it is difficult to identify the issue.

Crap...I meant to include that. Here's what it looks like when I enable GSSAPI:

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-229.11.1.el7.x86_64 x86_64 CentOS Linux release 7.1.1503 (Core)
auth_default_realm = theinside.rnr
auth_gssapi_hostname = mailman02.theinside.rnr
auth_krb5_keytab = /etc/imap.keytab
auth_mechanisms = gssapi
auth_realms = theinside.rnr
hostname = imap.thesandhufamily.ca
listen = 1.1.0.0
mail_gid = virtual
mail_location = maildir:~/Maildir
mail_plugins = quota acl
mail_uid = virtual
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mbox_write_locks = fcntl
namespace {
  location = maildir:/var/spool/mail/thesandhufamily.ca/public
  prefix = Public.
  separator = .
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
plugin {
  acl = vfile
  quota = maildir:User quota
  quota_rule = *:storage=500M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@%d
protocols = imap lmtp
service auth-worker {
  user = $default_internal_user
}
service auth {
  inet_listener {
    address = 1.1.0.0
    port = 17900
  }
  unix_listener auth-userdb {
    group = virtual
    mode = 0600
    user = virtual
  }
}
service imap-login {
  process_min_avail = 5
}
service imap {
  process_limit = 10
}
service lmtp {
  inet_listener lmtp {
    address = 1.1.0.0
    port = 24
  }
}
ssl = required
ssl_cert =
Re: Dovecot and IPA
On Mon, 2015-09-07 at 17:07 +0200, Benny Pedersen wrote:
> Kanwar Ranbir Sandhu skrev den 2015-09-07 16:47:
>
> > Kerberos + Dovecot apparently works really well, but not for
> > me...yet. :(
>
> you chose to use a precompiled problem from redhat, no ?

Yes. Well, not Red Hat directly - I'm using CentOS.

> back to your problem, are you sure the maintainer at redhat enabled kerberos
> auth login ?

Yes, I can see AUTH=GSSAPI when I telnet to the server and get a list of Dovecot's capabilities.

> if you need more help ask the maintainer for the rpm package, or if still
> convinced it's a bug in dovecot show dovecot -n, i have lost track if you
> already have, but let's take it from there on

I don't think it's a bug in Dovecot. I have a feeling I have a misconfiguration, but I can't figure out what it is. I sent my config in a reply to another list member's message. Maybe the broken part will jump out now.

Thanks,
Ranbir

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Mon, 2015-09-07 at 18:39 +0200, Benny Pedersen wrote:
> Kanwar Ranbir Sandhu skrev den 2015-09-07 18:02:
>
> > args = uid=virtual gid=virtual home=/var/spool/mail/%d/%n/
>
> uid and gid must be numeric just like output from id
>
> id virtual
>
> make the args have same info

That's never caused any issues before. In fact, in my normal configuration (i.e. no GSSAPI auth) it works just fine. Is GSSAPI auth the only auth method that needs a numeric ID?

Regards,
Ranbir

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Mon, 2015-09-07 at 18:39 +0200, Benny Pedersen wrote:
> Kanwar Ranbir Sandhu skrev den 2015-09-07 18:02:
>
> > args = uid=virtual gid=virtual home=/var/spool/mail/%d/%n/
>
> uid and gid must be numeric just like output from id
>
> id virtual
>
> make the args have same info

I tried it for shits and giggles: no change. :( I'm still seeing the same problem.

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Mon, 2015-09-07 at 13:29 -0400, Kanwar Ranbir Sandhu wrote:
> I tried it for shits and giggles: no change. :( I'm still seeing the
> same problem.

I forgot to add some additional errors I've seen in the logs:

http://pastebin.ca/3155329

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Mon, 2015-09-07 at 20:37 +0300, Timo Sirainen wrote:
> It says "tried to use unsupported auth mechanism". In your later mail
> you say that telnet shows AUTH=GSSAPI in capabilities. So that would
> mean that the client isn't using AUTHENTICATE GSSAPI but something
> else.

I'd been considering that perhaps my version of Evolution was too old, so I upgraded from Fedora 20 to Fedora 22: still doesn't work. :/

> Set auth_debug=yes and/or see what the client actually does by
> enabling pre-login rawlog: http://wiki2.dovecot.org/Debugging/Rawlog

Alright, I enabled it. I have some logs, but I'm not clear on what I should and shouldn't include here. Can I just copy and paste both in and out logs verbatim without inadvertently giving up my passwords or something??

Regards,
Ranbir

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Mon, 2015-09-07 at 23:15 +0200, Benny Pedersen wrote:
> change password before debug logs
>
> then run debug
>
> change password
>
> paste it
>
> is safe

Here's the in rawlog:

1441680001.046492 B1 AUTHENTICATE GSSAPI
1441680001.051720 YIICZQYJKoZIhvcSAQICAQBuggJUMIICUKADAgEFoQMCAQ6iBwMFACCjggFlYYIBYTC
CAV2gAwIBBaEPGw1USEVJTlNJREUuUk5SoiowKKADAgEDoSEwHxsEaW1hcBsXbWFpbG1hbj
AyLnRoZWluc2lkZS5ybnKjggEXMIIBE6ADAgESoQMCAQKiggEFBIIBAQc2ZO0LqkT03rNse
kmt522hC/aiXw/TLsQmI687pJUmMCky/aeyFpOr4SL3fcvd7PD4FXh193hgo+XUfky8eoCc
L8Ajd3ck/wg0qGd3sHmiwJAmrRNf/eCrENv6GbHqKjIq+S7fo9UesVWFuF+UgRVLWmOBZfM
fX7oj6i4U4vBT5SwxHZ+YQtxf7oDl1cXPz7s+53AXe7rr9HoCheavTu7h682l2nPkw8+U1j
ZiwXXstZtf5eG/K+wDe8omDzehDB5SaqeZ2nQNtr7CeRxgBGpDjtajVf5jkFf2GBDsZDeoG
ABLAF++RcLxdyDQvVRFe0EeLs1qUXxX9ThNwTmnbCfRpIHRMIHOoAMCARKigcYEgcP4Mqy1
HrNRK79HY89oRG9tpP0FyDuWd38xXd/pKfqFl0NDkENdBHXUSsyOVKYsNFSncf1EIRL2s1s
fWnV1Folk2HB/JvtEJD3eA1+f5wSXiT5pcmc/5tE+Bdf8n8wC0ExGx3RrM0cffjr/CgR7SE
6z9MHUn2UPGIFyoq7zDFrD5ILV5KyZd2zm86prr8tziEZ3wmYQbVsx3rEG1lJ193Z++S2yj
57+fGoJ7jA56GXNChfB/hFNx4xs2QSzCjccy0D+3RI=
1441680001.087279
1441680001.087982 BQQE/wAMFP2szwH///9yYW5iaXKB/Devj+/oz2utdNs=

Here's the out rawlog:

144168.950204 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
1441680001.049592 +
1441680001.085562 + YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv03ycmqWKFL9
foDag8BqF5je64ekOG0UCpcDfT4v3ZwNLLhZL/Fo0THb+xD09LJcGM2AtTzRMFFV8V7YHSV
L1q+/X9exo0mxU6tMeHmXhMDq71PDcqB5zKdCpTmhakqny5x/vLM47xlnzj+oqwgnY
1441680001.087338 + BQQF/wAMJbP26AH///8IAt4FH+6nauwY4Oc=
1441680001.096713 B1 NO [UNAVAILABLE] Temporary authentication failure. [mailman02.theinside.rnr:2015-09-08 02:40:01]
1441680001.096726 * OK Waiting for authentication process to respond..

Ranbir

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Tue, 2015-09-08 at 13:11 +0300, Timo Sirainen wrote:
> I guess it's now crashing with this:
>
> auth: Panic: file auth-request.c: line 733
> (auth_request_is_disabled_master_user): assertion failed: (request
> ->requested_login_user != NULL)
>
> That's a bug in the Dovecot version you're using. Upgrade.

That's just awesome. I saw that in the debug log before I posted to the list, but I was hoping it was being triggered by a bad configuration on my part. :/

Ima screwed until an update is released by the CentOS team and they'll be waiting until Red Hat does something about it. :: cries ::

Thanks to everyone for the help! At least now I know it's not my fault.

Regards,
Ranbir

-- 
Kanwar R.S. Sandhu
Re: Dovecot and IPA
On Tue, 2015-09-08 at 19:27 +0300, Timo Sirainen wrote:
> You can probably work around that by configuring something like:
>
> passdb {
>   driver = passwd-file
>   args = /etc/dovecot/passwd.master
>   master = yes
> }
>
> The passwd.master file itself can be empty.

Where do I add this config: in auth-static.conf.ext? I take it a master user isn't absolutely required, but to work around this bug, one must be configured?

Ranbir

-- 
Kanwar R.S. Sandhu