[Dovecot] dovecot not delivering emails in the right folder

2011-02-05 Thread paulino
Hello everyone,

I'm having trouble getting postfix + dovecot to work correctly.
It seems like Postfix is receiving and delivering the emails correctly but
 dovecot is placing/looking for them in the wrong folder therefore the
clients aren't receiving any new emails.

I switched from courier and followed a tutorial found here:
http://library.linode.com/email/postfix/dovecot-mysql-debian-5-lenny

Dovecot's log:

deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: Module loaded: /usr/lib/dovecot/modules/lda/lib90_cmusieve_plugin.so
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: adomain.com/test/@adomain.com
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: uid=5000
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: gid=5000
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: home=/home/vmail/adomain.com/adomain.com/test/
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: maildir: data=/home/vmail/adomain.com/adomain.com/test/
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: maildir: root=/home/vmail/adomain.com/adomain.com/test, index=/home/vmail/adomain.com/adomain.com/test, control=, inbox=
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: cmusieve: Using sieve path: /home/vmail/globalsieverc
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: cmusieve: Executing script /home/vmail/globalsievercc
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: msgid=aanlktimzi7pd2esfniphtms5hzvstk9uf6kjweyqy...@mail.gmail.com: saved mail to INBOX

It seems like it is using a wrong folder value, since it should be using
/home/vmail/adomain.com/test. Another odd thing is that postfix is
replacing the email address with /folder/u...@adomain.com.

Postfix after receiving an email:

3:48:04 domain postfix/smtpd[29365]: 8FDC1A339: client=mail-yx0-f169.google.com[209.85.213.169]
Feb 5 03:48:04 domain postfix/cleanup[29369]: 8FDC1A339: message-id=aanlktimzi7pd2esfniphtms5hzvstk9uf6kjweyqy...@mail.gmail.com
Feb 5 03:48:04 domain postfix/qmgr[27253]: 8FDC1A339: from=x...@gmail.com, size=1815, nrcpt=1 (queue active)
Feb 5 03:48:04 domain postfix/pipe[29370]: 8FDC1A339: to=adomain.com/test/@adomain.com, orig_to=t...@adomain.com, relay=dovecot, delay=0.21, delays=0.2/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb 5 03:48:04 domain postfix/qmgr[27253]: 8FDC1A339: removed

My config files:

main.cf
==
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 3072
mydestination = localhost, localhost.localdomain
myhostname = adomain.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps
$sender_canonical_maps $recipient_canonical_maps $relocated_maps
$transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_cert_file = /etc/postfix/cert.ca.crt
smtpd_tls_key_file = /etc/postfix/cert.ca.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_domains =
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

dovecot.conf:
==
protocols = imap imaps
log_timestamp = %Y-%m-%d %H:%M:%S 
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_debug = yes
disable_plaintext_auth = no
ssl_cert_file = /etc/postfix/cert.crt
ssl_key_file = /etc/postfix/cert.key

namespace private {
separator = .
prefix = INBOX.
inbox = yes
}

protocol lda {
log_path = /home/vmail/dovecot-deliver.log
auth_socket_path = /var/run/dovecot/auth-master
postmaster_address = postmas...@adomain.com
mail_plugins = cmusieve
global_script_path = /home/vmail/globalsieverc
}

protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}

auth default {
user = root
mechanisms = plain login
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}

userdb static {
args = uid=5000 gid=5000 
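The log above shows deliver being handed the username adomain.com/test/@adomain.com, and the home= and maildir paths it then derives contain that user part verbatim, slashes included. The following is an added example, not code from the original post or from Dovecot: it reproduces Dovecot's documented %u / %n / %d expansion (full user, local part, domain) over the mail_location template from the posted dovecot.conf, shows why a local part that already carries path separators lands in a nested directory under /home/vmail/<domain>/, and adds the sanity filter a deliver wrapper or userdb lookup should apply before such a name reaches the filesystem. Which Postfix map produced the slash-containing name is not determined by the post; the sample usernames are constructed for the example.

```python
"""Added example: Dovecot-style %d/%n expansion of a username into a mail path,
and a check that rejects usernames that would nest below or escape the
per-user directory. Not part of the original post or of Dovecot.
"""
import posixpath
import re

# mail_location template from the posted dovecot.conf
MAIL_LOCATION_TEMPLATE = "/home/vmail/%d/%n/Maildir"
MAIL_ROOT = "/home/vmail"

# Constructed samples: the name seen in the posted log, the intended one,
# and a traversal attempt.
SAMPLES = [
    "adomain.com/test/@adomain.com",
    "test@adomain.com",
    "../../etc@adomain.com",
]

# Assumption: a local part or domain may only contain these characters.
_SAFE_PART = re.compile(r"^[A-Za-z0-9._+-]+$")


def split_user(user):
    """(%n, %d): local part and domain, split on the last '@'."""
    if "@" in user:
        local, domain = user.rsplit("@", 1)
    else:
        local, domain = user, ""
    return local, domain


def expand(template, user):
    """Expand %u, %n and %d the way Dovecot documents them."""
    local, domain = split_user(user)
    return template.replace("%u", user).replace("%n", local).replace("%d", domain)


def is_safe_username(user):
    """Reject empty parts, path separators and '.'/'..' components, all of
    which change the directory the expansion points at."""
    local, domain = split_user(user)
    return all(_SAFE_PART.match(p) and p not in (".", "..") for p in (local, domain))


def expected_home(user):
    """The one-level-per-user layout the template intends."""
    local, domain = split_user(user)
    return posixpath.join(MAIL_ROOT, domain, local)


def check(user):
    """Return (normalized expanded path, ok). ok is True only when the name
    passed the filter and the path is the intended <root>/<domain>/<local>/Maildir."""
    path = posixpath.normpath(expand(MAIL_LOCATION_TEMPLATE, user))
    ok = is_safe_username(user) and path == posixpath.join(expected_home(user), "Maildir")
    return path, ok


if __name__ == "__main__":
    for u in SAMPLES:
        path, ok = check(u)
        print(f"{u!r:40} -> {path}  {'ok' if ok else 'REJECT'}")
```

With the template "/home/vmail/%d/%n", the first sample expands to exactly the home= value in the posted log; the filter flags it, as it does the "../.." variant that normalizes to a path outside /home/vmail.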

Re: [Dovecot] Smart IMAP proxying with imapc storage

2011-02-05 Thread Mike Korizek
On 01/-10/-28163 08:59 PM, Timo Sirainen wrote:
 imapc settings have moved away from plugin {} section and mail_location.
 Now instead use:
 
 mail_location = imapc:
 
 imapc_host = imap.example.com
 #imapc_port = 143 # default
 
 #imapc_user = %u # default
 imapc_password = secret
 
 imapc_ssl = no # or imaps or starttls
 imapc_ssl_ca_dir = /etc/ssl/certs
 
 Note the imapc_password change also. If passdb/userdb returned
 userdb_pass/pass previously, return now instead
 userdb_imapc_password/imapc_password.
I get the following error in the log:
Feb  6 00:17:44 hostname dovecot: auth:
static(user.n...@domain.ch,127.0.0.1): No password
Feb  6 00:17:44 hostname dovecot: imap-login: Login:
user=user.n...@domain.ch, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1,
mpid=20283, secured
Feb  6 00:17:44 hostname dovecot: master: Error: service(imap): child
20283 killed with signal 11 (core dumps disabled)


dovecot -n
# 2.1.UNSTABLE (4e4c7f982fd5): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-27-generic i686 Ubuntu 10.04.1 LTS
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
debug_log_path = /home/local_user/dovecot.log
default_login_user = nobody
imapc_host = mail.domain.ch
mail_debug = yes
mail_gid = local_user
mail_home = /var/run/dovecot/empty
mail_location = imapc:
mail_plugins = mail_filter
mail_uid = local_user
passdb {
  args = nopassword=y userdb_imapc_password=%w
  driver = static
}
plugin {
  imapc_password = secret
  mail_filter = mail-filter %u
  mail_log_events = delete undelete expunge copy mailbox_delete
mailbox_rename
  mail_log_fields = uid box msgid size from subject
}
protocols = imap
service mail-filter {
  executable = script
/home/local_user/mydata/workspace_perl/sec_dovecot_filter/sec_dovecot_filter.pl
  unix_listener mail-filter {
mode = 0666
user = root
  }
  user = local_user
}
ssl = no
userdb {
  driver = prefetch
}

Any idea how to resolve?
Thanks,
Mike




Re: [Dovecot] LDAP and GSSAPI problems

2011-02-05 Thread Jason Gunthorpe
On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
 On 02/02/2011 04:17 PM, Timo Sirainen wrote:
 
  It does set that, but only on first GSSAPI authentication. I guess it
  wouldn't hurt moving it to do it always. If that script helps you, I can
  do this change.
 It appears that the script you recommended doesn't do the trick. Does
 /usr/libexec/dovecot/auth clear the environment. Even doing it manually
 from the command line the openldap stuff doesn't seem to pick up the
 KRB5_KTNAME environment variable.

Isn't it called KRB5CCNAME?

Ie if you are using a AD type environment then I think the only way
this can work is if you do these steps:

# JGGL is the name of your machine in AD klist -k should tell
# you what it is, and you must have samba setup properly, the
# machine joined, and samba must be set to write the system keytab.
# See 'net ads keytab'
$ KRB5CCNAME=/tmp/machine kinit -k JGGL$

$ KRB5CCNAME=/tmp/machine klist 
Ticket cache: FILE:/tmp/machine
Default principal: JGGL$@ADS.ORCORP.CA

Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ads.orcorp...@ads.orcorp.ca
	renew until 02/12/11 18:26:34
$ KRB5CCNAME=/tmp/machine ldapsearch
uid=jgg
SASL/GSSAPI authentication started
SASL username: JGGL$@ADS.ORCORP.CA
SASL SSF: 56
SASL data security layer installed.
[..]

Presumably if dovecot has SASL setup properly for Openldap then it
will work just fine if KRB5CCNAME is properly exported to it.

However! Be aware that the TGT must be refreshed periodically, that
is just how kerberos works.

 I can kinit on the command line and get auth to work, but the kinit
 doesn't hold over to the dovecot process (for good reasons I am sure).

Maybe dovecot isn't enabling SASL for openldap?

eg the python wrappers for openldap require this sequence:

import ldap
import ldap.sasl

conn = ldap.initialize(server)
auth_tokens = ldap.sasl.gssapi()
conn.sasl_interactive_bind_s("", auth_tokens)

Before they attempt gssapi - so this will also be true for the C
version.

The *ideal* world would be if dovecot supported an in-memory ticket
cache that it stored a TGT for a given UPN that it initializes using a
given keytab. This is what samba does internally and realistically is
required to use kerberos as a client.

IMHO, doing ldap without kerb is kinda sketchy unless you completely
trust your network - it is easy to spoof ldap replies, kerb fixes
that and has low overhead compared to ssl.

Jason


Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Jason Gunthorpe
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
  There was a thread a month or so ago on how to do GSSAPI with AD and
  dovecot kerberos. It works great, and I highly recommend it for AD
  sites. Check the archives, it isn't really too hard.

 I am not finding this. Do you happen to remember the subject?

No, but it is pretty simple using latest everything (well, Debian
squeeze).. Basically from scratch.. Notice this also sets up NTLM,
which is supported by many roaming devices (ie phones).

1) Put this or similar in /etc/samba/smb.conf

[global]
workgroup = $NT_WORKGROUP$
realm = $REALM$
security = ads
kerberos method = secrets and keytab

2) Confirm that hostname gives an unqualified name and hostname -f
   gives a fully qualified name. Confirm you have DNS setup properly
   (eg dig -t SRV _kerberos._udp.$REALM$ works OK)

3) Join the machine to AD

$ net ads join -U 'user with AD privs'

$ kinit AD_USER
$ kvno host/`hostname -f`

4) Setup imap SPN:

$ net ads keytab add imap

$ net ads search cn=`hostname` | grep servicePrincipalName
$ klist -k
$ kvno imap/`hostname -f`
   
   The last three should report imap/`hostname -f` entries.

5) Setup dovecot..

Set these things in the config

auth_use_winbind = yes

  mechanisms = plain gssapi gss-spnego login ntlm

6) Setup exim..

$ net ads keytab add smtp

Use these in the dovecot config:

  socket listen {
    client {
      path = /var/run/dovecot/auth-client
      mode = 0660
      group = Debian-exim
    }
  }

And this at the end of the exim.conf:

dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id=PLAIN-${quote:$auth1}

dovecot_ntlm:
driver = dovecot
public_name = NTLM
server_socket = /var/run/dovecot/auth-client
server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
driver = dovecot
public_name = GSSAPI
server_socket = /var/run/dovecot/auth-client
server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
driver = dovecot
public_name = GSS-SPNEGO
server_socket = /var/run/dovecot/auth-client
server_set_id=GSS-SPNEGO-${quote:$auth1}

7) Setup openssh

in sshd_config

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes

Jason
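Step 4 above ends with three checks (net ads search, klist -k, kvno) that all have to agree on the imap/ SPN, and step 6 repeats the exercise for smtp/. The following is an added example, not part of Jason's instructions or of Samba: it parses the two listings those checks produce (the KVNO/principal columns of `klist -k` and the `servicePrincipalName:` lines of `net ads search`) and reports SPNs that are required for this host but missing on either side, plus SPNs AD advertises that the keytab cannot decrypt tickets for. The two sample outputs are constructed for the example, and mail.example.com / EXAMPLE.COM are placeholders.

```python
"""Added example: compare the SPNs AD has registered on the machine account
with the entries in the local keytab. Not part of the thread or of Samba.
"""
import re
import subprocess

# Constructed `klist -k` output: host/ and imap/ are present, smtp/ is not.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 MAIL$@EXAMPLE.COM
   3 host/mail.example.com@EXAMPLE.COM
   3 host/MAIL@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM
"""

# Constructed `net ads search cn=mail` output, reduced to the relevant lines.
SAMPLE_NET_ADS_SEARCH = """\
dn: CN=MAIL,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/mail.example.com
servicePrincipalName: HOST/MAIL
servicePrincipalName: imap/mail.example.com
servicePrincipalName: smtp/mail.example.com
"""

_KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def normalize_spn(spn):
    """AD prints HOST/..., the keytab has host/...; compare case-insensitively."""
    service, _, host = spn.partition("/")
    return service.lower() + "/" + host.lower()


def parse_keytab(text):
    """Map normalized SPN -> set of KVNOs found in `klist -k` output.
    The bare machine-account entry (no '/') is skipped."""
    entries = {}
    for line in text.splitlines():
        m = _KLIST_LINE.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        if "/" not in principal:
            continue
        principal = principal.rsplit("@", 1)[0]  # drop the realm
        entries.setdefault(normalize_spn(principal), set()).add(kvno)
    return entries


def parse_ad_spns(text):
    """Set of normalized SPNs from `net ads search` output."""
    spns = set()
    for line in text.splitlines():
        if line.startswith("servicePrincipalName:"):
            spns.add(normalize_spn(line.split(":", 1)[1].strip()))
    return spns


def compare(keytab, ad_spns, fqdn, required=("host", "imap")):
    """Report required SPNs missing on either side, and AD SPNs without keys.
    ok is True only when every required SPN exists in both places."""
    wanted = {f"{s}/{fqdn.lower()}" for s in required}
    missing_in_keytab = wanted - set(keytab)
    missing_in_ad = wanted - ad_spns
    return {
        "missing_in_keytab": sorted(missing_in_keytab),
        "missing_in_ad": sorted(missing_in_ad),
        "ad_without_keys": sorted(ad_spns - set(keytab)),
        "ok": not (missing_in_keytab or missing_in_ad),
    }


def check_live(fqdn, required=("host", "imap", "smtp")):
    """Run the real tools (joined machine, read access to the keytab)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    keytab = parse_keytab(run("klist", "-k"))
    ad = parse_ad_spns(run("net", "ads", "search", "cn=" + fqdn.split(".", 1)[0]))
    return compare(keytab, ad, fqdn, required)


if __name__ == "__main__":
    report = compare(parse_keytab(SAMPLE_KLIST_K), parse_ad_spns(SAMPLE_NET_ADS_SEARCH),
                     "mail.example.com", ("host", "imap", "smtp"))
    print(report)
```

On the sample data the host/ and imap/ checks pass, while smtp/ is registered in AD but absent from the keytab, which is the state between step 4 and step 6 before `net ads keytab add smtp` has been run.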


Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Trever L. Adams
Thank you Jason for your answer. This has helped a great deal. I haven't
even gotten to the step of SSH yet. That will help me greatly.

On 02/05/2011 06:53 PM, Jason Gunthorpe wrote:

 5) Setup dovecot..

 Set these things in the config

 auth_use_winbind = yes

   mechanisms = plain gssapi gss-spnego login ntlm
Ok, I do this step differently as I use gssapi directly and not with
winbind.
 6) Setup exim..


I use postfix instead of exim. How do you know what user is valid and
what isn't in exim. I don't see any LDAP. I use LDAP (both postfix and
dovecot deliver... I have to use LDAP for the aliases to be setup the
way they have been requested). I also don't see any mention of any other
user database.
 7) Setup openssh

 in sshd_config

 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes
 GSSAPIStrictAcceptorCheck yes

 Jason

Thank you much.

Trever






Re: [Dovecot] LDAP and GSSAPI problems

2011-02-05 Thread Trever L. Adams
On 02/05/2011 06:35 PM, Jason Gunthorpe wrote:
 On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
 On 02/02/2011 04:17 PM, Timo Sirainen wrote:
 It does set that, but only on first GSSAPI authentication. I guess it
 wouldn't hurt moving it to do it always. If that script helps you, I can
 do this change.
 It appears that the script you recommended doesn't do the trick. Does
 /usr/libexec/dovecot/auth clear the environment. Even doing it manually
 from the command line the openldap stuff doesn't seem to pick up the
 KRB5_KTNAME environment variable.
 Isn't it called KRB5CCNAME?
Yes. Some things (Amanda, at least from the directions, I haven't done
it yet) actually still use service principals which are KRB5_KTNAME. For
credentials in most clients, yes, KRB5CCNAME and that does work.
 Presumably if dovecot has SASL setup properly for Openldap then it
 will work just fine if KRB5CCNAME is properly exported to it.

 However! Be aware that the TGT must be refreshed periodically, that
 is just how kerberos works.
Yes, this refresh is EXACTLY what I have been trying to avoid with
service principals. I am starting to wish that Samba 4 supported SASL
CRAM-MD5 or something so that I could just use that; no refresh.
 I can kinit on the command line and get auth to work, but the kinit
 doesn't hold over to the dovecot process (for good reasons I am sure).

 The *ideal* world would be if dovecot supported an in-memory ticket
 cache that it stored a TGT for a given UPN that it initializes using a
 given keytab. This is what samba does internally and realistically is
 required to use kerberos as a client.
I would prefer an SPN if it were at all possible. On reading that again,
I think we are saying about the same thing. This would be fantastic.
Heck, if I knew how to do that manually I could just script it, but,
being new to Kerberos and LDAP I am missing a lot as I read the
documentation, I am sure.
 IMHO, doing ldap without kerb is kinda sketchy unless you completely
 trust your network - it is easy to spoof ldap replies, kerb fixes
 that and has low overhead compared to ssl.

 Jason
Yes, this is exactly the reasons I am trying to get there. The problem
is the refresh. Somehow I need to get around having to refresh the CC or
use a keytab with SPNs.

Thank you for all your input. I am afraid this is the same problem I am
going to hit with Postfix (it does a similar setup to Dovecot, I am just
not running the recent version yet that supports it).

Timo, is it possible for you to add that import_environment
=KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME =/etc/dovecot/krb5.cc
(does this really need to be set over and over or can the master process
set it and have the environment inherited... it has been a long time
since I did any coding related to environment variables across forks,
etc.)? This will solve all the problems (whether keytab or
credential cache) other than the fact that OpenLDAP as a client won't
work with a keytab (SPN) and that Kerberos will require a refresh of the
credential cache.

Thank you Jason and Timo for helping me find a good solution,
Trever
-- 
All that is necessary for the triumph of evil is that enough good men
do nothing. -- Edmund Burke





Re: [Dovecot] Samba AD and Dovecot

2011-02-05 Thread Jason Gunthorpe
On Sat, Feb 05, 2011 at 08:39:37PM -0700, Trever L. Adams wrote:

  Set these things in the config
 
  auth_use_winbind = yes
 
mechanisms = plain gssapi gss-spnego login ntlm

 Ok, I do this step differently as I use gssapi directly and not with
 winbind.

This is also what this does. auth_use_winbind only affects gss-spnego
and ntlm which call out to the ntlm_auth helper to make it go. IMHO,
if you have AD you should set this up too.

 I use postfix instead of exim. How do you know what user is valid and
 what isn't in exim. I don't see any LDAP. I use LDAP (both postfix and
 dovecot deliver... I have to use LDAP for the aliases to be setup the
 way they have been requested). I also don't see any mention of any other
 user database.

In my simple world everything rides on nss_winbind and winbindd. These
instructions are just how to setup kerberos for authentication,
not the much stickier authorization..

Jason


Re: [Dovecot] LDAP and GSSAPI problems

2011-02-05 Thread Jason Gunthorpe
On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:

  It appears that the script you recommended doesn't do the trick. Does
  /usr/libexec/dovecot/auth clear the environment. Even doing it manually
  from the command line the openldap stuff doesn't seem to pick up the
  KRB5_KTNAME environment variable.
  Isn't it called KRB5CCNAME?
 Yes. Some things (Amanda, at least from the directions, I haven't done
 it yet) actually still use service principals which are KRB5_KTNAME. For
 credentials in most clients, yes, KRB5CCNAME and that does work.

Amanda is doing what I described below internally. The keytab file
contains kerberos shared secrets so Amanda uses that to get a TGT. You
can't use kerberos without a TGT. The fact it is using a SPN or UPN
shared secret doesn't matter at the client.

  However! Be aware that the TGT must be refreshed periodically, that
  is just how kerberos works.
 Yes, this refresh is EXACTLY what I have been trying to avoid with
 service principals. I am starting to wish that Samba 4 supported SASL
 CRAM-MD5 or something so that I could just use that; no refresh.

Put the kinit -k line in a crontab. That command gets a fresh TGT for
the machine account.

Service principals just avoid having to create a new UPN in MIT
kerberos. In AD kerberos a SPN cannot get a TGT so that is
undoable. The machine account works very similarly to how a SPN
would be used in MIT kerberos except that it is a UPN at the
KDC. Samba writes a keytab entry for the machine account that
contains the shared secret which lets kinit -k work.

 Thank you for all your input. I am afraid this is the same problem I am
 going to hit with Postfix (it does a similar setup to Dovecot, I am just
 not running the recent version yet that supports it).

Yes. Same answer, run it pointing to the same CC cache you setup for
dovecot.

Be aware that both the keytab and the credential cache are 'password
equivalents' and must be protected.

Jason
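Two points in this thread combine into one small piece of glue: the machine-account TGT obtained with `kinit -k` expires and has to be refreshed (Jason's "put the kinit -k line in a crontab"), and the credential cache that Dovecot and Postfix are pointed at is a password equivalent. The following is an added example, not code from the thread or from Dovecot: a cron-suitable refresher that parses `klist` output in the format shown earlier in the thread (MM/DD/YY HH:MM:SS timestamps), re-runs `kinit -k` when the krbtgt ticket is absent or within a threshold of expiry, and refuses to touch a cache file that is readable by group or other. The cache path /tmp/machine is the one from the thread; the principal HOST$ and realm EXAMPLE.COM are placeholders, the two-hour threshold is an assumption, and the sample `klist` output is constructed.

```python
"""Added example: refresh a machine-account TGT before it expires and keep the
credential cache private. Not part of the thread or of Dovecot.
"""
import os
import re
import stat
import subprocess
from datetime import datetime, timedelta

CCACHE = "/tmp/machine"            # from the thread; a root-only directory is better
PRINCIPAL = "HOST$"                # placeholder machine account (see `klist -k`)
RENEW_BEFORE = timedelta(hours=2)  # assumption: refresh when less than this remains

# Constructed `klist` output in the layout shown in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/machine
Default principal: HOST$@EXAMPLE.COM

Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/12/11 18:26:34
"""

_TS_FMT = "%m/%d/%y %H:%M:%S"
_TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
_TICKET = re.compile(rf"^{_TS}\s+{_TS}\s+(\S+)\s*$")


def parse_ts(text):
    """Parse a klist timestamp such as '02/06/11 04:26:34'."""
    return datetime.strptime(text, _TS_FMT)


def parse_tgt_expiry(klist_text):
    """Expiry of the krbtgt/ ticket in `klist` output, or None if there is none."""
    for line in klist_text.splitlines():
        m = _TICKET.match(line)
        if m and m.group(3).lower().startswith("krbtgt/"):
            return parse_ts(m.group(2))
    return None


def needs_renewal(klist_text, now, threshold=RENEW_BEFORE):
    """True when no TGT is present or it expires within the threshold."""
    expiry = parse_tgt_expiry(klist_text)
    return expiry is None or expiry - now < threshold


def cache_mode_ok(path):
    """True if the cache does not exist yet (kinit creates it) or is a regular
    file with no group/other permission bits: it is a password equivalent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def refresh(ccache=CCACHE, principal=PRINCIPAL, now=None):
    """Run the real klist/kinit against the cache; raises if the cache is exposed."""
    if not cache_mode_ok(ccache):
        raise PermissionError(f"{ccache} is readable by others; refusing to use it")
    env = dict(os.environ, KRB5CCNAME=ccache)
    now = now or datetime.now()
    listing = subprocess.run(["klist"], env=env, capture_output=True, text=True)
    if listing.returncode != 0 or needs_renewal(listing.stdout, now):
        subprocess.run(["kinit", "-k", principal], env=env, check=True)
        os.chmod(ccache, 0o600)
        return "renewed"
    return "valid"


if __name__ == "__main__":
    print(refresh())
```

Run it from root's crontab more often than the threshold (hourly for a two-hour threshold) with KRB5CCNAME in the daemons' environment pointing at the same file; the same cache then serves both Dovecot and Postfix, as Jason suggests above.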