[Dovecot] dovecot not delivering emails in the right folder
Hello everyone, I'm having trouble getting Postfix + Dovecot to work correctly. It seems like Postfix is receiving and delivering the emails correctly, but Dovecot is placing/looking for them in the wrong folder, therefore the clients aren't receiving any new emails. I switched from Courier and followed a tutorial found here: http://library.linode.com/email/postfix/dovecot-mysql-debian-5-lenny

Dovecot's log:

deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: Module loaded: /usr/lib/dovecot/modules/lda/lib90_cmusieve_plugin.so
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: adomain.com/test/@adomain.com
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: uid=5000
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: gid=5000
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: auth input: home=/home/vmail/adomain.com/adomain.com/test/
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: maildir: data=/home/vmail/adomain.com/adomain.com/test/
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: maildir: root=/home/vmail/adomain.com/adomain.com/test, index=/home/vmail/adomain.com/adomain.com/test, control=, inbox=
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: cmusieve: Using sieve path: /home/vmail/globalsieverc
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: cmusieve: Executing script /home/vmail/globalsievercc
deliver(adomain.com/test/@adomain.com): 2011-02-04 21:48:04 Info: msgid=aanlktimzi7pd2esfniphtms5hzvstk9uf6kjweyqy...@mail.gmail.com: saved mail to INBOX

It seems like it is using a wrong folder value, since it should be using /home/vmail/adomain.com/test. Another odd thing is that Postfix is replacing the email address with /folder/u...@adomain.com.

Postfix after receiving an email:

3:48:04 domain postfix/smtpd[29365]: 8FDC1A339: client=mail-yx0-f169.google.com[209.85.213.169]
Feb 5 03:48:04 domain postfix/cleanup[29369]: 8FDC1A339: message-id=aanlktimzi7pd2esfniphtms5hzvstk9uf6kjweyqy...@mail.gmail.com
Feb 5 03:48:04 domain postfix/qmgr[27253]: 8FDC1A339: from=x...@gmail.com, size=1815, nrcpt=1 (queue active)
Feb 5 03:48:04 domain postfix/pipe[29370]: 8FDC1A339: to=adomain.com/test/@adomain.com, orig_to=t...@adomain.com, relay=dovecot, delay=0.21, delays=0.2/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb 5 03:48:04 domain postfix/qmgr[27253]: 8FDC1A339: removed

My config files:

main.cf
==
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
message_size_limit = 3072
mydestination = localhost, localhost.localdomain
myhostname = adomain.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_cert_file = /etc/postfix/cert.ca.crt
smtpd_tls_key_file = /etc/postfix/cert.ca.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

dovecot.conf:
==
protocols = imap imaps
log_timestamp = %Y-%m-%d %H:%M:%S
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_debug = yes
disable_plaintext_auth = no
ssl_cert_file = /etc/postfix/cert.crt
ssl_key_file = /etc/postfix/cert.key
namespace private {
  separator = .
  prefix = INBOX.
  inbox = yes
}
protocol lda {
  log_path = /home/vmail/dovecot-deliver.log
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmas...@adomain.com
  mail_plugins = cmusieve
  global_script_path = /home/vmail/globalsieverc
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
auth default {
  user = root
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb static {
    args = uid=5000 gid=5000
Re: [Dovecot] Smart IMAP proxying with imapc storage
On 01/-10/-28163 08:59 PM, Timo Sirainen wrote:
> imapc settings have moved away from plugin {} section and mail_location. Now instead use:
>
> mail_location = imapc:
> imapc_host = imap.example.com
> #imapc_port = 143 # default
> #imapc_user = %u # default
> imapc_password = secret
> imapc_ssl = no # or imaps or starttls
> imapc_ssl_ca_dir = /etc/ssl/certs
>
> Note the imapc_password change also. If passdb/userdb returned userdb_pass/pass previously, return now instead userdb_imapc_password/imapc_password.

I get the following error in the log:

Feb 6 00:17:44 hostname dovecot: auth: static(user.n...@domain.ch,127.0.0.1): No password
Feb 6 00:17:44 hostname dovecot: imap-login: Login: user=user.n...@domain.ch, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=20283, secured
Feb 6 00:17:44 hostname dovecot: master: Error: service(imap): child 20283 killed with signal 11 (core dumps disabled)

dovecot -n
# 2.1.UNSTABLE (4e4c7f982fd5): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-27-generic i686 Ubuntu 10.04.1 LTS
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
debug_log_path = /home/local_user/dovecot.log
default_login_user = nobody
imapc_host = mail.domain.ch
mail_debug = yes
mail_gid = local_user
mail_home = /var/run/dovecot/empty
mail_location = imapc:
mail_plugins = mail_filter
mail_uid = local_user
passdb {
  args = nopassword=y userdb_imapc_password=%w
  driver = static
}
plugin {
  imapc_password = secret
  mail_filter = mail-filter %u
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size from subject
}
protocols = imap
service mail-filter {
  executable = script /home/local_user/mydata/workspace_perl/sec_dovecot_filter/sec_dovecot_filter.pl
  unix_listener mail-filter {
    mode = 0666
    user = root
  }
  user = local_user
}
ssl = no
userdb {
  driver = prefetch
}

Any idea how to resolve?

Thanks,
Mike
Re: [Dovecot] LDAP and GSSAPI problems
On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>> It does set that, but only on first GSSAPI authentication. I guess it wouldn't hurt moving it to do it always. If that script helps you, I can do this change.
> It appears that the script you recommended doesn't do the trick. Does /usr/libexec/dovecot/auth clear the environment? Even doing it manually from the command line the openldap stuff doesn't seem to pick up the KRB5_KTNAME environment variable.

Isn't it called KRB5CCNAME? I.e. if you are using an AD type environment then I think the only way this can work is if you do these steps:

# JGGL is the name of your machine in AD, klist -k should tell
# you what it is, and you must have samba setup properly, the
# machine joined, and samba must be set to write the system keytab.
# See 'net ads keytab'
$ KRB5CCNAME=/tmp/machine kinit -k JGGL$
$ KRB5CCNAME=/tmp/machine klist
Ticket cache: FILE:/tmp/machine
Default principal: JGGL$@ADS.ORCORP.CA

Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ads.orcorp...@ads.orcorp.ca
        renew until 02/12/11 18:26:34
$ KRB5CCNAME=/tmp/machine ldapsearch uid=jgg
SASL/GSSAPI authentication started
SASL username: JGGL$@ADS.ORCORP.CA
SASL SSF: 56
SASL data security layer installed.
[..]

Presumably if dovecot has SASL setup properly for Openldap then it will work just fine if KRB5CCNAME is properly exported to it. However! Be aware that the TGT must be refreshed periodically, that is just how kerberos works.

> I can kinit on the command line and get auth to work, but the kinit doesn't hold over to the dovecot process (for good reasons I am sure).

Maybe dovecot isn't enabling SASL for openldap? eg the python wrappers for openldap require this sequence:

    import ldap        # python-ldap
    import ldap.sasl

    conn = ldap.initialize(server)
    auth_tokens = ldap.sasl.gssapi()
    conn.sasl_interactive_bind_s('', auth_tokens)   # empty DN: the identity comes from the GSSAPI ticket

Before they attempt gssapi - so this will also be true for the C version.

The *ideal* world would be if dovecot supported an in-memory ticket cache that it stored a TGT for a given UPN that it initializes using a given keytab. This is what samba does internally and realistically is required to use kerberos as a client.

IMHO, doing ldap without kerb is kinda sketchy unless you completely trust your network - it is easy to spoof ldap replies, kerb fixes that and has low overhead compared to ssl.

Jason
Re: [Dovecot] Samba AD and Dovecot
On Fri, Feb 04, 2011 at 01:47:31PM -0700, Trever L. Adams wrote:
>> There was a thread a month or so ago on how to do GSSAPI with AD and dovecot kerberos. It works great, and I highly recommend it for AD sites. Check the archives, it isn't really too hard.
> I am not finding this. Do you happen to remember the subject?

No, but it is pretty simple using latest everything (well, Debian squeeze).. Basically from scratch.. Notice this also sets up NTLM, which is supported by many roaming devices (ie phones).

1) Put this or similar in /etc/samba/smb.conf

[global]
   workgroup = $NT_WORKGROUP$
   realm = $REALM$
   security = ads
   kerberos method = secrets and keytab

2) Confirm that hostname gives an unqualified name and hostname -f gives a fully qualified name. Confirm you have DNS setup properly (eg dig -t SRV _kerberos._udp.$REALM$ works OK)

3) Join the machine to AD

$ net ads join -U 'user with AD privs'
$ kinit AD_USER
$ kvno host/`hostname -f`

4) Setup imap SPN:

$ net ads keytab add imap
$ net ads search cn=`hostname` | grep servicePrincipalName
$ klist -k
$ kvno imap/`hostname -f`

The last three should report imap/`hostname -f` entries.

5) Setup dovecot.. Set these things in the config

auth_use_winbind = yes
mechanisms = plain gssapi gss-spnego login ntlm

6) Setup exim..

$ net ads keytab add smtp

Use these in the dovecot config:

  client {
    path = /var/run/dovecot/auth-client
    mode = 0660
    group = Debian-exim
  }
}

And this at the end of the exim.conf:

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id=PLAIN-${quote:$auth1}

dovecot_ntlm:
  driver = dovecot
  public_name = NTLM
  server_socket = /var/run/dovecot/auth-client
  server_set_id=NTLM-${quote:$auth1}

dovecot_gssapi:
  driver = dovecot
  public_name = GSSAPI
  server_socket = /var/run/dovecot/auth-client
  server_set_id=GSSAPI-${quote:$auth1}

dovecot_gssapi_spnego:
  driver = dovecot
  public_name = GSS-SPNEGO
  server_socket = /var/run/dovecot/auth-client
  server_set_id=GSS-SPNEGO-${quote:$auth1}

7) Setup openssh in sshd_config

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes

Jason
Re: [Dovecot] Samba AD and Dovecot
Thank you Jason for your answer. This has helped a great deal. I haven't even gotten to the step of SSH yet. That will help me greatly.

On 02/05/2011 06:53 PM, Jason Gunthorpe wrote:
> 5) Setup dovecot.. Set these things in the config
>
> auth_use_winbind = yes
> mechanisms = plain gssapi gss-spnego login ntlm

Ok, I do this step differently as I use gssapi directly and not with winbind.

> 6) Setup exim..

I use postfix instead of exim. How do you know what user is valid and what isn't in exim? I don't see any LDAP. I use LDAP (both postfix and dovecot deliver... I have to use LDAP for the aliases to be setup the way they have been requested). I also don't see any mention of any other user database.

> 7) Setup openssh in sshd_config
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIStrictAcceptorCheck yes
>
> Jason

Thank you much.

Trever
Re: [Dovecot] LDAP and GSSAPI problems
On 02/05/2011 06:35 PM, Jason Gunthorpe wrote:
> On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
>> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
>>> It does set that, but only on first GSSAPI authentication. I guess it wouldn't hurt moving it to do it always. If that script helps you, I can do this change.
>> It appears that the script you recommended doesn't do the trick. Does /usr/libexec/dovecot/auth clear the environment? Even doing it manually from the command line the openldap stuff doesn't seem to pick up the KRB5_KTNAME environment variable.
> Isn't it called KRB5CCNAME?

Yes. Some things (Amanda, at least from the directions, I haven't done it yet) actually still use service principals, which are KRB5_KTNAME. For credentials in most clients, yes, KRB5CCNAME, and that does work.

> Presumably if dovecot has SASL setup properly for Openldap then it will work just fine if KRB5CCNAME is properly exported to it. However! Be aware that the TGT must be refreshed periodically, that is just how kerberos works.

Yes, this refresh is EXACTLY what I have been trying to avoid with service principals. I am starting to wish that Samba 4 supported SASL CRAM-MD5 or something so that I could just use that; no refresh.

>> I can kinit on the command line and get auth to work, but the kinit doesn't hold over to the dovecot process (for good reasons I am sure).
> The *ideal* world would be if dovecot supported an in-memory ticket cache that it stored a TGT for a given UPN that it initializes using a given keytab. This is what samba does internally and realistically is required to use kerberos as a client.

I would prefer an SPN if it were at all possible. On reading that again, I think we are saying about the same thing. This would be fantastic. Heck, if I knew how to do that manually I could just script it, but, being new to Kerberos and LDAP, I am missing a lot as I read the documentation, I am sure.

> IMHO, doing ldap without kerb is kinda sketchy unless you completely trust your network - it is easy to spoof ldap replies, kerb fixes that and has low overhead compared to ssl.
>
> Jason

Yes, this is exactly the reason I am trying to get there. The problem is the refresh. Somehow I need to get around having to refresh the CC or use a keytab with SPNs.

Thank you for all your input. I am afraid this is the same problem I am going to hit with Postfix (it does a similar setup to Dovecot, I am just not running the recent version yet that supports it).

Timo, is it possible for you to add that

import_environment = KRB5_KTNAME=/etc/dovecot/krb5.keytab KRB5CCNAME=/etc/dovecot/krb5.cc

(does this really need to be set over and over or can the master process set it and have the environment inherited... it has been a long time since I did any coding related to environment variables across forks, etc.)? This will solve all the problems (whether keytab or credential cache) other than the fact that OpenLDAP as a client won't work with a keytab (SPN) and that Kerberos will require a refresh of the credential cache.

Thank you Jason and Timo for helping me find a good solution,

Trever
--
All that is necessary for the triumph of evil is that enough good men do nothing. -- Edmund Burke
Re: [Dovecot] Samba AD and Dovecot
On Sat, Feb 05, 2011 at 08:39:37PM -0700, Trever L. Adams wrote:
>> Set these things in the config
>>
>> auth_use_winbind = yes
>> mechanisms = plain gssapi gss-spnego login ntlm
> Ok, I do this step differently as I use gssapi directly and not with winbind.

This is also what this does. auth_use_winbind only affects gss-spnego and ntlm, which call out to the ntlm_auth helper to make it go. IMHO, if you have AD you should set this up too.

> I use postfix instead of exim. How do you know what user is valid and what isn't in exim? I don't see any LDAP. I use LDAP (both postfix and dovecot deliver... I have to use LDAP for the aliases to be setup the way they have been requested). I also don't see any mention of any other user database.

In my simple world everything rides on nss_winbind and winbindd. These instructions are just how to setup kerberos for authentication, not the much stickier authorization..

Jason
Re: [Dovecot] LDAP and GSSAPI problems
On Sat, Feb 05, 2011 at 08:49:21PM -0700, Trever L. Adams wrote:
>>> It appears that the script you recommended doesn't do the trick. Does /usr/libexec/dovecot/auth clear the environment? Even doing it manually from the command line the openldap stuff doesn't seem to pick up the KRB5_KTNAME environment variable.
>> Isn't it called KRB5CCNAME?
> Yes. Some things (Amanda, at least from the directions, I haven't done it yet) actually still use service principals, which are KRB5_KTNAME. For credentials in most clients, yes, KRB5CCNAME, and that does work.

Amanda is doing what I described below internally. The keytab file contains kerberos shared secrets so Amanda uses that to get a TGT. You can't use kerberos without a TGT. The fact it is using a SPN or UPN shared secret doesn't matter at the client.

>> However! Be aware that the TGT must be refreshed periodically, that is just how kerberos works.
> Yes, this refresh is EXACTLY what I have been trying to avoid with service principals. I am starting to wish that Samba 4 supported SASL CRAM-MD5 or something so that I could just use that; no refresh.

Put the kinit -k line in a crontab. That command gets a fresh TGT for the machine account. Service principals just avoid having to create a new UPN in MIT kerberos. In AD kerberos a SPN cannot get a TGT so that is undoable. The machine account works very similarly to how a SPN would be used in MIT kerberos except that it is a UPN at the KDC. Samba writes a keytab entry for the machine account that contains the shared secret which lets kinit -k work.

> Thank you for all your input. I am afraid this is the same problem I am going to hit with Postfix (it does a similar setup to Dovecot, I am just not running the recent version yet that supports it).

Yes. Same answer, run it pointing to the same CC cache you setup for dovecot. Be aware that both the keytab and the credential cache are 'password equivalents' and must be protected.

Jason
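Jason's two pieces of advice, the klist -k check for the imap SPN in step 4 of his recipe and the "kinit -k in a crontab" refresh with a protected keytab and credential cache, as one added shell example; this is not code from the thread. The paths /etc/dovecot/krb5.keytab and /etc/dovecot/krb5.cc are taken from Trever's import_environment line; the function names, the PRINC/SPN defaults and the "refresh" argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a machine-account TGT fresh in
# a dedicated credential cache (Jason's "kinit -k in a crontab") and checks that
# the keytab and the cache are private, since both are password equivalents.
# Assumed names: KT, CC, PRINC (e.g. JGGL$), SPN (imap/<fqdn>).
set -eu

KT="${KT:-/etc/dovecot/krb5.keytab}"   # keytab written by 'net ads keytab'
CC="${CC:-/etc/dovecot/krb5.cc}"       # cache Dovecot gets via KRB5CCNAME

# file_private FILE: succeed only if FILE exists and has no group/other
# permission bits (e.g. 0600), the minimum for a keytab or a ticket cache.
file_private() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# keytab_has_spn KLIST_OUTPUT SPN: succeed if the output of 'klist -k' lists a
# principal beginning with SPN@ (step 4 of the recipe expects imap/<fqdn> here).
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        index($2, spn "@") == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# refresh_tgt: obtain a fresh TGT for the machine account from the keytab into
# CC and verify the cache. Run it from cron well inside the ticket lifetime
# (the klist output in the thread shows 10 hours), e.g. every 4 hours.
refresh_tgt() {
    princ="${PRINC:-$(hostname -s | tr a-z A-Z)\$}"   # AD machine account
    spn="${SPN:-imap/$(hostname -f)}"
    file_private "$KT" || { echo "keytab $KT must be mode 0600" >&2; return 1; }
    keytab_has_spn "$(klist -k "$KT")" "$spn" \
        || { echo "no $spn entry in $KT" >&2; return 1; }
    umask 077                                    # new cache file is private
    KRB5CCNAME="FILE:$CC" kinit -k -t "$KT" "$princ"
    KRB5CCNAME="FILE:$CC" klist -s               # non-zero if cache unusable
    file_private "$CC"
}

# Usage from cron, as the user that owns the keytab:
#   KT=/etc/dovecot/krb5.keytab CC=/etc/dovecot/krb5.cc ./refresh_tgt.sh refresh
# Dovecot (and Postfix) then need KRB5CCNAME pointing at CC.
if [ "$#" -gt 0 ] && [ "$1" = refresh ]; then
    refresh_tgt
fi
```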