Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Edgar Pettijohn


> On Jun 28, 2016, at 10:32 PM, Mark Foley  wrote:
> 
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and 
> restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in 
> maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. 
> That's a big
> step. In examining my original config.log output I apparently did not have 
> --with-gssapi enabled.
> 
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still 
> cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:
> 
What does thunderbird tell you?


> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory: 
> /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from 
> /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
> initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
> client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key 
> exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
> [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
> client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
> finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
> [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
> finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation 
> finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): 
> user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
> 
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as 
> shown in previous
> messages below.
> 
> Closer! --Mark
> 
> -Original Message-
> From: Mark Foley 
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> 
> Aki, you wrote:
> 
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile 
>> it yourself?
>> 
>> I'll try to check status of NTLM this week.
> 
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
> 
> I do have the Dovecot sources and will peruse the possible options after I 
> send this.  I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24.  
> Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows 
> nothing obvious
> related to gssapi)
> 
> --Mark
> 
> -Original Message-
>> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
>> From: aki.tu...@dovecot.fi
>> To: dovecot@dovecot.org
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> 
>>> On June 28, 2016 at 5:17 PM Mark Foley  wrote:
>>> 
>>> 
>>> Aki - made your suggested changes, but no joy :(
>>> 
>>> My /etc/krb5.conf:
>>> 
>>> 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and 
restarted. Now I
don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, 
and mail is
delivered successfully to the other domain users having PLAIN authentication. 
That's a big
step. In examining my original config.log output I apparently did not have 
--with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still 
cannot correctly
authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key 
exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change 
cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation 
finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): 
user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=

Does this tell you anything? `doveconf -n` and krb5.conf are configured as 
shown in previous
messages below.

Closer! --Mark

-Original Message-
From: Mark Foley 
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot@dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile 
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send 
this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24.  
Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing 
obvious
related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley  wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > --SNIP
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile 
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send 
this.  I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24.  
Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing 
obvious
related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley  wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > --SNIP
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> > 
> > [realms]
> >   HPRS.LOCAL = {
> > default_domain = hprs.local
> > auth_to_local_names = {
> > Administrator = root
> >   }
> > }
> > 
> > [domain_realm]
> > hprs.local = HPRS.LOCAL
> > # this is not a mistake
> > .hprs.local = HPRS.LOCAL
> > --PINS---
> > 
> > you wrote:
> > > You can remove the krb4_ stuff
> > 
> > I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
> > section altogether.
> > Question on [realms]Administrator: should that really be root or should it 
> > be my AD Administrator?
> > 
> > my doveconf -n is exactly the same as posted below, but in particular:
> > 
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > 
> > When I reloaded dovecot no mail was delivered to anyone (even though 
> > everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> > 
> > In /var/log/maillog I got (repeatedly):
> > 
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not 
> > responding, delayed sending initial response (greeting): user=<>, 
> > rip=192.168.0.54, lip=192.168.0.2, session=
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
> > 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
> > failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not 
> > responding, delayed sending initial response (greeting): user=<>, 
> > rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> > 
> > This looks pretty bad right off. Why "Unknown authentication mechanism 
> > 'gssapi'"?
> > 
> > Do you have any idea from the configs I've posted? I'm rather depressed 
> > about this. I thought I'd
> > finally be able to get AD authentication going for Dovecot. Not ready to give 
> > up though!
> > 
> > Suggestions?
> > 
> > THX -- Mark
> > 
> > -original Message-
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
> > > example]
> > > To: dovecot@dovecot.org
> > > From: Aki Tuomi 
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  
> > > > wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain Controller on 
> > > >> Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > > >> Reverse is only mandatory for servers, but having them right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries like
> > > >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> > > >> these on any Windows DC server (at least).
> > > > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos 
> > > > and tested it with kinit
> > > > and klist according to the instructions at
> > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > >
> > > > As to the keytab (#5) I did the following:
> > > >
> > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > >
> > > > which created the file.  I made this owned and readable by group 
> > > > dovecot, per instructions at
> > > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
> > > > /etc/krb5.keytab` shows me
> > > > configuration listing all the users and computers in the domain, mostly 
> > > > in triplicate.  A
> > > > partial list:
> > > >
> > 
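
A defender-side sanity check for the pieces this thread keeps circling back to (Aki's five points, the posted krb5.conf, the `klist -k` keytab listing), written as an added example and not taken from the thread or from Dovecot: it parses a krb5.conf fragment to flag sections defined twice, verifies the default_realm and the [domain_realm] mapping, and checks a constructed `klist -k` listing for the imap/<host>@REALM entries Dovecot's GSSAPI needs. The krb5.conf text is rebuilt from the one posted above; the keytab listing, the hostname mail.hprs.local and the KVNO values are constructed.

```python
import re
from collections import Counter

# Constructed from the krb5.conf posted in the thread; the duplicated
# [libdefaults] section is exactly the kind of slip this check reports.
KRB5_CONF = """\
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
  forwardable = true

[realms]
  HPRS.LOCAL = {
    default_domain = hprs.local
  }

[domain_realm]
  hprs.local = HPRS.LOCAL
  .hprs.local = HPRS.LOCAL
"""

# Constructed `klist -k` output: mail.hprs.local is an assumed hostname and the
# KVNO values are made up. The service entry is spelled IMAP/, as in Aki's note.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 Administrator@HPRS.LOCAL
   2 host/mail.hprs.local@HPRS.LOCAL
   2 IMAP/mail.hprs.local@HPRS.LOCAL
"""

def parse_krb5_conf(text):
    """Return (sections, duplicates): sections maps a section name to its top-level
    'key = value' relations, duplicates lists section names that occur twice."""
    sections, seen, current, depth = {}, Counter(), None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = header.group(1)
            seen[current] += 1
            sections.setdefault(current, [])
            continue
        # keep plain relations at the top level only; {...} sub-blocks are skipped
        if current is not None and depth == 0 and "{" not in line:
            sections[current].append(re.sub(r"\s*=\s*", " = ", line))
        depth += line.count("{") - line.count("}")
    return sections, sorted(name for name, n in seen.items() if n > 1)

def keytab_principals(klist_text):
    """Principal names from `klist -k` output; header and separator lines are skipped."""
    matches = (re.match(r"\s*\d+\s+(\S+@\S+)\s*$", l) for l in klist_text.splitlines())
    return {m.group(1) for m in matches if m}

def service_principal_findings(principals, fqdn, short_host, realm, service="imap"):
    """Aki's point 5: the keytab must hold service/<fqdn>@REALM and service/<host>@REALM.
    MIT Kerberos compares principal names case-sensitively, so an entry that differs
    only in case (IMAP/ vs imap/) is reported on its own, not silently accepted."""
    findings, by_lower = [], {p.lower(): p for p in principals}
    for wanted in (f"{service}/{fqdn}@{realm}", f"{service}/{short_host}@{realm}"):
        if wanted in principals:
            continue
        if wanted.lower() in by_lower:
            findings.append(f"keytab: {by_lower[wanted.lower()]} differs only in case from {wanted}")
        else:
            findings.append(f"keytab: missing {wanted}")
    return findings

def check(conf_text=KRB5_CONF, klist_text=KLIST_OUTPUT,
          fqdn="mail.hprs.local", short_host="mail", realm="HPRS.LOCAL"):
    """Everything worth fixing before suspecting Dovecot's GSSAPI code itself."""
    sections, duplicates = parse_krb5_conf(conf_text)
    findings = [f"krb5.conf: section [{d}] is defined more than once" for d in duplicates]
    if f"default_realm = {realm}" not in sections.get("libdefaults", []):
        findings.append(f"krb5.conf: default_realm is not {realm}")
    domain = fqdn.split(".", 1)[1]
    if f"{domain} = {realm}" not in sections.get("domain_realm", []):
        findings.append(f"krb5.conf: [domain_realm] does not map {domain} to {realm}")
    return findings + service_principal_findings(keytab_principals(klist_text),
                                                  fqdn, short_host, realm)
```

Running `check()` on the constructed inputs reports the duplicated [libdefaults], the IMAP/ vs imap/ case mismatch and the missing short-hostname entry.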

Re: dsync unstable? (other strange detail)

2016-06-28 Thread Heiko Schlittermann
Timo Sirainen  (Mi 29 Jun 2016 00:20:05 CEST):
…
> > Maybe, did you read my previous post with a similar subject? There I had
> > an empty local destination and some nasty effects too.
> 
> There was another mail with "highest than remote's UIDs" error. Do you mean 
> that one? I don't see others. That's also kind of strange. Dovecot had seen 
> mails that suddenly no longer existed on Cyrus side. It's as if you're 
> syncing to two different Cyrus servers that are somewhat out of sync 
> themselves. Is that possible?

Yes, 
dsync(heiko): Warning: Deleting mailbox 'Trash': UID=18290 already exists 
locally for a different mail: highest than remote's UIDs (remote UIDNEXT=19588)
This happened during a sync to an empty local destination.

The source (cyrus) is an active/passive cluster, the IP I'm connecting
to should be on the same machine for the time the synchronisation runs.
But I'll check this. 

Thank you for responding…  It gives me the hope that it *should* work.
(Meanwhile I'm writing 'yet-another-imap2imap' sync tool, but using
dsync would be the better choice, definitively)

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: dsync unstable? (other strange detail)

2016-06-28 Thread Timo Sirainen
On 29 Jun 2016, at 01:13, Heiko Schlittermann  wrote:
> 
> Timo Sirainen  (Mi 29 Jun 2016 00:00:11 CEST):
> …
>>>> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there 
>>>> earlier. This isn't allowed by IMAP standard.
>> It's still strange if Cyrus is doing that. It's generally a pretty well 
>> behaving IMAP server. What version is it?
> 
> * OK srvlx Cyrus IMAP4 v2.2.12 server ready
> 
> Maybe, did you read my previous post with a similar subject? There I had
> an empty local destination and some nasty effects too.

There was another mail with "highest than remote's UIDs" error. Do you mean 
that one? I don't see others. That's also kind of strange. Dovecot had seen 
mails that suddenly no longer existed on Cyrus side. It's as if you're syncing 
to two different Cyrus servers that are somewhat out of sync themselves. Is 
that possible?

> In case it helps:
> 
>mail_location = 
> maildir:~:INBOX=/volumes/dovecot/inbox/%2.256Nn/%n:INDEX=/volumes/dovecot/cache/%2.256Nn/%n
> 
> which leads to
> 
>/volumes/dovecot/{cache,home,inbox}//
> 
> is used for the maildir storage. As I'm writing this, I'm not sure, if I
> really purged the /var/vmail/cache/ hierarchy. But home/ and inbox/
> were clean as a baby.
> 
> The storage is imported via NFS. But the other backends (we're using a
> director/backend setup) are switched off, to really be sure that we don't have 
> concurrent access.

An out-of-date index with Maildir shouldn't really matter since it should get 
automatically updated.


Re: dsync unstable? (other strange detail)

2016-06-28 Thread Heiko Schlittermann
Timo Sirainen  (Mi 29 Jun 2016 00:00:11 CEST):
…
> >> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there 
> >> earlier. This isn't allowed by IMAP standard.
> It's still strange if Cyrus is doing that. It's generally a pretty well 
> behaving IMAP server. What version is it?

* OK srvlx Cyrus IMAP4 v2.2.12 server ready

Maybe, did you read my previous post with a similar subject? There I had
an empty local destination and some nasty effects too.

In case it helps:

mail_location = 
maildir:~:INBOX=/volumes/dovecot/inbox/%2.256Nn/%n:INDEX=/volumes/dovecot/cache/%2.256Nn/%n

which leads to

/volumes/dovecot/{cache,home,inbox}//

is used for the maildir storage. As I'm writing this, I'm not sure, if I
really purged the /var/vmail/cache/ hierarchy. But home/ and inbox/
were clean as a baby.

The storage is imported via NFS. But the other backends (we're using a
director/backend setup) are switched off, to really be sure that we don't have 
concurrent access.

-- 
Heiko




Re: FTS search used / useful on an IMAP proxy?

2016-06-28 Thread Timo Sirainen
On 28 Jun 2016, at 16:07, Luca Lesinigo  wrote:
> 
> We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy 
> functionality is already working and I’m trying to understand if having the 
> FTS service configured on the dovecot *proxy* would be of any use.
> 
> I do suspect it would be useless, I guess dovecot in imap proxy mode just 
> forwards any command to the backend and does not bother to do anything about 
> it, but I’m failing to find a definitive answer in the documentation. If I am 
> guessing correctly, an fts service would only be useful if configured and 
> working on the actual backend.
> 
> Can anyone clarify my doubts?

If you want to use doveadm fts optimize/rescan commands via doveadm proxy, you 
need to load fts plugin on the proxy to get the commands. But otherwise there's 
no reason for it.


Re: dsync unstable? (other strange detail)

2016-06-28 Thread Timo Sirainen
On 29 Jun 2016, at 00:53, Heiko Schlittermann  wrote:
> 
> Hi,
> Timo Sirainen  (Di 28 Jun 2016 23:30:38 CEST):
>>> 
>>> On successive runs of the above command I get:
>>> 
>>>   dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten 
>>> Anforderung': UID=16 GUID= is missing locally
>> 
>> This means that on Dovecot side there are messages after UID=16, but either:
>> a) UID=16 was expunged from Dovecot side or
> 
> On the dovecot side nobody is accessing the mail system.
> 
>> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there 
>> earlier. This isn't allowed by IMAP standard.
> 
> Hm, this seems to be a possible reason.
> So, successive numbers?
> 
> It seems to happen mostly on huge mailboxes.

It's still strange if Cyrus is doing that. It's generally a pretty well 
behaving IMAP server. What version is it?


Re: Disabling passdb pam in local.conf

2016-06-28 Thread Patrick Ben Koetter
* Timo Sirainen :
> Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:
> 
> passdb {
>   driver = whatever you want for your real passdb
>   args = etc
>   result_failure = return
>   result_internalfail = return
> }
> 
> So even though pam is still in the config, it's just never actually called.

I played with the idea to set result_failure and result_internalfail to pass
it all through, too. But then things started to get nasty and I took the long
road and began to edit more than local.conf.

But thanks for taking the time to review and rethink this.

p@rick



-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
 


Re: dsync unstable? (other strange detail)

2016-06-28 Thread Heiko Schlittermann
Hi,
Timo Sirainen  (Di 28 Jun 2016 23:30:38 CEST):
> > 
> > On successive runs of the above command I get:
> > 
> >dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten 
> > Anforderung': UID=16 GUID= is missing locally
> 
> This means that on Dovecot side there are messages after UID=16, but either:
> a) UID=16 was expunged from Dovecot side or

On the dovecot side nobody is accessing the mail system.

> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there 
> earlier. This isn't allowed by IMAP standard.

Hm, this seems to be a possible reason.
So, successive numbers?

It seems to happen mostly on huge mailboxes.
-- 
Heiko




Re: Suggestion: Split login_trusted_networks

2016-06-28 Thread Timo Sirainen

> On 29 Jun 2016, at 00:49, Timo Sirainen  wrote:
> 
> On 27 Jun 2016, at 15:46, Peter Mogensen  wrote:
>> 
>> Hi,
>> 
>> For the upcoming 2.3 development, I'd like to re-suggest this:
>> 
>> It seems the use of login_trusted_networks is overloaded.
>> 
>> Example:
>> * It's used for indicating which hosts you trust to provide XCLIENT remote 
>> IP's. (like a proxy)
>> * It's used for indicating from which hosts you trust logins enough to 
>> disable auth penalty. (like in a webmail)
>> 
> Often these two use cases have a different set of hosts.
>> 
>> So you can't have one set of hosts which you trust for XCLIENT and another 
>> set of hosts you trust for not being the origin of brute force attacks.
> 
> Hmm. I guess it's possible nowadays to remove that. The old behavior could 
> still be configured by adding a passdb that enables nodelay=yes for the 
> webmail's IP. For example:
> 
> passdb {
>  driver = passwd-file
>  args = username_format=%{lip} /etc/dovecot/passdb

%{rip} I meant.

> }
> 
> 127.0.0.1:::nodelay=yes

So this could be e.g. 192.168.10.123 or something.

> 
> So I'm thinking v2.3 could no longer send the no-penalty parameter at all 
> based on login_trusted_networks.
> 
> Also related: Dovecot's auth penalty support isn't especially good. There's 
> now support for http://wiki2.dovecot.org/Authentication/Policy that can talk 
> to https://github.com/PowerDNS/weakforced to provide much better 
> possibilities for implementing auth penalty rules and especially cluster-wide.


Re: Suggestion: Split login_trusted_networks

2016-06-28 Thread Timo Sirainen
On 27 Jun 2016, at 15:46, Peter Mogensen  wrote:
> 
> Hi,
> 
> For the upcoming 2.3 development, I'd like to re-suggest this:
> 
> It seems the use of login_trusted_networks is overloaded.
> 
> Example:
> * It's used for indicating which hosts you trust to provide XCLIENT remote 
> IP's. (like a proxy)
> * It's used for indicating from which hosts you trust logins enough to 
> disable auth penalty. (like in a webmail)
> 
> Often these two use cases have a different set of hosts.
> 
> So you can't have one set of hosts which you trust for XCLIENT and another 
> set of hosts you trust for not being the origin of brute force attacks.

Hmm. I guess it's possible nowadays to remove that. The old behavior could 
still be configured by adding a passdb that enables nodelay=yes for the 
webmail's IP. For example:

passdb {
  driver = passwd-file
  args = username_format=%{lip} /etc/dovecot/passdb
}

127.0.0.1:::nodelay=yes

So I'm thinking v2.3 could no longer send the no-penalty parameter at all based 
on login_trusted_networks.

Also related: Dovecot's auth penalty support isn't especially good. There's now 
support for http://wiki2.dovecot.org/Authentication/Policy that can talk to 
https://github.com/PowerDNS/weakforced to provide much better possibilities for 
implementing auth penalty rules and especially cluster-wide.


Re: Disabling passdb pam in local.conf

2016-06-28 Thread Timo Sirainen
On 22 Jun 2016, at 09:48, Patrick Ben Koetter  wrote:
> 
> * Patrick Ben Koetter :
>> * Marcus Rueckert :
>>>> What am I missing?
>>> 
>>> That 10-auth.conf is actually meant to be edited. most distros should
>>> have configuration file handling pretty much figured out by now. so
>>> none of your changes to those files should get lost. also configuration
>>> management comes to mind.
>> 
>> As I repeatedly said none of those actions are an option in this project.
>> I think we better stop this thread.
> 
> For the books:
> 
> It can't be done at the moment. That would require the passdb section to
> become a named section, e.g. like this:
> 
> passdb pam {
>driver = pam
> }
> 
> Then one would be able to address this particular passdb namespace and do e.g.
> something like this:
> 
> passdb pam {
>driver = pam
>enabled = no
> }

Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:

passdb {
  driver = whatever you want for your real passdb
  args = etc
  result_failure = return
  result_internalfail = return
}

So even though pam is still in the config, it's just never actually called.
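
A model of the passdb-chain semantics Timo's kludge relies on, added here as an example and not Dovecot's code: it shows why a first passdb with result_failure = return and result_internalfail = return keeps the pam passdb that 10-auth.conf still declares from ever being consulted, while the default result_* values let a failed password fall through to it. The users and passdb lookup functions are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Passdb:
    """One passdb {} block: a lookup function plus the three result_* settings, with
    Dovecot's defaults (result_success = return-ok, result_failure = continue,
    result_internalfail = continue)."""
    name: str
    check: Callable[[str, str], str]  # returns "ok", "fail" or "internalfail"
    result_success: str = "return-ok"
    result_failure: str = "continue"
    result_internalfail: str = "continue"


def run_passdb_chain(passdbs, user, password):
    """Model of how Dovecot walks the passdb chain. Returns (authenticated, consulted).
    Actions: return-ok / return-fail stop with that result; return stops with the
    state earlier passdbs left (failure when there is none, i.e. in the first passdb);
    continue-ok / continue-fail set the state and go on; continue goes on unchanged.
    Simplification: internal failures are reported to the client as plain failures."""
    state, consulted = None, []
    for db in passdbs:
        consulted.append(db.name)
        outcome = db.check(user, password)
        action = {"ok": db.result_success, "fail": db.result_failure,
                  "internalfail": db.result_internalfail}[outcome]
        if action == "return-ok":
            return True, consulted
        if action == "return-fail":
            return False, consulted
        if action == "return":
            return bool(state), consulted
        if action == "continue-ok":
            state = True
        elif action == "continue-fail":
            state = False
        elif action != "continue":
            raise ValueError(f"unknown result action {action!r}")
    return bool(state), consulted


# Constructed stand-ins for the two passdbs: a passwd-file style lookup with one
# user, and the distribution's pam passdb, which here only records that it was asked.
USERS = {"alice": "s3cret"}


def make_passwd_file_check(users, available=True):
    def check(user, password):
        if not available:
            return "internalfail"   # e.g. the file or backend is unreadable
        return "ok" if users.get(user) == password else "fail"
    return check


def pam_check(user, password):
    return "fail"   # its answer is irrelevant here; only whether it was consulted matters


# Real passdb ahead of pam, but with the default result_* settings: a wrong
# password (or an internal failure) falls through to pam.
DEFAULT_CHAIN = [Passdb("passwd-file", make_passwd_file_check(USERS)),
                 Passdb("pam", pam_check)]

# Timo's 00-auth.conf kludge: sorted ahead of 10-auth.conf's pam passdb and told
# to return on failure and on internal failure, so pam is never reached.
KLUDGE_CHAIN = [Passdb("passwd-file", make_passwd_file_check(USERS),
                       result_failure="return", result_internalfail="return"),
                Passdb("pam", pam_check)]
```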


Re: exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ?

2016-06-28 Thread Timo Sirainen
On 24 Jun 2016, at 13:33, Steffen Kaiser  wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi,
> 
> I'm using Dovecot v2.2 with  unix_listener auth-client {
> } to verify passwords for a different service. However, it looks like that 
> auth_failure_delay affects all connects going through that socket.
> 
> I mean:
> 
> connect /var/run/dovecot2.2/auth-client
> attempt bad auth
> 2s penalty
> NO
> disconnect
> ==> Note, it's another connection almost immediately following each
> connect /var/run/dovecot2.2/auth-client
> attempt good auth
> 2s penalty
> OK
> disconnect
> 
> Can I disable auth_failure_delay for local UNIX sockets?
> How do I add it to login_trusted_networks?

If you add no-penalty parameter to the AUTH command you avoid the penalty.
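
Both the passwd-file trick in the login_trusted_networks thread above (a passdb keyed by %{rip} that returns nodelay=yes) and the no-penalty parameter mentioned here act on the same decision in the auth process. An added example, not Dovecot's code, that models that decision: it parses a passwd-file in the shape Timo showed, builds and parses an AUTH line of the auth-client protocol, and computes the delay a failed attempt would get; XCLIENT trust is kept as a separate check, which is the split Peter asked for. The passwd-file contents and IP addresses are constructed, and the exact AUTH line framing is reproduced from memory.

```python
import base64
import ipaddress

# Constructed passwd-file in the shape of Timo's example: with
# username_format=%{rip} the "user" column is the client's remote IP, the
# password column is empty, and the entry exists only to return nodelay=yes.
PASSDB_TEXT = """\
# hosts whose failed logins should not be slowed by auth_failure_delay
127.0.0.1:::nodelay=yes
192.168.10.123:::nodelay=yes
"""

def load_passwd_file(text):
    """Parse passwd-file lines into {user: {"password": ..., "extra": {...}}}.
    Dovecot's full layout is user:password:uid:gid:gecos:home:shell:extra; the short
    form above omits the middle columns, so here every column after the password
    that contains '=' is read as space-separated extra fields (a tolerant reading
    for this example, not a description of Dovecot's own parser)."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split(":")
        extra = {}
        for col in cols[2:]:
            if "=" in col:
                for kv in col.split():
                    key, _, value = kv.partition("=")
                    extra[key] = value
        db[cols[0]] = {"password": cols[1] if len(cols) > 1 else "", "extra": extra}
    return db

def build_auth_request(req_id, user, password, service="imap", rip=None, lip=None,
                       secured=False, no_penalty=False):
    """One AUTH line of the Dovecot auth-client protocol carrying a SASL PLAIN initial
    response. The parameter names (service, secured, lip, rip, no-penalty, resp) are
    the protocol's; the exact framing is written from memory for this example."""
    fields = ["AUTH", str(req_id), "PLAIN", f"service={service}"]
    if secured:
        fields.append("secured")
    if lip:
        fields.append(f"lip={lip}")
    if rip:
        fields.append(f"rip={rip}")
    if no_penalty:
        fields.append("no-penalty")
    sasl_plain = b"\0" + user.encode() + b"\0" + password.encode()
    fields.append("resp=" + base64.b64encode(sasl_plain).decode())
    return "\t".join(fields) + "\n"

def parse_auth_request(line):
    """Server-side view of an AUTH line: id, mechanism, bare flags and key=value params."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("not an AUTH request")
    req = {"id": int(parts[1]), "mech": parts[2], "flags": set(), "params": {}}
    for part in parts[3:]:
        if "=" in part:
            key, _, value = part.partition("=")
            req["params"][key] = value
        else:
            req["flags"].add(part)
    return req

def decode_plain_response(resp_b64):
    """SASL PLAIN initial response -> (authzid, authcid, password)."""
    authzid, authcid, password = base64.b64decode(resp_b64).split(b"\0", 2)
    return authzid.decode(), authcid.decode(), password.decode()

def failure_delay(req, passdb, auth_failure_delay=2.0):
    """Seconds a failed reply to this request would be held. Two independent exemptions,
    one per thread above: the login client put no-penalty on the AUTH line, or the
    passdb keyed by the remote IP returned nodelay=yes. The passwd-file entry itself
    never authenticates anyone (empty password); it only contributes the extra field
    and the chain continues to the real passdb."""
    if "no-penalty" in req["flags"]:
        return 0.0
    entry = passdb.get(req["params"].get("rip", ""))
    if entry is not None and entry["extra"].get("nodelay") == "yes":
        return 0.0
    return auth_failure_delay

def xclient_trusted(ip, login_trusted_networks):
    """The other role login_trusted_networks plays (accepting XCLIENT from a proxy),
    kept as a separate decision so the two host sets need not coincide. The setting
    is a space-separated list of addresses or CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in login_trusted_networks.split())
```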


Re: dsync unstable? (other strange detail)

2016-06-28 Thread Timo Sirainen
On 27 Jun 2016, at 08:28, Heiko Schlittermann  wrote:
> 
> Hi,
> 
> I'm trying to migrate from Cyrus (remote side) to Dovecot 2.2.24 (local).
> On the local side the destinations folders, and indexes are empty.
> 
> The command I'm using is
> 
> doveadm \
>-o mail_plugins= \
>-o imapc_master_user= \
>-o imapc_password= \
>-o imapc_host= \
>\
>-o imapc_ssl_verify=no \
>-o imapc_ssl=imaps \
>-o imapc_port=993 \
>backup -f -u "heiko" -R imapc: \
>|| {
>rc=$?
>echo "EXIT: $rc" >&2
>exit $rc
>}
> 
> On successive runs of the above command I get:
> 
>dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten 
> Anforderung': UID=16 GUID= is missing locally

This means that on Dovecot side there are messages after UID=16, but either:

a) UID=16 was expunged from Dovecot side or

b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. 
This isn't allowed by IMAP standard.

Dovecot can't insert UIDs, so it'll delete the folder and re-sync everything on 
the next run.

> Any idea where to look next? Is 'doveadm backup' the wrong tool for such
> migration? (I'd say with about 2.2.9 I had similar problems, but at
> least it didn't stop at every subfolder.)

If you allow local access already that can do modification, use doveadm sync -1 
after that.
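
The two explanations Timo gives for "UID=16 ... is missing locally", and the "already exists locally for a different mail" warning from earlier in this thread, both come down to IMAP's UID rules. An added example (not dsync code) that checks those rules between two snapshots of a remote folder and classifies a missing UID the way Timo does; the snapshots, message identities and the UIDVALIDITY value are constructed.

```python
from dataclasses import dataclass


@dataclass
class FolderSnapshot:
    """What one pass over a remote folder told us: its UIDVALIDITY and UIDNEXT and,
    per UID, a stable identity for the message (dsync uses a GUID or header hash;
    here it is just a constructed string)."""
    uidvalidity: int
    uidnext: int
    guids: dict  # uid -> message identity


# Constructed snapshots of one Cyrus folder taken on two successive runs. Between
# them UID 16 shows up although the folder had already advanced past it, and UID 18
# now carries a different message: the situations behind Timo's (b) and the Trash
# warning respectively.
PREV = FolderSnapshot(uidvalidity=1466000000, uidnext=20,
                      guids={15: "m15", 17: "m17", 18: "m18", 19: "m19"})
CURR = FolderSnapshot(uidvalidity=1466000000, uidnext=21,
                      guids={15: "m15", 16: "m16", 17: "m17", 18: "m18-other",
                             19: "m19", 20: "m20"})
LOCAL_UIDS = {15, 17, 18, 19}  # what the first run copied into the empty Dovecot side


def check_remote_invariants(prev, curr):
    """List (kind, detail) findings where `curr` breaks the IMAP UID rules relative to
    `prev`: within one UIDVALIDITY, UIDs are assigned strictly ascending, never reused,
    and UIDNEXT never decreases (RFC 3501). A UID vanishing is an expunge and legal."""
    if curr.uidvalidity != prev.uidvalidity:
        return [("uidvalidity_changed",
                 f"{prev.uidvalidity} -> {curr.uidvalidity}: full resync expected")]
    findings = []
    if curr.uidnext < prev.uidnext:
        findings.append(("uidnext_decreased", f"{prev.uidnext} -> {curr.uidnext}"))
    for uid, guid in sorted(curr.guids.items()):
        if uid >= curr.uidnext:
            findings.append(("uid_above_uidnext", f"UID={uid} >= UIDNEXT={curr.uidnext}"))
        elif uid in prev.guids and prev.guids[uid] != guid:
            findings.append(("uid_reused", f"UID={uid} now carries a different mail"))
        elif uid not in prev.guids and uid < prev.uidnext:
            findings.append(("uid_inserted",
                             f"UID={uid} appeared below the earlier UIDNEXT={prev.uidnext}"))
    return findings


def needs_full_resync(findings):
    """dsync cannot insert a UID below ones it already holds, which is why Timo says
    the folder gets deleted and re-synced on the next run in these cases."""
    return any(kind in ("uidvalidity_changed", "uid_inserted", "uid_reused")
               for kind, _ in findings)


def explain_missing_locally(local_uids, prev_remote, curr_remote, uid):
    """Timo's two readings of 'UID=N ... is missing locally' while higher UIDs exist
    locally: (a) it was expunged on the Dovecot side, or (b) the remote produced it
    after the sync had already moved past that UID."""
    if uid in local_uids:
        return "present"
    if not any(u > uid for u in local_uids):
        return "not_yet_synced"   # local simply has not reached that UID yet
    if (uid in curr_remote.guids and uid not in prev_remote.guids
            and uid < prev_remote.uidnext):
        return "remote_inserted"  # case (b): not allowed by IMAP
    return "local_expunged"       # case (a)
```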


Re: External mail attachments storage cleanup

2016-06-28 Thread Timo Sirainen
On 27 Jun 2016, at 16:11, Николай Мананков  wrote:
> 
> Hi,
> 
> I have set up the mdbox backend with the save-mail-attachments-to-external-files 
> option. Dovecot stores attachments to external files but never deletes them.

You haven't run doveadm purge?


Re: chroot: Error: Temp file creation to /tmp

2016-06-28 Thread Timo Sirainen
On 28 Jun 2016, at 10:55, bvr  wrote:
> 
> 
> Hello,
> 
> We are using dovecot (2.2.10) and it's working great! When I enable chrooting 
> by appending /./ to the homedirs I'm getting errors like this:
> 
> mail1 dovecot[47074]: imap(user): Error: Temp file creation to 
> /tmp/dovecot.imap.mail1.70079. failed: No such file or directory
> 
> On the surface everything seems to be working fine and I have not been able 
> to produce the error myself.

Sometimes Dovecot wants to create temporary files to avoid excessive memory 
usage. If it can't create the temp file it'll just keep the temporary data in 
memory. You can control the temporary file location with mail_temp_dir setting. 
But maybe the nicest solution would be to just create a tmp/ directory in 
everybody's home dir? I guess Dovecot could do this also automatically if it 
has permissions, but I'm not entirely sure if that's a good idea.


Re: mail-search backtrace

2016-06-28 Thread Hugh Bragg



On 27/06/16 16:35, Aki Tuomi wrote:


On 25.06.2016 08:25, Hugh Bragg wrote:

On 22/05/16 05:17, Hugh Bragg wrote:


On 13/04/16 06:41, Timo Sirainen wrote:

On 09 Apr 2016, at 21:48, Hugh Bragg  wrote:

I'm repeatedly getting this error:

Apr 07 04:37:27 imap(mymail@address): Panic: file mail-search.c:
line 84 (mail_search_arg_init): assertion failed:
(arg->initialized.keywords == NULL)
Apr 07 04:37:27 imap(mymail@address): Error: Raw backtrace:
/usr/lib64/dovecot/libdovecot.so.0(+0x827c2) [0x7fcb7f65e7c2] ->
/usr/lib64/dovecot/libdovecot.so.0(+0x828ad) [0x7fcb7f65e8ad] ->
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fcb7f605b01] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7fcb7f91a328] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_update_flags+0x100) [0x7fcb7f98e470] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) [0x7fcb7f9983e2] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185) [0x7fcb7f998bb5] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) [0x7fcb7f921222] ->
/usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0xab3) [0x7fcb7e9f7313] -> /usr

It's coming from virtual mailboxes.


namespace virtual {
   location = virtual:/var/mail/vhosts/%d/%n/virtual
   prefix = virtual.
   separator = .
}

What do your dovecot-virtual files contain? I guess opening one of
those virtual mailboxes crashes always. Related to searching keywords.

It still happens once in a while. It just won't expunge old messages
from unseen. There is no other trace or log message.
I was hoping to isolate the cause, but all I can say for sure is
that it happens sometime after Dovecot first starts up and I have to
restart to fix it.
dovecot-virtual files look like this:
# cat virtual/all/dovecot-virtual
*
   all
# cat virtual/Unseen/dovecot-virtual
virtual.all
   inthread refs unseen


A fresh trace:

May 21 00:28:08 imap(x@y): Panic: file mail-search.c: line 84
(mail_search_arg_init): assertion failed: (arg->initialized.keywords
== NULL)
May 21 00:28:08 imap(x@y): Error: Raw backtrace:
/usr/lib64/dovecot/libdovecot.so.0(+0x85c62) [0x7f4fd8915c62] ->
/usr/lib64/dovecot/libdovecot.so.0(+0x85d4d) [0x7f4fd8915d4d] ->
/usr/lib64/dov
ecot/libdovecot.so.0(i_fatal+0) [0x7f4fd88ba5c1] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) 
[0x7f4fd8bd4b78]
-> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_updat
e_flags+0x100) [0x7f4fd8c49d00] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52)
[0x7f4fd8c53ce2] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185
) [0x7f4fd8c544b5] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32)
[0x7f4fd8bdba82] ->
/usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538)
[0x7f4fd7caa428] -> /usr
/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b)
[0x7f4fd8bdb9fb] -> dovecot/imap(imap_sync_init+0x68)
[0x56091d93b078] -> dovecot/imap(+0x1210e) [0x56091d92710e] ->
dovecot/imap(+0x1234d) [0x56091
d92734d] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea)
[0x7f4fd892984a] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb)
[0x7f4fd892ae4b] -> /usr/lib64/dovecot/libdo
vecot.so.0(io_loop_handler_run+0x25) [0x7f4fd8929a75] ->
/usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f4fd8929c18]
-> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13)
[0x7f4fd88c0123] -> d
ovecot/imap(main+0x328) [0x56091d922a98] ->
/lib64/libc.so.6(__libc_start_main+0xf0) [0x7f4fd84ef580] ->
dovecot/imap(_start+0x29) [0x56091d922c19]

Still no clue on this even with debug set on. It's become so bad I
need to restart it or new mail is no longer reported after a few days
when the unseen has dozens of read mails.
I've no idea why it would need the keyword when I haven't done a
search but I suppose the virtual plugin works by using the
mail-search. Still, this shouldn't cause an error even if it is null.
I suppose it could be caused by the number of emails being so great.
Perhaps something is corrupt but as given, my dovecot-virtual files
are as recommended by the plugin doco and nothing else seems amiss. If
there is a corrupt mail or something then I don't know how to trace it.

Anything anyone?


A fresh trace :
Jun 25 15:10:30 imap(x@y.z): Panic: file mail-search.c: line 84
(mail_search_arg_init): assertion failed: (arg->initialized.keywords
== NULL)
Jun 25 15:10:30 imap(x@y.z): Error: Raw backtrace:
/usr/lib64/dovecot/libdovecot.so.0(+0x87102) [0x7fcb73696102] ->
/usr/lib64/dovecot/libdovecot.so.0(+0x871ed) [0x7fcb736961ed] ->
/usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fcb736399e1] ->
/usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228)
[0x7fcb73955cc8] ->

Re: FTS search used / useful on an IMAP proxy?

2016-06-28 Thread Michael Slusarz
> 
> On June 28, 2016 at 7:07 AM Luca Lesinigo  wrote:
> 
> We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy 
> functionality is already working and I’m trying to understand if having the 
> FTS service configured on the dovecot *proxy* would be of any use.
> 
> I do suspect it would be useless, I guess dovecot in imap proxy mode just 
> forwards any command to the backend and does not bother to do anything about 
> it, but I’m failing to find a definitive answer in the documentation. If I am 
> guessing correctly, an fts service would only be useful if configured and 
> working on the actual backend.
> 

FTS only makes sense on backend, where the search would be executed.

michael


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread aki . tuomi

> On June 28, 2016 at 5:17 PM Mark Foley  wrote:
> 
> 
> Aki - made your suggested changes, but no joy :(
> 
> My /etc/krb5.conf:
> 
> --SNIP
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
> 
> [libdefaults]
>   default_realm = HPRS.LOCAL
>   dns_lookup_kdc = true
>   kdc_timesync = 1
>   ccache_type = 4
>   forwardable = true
>   proxiable = true
>   fcc-mit-ticketflags = true
> 
> [realms]
>   HPRS.LOCAL = {
> default_domain = hprs.local
> auth_to_local_names = {
> Administrator = root
>   }
> }
> 
> [domain_realm]
> hprs.local = HPRS.LOCAL
> # this is not a mistake
> .hprs.local = HPRS.LOCAL
> --PINS---
> 
> you wrote:
> > You can remove the krb4_ stuff
> 
> I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
> section altogether.
> Question on [realms]Administrator: should that really be root or should it be 
> my AD Administrator?
> 
> my doveconf -n is exactly the same as posted below, but in particular:
> 
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> 
> When I reloaded dovecot no mail was delivered to anyone (even though everyone 
> was still using
> plain/ssl, no one yet configured for gssapi).
> 
> In /var/log/maillog I got (repeatedly):
> 
> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not 
> responding, delayed sending initial response (greeting): user=<>, 
> rip=192.168.0.54, lip=192.168.0.2, session=
> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
> 'gssapi'
> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
> failed, throttling for 60 secs
> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not 
> responding, delayed sending initial response (greeting): user=<>, 
> rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> 
> This looks pretty bad right off. Why "Unknown authentication mechanism 
> 'gssapi'"?
> 
> Do you have any idea from the configs I've posted? I'm rather depressed about 
> this. I thought I'd
> finally be able to get AD authentication going for Dovecot. Not ready to give up 
> though!
> 
> Suggestions?
> 
> THX -- Mark
> 
> -original Message-
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
> > example]
> > To: dovecot@dovecot.org
> > From: Aki Tuomi 
> > Date: Tue, 28 Jun 2016 15:13:11 +0300
> >
> > On 28.06.2016 09:27, Mark Foley wrote:
> > > Aki,
> > >
> > > To review your 5 points:
> > >
> > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  wrote:
> > >
> > >> 1. Functional AD or Kerberos environment
> > >> 2. Time synced against your KDC (which is your Domain Controller on 
> > >> Windows)
> > >> 3. /etc/krb5.conf configured
> > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > >> Reverse is only mandatory for servers, but having them right will work
> > >> wonders. Most kerberos problems are about DNS problems.
> > >> 5. You need a keytab. This keytab needs to hold entries like
> > >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> > >> these on any Windows DC server (at least).
> > > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos 
> > > and tested it with kinit
> > > and klist according to the instructions at
> > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > >
> > > As to the keytab (#5) I did the following:
> > >
> > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > >
> > > which created the file.  I made this owned and readable by group dovecot, 
> > > per instructions at
> > > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
> > > /etc/krb5.keytab` shows me
> > > configuration listing all the users and computers in the domain, mostly 
> > > in triplicate.  A
> > > partial list:
> > >
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ---- --------------------------------------------------------------------------
> > >   18 COMMON$@HPRS.LOCAL
> > >   18 COMMON$@HPRS.LOCAL
> > >   18 COMMON$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 charmaine@HPRS.LOCAL
> > >    1 charmaine@HPRS.LOCAL
> > >    1 charmaine@HPRS.LOCAL
> > >
> > > where COMMON and MAIL are hosts and charmaine is a user. I don't really 
> > > understand the listing,
> > > but am assuming it is OK.
> >
> > Strange that you do not have any host/ entries. Maybe it works without.
> >
> > >> setspn -q is helpful here, also setspn command in general.
> > > I have no such command in my system. Is that a Windows thing?
> > >
> >
> > Yes, but you can do those kind of things in Samba too.
> >
> > > As to the /etc/krb5.conf, the default one generated by samba is:
> > >
> > > [libdefaults]
> > >  default_realm = 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

--SNIP
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  fcc-mit-ticketflags = true

[realms]
  HPRS.LOCAL = {
default_domain = hprs.local
auth_to_local_names = {
Administrator = root
  }
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
--PINS---

you wrote:
> You can remove the krb4_ stuff

I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
section altogether.
Question on [realms]Administrator: should that really be root or should it be 
my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone 
was still using
plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, 
delayed sending initial response (greeting): user=<>, rip=192.168.0.54, 
lip=192.168.0.2, session=
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, 
delayed sending initial response (greeting): user=<>, rip=166.170.27.161, 
lip=98.102.63.107, TLS, session=

This looks pretty bad right off. Why "Unknown authentication mechanism 
'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about 
this. I thought I'd
finally be able to get AD authentication going for Dovecot. Not ready to give up 
though!

Suggestions?

THX -- Mark

-original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi 
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on 
> >> Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers.
> >> Reverse is only mandatory for servers, but having them right will work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> >> these on any Windows DC server (at least).
> > I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and 
> > tested it with kinit
> > and klist according to the instructions at
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file.  I made this owned and readable by group dovecot, 
> > per instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
> > /etc/krb5.keytab` shows me
> > configuration listing all the users and computers in the domain, mostly in 
> > triplicate.  A
> > partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really 
> > understand the listing,
> > but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by samba is:
> >
> > [libdefaults]
> >  default_realm = HPRS.LOCAL
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = true
> >
> > I'd like to modify that to your suggestions, but I need more help. You have 
> > (with my questions):
> >
> >> Here is a *SAMPLE* configuration:
> >>
> >> [libdefaults]
> >>  default_realm = YOUR.REALM
> >>  dns_lookup_kdc = true
> >>  krb4_config = 

FTS search used / useful on an IMAP proxy?

2016-06-28 Thread Luca Lesinigo
We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy 
functionality is already working and I’m trying to understand if having the FTS 
service configured on the dovecot *proxy* would be of any use.

I do suspect it would be useless, I guess dovecot in imap proxy mode just 
forwards any command to the backend and does not bother to do anything about 
it, but I’m failing to find a definitive answer in the documentation. If I am 
guessing correctly, an fts service would only be useful if configured and 
working on the actual backend.

Can anyone clarify my doubts?

thank you,
--
Luca Lesinigo

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Aki Tuomi



On 28.06.2016 09:27, Mark Foley wrote:

Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  wrote:


1. Functional AD or Kerberos environment
2. Time synced against your KDC (which is your Domain Controller on Windows)
3. /etc/krb5.conf configured
4. Both forward / reverse DNS names correct for clients and servers.
Reverse is only mandatory for servers, but having them right will work
wonders. Most kerberos problems are about DNS problems.
5. You need a keytab. This keytab needs to hold entries like
IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
these on any Windows DC server (at least).

I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and 
tested it with kinit
and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file.  I made this owned and readable by group dovecot, per 
instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
/etc/krb5.keytab` shows me
configuration listing all the users and computers in the domain, mostly in 
triplicate.  A
partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really 
understand the listing,
but am assuming it is OK.


Strange that you do not have any host/ entries. Maybe it works without.


setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?



Yes, but you can do those kind of things in Samba too.


As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
 default_realm = HPRS.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have 
(with my questions):


Here is a *SAMPLE* configuration:

[libdefaults]
 default_realm = YOUR.REALM
 dns_lookup_kdc = true
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I 
rather have:


You can remove the krb4_ stuff


krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in 
there?

You don't necessarily require that.


 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 fcc-mit-ticketflags = true

[realms]
 YOUR.REALM = {
 default_domain = your.domain.name
 auth_to_local_names = {
 Administrator = root
 }
 }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my 
FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)


HPRS.LOCAL is your REALM, hprs.local is your domain name.



[domain_realm]
   your.domain.name = YOUR.REALM
# this is not a mistake
   .your.domain.name = YOUR.REALM
[login]
 krb4_convert = true
 krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:


Also, note that kerberos can only act as AUTHENTICATION system. It
cannot act as USER DATABASE. For that you need to configure LDAP or
something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
   driver = shadow
}
protocols = imap
ssl_cert = 
passwd driver is fine, yes, if you ensure that users can be found.

Aki
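
A checker for Aki's point 5 and for the krb5.conf posted in this thread, as an added example (not code from Dovecot, Samba or anyone in the thread). It parses `klist -k` output and asks whether the service principal Dovecot needs, `imap/<fqdn>@<REALM>`, is present (compared exactly, with a case-only mismatch reported on its own line), lists every non-service entry the keytab carries, and spots a krb5.conf that opens the same section twice. The sample listings are constructed from the one posted above plus a passing case; mail.hprs.local is taken from the thread as the mail server's FQDN.

```python
import re
from collections import Counter

# Constructed from the `klist -k` listing posted above (three of its entries).
POSTED_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
"""

# Constructed: what a keytab holding only Dovecot's own service key would list.
# The hostname mail.hprs.local is the one named in this thread.
SERVICE_ONLY_KLIST = """Keytab name: FILE:/etc/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL
"""

# The krb5.conf posted above, shortened; it still opens [libdefaults] twice.
POSTED_KRB5_CONF = """[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
  kdc_timesync = 1

[realms]
  HPRS.LOCAL = {
    default_domain = hprs.local
  }

[domain_realm]
  hprs.local = HPRS.LOCAL
  .hprs.local = HPRS.LOCAL
"""

KLIST_ROW = re.compile(r'^\s*(\d+)\s+(\S+)\s*$')
SECTION = re.compile(r'^\s*\[([^\]]+)\]\s*$')


def parse_klist(text):
    """(kvno, principal) per row of `klist -k` output; the header rows carry no KVNO."""
    rows = []
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            rows.append((int(m[1]), m[2]))
    return rows


def is_service_principal(principal):
    """service/instance@REALM. Plain user (charmaine@) and computer (MAIL$@) names are not."""
    return '/' in principal.rpartition('@')[0]


def check_dovecot_keytab(klist_text, fqdn, realm, service='imap'):
    """Does the keytab hold imap/<fqdn>@<REALM>, and what else does it hold?"""
    wanted = f'{service}/{fqdn}@{realm}'
    principals = sorted({p for _, p in parse_klist(klist_text)})  # klist prints one row per enctype
    report = {
        'wanted': wanted,
        'present': wanted in principals,
        # MIT krb5 matches keytab principals case-sensitively, so IMAP/ does not serve imap/.
        'case_only_match': [p for p in principals
                            if p != wanted and p.lower() == wanted.lower()],
        # Every non-service entry is an account's long-term key. `samba-tool domain
        # exportkeytab` with no --principal writes every account in the domain, and those
        # keys are password-equivalent; they do not belong in a file the mail server
        # (group dovecot, per the thread) can read.
        'account_keys': [p for p in principals if not is_service_principal(p)],
    }
    report['ok'] = report['present'] and not report['account_keys']
    return report


def duplicate_sections(krb5_conf_text):
    """Section names a krb5.conf declares more than once (MIT merges them, which is easy to misread)."""
    counts = Counter(m[1] for m in map(SECTION.match, krb5_conf_text.splitlines()) if m)
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == '__main__':
    print(check_dovecot_keytab(POSTED_KLIST, 'mail.hprs.local', 'HPRS.LOCAL'))
    print(check_dovecot_keytab(SERVICE_ONLY_KLIST, 'mail.hprs.local', 'HPRS.LOCAL'))
    print('duplicated sections:', duplicate_sections(POSTED_KRB5_CONF))
```

On a Samba DC the passing case is produced by registering the SPN on the mail server's computer account and exporting only that principal, for example `samba-tool spn add imap/mail.hprs.local MAIL$` followed by `samba-tool domain exportkeytab /etc/dovecot.keytab --principal=imap/mail.hprs.local`, and pointing `auth_krb5_keytab` at that file; the `account_keys` list is the one you want to see empty.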


chroot: Error: Temp file creation to /tmp

2016-06-28 Thread bvr


Hello,

We are using dovecot (2.2.10) and it's working great! When I enable 
chrooting by appending /./ to the homedirs I'm getting errors like this:


mail1 dovecot[47074]: imap(user): Error: Temp file creation to 
/tmp/dovecot.imap.mail1.70079. failed: No such file or directory


On the surface everything seems to be working fine and I have not been 
able to produce the error myself.


Any ideas?

Thanks in advance,
bvr.


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1,2 and 4.  I downloaded and installed kerberos and 
tested it with kinit
and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file.  I made this owned and readable by group dovecot, per 
instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  Running `klist -k 
/etc/krb5.keytab` shows me
configuration listing all the users and computers in the domain, mostly in 
triplicate.  A
partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really 
understand the listing,
but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?


As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have 
(with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I 
rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in 
there?

> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
> default_domain = your.domain.name
> auth_to_local_names = {
> Administrator = root
> }
> }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my 
FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
>   your.domain.name = YOUR.REALM
> # this is not a mistake
>   .your.domain.name = YOUR.REALM
> [login]
> krb4_convert = true
> krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =