Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> On Jun 28, 2016, at 10:32 PM, Mark Foley wrote:
>
> Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
> don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
> delivered successfully to the other domain users having PLAIN authentication. That's a big
> step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
>
> HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
> authenticate and retrieve mail. Here is the dovecot log for that host:

What does thunderbird tell you?

> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
> Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=
>
> Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
> messages below.
>
> Closer! --Mark
>
> -Original Message-
> From: Mark Foley
> Date: Tue, 28 Jun 2016 22:04:42 -0400
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> Aki, you wrote:
>
>> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile
>> it yourself?
>>
>> I'll try to check status of NTLM this week.
>
> I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.
>
> I do have the Dovecot sources and will peruse the possible options after I send this. I am on
> version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
> you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
> related to gssapi)
>
> --Mark
>
> -Original Message-
>> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
>> From: aki.tu...@dovecot.fi
>> To: dovecot@dovecot.org
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>>
>>> On June 28, 2016 at 5:17 PM Mark Foley wrote:
>>>
>>>
>>> Aki - made your suggested changes, but no joy :(
>>>
>>> My /etc/krb5.conf:
>>>
>>>
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I
don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is
delivered successfully to the other domain users having PLAIN authentication. That's a big
step. In examining my original config.log output I apparently did not have --with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly
authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=

Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous
messages below.

Closer! --Mark

-Original Message-
From: Mark Foley
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot@dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this. I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley wrote:
> >
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > --SNIP
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_kdc = true
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> >
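The log quoted above shows the pattern a defender wants to catch automatically: the TLS handshake completes, the client sends nothing, and imap-login reports a disconnect with zero auth attempts; the earlier maillog excerpt in this thread shows the auth service failing to start on an unknown mechanism and being throttled. The following triage script is an added example, not code from the thread or from Dovecot. Its regular expressions are written for the exact line shapes quoted in this thread (with and without the syslog "host dovecot: " prefix) and are an assumption for other Dovecot versions; the sample lines are copied from the messages above.

```python
"""Triage helper for Dovecot imap-login / auth log lines (added example).

Assumption: the regexes match the line shapes quoted in this thread; other
log formats may need PREFIX_RE adjusted.
"""
import re
from collections import Counter

# "Mon DD HH:MM:SS [host dovecot: ]service[(ctx)]: Level: message"
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) dovecot: )?"
    r"(?P<svc>[\w-]+)(?:\([^)]*\))?: (?P<level>\w+): (?P<msg>.*)$"
)
DISCONNECT_RE = re.compile(
    r"Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+)(?P<tls>, TLS)?"
)
FATAL_MECH_RE = re.compile(r"Unknown authentication mechanism '(?P<mech>[^']+)'")
THROTTLE_RE = re.compile(r"service\((?P<service>[^)]+)\): command startup failed")
TLS_DONE_RE = re.compile(r"SSL negotiation finished successfully \[(?P<rip>[^\]]+)\]")


def triage(lines):
    """Summarise: clients that finished TLS but never tried to authenticate,
    unknown auth mechanisms (auth service cannot start), throttled services."""
    tls_ok = set()          # remote IPs whose TLS handshake completed
    no_auth = Counter()     # remote IP -> disconnects with zero auth attempts
    unknown_mechs, throttled = [], []
    for raw in lines:
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        t = TLS_DONE_RE.search(msg)
        if t:
            tls_ok.add(t.group("rip"))
        d = DISCONNECT_RE.search(msg)
        if d and d.group("reason").startswith("no auth attempts"):
            no_auth[d.group("rip")] += 1
        f = FATAL_MECH_RE.search(msg)
        if f:
            unknown_mechs.append(f.group("mech"))
        th = THROTTLE_RE.search(msg)
        if th:
            throttled.append(th.group("service"))
    return {
        "tls_then_silent": sorted(r for r in no_auth if r in tls_ok),
        "no_auth_attempts": dict(no_auth),
        "unknown_mechanisms": unknown_mechs,
        "throttled_services": throttled,
    }


# Sample input: lines quoted in this thread (the GSSAPI client that gives up,
# and the earlier auth-service startup failure).
SAMPLE_LOG = [
    "Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]",
    "Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]",
    "Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=",
    "Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=",
    "Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'",
    "Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A client in `tls_then_silent` negotiated TLS and then closed without an AUTHENTICATE, which is what a GSSAPI client does when it cannot obtain a service ticket; the answer lies on the client side, not in imap-login. A non-empty `unknown_mechanisms` list means the auth service is not starting at all, so every login on the server stalls until the mechanism is removed or the server is rebuilt with support for it.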
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this. I am on
version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do
you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious
related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley wrote:
> >
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > --SNIP
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_kdc = true
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > HPRS.LOCAL = {
> > default_domain = hprs.local
> > auth_to_local_names = {
> > Administrator = root
> > }
> > }
> >
> > [domain_realm]
> > hprs.local = HPRS.LOCAL
> > # this is not a mistake
> > .hprs.local = HPRS.LOCAL
> > --PINS---
> >
> > you wrote:
> > > You can remove the krb4_ stuff
> >
> > I've removed krb4_ stuff from the [libdefaults] and eliminated the [login]
> > section altogether.
> > Question on [realms]Administrator: should that really be root or should it
> > be my AD Administrator?
> >
> > my doveconf -n is exactly the same as posted below, but in particular:
> >
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> >
> > When I reloaded dovecot no mail was delivered to anyone (even though
> > everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> >
> > In /var/log/maillog I got (repeatedly):
> >
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> >
> > This looks pretty bad right off. Why "Unknown authentication mechanism
> > 'gssapi'"?
> >
> > Do you have any idea from the configs I've posted? I'm rather depressed
> > about this. I thought I'd
> > finally be able to get AD authentication going for Dovecot. Not ready to give
> > up though!
> >
> > Suggestions?
> >
> > THX -- Mark
> >
> > -original Message-
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config
> > > example]
> > > To: dovecot@dovecot.org
> > > From: Aki Tuomi
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi
> > > > wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain Controller on
> > > >> Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > > >> Reverse is only mandatory for servers, but having them right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries like
> > > >> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> > > >> these on any Windows DC server (at least).
> > > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos
> > > > and tested it with kinit
> > > > and klist according to the instructions at
> > > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > > >
> > > > As to the keytab (#5) I did the following:
> > > >
> > > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > > >
> > > > which created the file. I made this owned and readable by group
> > > > dovecot, per instructions at
> > > > http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k
> > > > /etc/krb5.keytab` shows me
> > > > configuration listing all the users and computers in the domain, mostly
> > > > in triplicate. A
> > > > partial list:
> > > >
> > >
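Two of Aki's five points, the krb5.conf (3) and the keytab contents (5), can be checked mechanically before touching Dovecot. The script below is an added example, not code from the thread, Samba, MIT Kerberos or Dovecot. `parse_krb5_conf()` reads the file as a section/key tree and reports a section header that appears twice, which is the case for `[libdefaults]` in the krb5.conf quoted above; `check_keytab()` compares `klist -k` output (MIT's "KVNO Principal" table layout is assumed) against the two service principals the thread says the keytab must hold, `imap/<fqdn>@REALM` and `imap/<shorthost>@REALM`. The hostname `imapserver.hprs.local` and the klist listing are constructed for the example; the case-insensitive comparison is a simplification.

```python
"""Pre-flight checks for a Dovecot GSSAPI setup (added example).

Assumptions: MIT-style `klist -k` output; service name compared
case-insensitively; hostname and keytab listing are constructed.
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KLIST_ROW_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def parse_krb5_conf(text):
    """Return (sections, duplicates).

    sections maps a section name to a list of (key, value) pairs; keys inside
    { ... } blocks are prefixed with the enclosing keys joined by '/'.
    duplicates lists section headers that were declared more than once.
    """
    sections, duplicates, current, stack = {}, [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current in sections:
                duplicates.append(current)
            sections.setdefault(current, [])
            stack = []
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(key)                    # entering a nested block
            continue
        if current is not None:
            sections[current].append(("/".join(stack + [key]), value))
    return sections, duplicates


def required_principals(hostname, realm):
    # Point 5 above: both the FQDN form and the short hostname form.
    short = hostname.split(".", 1)[0]
    return {f"imap/{hostname}@{realm}", f"imap/{short}@{realm}"}


def keytab_principals(klist_output):
    return {m.group(1) for m in map(KLIST_ROW_RE.match, klist_output.splitlines()) if m}


def check_keytab(klist_output, hostname, realm):
    """Return the required principals that the keytab listing lacks."""
    have = {p.lower() for p in keytab_principals(klist_output)}
    return sorted(p for p in required_principals(hostname, realm) if p.lower() not in have)


# The krb5.conf quoted in this thread (note the repeated [libdefaults]).
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
HPRS.LOCAL = {
default_domain = hprs.local
auth_to_local_names = {
Administrator = root
}
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
"""

# Constructed `klist -k` output: the short-host principal is deliberately absent.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 IMAPSERVER$@HPRS.LOCAL
   2 host/imapserver.hprs.local@HPRS.LOCAL
   2 imap/imapserver.hprs.local@HPRS.LOCAL
"""

if __name__ == "__main__":
    sections, dups = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("duplicate sections:", dups)
    print("missing principals:", check_keytab(SAMPLE_KLIST, "imapserver.hprs.local", "HPRS.LOCAL"))
```

A duplicated section is not necessarily fatal to the Kerberos library, but it makes the effective values hard to reason about; merging the two `[libdefaults]` blocks removes one variable from the troubleshooting. A keytab that lists every account in the domain, as the export above does, also carries far more key material than Dovecot needs, so exporting only the service principal is the tighter choice.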
Re: dsync unstable? (other strange detail)
Timo Sirainen (Mi 29 Jun 2016 00:20:05 CEST):
…
> > Maybe, did you read my previous post with a similar subject? There I had
> > an empty local destination and some nasty effects too.
>
> There was another mail with "highest than remote's UIDs" error. Do you mean
> that one? I don't see others. That's also kind of strange. Dovecot had seen
> mails that suddenly no longer existed on Cyrus side. It's as if you're
> syncing to two different Cyrus servers that are somewhat out of sync
> themselves. Is that possible?

Yes,

dsync(heiko): Warning: Deleting mailbox 'Trash': UID=18290 already exists locally for a different mail: highest than remote's UIDs (remote UIDNEXT=19588)

This happened during a sync to an empty local destination.

The source (cyrus) is an active/passive cluster, the IP I'm connecting to should be on the same machine for the time the synchronisation runs. But I'll check this.

Thank you for responding… It gives me the hope that it *should* work.
(Meanwhile I'm writing 'yet-another-imap2imap' sync tool, but using dsync would be the better choice, definitively)

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
Re: dsync unstable? (other strange detail)
On 29 Jun 2016, at 01:13, Heiko Schlittermann wrote:
>
> Timo Sirainen (Mi 29 Jun 2016 00:00:11 CEST):
> …
>>> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. This isn't allowed by IMAP standard.
>> It's still strange if Cyrus is doing that. It's generally a pretty well
>> behaving IMAP server. What version is it?
>
> * OK srvlx Cyrus IMAP4 v2.2.12 server ready
>
> Maybe, did you read my previous post with a similar subject? There I had
> an empty local destination and some nasty effects too.

There was another mail with "highest than remote's UIDs" error. Do you mean that one? I don't see others. That's also kind of strange. Dovecot had seen mails that suddenly no longer existed on Cyrus side. It's as if you're syncing to two different Cyrus servers that are somewhat out of sync themselves. Is that possible?

> In case it helps:
>
> mail_location = maildir:~:INBOX=/volumes/dovecot/inbox/%2.256Nn/%n:INDEX=/volumes/dovecot/cache/%2.256Nn/%n
>
> which leads to
>
> /volumes/dovecot/{cache,home,inbox}//
>
> is used for the maildir storage. As I'm writing this, I'm not sure, if I
> really purged the /var/vmail/cache/ hierarchy. But home/ and inbox/
> were clean as a baby.
>
> The storage is imported via NFS. But the other backends (we're using a
> director/backend setup) are switched off, to really be sure that we don't have
> concurrent access.

An out-of-date index with Maildir shouldn't really matter since it should get automatically updated.
Re: dsync unstable? (other strange detail)
Timo Sirainen (Mi 29 Jun 2016 00:00:11 CEST):
…
> >> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there
> >> earlier. This isn't allowed by IMAP standard.
> It's still strange if Cyrus is doing that. It's generally a pretty well
> behaving IMAP server. What version is it?

* OK srvlx Cyrus IMAP4 v2.2.12 server ready

Maybe, did you read my previous post with a similar subject? There I had an empty local destination and some nasty effects too.

In case it helps:

mail_location = maildir:~:INBOX=/volumes/dovecot/inbox/%2.256Nn/%n:INDEX=/volumes/dovecot/cache/%2.256Nn/%n

which leads to

/volumes/dovecot/{cache,home,inbox}//

is used for the maildir storage. As I'm writing this, I'm not sure, if I really purged the /var/vmail/cache/ hierarchy. But home/ and inbox/ were clean as a baby.

The storage is imported via NFS. But the other backends (we're using a director/backend setup) are switched off, to really be sure that we don't have concurrent access.

-- Heiko
Re: FTS search used / useful on an IMAP proxy?
On 28 Jun 2016, at 16:07, Luca Lesinigo wrote:
>
> We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy
> functionality is already working and I’m trying to understand if having the
> FTS service configured on the dovecot *proxy* would be of any use.
>
> I do suspect it would be useless, I guess dovecot in imap proxy mode just
> forwards any command to the backend and does not bother to do anything about
> it, but I’m failing to find a definitive answer in the documentation. If I am
> guessing correctly, an fts service would only be useful if configured and
> working on the actual backend.
>
> Can anyone clarify my doubts?

If you want to use doveadm fts optimize/rescan commands via doveadm proxy, you need to load fts plugin on the proxy to get the commands. But otherwise there's no reason for it.
Re: dsync unstable? (other strange detail)
On 29 Jun 2016, at 00:53, Heiko Schlittermann wrote:
>
> Hi,
> Timo Sirainen (Di 28 Jun 2016 23:30:38 CEST):
>>>
>>> On successive runs of the above command I get:
>>>
>>> dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten
>>> Anforderung': UID=16 GUID= is missing locally
>>
>> This means that on Dovecot side there are messages after UID=16, but either:
>> a) UID=16 was expunged from Dovecot side or
>
> On the dovecot side nobody is accessing the mail system.
>
>> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there
>> earlier. This isn't allowed by IMAP standard.
>
> Hm, this seems to be a possible reason.
> So, successive numbers?
>
> It seems to happen mostly on huuge mailboxes.

It's still strange if Cyrus is doing that. It's generally a pretty well behaving IMAP server. What version is it?
Re: Disabling passdb pam in local.conf
* Timo Sirainen:
> Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:
>
> passdb {
>   driver = whatever you want for your real passdb
>   args = etc
>   result_failure = return
>   result_internalfail = return
> }
>
> So even though pam is still in the config, it's just never actually called.

I played with the idea to set result_failure and result_internalfail to pass it all through, too. But then things started to get nasty and I took the long road and began to edit more than local.conf.

But thanks for taking the time to review and rethink this.

p@rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: dsync unstable? (other strange detail)
Hi,

Timo Sirainen (Di 28 Jun 2016 23:30:38 CEST):
> >
> > On successive runs of the above command I get:
> >
> > dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten
> > Anforderung': UID=16 GUID= is missing locally
>
> This means that on Dovecot side there are messages after UID=16, but either:
> a) UID=16 was expunged from Dovecot side or

On the dovecot side nobody is accessing the mail system.

> b) UID=16 suddenly appeared on Cyrus side even though it wasn't there
> earlier. This isn't allowed by IMAP standard.

Hm, this seems to be a possible reason.
So, successive numbers?

It seems to happen mostly on huuge mailboxes.

-- Heiko
Re: Suggestion: Split login_trusted_networks
> On 29 Jun 2016, at 00:49, Timo Sirainen wrote:
>
> On 27 Jun 2016, at 15:46, Peter Mogensen wrote:
>>
>> Hi,
>>
>> For the upcoming 2.3 development, I'd like to re-suggest this:
>>
>> It seems the use of login_trusted_networks is overloaded.
>>
>> Example:
>> * It's used for indicating which hosts you trust to provide XCLIENT remote
>> IP's. (like a proxy)
>> * It's used for indicating from which hosts you trust logins enough to
>> disable auth penalty. (like in a webmail)
>>
>> Often these two use cases have a different set of hosts.
>>
>> So you can't have one set of hosts which you trust for XCLIENT and another
>> set of hosts you trust for not being the origin of brute force attacks.
>
> Hmm. I guess it's possible nowadays to remove that. The old behavior could
> still be configured by adding a passdb that enables nodelay=yes for the
> webmail's IP. For example:
>
> passdb {
>   driver = passwd-file
>   args = username_format=%{lip} /etc/dovecot/passdb

%{rip} I meant.

> }
>
> 127.0.0.1:::nodelay=yes

So this could be e.g. 192.168.10.123 or something.

> So I'm thinking v2.3 could no longer send the no-penalty parameter at all
> based on login_trusted_networks.
>
> Also related: Dovecot's auth penalty support isn't especially good. There's
> now support for http://wiki2.dovecot.org/Authentication/Policy that can talk
> to https://github.com/PowerDNS/weakforced to provide much better
> possibilities for implementing auth penalty rules and especially cluster-wide.
Re: Suggestion: Split login_trusted_networks
On 27 Jun 2016, at 15:46, Peter Mogensen wrote:
>
> Hi,
>
> For the upcoming 2.3 development, I'd like to re-suggest this:
>
> It seems the use of login_trusted_networks is overloaded.
>
> Example:
> * It's used for indicating which hosts you trust to provide XCLIENT remote
> IP's. (like a proxy)
> * It's used for indicating from which hosts you trust logins enough to
> disable auth penalty. (like in a webmail)
>
> Often these two use cases have a different set of hosts.
>
> So you can't have one set of hosts which you trust for XCLIENT and another
> set of hosts you trust for not being the origin of brute force attacks.

Hmm. I guess it's possible nowadays to remove that. The old behavior could still be configured by adding a passdb that enables nodelay=yes for the webmail's IP. For example:

passdb {
  driver = passwd-file
  args = username_format=%{lip} /etc/dovecot/passdb
}

127.0.0.1:::nodelay=yes

So I'm thinking v2.3 could no longer send the no-penalty parameter at all based on login_trusted_networks.

Also related: Dovecot's auth penalty support isn't especially good. There's now support for http://wiki2.dovecot.org/Authentication/Policy that can talk to https://github.com/PowerDNS/weakforced to provide much better possibilities for implementing auth penalty rules and especially cluster-wide.
Re: Disabling passdb pam in local.conf
On 22 Jun 2016, at 09:48, Patrick Ben Koetter wrote:
>
> * Patrick Ben Koetter :
>> * Marcus Rueckert :
>>>> What am I missing?
>>>
>>> That 10-auth.conf is actually meant to be edited. most distros should
>>> have configuration file handling pretty much figured out by now. so
>>> none of your changes to those files should get lost. also configuration
>>> management comes to mind.
>>
>> As I repeatedly said none of those actions are an option in this project.
>> I think we better stop this thread.
>
> For the books:
>
> It can't be done at the moment. That would require the passdb section to
> become a named section, e.g. like this:
>
> passdb pam {
>   driver = pam
> }
>
> Then one would be able to address this particular passdb namespace and do e.g.
> something like this:
>
> passdb pam {
>   driver = pam
>   enabled = no
> }

Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:

passdb {
  driver = whatever you want for your real passdb
  args = etc
  result_failure = return
  result_internalfail = return
}

So even though pam is still in the config, it's just never actually called.
Re: exempt local auth-client UNIX socket from failed login penalty // add to login_trusted_networks ?
On 24 Jun 2016, at 13:33, Steffen Kaiser wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi,
>
> I'm using Dovecot v2.2 with unix_listener auth-client {
> } to verify passwords for a different service. However, it looks like that
> auth_failure_delay affects all connects going through that socket.
>
> I mean:
>
> connect /var/run/dovecot2.2/auth-client
> attempt bad auth
> 2s penalty
> NO
> disconnect
> ==> Note, it's another connection almost immediately following each
> connect /var/run/dovecot2.2/auth-client
> attempt good auth
> 2s penalty
> OK
> disconnect
>
> Can I disable auth_failure_delay for local UNIX sockets?
> How do I add it to login_trusted_networks?

If you add no-penalty parameter to the AUTH command you avoid the penalty.
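Both this thread and the login_trusted_networks discussion above turn on the same detail: the auth-client protocol carries an optional `no-penalty` parameter on the AUTH line, and whoever speaks that protocol decides when to send it. The code below is an added example, not Dovecot's own code, showing a client that builds AUTH requests for a local auth-client socket and parses the replies. The line layout (tab-separated `AUTH id mechanism service=… [secured] [no-penalty] [lip=…] [rip=…] resp=…`, replies `OK`/`FAIL`/`CONT`) is taken from the auth protocol page at http://wiki2.dovecot.org/Design/AuthProtocol and is an assumption here; the policy of which callers may skip the penalty (`LOCAL_NO_PENALTY_SERVICES`) is hypothetical and is the caller's choice, not a Dovecot setting.

```python
"""Dovecot auth-client protocol lines with the no-penalty parameter (added example).

Assumptions: protocol layout as documented on the Dovecot wiki; PLAIN initial
response is "authzid NUL authcid NUL password", base64-encoded; the allow-list
of services that may skip the failure delay is a hypothetical local policy.
"""
import base64

# Hypothetical policy: only these local checkers may ask to skip auth_failure_delay.
LOCAL_NO_PENALTY_SERVICES = {"webmail-auth-check"}


def plain_initial_response(user, password, authzid=""):
    """SASL PLAIN message, base64-encoded as the resp= parameter expects."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


def build_auth_request(req_id, service, user, password, rip=None, lip=None, secured=False):
    """Compose one AUTH line. no-penalty is sent only for an allow-listed
    service that is local (no remote IP): remote clients always pay the delay."""
    fields = ["AUTH", str(req_id), "PLAIN", f"service={service}"]
    if secured:
        fields.append("secured")
    if service in LOCAL_NO_PENALTY_SERVICES and rip is None:
        fields.append("no-penalty")
    if lip:
        fields.append(f"lip={lip}")
    if rip:
        fields.append(f"rip={rip}")
    fields.append("resp=" + plain_initial_response(user, password))
    return "\t".join(fields) + "\n"


def parse_auth_request(line):
    """Inverse of build_auth_request: flags become True, key=value become pairs."""
    parts = line.rstrip("\n").split("\t")
    out = {"cmd": parts[0], "id": int(parts[1]), "mech": parts[2]}
    for p in parts[3:]:
        key, sep, value = p.partition("=")
        out[key] = value if sep else True
    if "resp" in out:
        out["resp"] = base64.b64decode(out["resp"])
    return out


def parse_reply(line):
    """Parse an OK / FAIL / CONT reply into (status, id, params)."""
    parts = line.rstrip("\n").split("\t")
    status, req_id = parts[0], int(parts[1])
    params = {}
    for p in parts[2:]:
        key, _, value = p.partition("=")
        params[key] = value
    return status, req_id, params


if __name__ == "__main__":
    # Constructed exchange: a local checker (penalty skipped) and a remote login (penalty kept).
    print(build_auth_request(1, "webmail-auth-check", "alice", "s3cret"), end="")
    print(build_auth_request(2, "imap", "alice", "s3cret", rip="203.0.113.5", lip="198.51.100.1", secured=True), end="")
    print(parse_reply("OK\t1\tuser=alice\n"))
    print(parse_reply("FAIL\t2\tuser=alice\treason=no such user\n"))
```

Keeping the exemption tied to a named service rather than to an address range is the separation Peter asks for above: the set of hosts trusted to supply XCLIENT data and the set of callers allowed to bypass the failure delay no longer have to be the same list.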
Re: dsync unstable? (other strange detail)
On 27 Jun 2016, at 08:28, Heiko Schlittermann wrote:
>
> Hi,
>
> I'm trying to migrate from Cyrus (remote side) to Dovecot 2.2.24 (local).
> On the local side the destinations folders, and indexes are empty.
>
> The command I'm using is
>
> doveadm \
>    -o mail_plugins= \
>    -o imapc_master_user= \
>    -o imapc_password= \
>    -o imapc_host= \
>    \
>    -o imapc_ssl_verify=no \
>    -o imapc_ssl=imaps \
>    -o imapc_port=993 \
>    backup -f -u "heiko" -R imapc: \
>    || {
>        rc=$?
>        echo "EXIT: $rc" >&2
>        exit $rc
>    }
>
> On successive runs of the above command I get:
>
> dsync(heiko): Warning: Deleting mailbox 'Serververwaltung.Mailinglisten
> Anforderung': UID=16 GUID= is missing locally

This means that on Dovecot side there are messages after UID=16, but either:
a) UID=16 was expunged from Dovecot side or
b) UID=16 suddenly appeared on Cyrus side even though it wasn't there earlier. This isn't allowed by IMAP standard.

Dovecot can't insert UIDs, so it'll delete the folder and re-sync everything on the next run.

> Any idea where to look next? Is 'doveadm backup' the wrong tool for such
> migration? (I'd say with about 2.2.9 I had similar problems, but at
> least it didn't stop at every subfolder.)

If you allow local access already that can do modification, use doveadm sync -1 after that.
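Timo's two cases, and the "already exists locally for a different mail ... remote UIDNEXT" warning Heiko posts later in this thread, all follow from one IMAP rule: a folder's UIDs are handed out in strictly increasing order and never reused, so a one-way sync that records the remote's UIDNEXT at the end of a run can tell on the next run whether it is still looking at the same mailbox. The model below is an added example, not dsync's code; it treats a mailbox as a `{uid: guid}` dict and the GUIDs and UIDs are made up.

```python
"""Simplified model of the UID invariant dsync depends on (added example).

Not dsync's logic: a mailbox is {uid: guid}; values are constructed.
"""


def check_sync_state(local, remote, remote_uidnext, last_seen_uidnext):
    """Classify differences between the local copy and the remote folder.

    local:             {uid: guid} messages already copied, keyed by remote UID
    remote:            {uid: guid} what the remote lists now
    remote_uidnext:    the remote's current UIDNEXT
    last_seen_uidnext: the remote UIDNEXT recorded at the end of the last run
    """
    problems = {"missing_locally": [], "guid_mismatch": [],
                "higher_than_remote": [], "new_mail": []}
    for uid, guid in sorted(remote.items()):
        if uid not in local:
            if uid < last_seen_uidnext:
                # Below the UIDNEXT we saw last time, so it either existed then
                # and was expunged locally, or was inserted afterwards, which
                # IMAP forbids: the "UID=16 ... is missing locally" case.
                problems["missing_locally"].append(uid)
            else:
                problems["new_mail"].append(uid)     # ordinary incremental sync
        elif local[uid] != guid:
            # Same UID, different message: "already exists locally for a different mail".
            problems["guid_mismatch"].append(uid)
    for uid in sorted(local):
        if uid >= remote_uidnext:
            # Local knows UIDs the remote has not handed out yet: the remote's
            # UIDNEXT went backwards, e.g. a lagging node of a cluster.
            problems["higher_than_remote"].append(uid)
    return problems


def needs_full_resync(problems):
    """dsync cannot insert UIDs, so any of these forces delete-and-recopy."""
    return any(problems[k] for k in ("missing_locally", "guid_mismatch", "higher_than_remote"))


if __name__ == "__main__":
    # Constructed: a UID appeared on the remote below the UIDNEXT seen last run.
    local = {15: "g15", 17: "g17"}
    remote = {15: "g15", 16: "g16", 17: "g17"}
    p = check_sync_state(local, remote, remote_uidnext=18, last_seen_uidnext=18)
    print(p, "full resync:", needs_full_resync(p))
```

Running the check against a cluster's virtual IP on two consecutive runs, once per node, is a cheap way to confirm or rule out the "two different Cyrus servers" explanation Timo raises: a healthy active/passive pair produces an empty report, a lagging replica produces `guid_mismatch` or `higher_than_remote` entries.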
Re: External mail attachments storage cleanup
On 27 Jun 2016, at 16:11, Николай Мананков wrote:
>
> Hi,
>
> I have set up mdbox backend with saving mail attachments to external files
> option. Dovecot stores attachments to external files but never deletes them.

You haven't run doveadm purge?
Re: chroot: Error: Temp file creation to /tmp
On 28 Jun 2016, at 10:55, bvr wrote:
>
>
> Hello,
>
> We are using dovecot (2.2.10) and it's working great! When I enable chrooting
> by appending /./ to the homedirs I'm getting errors like this:
>
> mail1 dovecot[47074]: imap(user): Error: Temp file creation to
> /tmp/dovecot.imap.mail1.70079. failed: No such file or directory
>
> On the surface everything seems to be working fine and I have not been able
> to produce the error myself.

Sometimes Dovecot wants to create temporary files to avoid excessive memory usage. If it can't create the temp file it'll just keep the temporary data in memory. You can control the temporary file location with mail_temp_dir setting. But maybe the nicest solution would be to just create tmp/ directory to everybody's home dir? I guess Dovecot could do this also automatically if it has permissions, but I'm not entirely sure if that's a good idea.
Re: mail-search backtrace
On 27/06/16 16:35, Aki Tuomi wrote:
On 25.06.2016 08:25, Hugh Bragg wrote:
On 22/05/16 05:17, Hugh Bragg wrote:
On 13/04/16 06:41, Timo Sirainen wrote:
On 09 Apr 2016, at 21:48, Hugh Bragg wrote:

I'm repeatedly getting this error:

Apr 07 04:37:27 imap(mymail@address): Panic: file mail-search.c: line 84 (mail_search_arg_init): assertion failed: (arg->initialized.keywords == NULL)
Apr 07 04:37:27 imap(mymail@address): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x827c2) [0x7fcb7f65e7c2] -> /usr/lib64/dovecot/libdovecot.so.0(+0x828ad) [0x7fcb7f65e8ad] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fcb7f605b01] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7fcb7f91a328] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_update_flags+0x100) [0x7fcb7f98e470] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) [0x7fcb7f9983e2] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185) [0x7fcb7f998bb5] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) [0x7fcb7f921222] -> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0xab3) [0x7fcb7e9f7313] -> /usr

It's coming from virtual mailboxes.

namespace virtual {
  location = virtual:/var/mail/vhosts/%d/%n/virtual
  prefix = virtual.
  separator = .
}

What do your dovecot-virtual files contain? I guess opening one of those virtual mailboxes crashes always. Related to searching keywords.

It still happens once in a while. It just won't expunge old messages from unseen. There is no other trace or log message. I was hoping to isolate the cause, but all I could say for sure is that it happens sometime after Dovecot first starts up and I have to restart to fix it.

dovecot-virtual files look like this:

# cat virtual/all/dovecot-virtual
*
all

# cat virtual/Unseen/dovecot-virtual
virtual.all
inthread refs unseen

A fresh tr

--- 
May 21 00:28:08 imap(x@y): Panic: file mail-search.c: line 84 (mail_search_arg_init): assertion failed: (arg->initialized.keywords == NULL)
May 21 00:28:08 imap(x@y): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x85c62) [0x7f4fd8915c62] -> /usr/lib64/dovecot/libdovecot.so.0(+0x85d4d) [0x7f4fd8915d4d] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7f4fd88ba5c1] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7f4fd8bd4b78] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_search_result_update_flags+0x100) [0x7f4fd8c49d00] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_sync_search_results_update+0x52) [0x7f4fd8c53ce2] -> /usr/lib64/dovecot/libdovecot-storage.so.0(index_mailbox_sync_deinit+0x185) [0x7f4fd8c544b5] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_deinit+0x32) [0x7f4fd8bdba82] -> /usr/lib64/dovecot/lib20_virtual_plugin.so(virtual_storage_sync_init+0x538) [0x7f4fd7caa428] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mailbox_sync_init+0x3b) [0x7f4fd8bdb9fb] -> dovecot/imap(imap_sync_init+0x68) [0x56091d93b078] -> dovecot/imap(+0x1210e) [0x56091d92710e] -> dovecot/imap(+0x1234d) [0x56091d92734d] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handle_timeouts+0xea) [0x7f4fd892984a] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run_internal+0xbb) [0x7f4fd892ae4b] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_handler_run+0x25) [0x7f4fd8929a75] -> /usr/lib64/dovecot/libdovecot.so.0(io_loop_run+0x38) [0x7f4fd8929c18] -> /usr/lib64/dovecot/libdovecot.so.0(master_service_run+0x13) [0x7f4fd88c0123] -> dovecot/imap(main+0x328) [0x56091d922a98] -> /lib64/libc.so.6(__libc_start_main+0xf0) [0x7f4fd84ef580] -> dovecot/imap(_start+0x29) [0x56091d922c19]

Still no clue on this even with debug set on.

It's become so bad I need to restart it or new mail is no longer reported after a few days when the unseen has dozens of read mails.

I've no idea why it would need the keyword when I haven't done a search but I suppose the virtual plugin works by using the mail-search. Still, this shouldn't cause an error even if it is null. I suppose it could be caused by the number of emails being so great. Perhaps something is corrupt but as given, my dovecot-virtual files are as recommended by the plugin doco and nothing else seems amiss. If there is a corrupt mail or something then I don't know how to trace it.

Anything anyone?

A fresh trace:

Jun 25 15:10:30 imap(x@y.z): Panic: file mail-search.c: line 84 (mail_search_arg_init): assertion failed: (arg->initialized.keywords == NULL)
Jun 25 15:10:30 imap(x@y.z): Error: Raw backtrace: /usr/lib64/dovecot/libdovecot.so.0(+0x87102) [0x7fcb73696102] -> /usr/lib64/dovecot/libdovecot.so.0(+0x871ed) [0x7fcb736961ed] -> /usr/lib64/dovecot/libdovecot.so.0(i_fatal+0) [0x7fcb736399e1] -> /usr/lib64/dovecot/libdovecot-storage.so.0(mail_search_arg_init+0x228) [0x7fcb73955cc8] ->
Re: FTS search used / useful on an IMAP proxy?
> On June 28, 2016 at 7:07 AM Luca Lesinigo wrote:
>
> We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy functionality is already working and I’m trying to understand if having the FTS service configured on the dovecot *proxy* would be of any use.
>
> I do suspect it would be useless, I guess dovecot in imap proxy mode just forwards any command to the backend and does not bother to do anything about it, but I’m failing to find a definitive answer in the documentation. If I am guessing correctly, an fts service would only be useful if configured and working on the actual backend.

FTS only makes sense on backend, where the search would be executed.

michael
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> On June 28, 2016 at 5:17 PM Mark Foley wrote:
>
>
> Aki - made your suggested changes, but no joy :(
>
> My /etc/krb5.conf:
>
> --SNIP
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> HPRS.LOCAL = {
>   default_domain = hprs.local
>   auth_to_local_names = {
>     Administrator = root
>   }
> }
>
> [domain_realm]
> hprs.local = HPRS.LOCAL
> # this is not a mistake
> .hprs.local = HPRS.LOCAL
> --PINS---
>
> you wrote:
> > You can remove the krb4_ stuff
>
> I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
> Question on [realms] Administrator: should that really be root or should it be my AD Administrator?
>
> my doveconf -n is exactly the same as posted below, but in particular:
>
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
>
> When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).
>
> In /var/log/maillog I got (repeatedly):
>
> Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
> Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
> Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
> Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=
>
> This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?
>
> Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally be able to get AD authentication going for Dovecot. Not ready to give up though!
>
> Suggestions?
>
> THX -- Mark
>
> -original Message-
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> > To: dovecot@dovecot.org
> > From: Aki Tuomi
> > Date: Tue, 28 Jun 2016 15:13:11 +0300
> >
> > On 28.06.2016 09:27, Mark Foley wrote:
> > > Aki,
> > >
> > > To review your 5 points:
> > >
> > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> > >
> > >> 1. Functional AD or Kerberos environment
> > >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> > >> 3. /etc/krb5.conf configured
> > >> 4. Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
> > >> 5. You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
> > >
> > > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> > >
> > > As to the keytab (#5) I did the following:
> > >
> > > $ samba-tool domain exportkeytab /etc/krb5.keytab
> > >
> > > which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:
> > >
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > --
> > >   18 COMMON$@HPRS.LOCAL
> > >   18 COMMON$@HPRS.LOCAL
> > >   18 COMMON$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 MAIL$@HPRS.LOCAL
> > >    1 charmaine@HPRS.LOCAL
> > >    1 charmaine@HPRS.LOCAL
> > >    1 charmaine@HPRS.LOCAL
> > >
> > > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
> >
> > Strange that you do not have any host/ entries. Maybe it works without.
> >
> > >> setspn -q is helpful here, also setspn command in general.
> > >
> > > I have no such command in my system. Is that a Windows thing?
> > >
> >
> > Yes, but you can do those kind of things in Samba too.
> >
> > > As to the /etc/krb5.conf, the default one generated by samba is:
> > >
> > > [libdefaults]
> > > default_realm =
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

--SNIP
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
HPRS.LOCAL = {
  default_domain = hprs.local
  auth_to_local_names = {
    Administrator = root
  }
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
--PINS---

you wrote:
> You can remove the krb4_ stuff

I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether.
Question on [realms] Administrator: should that really be root or should it be my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=

This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally be able to get AD authentication going for Dovecot. Not ready to give up though!

Suggestions?

THX -- Mark

-original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
> >
> > I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > --
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> >
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by samba is:
> >
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
> >
> >> Here is a *SAMPLE* configuration:
> >>
> >> [libdefaults]
> >> default_realm = YOUR.REALM
> >> dns_lookup_kdc = true
> >> krb4_config =
FTS search used / useful on an IMAP proxy?
We are preparing an IMAP proxy based on dovecot-2.2.22, basic proxy functionality is already working and I’m trying to understand if having the FTS service configured on the dovecot *proxy* would be of any use.

I do suspect it would be useless, I guess dovecot in imap proxy mode just forwards any command to the backend and does not bother to do anything about it, but I’m failing to find a definitive answer in the documentation. If I am guessing correctly, an fts service would only be useful if configured and working on the actual backend.

Can anyone clarify my doubts?

thank you,
-- 
Luca Lesinigo
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
On 28.06.2016 09:27, Mark Foley wrote:
> Aki,
>
> To review your 5 points:
>
> On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
>
>> 1. Functional AD or Kerberos environment
>> 2. Time synced against your KDC (which is your Domain Controller on Windows)
>> 3. /etc/krb5.conf configured
>> 4. Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
>> 5. You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
>
> I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
>
> As to the keytab (#5) I did the following:
>
> $ samba-tool domain exportkeytab /etc/krb5.keytab
>
> which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> --
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>   18 COMMON$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 MAIL$@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>    1 charmaine@HPRS.LOCAL
>
> where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.

Strange that you do not have any host/ entries. Maybe it works without.

>> setspn -q is helpful here, also setspn command in general.
>
> I have no such command in my system. Is that a Windows thing?

Yes, but you can do those kind of things in Samba too.

> As to the /etc/krb5.conf, the default one generated by samba is:
>
> [libdefaults]
> default_realm = HPRS.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> I'd like to modify that to your suggestions, but I need more help. You have (with my questions):
>
>> Here is a *SAMPLE* configuration:
>>
>> [libdefaults]
>> default_realm = YOUR.REALM
>> dns_lookup_kdc = true
>> krb4_config = /etc/krb.conf
>> krb4_realms = /etc/krb.realms
>
> Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

You can remove the krb4_ stuff

> krb5_config = /etc/krb5.conf
>
> Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

You don't necessarily require that.

>> kdc_timesync = 1
>> ccache_type = 4
>> forwardable = true
>> proxiable = true
>> fcc-mit-ticketflags = true
>>
>> [realms]
>> YOUR.REALM = {
>>   default_domain = your.domain.name
>>   auth_to_local_names = {
>>     Administrator = root
>>   }
>> }
>
> I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)

HPRS.LOCAL is your REALM, hprs.local is your domain name.

>> [domain_realm]
>> your.domain.name = YOUR.REALM
>> # this is not a mistake
>> .your.domain.name = YOUR.REALM
>> [login]
>> krb4_convert = true
>> krb4_get_tickets = false
>
> Likewise here a question on the whole krb4 versus krb5 thing.
>
> Your closing comment:
>
>> Also, note that kerberos can only act as AUTHENTICATION system. It cannot act as USER DATABASE. For that you need to configure LDAP or something else.

With Active Directory LDAP is probably a damn good idea.

> I have the following doveconf -n:
>
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_krb5_keytab = /etc/krb5.keytab
> auth_mechanisms = plain login gssapi
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =

passwd driver is fine, yes, if you ensure that users can be found.

Aki
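The krb5.conf questions in this exchange (realm versus domain name, the "this is not a mistake" double [domain_realm] mapping, the krb4_* lines that can go) are the kind of thing a small checker can catch before the auth process is restarted. What follows is an added example, not code from the Dovecot project, MIT Kerberos, or anyone in the thread: it parses the krb5.conf subset used here and reports duplicate section headers (the config with two [libdefaults] headers that appears elsewhere in this thread), leftover krb4_* keys, a lower-case default_realm, and a [domain_realm] that fails to map both the domain and the .domain wildcard to the realm. POSTED_CONF and SAMPLE_CONF are constructed, abridged inputs mirroring the configs quoted in the thread.

```python
"""Checks for a krb5.conf shaped like the ones in this thread (added example, not
Dovecot or MIT Kerberos code). Handles the krb5.conf subset used here only:
[section] headers, key = value, nested key = { ... } blocks, # comments."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_krb5_conf(text):
    """Return (sections, duplicate_headers); each section maps key -> list of
    values (str, or dict for a "key = { ... }" block) so repeats stay visible."""
    sections, duplicates, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip()
            if name in sections:
                duplicates.append(name)
            stack = [sections.setdefault(name, {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()                         # close a nested block
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            parent = stack[-1]
            if value == "{":                    # open a nested block
                value = {}
                stack.append(value)
            parent.setdefault(key, []).append(value)
        else:
            raise ValueError("cannot parse line: %r" % line)
    return sections, duplicates


def first(section, key):
    return section.get(key, [None])[0]          # first value for key, or None


def check_krb5_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    sections, dups = parse_krb5_conf(text)
    findings = ["duplicate section [%s]; merge the copies into one" % d for d in dups]
    for sec in ("libdefaults", "login"):        # legacy krb4 keys the thread says to drop
        findings += ["[%s] carries legacy key %s" % (sec, k)
                     for k in sections.get(sec, {}) if k.startswith("krb4_")]
    realm = first(sections.get("libdefaults", {}), "default_realm")
    if realm is None:
        return findings + ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        findings.append("realm %r should be upper-case; the DNS domain is the lower-case name" % realm)
    block = first(sections.get("realms", {}), realm)
    if not isinstance(block, dict):
        return findings + ["no [realms] block for %s" % realm]
    domain = first(block, "default_domain")
    if domain is None:
        return findings + ["[realms] %s has no default_domain" % realm]
    for name in (domain, "." + domain):         # bare domain and ".domain" wildcard
        if first(sections.get("domain_realm", {}), name) != realm:
            findings.append("[domain_realm] does not map %s to %s" % (name, realm))
    return findings


# Constructed inputs (abridged): POSTED_CONF mirrors the posted config with its
# repeated [libdefaults]; SAMPLE_CONF mirrors the sample with krb4_* and [login].
POSTED_CONF = """\
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
forwardable = true
[realms]
HPRS.LOCAL = {
  default_domain = hprs.local
  auth_to_local_names = {
    Administrator = root
  }
}
[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
"""
SAMPLE_CONF = """\
[libdefaults]
default_realm = YOUR.REALM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
[realms]
YOUR.REALM = {
  default_domain = your.domain.name
}
[domain_realm]
your.domain.name = YOUR.REALM
.your.domain.name = YOUR.REALM
[login]
krb4_convert = true
krb4_get_tickets = false
"""
```

Run `check_krb5_conf(open("/etc/krb5.conf").read())` against a real file; every finding maps to one of the points raised in the thread. The parser strips everything after `#`, so it is not suitable for values that legitimately contain that character, and it is deliberately strict: a line it cannot classify raises rather than being skipped.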
chroot: Error: Temp file creation to /tmp
Hello,

We are using dovecot (2.2.10) and it's working great!

When I enable chrooting by appending /./ to the homedirs I'm getting errors like this:

mail1 dovecot[47074]: imap(user): Error: Temp file creation to /tmp/dovecot.imap.mail1.70079. failed: No such file or directory

On the surface everything seems to be working fine and I have not been able to produce the error myself.

Any ideas?

Thanks in advance,
bvr.
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).

I believe I am good on 1,2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?

As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have (with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
>   default_domain = your.domain.name
>   auth_to_local_names = {
>     Administrator = root
>   }
> }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
> your.domain.name = YOUR.REALM
> # this is not a mistake
> .your.domain.name = YOUR.REALM
> [login]
> krb4_convert = true
> krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
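Point 5 of the checklist and the `klist -k` listing above are what the following check is about. It is an added example, not Dovecot or Samba project code: it parses `klist -k` output and reports when the imap/<host>@<REALM> service principal is missing (as in the posted listing, which holds only computer and user account keys and no imap/ or host/ entry), when a candidate differs from the expected name only in case (Kerberos compares principal names case-sensitively, and the thread spells the service both IMAP/ and imap/), when one principal has entries with different key version numbers (an old and a new key side by side after a password reset), and which entries are account principals whose long-term keys do not belong in a group-readable service keytab. The hostname mail.hprs.local is an assumption taken from the thread's own example; both listings are constructed.

```python
"""Checks on `klist -k` output for the keytab Dovecot's GSSAPI mechanism reads.
Added example, not Dovecot or Samba project code; the listings are constructed
to match the one posted in the thread (hostname and realm are assumed values)."""
import re

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)$")   # "  kvno principal@REALM"


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output. Header lines
    ("Keytab name:", "KVNO Principal", dashes) do not match and are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def check_keytab(text, hostname, realm):
    """Return findings for a keytab meant to serve imap/<hostname>@<realm>."""
    wanted = "imap/%s@%s" % (hostname, realm)
    kvnos = {}                                # principal -> key versions seen
    for kvno, princ in parse_klist(text):
        kvnos.setdefault(princ, set()).add(kvno)
    findings = []
    if wanted not in kvnos:
        near = [p for p in kvnos if p.lower() == wanted.lower()]
        if near:  # Kerberos compares principal names case-sensitively
            findings.append("%s differs from %s only in case" % (near[0], wanted))
        else:
            findings.append("missing service principal %s" % wanted)
    for princ, versions in kvnos.items():
        if len(versions) > 1:                 # old and new key after a reset
            findings.append("%s has mixed kvno %s" % (princ, sorted(versions)))
        if "/" not in princ.split("@", 1)[0]:  # no service/instance part
            findings.append("%s is an account principal, not a service principal" % princ)
    return findings


# Constructed listing mirroring the one posted: one line per key entry, so a
# principal with three encryption types appears three times (klist -k -e would
# show the type). No imap/ or host/ service principal is present.
POSTED_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
"""

# Constructed listing of the shape the checklist asks for (assumed host name).
GOOD_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 imap/mail.hprs.local@HPRS.LOCAL
   2 imap/mail.hprs.local@HPRS.LOCAL
   2 host/mail.hprs.local@HPRS.LOCAL
"""

if __name__ == "__main__":
    for label, listing in (("posted", POSTED_KLIST), ("good", GOOD_KLIST)):
        print(label, check_keytab(listing, "mail.hprs.local", "HPRS.LOCAL") or ["ok"])
```

Feed it `klist -k /etc/krb5.keytab` output via `check_keytab(subprocess.check_output(["klist", "-k", "/etc/krb5.keytab"], text=True), hostname, realm)`. The account-principal finding is the security point: `samba-tool domain exportkeytab` with no `--principal` writes every account's key into the file, and a file readable by the dovecot group then holds users' long-term keys; exporting only the service principal the acceptor needs (`--principal=imap/<host>@<REALM>`) keeps the keytab to what Dovecot actually uses.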