Re: kqueue crash on FreeBSD with 2.2.25
On 16-07-03 22:14:01, Edgar Pettijohn wrote: > On 16-07-03 03:30:36, Timo Sirainen wrote: > > On 02 Jul 2016, at 03:30, Adam Weinberger wrote: > > > > > >>> Jul 1 10:07:27 imap dovecot: master: Panic: kevent(EV_ADD, READ, 54) > > >>> failed: Bad file descriptor > > >>> > > >>> It's not dumping core, and I get the message even with "protocols =" > > >>> > > >>> Downgrading back to 2.2.24 fixes it. What info would be helpful for me > > >>> to provide here? > > >> > > >> gdb backtrace: http://dovecot.org/bugreport.html#coredumps > > >> > > > > > > Fuller logs attached. Thanks for your help, Timo. > > > > > > #6 0x2815b23a in i_panic (format=0x281ccf7a "kevent(EV_ADD, READ, %d) > > > failed: %m") at failures.c:275 > > > #7 0x28185e10 in io_loop_handle_add (io=0x288843a0) at ioloop-kqueue.c:67 > > > #8 0x281815a8 in io_add_file (fd=56, condition=IO_READ, > > > source_linenum=244, callback=0x2818a7d0 , context=0x0) at > > > ioloop.c:59 > > > #9 0x281813a6 in io_add (fd=56, condition=IO_READ, source_linenum=244, > > > callback=0x2818a7d0 , context=0x0) at ioloop.c:81 > > > #10 0x2818a666 in lib_signals_set_handler (signo=1, flags=3, > > > handler=0x804e6c0 , context=0x0) at lib-signals.c:243 > > > #11 0x0804e129 in main_init (set=0x2881d098) at main.c:518 > > > #12 0x0804d562 in main (argc=3, argv=0xae08) at main.c:890 > > > > Weird. I haven't touched anything even close to that. Also kqueue works on > > my OSX. The only thing that comes to my mind is > > https://github.com/dovecot/core/commit/fde7b8a03bf91cfa5bb7ca3e84545386243fa0d2 > > > > Does it happen to work if you use the attached patch? > > > > Still trying to learn git, but here is what happened when I tried applying > this diff. > > Sun Jul 03 10:12:32 ~/dovecot/core $ git reset --hard > 3fea4d5988de365503df44a9b067e3b181cac65c > HEAD is now at 3fea4d5 master: Stopping didn't close dead-pipes early enough. > Sun Jul 03 10:12:37 ~/dovecot/core $ git apply diff.patch > > error: patch failed: src/master/service-monitor.c:522 > error: src/master/service-monitor.c: patch does not apply > error: patch failed: src/master/service-monitor.c:452 > error: src/master/service-monitor.c: patch does not apply > error: patch failed: src/master/service-process.c:133 > error: src/master/service-process.c: patch does not apply > error: patch failed: src/master/service.c:283 > error: src/master/service.c: patch does not apply > error: patch failed: src/master/service.h:85 > error: src/master/service.h: patch does not apply > > Same thing happened before the reset --hard. > > -- > Edgar Pettijohn It was a misconfiguration problem on my part causing the issues on OpenBSD. Probably the same for FreeBSD. Had to make changes to /etc/login.conf to fix it. However, the following diff keeps it from panicing and logs enough info to help figure out the problem. -- Edgar Pettijohn diff --git a/src/lib/ioloop-kqueue.c b/src/lib/ioloop-kqueue.c index 881ce87..9c35202 100644 --- a/src/lib/ioloop-kqueue.c +++ b/src/lib/ioloop-kqueue.c @@ -63,12 +63,12 @@ void io_loop_handle_add(struct io_file *io) if ((io->io.condition & (IO_READ | IO_ERROR)) != 0) { MY_EV_SET(&ev, io->fd, EVFILT_READ, EV_ADD, 0, 0, io); - if (kevent(ctx->kq, &ev, 1, NULL, 0, NULL) < 0) + if (kevent(ctx->kq, &ev, 1, NULL, 0, NULL) == -1) i_panic("kevent(EV_ADD, READ, %d) failed: %m", io->fd); } if ((io->io.condition & IO_WRITE) != 0) { MY_EV_SET(&ev, io->fd, EVFILT_WRITE, EV_ADD, 0, 0, io); - if (kevent(ctx->kq, &ev, 1, NULL, 0, NULL) < 0) + if (kevent(ctx->kq, &ev, 1, NULL, 0, NULL) == -1) i_panic("kevent(EV_ADD, WRITE, %d) failed: %m", io->fd); }
is it possible to run a post-login script in a dovecot proxy with local auth?
We’re using dovecot v2.2.22, authenticating on a local database (passdb with sql driver), and then proxying the connections to the backend server returned by passdb (proxy=y and backend in “host” column). To support some legacy clients we should keep POP/IMAP-before-SMTP running for some time, but right know I don’t know how to hook up a successful authentication in the dovecot proxy. I did read from http://wiki2.dovecot.org/PostLoginScripting: “...it's not currently possible to run post-login scripts in proxies, because they're not actually logging in to the local Dovecot” Does that also holds true even if the proxy is authenticating users locally before proxying them? Failing that, any idea on how to get successful logins, other than parsing the log file? thank you, -- Luca Lesinigo
Feature Request
I would like to request an additional optional argument for queue-id to dovecot-lda. The intended use for this argument is to include in the logging. From what I can tell, the queue-id size is not consistent between the various MTAs and so would need to be allocated dynamically when read during initialization. This element in the log messages would make it easier to find the trace of a received email. Generally I can easily get the queue-id generated by postfix (or sendmail - I use both). One grep would then give me the whole picture rather than having to dig out the message-id and doing a secondary grep to obtain the lda log messages. — Doug I find it interesting that every submission to this list results in a quick response that says moderation is required since I "am not a member". However, I am a member...
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
Brendan - yes, go ahead and send that doc directly to my email address. I've got Maildir folders going, but not nfs; and I'm curious about your load balance. THX --Mark -Original Message- > Date: Mon, 04 Jul 2016 10:40:06 -0400 > From: Brendan Kearney > To: dovecot@dovecot.org > Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI > config] > > On 07/04/2016 03:30 AM, Mark Foley wrote: > > Actually, I see that you used host.domain.name further down. That's a good > > substitute for mail.hprs.local. > > > > Also, not to be a literary critic, but it might not hurt to show an example > > keytab beneath your > > "Make sure your keytab has entry for ...". Just in case people don't > > exactly know how to "make sure: > > > > $ klist -Kek /etc/dovecot/dovecot.keytab > > Keytab name: FILE:/etc/dovecot/dovecot.keytab > > KVNO Principal > > > > -- > > 1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7) > > 1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7) > > 1 imap/host.domain.name@MYREALM (arcfour-hmac) > > (0x9dae89a221dc374a39f560833 > > > > --Mark > > > > -Original Message- > > From: Mark Foley > > Date: Mon, 04 Jul 2016 03:23:30 -0400 > > Organization: Ohio Highway Patrol Retirement System > > To: dovecot@dovecot.org > > Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI > > config] > > > > On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi wrote: > > > >>> http://wiki2.dovecot.org/Authentication/Kerberos > >> It has been now updated. > > Excellent! That was quick! > > > > Although, you used my actual local domain in your example: mail.hprs.local. > > Not that I care, > > no one can get to that, but it might be clearer to those of us who > > uncomprehendingly > > monkey-type things from wiki's when we don't fully understand. Perhaps > > something more generic > > would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFDQN -- > > something like that. > > Not sure what is best; just don't want to imply that they HAVE TO use > > mail.hprs.local. > > > >> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. > >> I have to set up some kind of test environment to find out why it bugs. > > I'm going to give my brain a rest for a bit before I resume tilting at the > > NTML windmill! I'll > > check back with the list to see if you've come up with anything. > > > >> Aki > > Again, thanks for all your help. > > > > --Mark > > > > -Original Message- > >> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI > >> config] > >> To: dovecot@dovecot.org > >> From: Aki Tuomi > >> Organization: Dovecot Oy > >> Date: Mon, 4 Jul 2016 08:54:27 +0300 > >> On 04.07.2016 07:44, Mark Foley wrote: > >>> After a over a year and a half struggling to get Dovecot to do either > >>> NTLM or GSSAPI > >>> authentication with Samba4 AD/DC, I believe I've finally got it! Thanks > >>> to all those in this > >>> list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey > >>> especially Aki Tuomi; > >>> and infinite thanks to Achim Gottinger on the SambaList for his patience > >>> in working this > >>> through with me. Although my purpose was for Dovecot to authenticate > >>> mail clients, the > >>> configuration settings needed were on the Samba side. I hope a variation > >>> of these instructions > >>> can eventually make it into: > >>> > >>> http://wiki2.dovecot.org/Authentication/Kerberos > >>> > >>> > >> It has been now updated. > >> > >> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. > >> I have to set up some kind of test environment to find out why it bugs. > >> > >> Aki > >> > i have a document that i had written, recording each of the changes > needed to each of the files to be modified, in order to have dovecot > authenticate against kerberos and authorize against ldap. in addition, > the use of nfs for maildir mailboxes and load balanced nuances are > covered. the doc is in odt format (libre office writer), and i have > attempted to post it to this mailing list, but it was quarantined. > > if there is any interest in the doc, reach out to me. i welcome input > and feedback on it. > > brendan >
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 04.07.2016 17:40, Brendan Kearney wrote: On 07/04/2016 03:30 AM, Mark Foley wrote: Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local. Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure: $ klist -Kek /etc/dovecot/dovecot.keytab Keytab name: FILE:/etc/dovecot/dovecot.keytab KVNO Principal -- 1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7) 1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7) 1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833 --Mark -Original Message- From: Mark Foley Date: Mon, 04 Jul 2016 03:23:30 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config] On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi wrote: http://wiki2.dovecot.org/Authentication/Kerberos It has been now updated. Excellent! That was quick! Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wiki's when we don't fully understand. Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFDQN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local. I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. I have to set up some kind of test environment to find out why it bugs. I'm going to give my brain a rest for a bit before I resume tilting at the NTML windmill! I'll check back with the list to see if you've come up with anything. Aki Again, thanks for all your help. --Mark -Original Message- Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config] To: dovecot@dovecot.org From: Aki Tuomi Organization: Dovecot Oy Date: Mon, 4 Jul 2016 08:54:27 +0300 On 04.07.2016 07:44, Mark Foley wrote: After a over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope a variation of these instructions can eventually make it into: http://wiki2.dovecot.org/Authentication/Kerberos It has been now updated. I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. I have to set up some kind of test environment to find out why it bugs. Aki i have a document that i had written, recording each of the changes needed to each of the files to be modified, in order to have dovecot authenticate against kerberos and authorize against ldap. in addition, the use of nfs for maildir mailboxes and load balanced nuances are covered. the doc is in odt format (libre office writer), and i have attempted to post it to this mailing list, but it was quarantined. if there is any interest in the doc, reach out to me. i welcome input and feedback on it. brendan I would very much like to have a copy, please. Aki
Re: v2.2.25 released
On 04/07/2016 12:44, Aki Tuomi wrote: On 04.07.2016 14:24, Juan C. Blanco wrote: On 01/07/2016 18:51, Timo Sirainen wrote: On 01 Jul 2016, at 19:09, Juan C. Blanco wrote: I Haven't had the time to check the sha1.h error with the new fixes but I've just done so after de 2.2.25 release was out and I'm having the same error: gcc -DHAVE_CONFIG_H -I. -I. -I../.. -std=gnu99 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/kerberos/include -c guid.c -fPIC -DPIC -o .libs/guid.o In file included from guid.c:6: sha1.h:80: error: static or type qualifiers in abstract declarator I thought this was fixed in 2.2.25.. In config.h you should have only: #define STATIC_ARRAY (not #define STATIC_ARRAY static) OK, my config.h contains: /* C99 static array */ #define STATIC_ARRAY static Regards. Operating System: CentOS 5.11 GCC Version: gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-55) We have four systems like this with dovecot 2.2.24 working fine. I would like to know if this platform will not be compatible anymore with dovecot and if we need to upgrade our systems prior to dovecot version since, besides this, I have the problem related to the openssl version for the lib-dcrypt library I recommend upgrading. We're considering not supporting older OSes anymore at all.. Hi! This problem is hopefully now fixed by https://github.com/dovecot/core/commit/d9c865ce774aae9f2f17b89e7e94c3cfca29dea7 Aki, I had a go mock building on CentOS5 and it appears that the test succeeds with this patch in place: configure:21182: checking if we can use C99 static in array sizes configure:21202: gcc -c -std=gnu99 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fno-strict-aliasing -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 conftest.c >&5 configure:21202: $? = 0 configure:21214: result: yes (confirmed was built using unsigned char array) In fact, after a cursory examination and some testing I suspect the CentOS5 gcc does nominally support static array sizes, and it's likely hitting a compiler bug on the build proper? All I can suggest is a manual configure flag toggle of the test, or that this bug is better placed against Redhat? I haven't been able to narrow down a reproducer on triggering the error message other than during build. -- Dave
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On 07/04/2016 03:30 AM, Mark Foley wrote: Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local. Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure: $ klist -Kek /etc/dovecot/dovecot.keytab Keytab name: FILE:/etc/dovecot/dovecot.keytab KVNO Principal -- 1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7) 1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7) 1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833 --Mark -Original Message- From: Mark Foley Date: Mon, 04 Jul 2016 03:23:30 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config] On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi wrote: http://wiki2.dovecot.org/Authentication/Kerberos It has been now updated. Excellent! That was quick! Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wiki's when we don't fully understand. Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFDQN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local. I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. I have to set up some kind of test environment to find out why it bugs. I'm going to give my brain a rest for a bit before I resume tilting at the NTML windmill! I'll check back with the list to see if you've come up with anything. Aki Again, thanks for all your help. --Mark -Original Message- Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config] To: dovecot@dovecot.org From: Aki Tuomi Organization: Dovecot Oy Date: Mon, 4 Jul 2016 08:54:27 +0300 On 04.07.2016 07:44, Mark Foley wrote: After a over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope a variation of these instructions can eventually make it into: http://wiki2.dovecot.org/Authentication/Kerberos It has been now updated. I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. I have to set up some kind of test environment to find out why it bugs. Aki i have a document that i had written, recording each of the changes needed to each of the files to be modified, in order to have dovecot authenticate against kerberos and authorize against ldap. in addition, the use of nfs for maildir mailboxes and load balanced nuances are covered. the doc is in odt format (libre office writer), and i have attempted to post it to this mailing list, but it was quarantined. if there is any interest in the doc, reach out to me. i welcome input and feedback on it. brendan
Re: v2.2.25 released
On 04.07.2016 14:24, Juan C. Blanco wrote: > > > On 01/07/2016 18:51, Timo Sirainen wrote: >> On 01 Jul 2016, at 19:09, Juan C. Blanco wrote: >>> >>> I Haven't had the time to check the sha1.h error with the new fixes >>> but I've just done so after de 2.2.25 release was out and I'm having >>> the same error: >>> >>> gcc -DHAVE_CONFIG_H -I. -I. -I../.. -std=gnu99 -O2 -g -pipe -Wall >>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector >>> --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -W >>> -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith >>> -Wchar-subscripts -Wformat=2 -Wbad-function-cast >>> -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/kerberos/include -c >>> guid.c -fPIC -DPIC -o .libs/guid.o >>> In file included from guid.c:6: >>> sha1.h:80: error: static or type qualifiers in abstract declarator >> >> I thought this was fixed in 2.2.25.. In config.h you should have only: >> >> #define STATIC_ARRAY >> >> (not #define STATIC_ARRAY static) > > OK, my config.h contains: > > /* C99 static array */ > #define STATIC_ARRAY static > > Regards. > >> >>> Operating System: CentOS 5.11 >>> GCC Version: gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-55) >>> >>> We have four systems like this with dovecot 2.2.24 working fine. I >>> would like to know if this platform will not be compatible anymore >>> with dovecot and if we need to upgrade our systems prior to dovecot >>> version since, besides this, I have the problem related to the >>> openssl version for the lib-dcrypt library >> >> I recommend upgrading. We're considering not supporting older OSes >> anymore at all.. >> > Hi! This problem is hopefully now fixed by https://github.com/dovecot/core/commit/d9c865ce774aae9f2f17b89e7e94c3cfca29dea7 Aki
Re: v2.2.25 released
On 01/07/2016 18:51, Timo Sirainen wrote: On 01 Jul 2016, at 19:09, Juan C. Blanco wrote: I Haven't had the time to check the sha1.h error with the new fixes but I've just done so after de 2.2.25 release was out and I'm having the same error: gcc -DHAVE_CONFIG_H -I. -I. -I../.. -std=gnu99 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I/usr/kerberos/include -c guid.c -fPIC -DPIC -o .libs/guid.o In file included from guid.c:6: sha1.h:80: error: static or type qualifiers in abstract declarator I thought this was fixed in 2.2.25.. In config.h you should have only: #define STATIC_ARRAY (not #define STATIC_ARRAY static) OK, my config.h contains: /* C99 static array */ #define STATIC_ARRAY static Regards. Operating System: CentOS 5.11 GCC Version: gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-55) We have four systems like this with dovecot 2.2.24 working fine. I would like to know if this platform will not be compatible anymore with dovecot and if we need to upgrade our systems prior to dovecot version since, besides this, I have the problem related to the openssl version for the lib-dcrypt library I recommend upgrading. We're considering not supporting older OSes anymore at all.. -- +---+ | Juan C. Blanco| | | | Centro de Calculo | | | E.T.S. Ingenieros Informáticos| E-mail: jcbla...@fi.upm.es | | Universidad Politécnica de Madrid | | | Campus de Montegancedo| | | Boadilla del Monte| Tel.:(+34) 91 336 7466 | | 28660 MADRID (Spain) | Fax :(+34) 91 336 6913 | +---+
Re: Dovecot 2.2.25 compiling error
On 02.07.2016 20:03, aki.tu...@dovecot.fi wrote: >> On July 2, 2016 at 7:58 PM aki.tu...@dovecot.fi wrote: >> >> >> >>> On July 2, 2016 at 6:56 PM Mart Pirita wrote: >>> >>> >>> Hello. >>> >>> I cant build 2.2.25, but I can build fine version 2.2.24 with same options: >>> >>> RedHat based customized distro, 2.6.28.10 kernel >>> >>> Build options: >>> Hi! This has been now fixed in master-2.2 with https://github.com/dovecot/core/commit/20e802d6bbf4ddad3a2140a2f7812d01de0ec2ef https://github.com/dovecot/core/commit/d9c865ce774aae9f2f17b89e7e94c3cfca29dea7 Our testings indicate that you can compile 2.2.25.1 on CentOS5 with these applied. --- Aki Tuomi Dovecot oy
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local. Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure: $ klist -Kek /etc/dovecot/dovecot.keytab Keytab name: FILE:/etc/dovecot/dovecot.keytab KVNO Principal -- 1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7) 1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7) 1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833 --Mark -Original Message- From: Mark Foley Date: Mon, 04 Jul 2016 03:23:30 -0400 Organization: Ohio Highway Patrol Retirement System To: dovecot@dovecot.org Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config] On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi wrote: > > http://wiki2.dovecot.org/Authentication/Kerberos > > It has been now updated. Excellent! That was quick! Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wiki's when we don't fully understand. Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFDQN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local. > I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. > I have to set up some kind of test environment to find out why it bugs. I'm going to give my brain a rest for a bit before I resume tilting at the NTML windmill! I'll check back with the list to see if you've come up with anything. > Aki Again, thanks for all your help. --Mark -Original Message- > Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI > config] > To: dovecot@dovecot.org > From: Aki Tuomi > Organization: Dovecot Oy > Date: Mon, 4 Jul 2016 08:54:27 +0300 > > On 04.07.2016 07:44, Mark Foley wrote: > > After a over a year and a half struggling to get Dovecot to do either NTLM > > or GSSAPI > > authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to > > all those in this > > list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey > > especially Aki Tuomi; > > and infinite thanks to Achim Gottinger on the SambaList for his patience in > > working this > > through with me. Although my purpose was for Dovecot to authenticate mail > > clients, the > > configuration settings needed were on the Samba side. I hope a variation > > of these instructions > > can eventually make it into: > > > > http://wiki2.dovecot.org/Authentication/Kerberos > > > > > > It has been now updated. > > I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. > I have to set up some kind of test environment to find out why it bugs. > > Aki >
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi wrote: > > http://wiki2.dovecot.org/Authentication/Kerberos > > It has been now updated. Excellent! That was quick! Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wiki's when we don't fully understand. Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFDQN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local. > I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. > I have to set up some kind of test environment to find out why it bugs. I'm going to give my brain a rest for a bit before I resume tilting at the NTML windmill! I'll check back with the list to see if you've come up with anything. > Aki Again, thanks for all your help. --Mark -Original Message- > Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI > config] > To: dovecot@dovecot.org > From: Aki Tuomi > Organization: Dovecot Oy > Date: Mon, 4 Jul 2016 08:54:27 +0300 > > On 04.07.2016 07:44, Mark Foley wrote: > > After a over a year and a half struggling to get Dovecot to do either NTLM > > or GSSAPI > > authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to > > all those in this > > list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey > > especially Aki Tuomi; > > and infinite thanks to Achim Gottinger on the SambaList for his patience in > > working this > > through with me. Although my purpose was for Dovecot to authenticate mail > > clients, the > > configuration settings needed were on the Samba side. I hope a variation > > of these instructions > > can eventually make it into: > > > > http://wiki2.dovecot.org/Authentication/Kerberos > > > > > > It has been now updated. > > I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. > I have to set up some kind of test environment to find out why it bugs. > > Aki >