Re: Is it possible to setup ntlm authentication then proxy it to the mail server ?

2024-04-21 Thread Bob Gustafson via dovecot

Maybe use Wireshark to get an independent check on what the logs are saying?

On 4/18/24 20:27, karl.l--- via dovecot wrote:

Hi,

This is my dovecot version:
```
root@freebsdsvr:~ # dovecot --version
2.3.21 (47349e2482)
```

I'm having trouble making dovecot act as a proxy to the mail server when using 
NTLM authentication.
My setup looks like this: email client --> dovecot (will act as proxy) 
---> mail server
So basically the email client will connect to dovecot, but dovecot will forward 
it to the mail server.

Proxying using auth_mechanism PLAIN is working, but if I use NTLM 
authentication it just connects to the dovecot server and the dovecot server does 
not proxy to the mail server.

I tried passdb driver = sql, passdb driver = static and passdb driver = lua, 
and all of them work when the email client connects using PLAIN auth: 
once dovecot authenticates the user it proxies it to the mail server. But 
when I use NTLM authentication it just connects to dovecot and does not 
proxy to the mail server.

I switched on all the debugging and found in the log that when I connect 
using PLAIN auth it calls the passdb and gets my default_fields or my proxy 
fields `proxy=y` and `host=mailserver_domain`, which causes dovecot to 
proxy to the host (my mail server). But when I connect using NTLM auth it 
calls the passdb but does not return my default fields for proxying (when it 
uses the sql passdb driver it just connects to the database and does not run 
the password_query), and I think it uses the output from samba's `ntlm_auth` 
that dovecot uses, because it returns the fields user=username and 
original_user=username@domain.

These are the example logs that I received when I connect using NTLM and it does 
not proxy to my mail server:
```
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: mysql(192.168.254.131): Connecting
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12268)
Apr 18 03:37:29 freebsdsvr dovecot[12084]: auth: Debug: auth client connected (pid=12270)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH	1	NTLM	service=imap	session=Js8TT04WcMnAqP5/	lip=192.168.254.131	rip=192.168.254.127	lport=143	rport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT	1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT	1	TlRMTVNTUAABB4IIAAA= (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT	1	TlRMTVNTUAACFAAUADgFgooC57WwKq2q4U8sdAAFwAXABMBgEAAAasdasdasd9FAFMAQwAuAE4ARQBUAC4AQQBVAAIAFABFAFMAQwAuAE4ARQBUACad4AQdsQBVAAEasAFABFAFMAQwAuAE4AdaRQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEA
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: CONT	1	TlRMTVNTUAADGAAYAFwAAACIAIgAdeABABgAGAEAWABYARgAABYIIAHMAcwAzAFcATwBSAEsAUwBUAEEAVABJAE8ATgBXKrBA2vF7fMicRiasLK/IyI3fbM46rQ7JHcti/0TU02AqasdasdasdhceI+BaeqMjrAQEAAACAL88ampDaARzhirKymxxcAAIAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAEAFABFAFMAQwAuAE4ARQBUAC4AQQBVAAQDABQAZQBzAGMALgBuAGUAdAAuAGEAdQAHAAgA/h8T7O2Q2gEA (previous base64 data may contain sensitive data)
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: auth(userName,192.168.254.127,): Auth request finished
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK	1	user=userName	original_user=userName@FREEBSD-TEST

```

Here are the logs that I get when I connect via PLAIN auth and it does proxy 
to my mail server:
```
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Connecting
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Server accepted connection (fd=15)
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): Sending version handshake
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: Handling PASSV request
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,): Performing passdb lookup
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>: sql(ss3,192.168.254.127,): query: SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: mysql(192.168.254.131): Finished query 'SELECT destuser, password, host, 'Y' as proxy FROM proxy WHERE user = 'userName';' in 0 msecs
Apr 18 03:27:39 freebsdsvr dovecot[12084]: auth-worker(12138): Debug: conn unix:auth-worker (uid=0): auth-worker<1>:
```
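As an added example (not from the thread or from Dovecot itself), the following Python script does the check the poster did by eye: it pairs each `AUTH` request in Dovecot's auth debug output with its final `passdb out` reply by request id and reports, per mechanism, whether the reply carried the `proxy` and `host` fields that make Dovecot proxy the session. The NTLM lines are the ones quoted above with the tab separators restored; the PLAIN request and its reply are constructed for contrast, because the post's PLAIN excerpt is cut off before that line, and `mail.example.test` is a made-up host name.

```python
import re

# Constructed sample modelled on the auth debug lines quoted in the post:
# request 1 is the NTLM exchange from the post (tabs between fields restored);
# request 2 is a made-up PLAIN login whose passdb reply carries the proxy fields.
SAMPLE_LOG = """\
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH\t1\tNTLM\tservice=imap\tlip=192.168.254.131\trip=192.168.254.127\tlport=143\trport=51568
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: CONT\t1
Apr 18 03:37:30 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK\t1\tuser=userName\toriginal_user=userName@FREEBSD-TEST
Apr 18 03:40:02 freebsdsvr dovecot[12084]: auth: Debug: client in: AUTH\t2\tPLAIN\tservice=imap\tlip=192.168.254.131\trip=192.168.254.127\tlport=143\trport=51570
Apr 18 03:40:02 freebsdsvr dovecot[12084]: auth: Debug: client passdb out: OK\t2\tuser=userName\tproxy=y\thost=mail.example.test
"""

IN_RE = re.compile(r"auth: Debug: client in: (.*)$")
OUT_RE = re.compile(r"auth: Debug: client passdb out: (.*)$")


def parse_auth_log(text):
    """Pair each AUTH request id with its mechanism and its final passdb reply."""
    requests = {}
    for line in text.splitlines():
        m = IN_RE.search(line)
        if m:
            parts = m.group(1).split()
            # "AUTH <id> <mechanism> key=value ..." opens a request;
            # "CONT <id> <data>" lines only carry further SASL client data.
            if parts and parts[0] == "AUTH" and len(parts) >= 3:
                requests[parts[1]] = {"mech": parts[2], "reply": None, "fields": {}}
            continue
        m = OUT_RE.search(line)
        if not m:
            continue
        parts = m.group(1).split()
        if len(parts) < 2 or parts[0] == "CONT":
            continue  # CONT = another SASL round trip, not a result
        entry = requests.setdefault(parts[1], {"mech": "?", "reply": None, "fields": {}})
        entry["reply"] = parts[0]  # OK or FAIL
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            entry["fields"][key] = value
    return requests


def proxy_decisions(requests):
    """Map mechanism -> True if its successful passdb reply carried both proxy and host."""
    result = {}
    for entry in requests.values():
        if entry["reply"] != "OK":
            continue
        fields = entry["fields"]
        result[entry["mech"]] = "proxy" in fields and "host" in fields
    return result


def report(text):
    """Human-readable one line per mechanism seen in the log."""
    lines = []
    for mech, proxied in sorted(proxy_decisions(parse_auth_log(text)).items()):
        verdict = "proxy fields present" if proxied else "no proxy/host fields, session stays local"
        lines.append(f"{mech}: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a real `auth_debug=yes` log by feeding the file contents to `report()`; the `setdefault` keeps replies whose `AUTH` line scrolled out of the excerpt from being dropped.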

Pound on Dovecot with mailer.nim script

2019-09-03 Thread Bob Gustafson via dovecot
For testing mail programs (postfix and dovecot), it is reasonable to use 
a scripted client application on a separate machine.

Scripting started with unix shell scripts, but got a big boost with Sol 
Libes' tcl/expect.

From those early days, we now have 'puppet', 'chef', 'fabric', 
'ansible', ... to test and manage complex multi-machine systems.

A relatively new scripting entry is 'nimscript'. The underlying code is 
'nim' and nimscript shares the same syntax as nim. (Not necessary to 
learn a separate language such as ruby, python or tcl.)

Nim and Nimscript have a number of explicit parallel operators in an 
asyncdispatch library. newAsyncSmtp and 'await' are some of the features 
used in this script. The script can be used as a library module for a 
custom application or it can be run as a standalone sample script. The 
phrase 'when isMainModule:' detects when it is run as a standalone.

Being based on Nim means that it works on Windows-MacOS-Linux-(and 20+ 
other OS), so no portability problems. Nim is a compiled language with 
GC and is as fast as 'C'.

Take a look at 
https://christine.website/blog/how-send-email-nim-2019-08-28 for more 
information. And there is 'nim-lang.org' too.




Re: submission configuration issues

2019-07-27 Thread Bob Gustafson via dovecot

service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}

Shouldn't the port be 587 here?

My config file looks like:

service submission-login {
  inet_listener submission {
    #port = 587
  }
}

The # comment must also mean something..

On 7/27/19 3:21 PM, Jean-Daniel via dovecot wrote:

On 27 Jul 2019 at 14:30, Stephan Bosch wrote:


On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:

Hello,

I'm having trouble configuring the submission proxy.

I have configured the submission service as follow:

submission_host = smtp.example.com 
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes

My main issue is that until I log in, dovecot-submission won't 
connect to the backend and query the capabilities, and so won't 
report the right capabilities.


That means that the first EHLO message doesn't get the right 
capabilities list.


"
EHLO example.com 

250-smtp.example.com 
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"

This list doesn't contain VRFY or DSN, and SIZE is not specified (all 
of these are present in the backend EHLO response).
After login, if I send a new EHLO command, everything is properly 
reported. The raw log shows that, unlike what the documentation says, 
dovecot doesn't try to connect to the backend until the user is 
properly logged in.


In my raw log I see that after I log in to dovecot-submission, the 
latter opens a connection to the backend and sends an X-CLIENT command.



Now, if I try to force the capabilities by using:

submission_backend_capabilities = VRFY 8BITMIME DSN

dovecot properly reports all SMTP capabilities in the first EHLO 
response, but it completely stops emitting the X-CLIENT command to the 
backend and tries to simply forward the command without authentication, 
which results in postfix rejecting the command with an unauthorized user error.


What is wrong with my configuration?
Thanks.


Can you send us your complete configuration (output from `dovecot -n`)?


Yes (see below).

Some additional information:

===

When I connect directly to dovecot-submission using nc and send an 
EHLO command, I get the following result (the SIZE is configured in the 
dovecot config, that's why it is properly announced), but no raw_log 
is generated at all.


$ nc smtp.example.com 587

220 smtp.example.com Dovecot ready.
EHLO mydomain.com
250-smtp.example.com
250-8BITMIME
250-AUTH
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
QUIT
221 2.0.0 Bye

===

Ditto if I use openssl s_client -starttls smtp -crlf -connect 
smtp.example.com:587 and send the EHLO after STARTTLS.


===

For the record, here is the result of a direct connect to postfix:

$ nc 127.0.0.1 8587
220 smtp.example.com ESMTP Postfix
EHLO example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8

===

And here is the content of the raw logs when a mail is sent.

rawlog.in

1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.848159 220 smtp.example.com ESMTP Postfix
1564258521.849506 250-smtp.example.com
1564258521.849506 250-PIPELINING
1564258521.849506 250-SIZE 41943040
1564258521.849506 250-VRFY
1564258521.849506 250-ETRN
1564258521.849506 250-STARTTLS
1564258521.849506 250-AUTH PLAIN LOGIN
1564258521.849506 250-XCLIENT NAME ADDR 
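The comparison Jean-Daniel did by hand (front-end EHLO before login versus the backend's EHLO) can be scripted; the Python below is an added example, not part of the thread or of Dovecot. It parses the two EHLO replies quoted in the post into keyword/argument maps and lists the backend keywords the front end fails to announce, leaving out XCLIENT because that is the proxy-to-backend channel rather than a client-facing feature. `live_ehlo` is an optional helper that fetches the same map from a running server with the standard library's `smtplib`; the host names and the decision to ignore XCLIENT are assumptions for the example.

```python
import smtplib

# EHLO responses as quoted in the thread: the dovecot-submission front end before
# login, and the postfix backend it relays to. Copied from the post, not live captures.
FRONTEND_EHLO = """\
250-smtp.example.com
250-8BITMIME
250-AUTH
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
"""

BACKEND_EHLO = """\
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
"""

# Assumption for this example: a relaying front end is expected to hide XCLIENT,
# which is the channel it uses towards the backend (the X-CLIENT command in the thread).
PROXY_INTERNAL = frozenset({"XCLIENT"})


def parse_ehlo(response):
    """Turn a multi-line 250 reply into {KEYWORD: [args]}; the first line is the hostname."""
    caps = {}
    lines = [line.rstrip("\r") for line in response.strip().splitlines()]
    for i, line in enumerate(lines):
        # Every line of an EHLO reply is "250-..." (more follows) or "250 ..." (last line).
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError(f"not an EHLO reply line: {line!r}")
        if i == 0:
            continue
        keyword, _, args = line[4:].strip().partition(" ")
        caps[keyword.upper()] = args.split()
    return caps


def capability_gap(frontend, backend, ignore=PROXY_INTERNAL):
    """Backend keywords the front end does not announce, minus proxy-internal ones."""
    return sorted(k for k in backend if k not in frontend and k not in ignore)


def live_ehlo(host, port=587):
    """Fetch the post-STARTTLS EHLO features of a running server as {KEYWORD: [args]}."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        conn.starttls()
        conn.ehlo()  # capabilities can differ after STARTTLS, so ask again
        return {k.upper(): v.split() for k, v in conn.esmtp_features.items()}


if __name__ == "__main__":
    fe, be = parse_ehlo(FRONTEND_EHLO), parse_ehlo(BACKEND_EHLO)
    print("backend offers, front end hides:", capability_gap(fe, be))
    print("front end adds:", capability_gap(be, fe))
```

With the two replies from the post the first line prints `['DSN', 'ETRN', 'SMTPUTF8', 'VRFY']`; to check a live deployment, replace the parsed strings with `live_ehlo("smtp.example.com", 587)` and `live_ehlo("127.0.0.1", 8587)`.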

Re: “doveadm mailbox” command fails with UTF-8 mailboxes

2019-03-12 Thread Bob Gustafson via dovecot
A tool to determine the encoding of a file is 'file -bi '. This 
command is not perfect though.


On 3/12/19 2:20 PM, Felipe Gasper via dovecot wrote:

Hello,

I’ve got a strange misconfiguration where the following command:

doveadm -f pager mailbox status -u spamutf8 'messages vsize guid' INBOX 
'INBOX.*'

… fails with error code 68, saying that it can’t find one of the mailboxes. (It 
lists the user’s other mailboxes.) The name of the mailbox in question is saved 
to disk in UTF-8 rather than mUTF-7, but strace shows that doveadm is stat()ing 
the mUTF-7 path; the failure of that stat() is, assumedly, what causes doveadm 
to report the error status.

I’ve tried to paw through the source code to see what might be causing 
this but haven’t made much headway. Can someone here point out where the 
misconfiguration might be that is causing doveadm to stat() the mUTF-7 path 
rather than UTF-8? Or perhaps offer any tips as to how I might diagnose what’s 
going on? What causes doveadm to stat() one path or the other?

Thank you!


-Felipe Gasper
Mississauga, ON
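The two spellings Felipe describes are the UTF-8 name and its IMAP modified UTF-7 form (RFC 3501 section 5.1.3). As an added example that is not from the thread or from Dovecot's code, the Python below implements that encoding in both directions and, for a given mailbox name, computes both on-disk candidates so one can see which one actually exists; it assumes a Maildir++ layout where a folder `X` is stored as `<maildir>/.X`, and the sample names are constructed.

```python
import base64
import os


def to_mutf7(name):
    """Encode a Unicode mailbox name as IMAP modified UTF-7 (RFC 3501 section 5.1.3)."""
    out, pending = [], []

    def flush():
        # A run of non-ASCII characters becomes "&" + base64(UTF-16BE) + "-",
        # with "," in place of "/" and the "=" padding dropped.
        if pending:
            raw = "".join(pending).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=").replace("/", ",")
            out.append("&" + b64 + "-")
            pending.clear()

    for ch in name:
        if ch == "&":
            flush()
            out.append("&-")  # a literal ampersand is written as "&-"
        elif 0x20 <= ord(ch) <= 0x7E:
            flush()
            out.append(ch)  # printable ASCII is kept as-is
        else:
            pending.append(ch)
    flush()
    return "".join(out)


def from_mutf7(name):
    """Inverse of to_mutf7: decode modified UTF-7 back to a Unicode mailbox name."""
    out, i = [], 0
    while i < len(name):
        if name[i] != "&":
            out.append(name[i])
            i += 1
            continue
        end = name.index("-", i + 1)  # a shifted section always ends with "-"
        chunk = name[i + 1:end]
        if chunk == "":
            out.append("&")
        else:
            b64 = chunk.replace(",", "/")
            b64 += "=" * (-len(b64) % 4)  # restore the padding modified base64 omits
            out.append(base64.b64decode(b64).decode("utf-16-be"))
        i = end + 1
    return "".join(out)


def candidate_paths(maildir, mailbox):
    """Assumed Maildir++ layout: folder 'X' lives in '<maildir>/.X'.
    Returns both spellings doveadm might stat() and whether each exists."""
    result = {}
    for label, folder in (("utf8", mailbox), ("mutf7", to_mutf7(mailbox))):
        path = os.path.join(maildir, "." + folder)
        result[label] = (path, os.path.isdir(path))
    return result


if __name__ == "__main__":
    # Constructed sample: a German folder name and a Maildir path that need not exist here.
    for label, (path, exists) in candidate_paths("/home/spamutf8/Maildir", "Entwürfe").items():
        print(f"{label:5s} {path}  exists={exists}")
```

For `Entwürfe` the two candidates are `.Entwürfe` and `.Entw&APw-rfe`; whichever `candidate_paths` reports as existing is the spelling the store was created with, which is the first thing to compare against what strace shows doveadm looking for.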


Re: dovecot Buch 2014 vs 2016

2019-02-22 Thread Bob Gustafson via dovecot

Using translate.google.com


Hello,

On 22-2-2019 at 13:08, Heiko Schlittermann via dovecot wrote:

Moin,

It's about the Dovecot book.  I assume that at least one,
who knows, reads:

Is there a difference between language and  price?
The first (and only?) German edition of  2014 and the English
Edition of 2016?


Unfortunately, only English is spoken here. You can try this question 
again there: dove...@listen.jpberlin.de. This is also the correct 
address for questions about the Dovecot book.


Greeting,

Stephan.
On 2/22/19 6:39 AM, Stephan Bosch via dovecot wrote:

Hello,

On 22-2-2019 at 13:08, Heiko Schlittermann via dovecot wrote:

Hi,

This is about the Dovecot book. I assume that at least one person
who knows about it is reading along here:

Is there a difference, apart from the language and the price, between
the first (and only?) German edition from 2014 and the English
edition from 2016?


Unfortunately only English is spoken here. You can try this question 
again there: dove...@listen.jpberlin.de. That is also the 
correct address for questions about the Dovecot book.


Regards,

Stephan.