Re: ssh_dh?

2018-12-16 Thread C. Andrews Lavarre
Daniel, as of 2.3.x, you have to create a dh.pem parameter file unless
you can convert an existing parameter file:
https://wiki.archlinux.org/index.php/dovecot#Generate_DH_parameters
To generate a new DH parameters file (this will take
very long):

# openssl dhparam -out /etc/dovecot/dh.pem 4096


then add the file to /etc/dovecot/conf.d/10-ssl.conf

ssl_dh = https://security.stackexchange.com/questions/45963/diffie-hellman-key-exchange-in-plain-english
https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters

Yes it took a very long time, indeed five hours in my case. But now it
works.
I took a nap and listened to Messiah while it ground away...

Enjoy...

:-) 



Re: Upgrade to 2.3.1 has failed

2018-12-16 Thread C. Andrews Lavarre
Tim, Daniel, Aki, all. Problem solved. Well, sort of:
It is AppArmor.
I disabled AppArmor based on another sufferer's experience, and I
quote:
https://forums.opensuse.org/showthread.php/531740-Unexpected-permissions-issue-with-Dovecot
I have made some progress on solving this and tracked down the
problem to apparmor which is some sort of application based security
system. 
(How I wish Linux followed KISS principles, this appears to be
yet another security layer on top of the chmod/chown layer, and not an
intuitive/obvious thing either...)
So once again, a victim of political correctness. This was all more
Screwtape distraction:
There is nothing wrong with dovecot 3.2.1, there is nothing
wrong with my "configuration", I am not being rude, but AppArmor got
hosed by the OS upgrade.
https://www.suse.com/documentation/sles11/book_security/data/sec_aaintro_enable.html
Tomorrow is another day, I'll fight the AppArmor alligator then. In the
meantime, on to that G&T! Woohoo! :-)
Thanks again to all.
Kind regards, Andy
On Sun, 2018-12-16 at 18:41 +, Tim Dickson wrote:
> permissions should be 644 or 444 owned by root.
> if the permissions are too open, ssl/dovecot will refuse to load
> them.
> you may even see a message about it if you have verbose messages/
> check your sys logs.
> I had this problem once with certs that checked out fine, correct <
> in dovecot config but didn't load.
> chmod 644 /etc/ssl/certs/dovecot.cert /etc/ssl/private/dovecot.key
> fixed the problem
> regards, Tim
> 
> On 16/12/2018 14:33, C. Andrews Lavarre wrote:
> > For what it's worth, this gives the server an A:
> > https://www.ssllabs.com/ssltest/analyze.html?d=mail.privustech.com
> > 
> > So there is no problem with the certificates and key...
> > 
> > Thanks again.
> > 
> > On Sun, 2018-12-16 at 09:19 -0500, C. Andrews Lavarre wrote:
> > > So it's something else. 
>  

Re: Upgrade to 2.3.1 has failed

2018-12-16 Thread C. Andrews Lavarre
For what it's worth, this gives the server an A:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.privustech.com
So there is no problem with the certificates and key...
Thanks again.
On Sun, 2018-12-16 at 09:19 -0500, C. Andrews Lavarre wrote:
> So it's something else. 

Re: Upgrade to 2.3.1 has failed

2018-12-16 Thread C. Andrews Lavarre
Phil hi.
Thank you for explaining what the symbol does... so it is like the
BASH from symbol. OK. That is new information.
So without it dovecot reads the path/to/file as if it were a hashed
cert, which of course doesn't work. So with the symbol dovecot tries to
follow the path to read the cert but for some reason cannot read it.
Now, that is curious, since I can cat the path/to/file and read the
cert or key...
Now, while the /path/to/file permission is presently root:root 0777
(yes, I know 0777 is not good, but I was trying to eliminate any
prevention to reading it) it is actually a soft link to yet another
file. Let's Encrypt has to be renewed every so often so the cert engine
(certbot) recreates the softlink to the new cert so that we don't need
to edit 10-ssl.conf. 
So I have entered the actual full path/to/file for the cert and key
(not the softlinks) to eliminate that possibility, but it didn't help.
So it's something else. 
As you say, focus on the problem: Simply put, why can 2.3.1 not read a
file while we can list and print out (ls, cat) the file? What changed
in that regard from 2.2.x to 2.3.1?

I'm very grateful for the time folks have spent on this, including my
own time. I'm not being rude, just factual. This is what is happening.
But "something is wrong with your configuration",  while equally
factual, is also equally ineffective. 
OTOH, in my experience factually describing an anomaly can lead to
someone wondering why it might be, and if they are more knowledgeable
of the inner workings of the system be better able to understand why
that might be. 
For example, I didn't know anything about AppArmor before, now I do,
have gone down that rabbit hole, and seem to be able to say, nope,
that's not the problem. So now I can move on to checking out something
else. 
Similarly, under BASH the path/to/files are all correct and I can read
them from the command line. And 2.2.x didn't have any problem with
them. So why might 2.3.1 not be able to read them?
So we all need to leave this alone, for now. I'll work along, and
when/if I figure it out shall return to report. I'm sure it's something
simple: Easy when you know how. :-)
Thanks again.
Andy
On Sun, 2018-12-16 at 07:41 -0500, Phil Turmel wrote:
> Andy,
> 
> This is just rude.  You have been told multiple times that the less-
> than
> symbol is required to read the certificate from the file.  Otherwise,
> the filename is parsed as if it is the certificate itself.  Which
> yields
> garbage.
> 
> If dovecot can't read that file, it is *not* dovecot's fault.  You
> are
> simply not going to succeed until *you* figure out what security
> differences you have in your new installation.  So dovecot can read
> the
> files.  Every single attempt to connect via openssh depends on
> dovecot
> reading your certificate and key files.  They are pointless exercises
> until dovecot actually loads your files.  Focus on the real problem
> if
> you wish to fix your service.
> 
> On 12/15/18 5:12 PM, C. Andrews Lavarre wrote:
> > 
> > Alexander, Thanks, as described before, if I include the "<" then
> > Dovecot fails to start at all.
> > 
> > Thank you again for your time. I have forwarded my latest to Aki to
> > the
> > group.
> 
> Regards,
> 
> Phil

[Fwd: Re: Upgrade to 2.3.1 has failed]

2018-12-15 Thread C. Andrews Lavarre
Alexander hi.
Aki caught the STARTTLS issue as well, I corrected it, but it still
doesn't work.
Enjoy your weekend. I intend to enjoy mine!
:-)
Thanks again for your time.
Andy
 Forwarded Message 
From: C. Andrews Lavarre 
To: Aki Tuomi 
Subject: Re: Upgrade to 2.3.1 has failed
Date: Sat, 15 Dec 2018 15:08:58 -0500
Aki thank you again.
If you and Alexander are stumped then surely I am too! I swear I didn't
change anything, and indeed have tried going back to the backup of 10-
ssl.conf, which worked under 2.2, but doesn't under 2.3 even after
making the changes described in the upgrade documentation.
All I did was change all the repositories to Leap 15.0 from Leap 42.3
and execute zypper dup. It took several hours to complete at which
point everything works just fine, except that Dovecot was upgraded from
2.2.xxx? to 2.3.1 without my even agreeing to it... :-(
This version 2.3.1 is the openSUSE repository offering for their Leap
15.0.
I tried finding a rollback version yesterday—2.2.3, 2.2.9... I don't
need all the bells and whistles, I just want it to work—but all had one
kind of dependency hell or another... :-(
What I've done in the meantime is to mount /home/alavarre/Maildir with
sshfs, and then point KMail at it, so I can read and write email
without dovecot, but it would be nice to fix it IDC...
So maybe the right answer is to try the latest, perhaps in
Tumbleweed... I'm usually allergic to self-compiling, I always seem to
find one dependency hell or another, but I'll go ahead and try anyhow.
I'll let you know. In the meantime all the failed logins have put me in
jail by the provider (Cox Cable) accusing me of being a spammer... :-(
But for now I'll go have a gin and tonic and hit it again tomorrow...
:-)
Enjoy your weekend, and thank you again for your thoughts and time.
Cheers, Andy
On Sat, 2018-12-15 at 21:37 +0200, Aki Tuomi wrote:
> There is still something wrong with your config. Btw if you are
> compiling yourself you might want to use 2.3.4
> 
> We test the cert functionality in our ci tests so I am fairly
> confident this is not a dovecot bug.
> 
> Aki
> > 

Re: Upgrade to 2.3.1 has failed

2018-12-15 Thread C. Andrews Lavarre
Alexander, Thanks, as described before, if I include the "<" then
Dovecot fails to start at all.
Thank you again for your time. I have forwarded my latest to Aki to the
group.
Enjoy your weekend.
Best regards, Andy
On Sat, 2018-12-15 at 23:08 +0100, Alexander Dalloz wrote:
> Am 15.12.2018 um 19:43 schrieb Aki Tuomi:
> > 
> > > 
> > > I've posted the full output from dovecot -n to https://pastebin.com/F8RaC4bt
> You again broke your setup. From your pastebin:
> 
> ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
> 
> That's missing the "<" in front of the path to the certificate file. 
> Probably the same mistake for the ssl_key parameter.
> 
> Alexander
> 

Re: Upgrade to 2.3.1 has failed

2018-12-15 Thread C. Andrews Lavarre
The output of /var/log/mail for this login attempt is at
https://pastebin.com/R1Bjkjm3
Thanks again.
On Sat, 2018-12-15 at 13:02 -0500, C. Andrews Lavarre wrote:
> Excellent, thank you again.
> 
> The openssl command I have tried (that used to work with Dovecot 2.2)
> is:
>   openssl s_client -connect mail.privustech.com:143
> I have also tried
>         openssl s_client -connect mail.privustech.com:143 -servername mail.privustech.com
> I've posted the full output from this to https://pastebin.com/eUSarQdx
> 
> I've posted the full output from dovecot -n to https://pastebin.com/F8RaC4bt
> 
> Thank you again, Andy
> 
> On Sat, 2018-12-15 at 17:27 +0100, Alexander Dalloz wrote:
> > Am 15.12.2018 um 17:16 schrieb C. Andrews Lavarre:
> > > 
> > >   to /etc/apparmor.d/local/usr.lib.dovecot.imap-login but 
> > > still
> > > cannot login with either the mail client or with explicit
> > > openssl: it
> > > complains
> > >   error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> > Hi,
> > 
> > that error above typically means to connect with SSL to STARTTLS or
> > vice 
> > versa.
> > 
> > Please provide the complete command you issue using "openssl
> > s_client" 
> > together with the corresponding dovecot logging. As well the output
> > of 
> > "doveconf -n" would be useful to help you further.
> > 
> > Alexander
> > 

Re: Upgrade to 2.3.1 has failed

2018-12-15 Thread C. Andrews Lavarre
Excellent, thank you again.
The openssl command I have tried (that used to work with Dovecot 2.2)
is:
openssl s_client -connect mail.privustech.com:143
I have also tried
        openssl s_client -connect mail.privustech.com:143 -servername mail.privustech.com
I've posted the full output from this to https://pastebin.com/eUSarQdx

I've posted the full output from dovecot -n to https://pastebin.com/F8RaC4bt

Thank you again, Andy
On Sat, 2018-12-15 at 17:27 +0100, Alexander Dalloz wrote:
> Am 15.12.2018 um 17:16 schrieb C. Andrews Lavarre:
> > 
> > to /etc/apparmor.d/local/usr.lib.dovecot.imap-login but 
> > still
> > cannot login with either the mail client or with explicit openssl:
> > it
> > complains
> > error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> Hi,
> 
> that error above typically means to connect with SSL to STARTTLS or
> vice 
> versa.
> 
> Please provide the complete command you issue using "openssl
> s_client" 
> together with the corresponding dovecot logging. As well the output
> of 
> "doveconf -n" would be useful to help you further.
> 
> Alexander
> 

Re: Upgrade to 2.3.1 has failed

2018-12-15 Thread C. Andrews Lavarre
Alexander good afternoon. Thank you. I have spent the day learning
about AppArmor:
• I've reviewed your link, found /etc/apparmor.d/ and its local/ 
directory.
• I ran aa-logprof and it found the change in stat to old-stat 
that is discussed in the upgrade documentation. So I Allow (A) that.
There are no other reports.
• I followed the discussion on using yast to manage the
profiles. I'm on ssh to the server so do not have the GUI yast, only
the ncurses version and it does not contain editing, only adding,
profiles.
I tried creating a profile for imap-login with that method and
scanned for any issues, there were none reported, but still cannot log
in.
• I followed the local/README to explicitly add
/etc/certbot/live/privustech.com/* r,

to /etc/apparmor.d/local/usr.lib.dovecot.imap-login but still
cannot login with either the mail client or with explicit openssl: it
complains
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

I check yast2 sw_single for the dovecot installation. Indeed
the module dovecot23-xxx where xxx is anything that looks like "clnt" (
client?) does not exist. Is there a missing module in my installation?
It lists only
dovecot
dovecot23
dovecot23-backend-mysql
dovecot23-backend-pgsql
dovecot23-backend-sqlite
dovecot23-fts
dovecot23-fts-squat

I'll pursue this further.
Thank you again.
Kind regards, Andy

On Fri, 2018-12-14 at 23:44 +0100, Alexander Dalloz wrote:
> Am 14.12.2018 um 19:58 schrieb C. Andrews Lavarre:
> > 
> > Thanks for the input. I've checked out your suggestions (details
> > below)
> > but unfortunately no joy.
> > I also restored my backup 10-ssl.conf. It indeed has the "<" sign
> > with
> > a space before the explicit paths to the files:
> >      ssl_cert = 
> >      ssl_key = 
> Hi,
> 
> the syntax you see in the documentation is mandatory. Your issue is 
> really a permissions problem.
> 
> Check your AppArmor setup. The path you use for storing the chained 
> certificate and the private key is certainly not known to AppArmor.
> See 
> your /var/log/audit/audit.log for indications.
> 
> https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.apparmor.managing.html
> 
> may help.
> 
> Btw. permissions setting to 0777, especially for the cert and key,
> is 
> awful, even for debugging issues.
> 
> Alexander
> 
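Alexander's suggestion above is to read /var/log/audit/audit.log for AppArmor denials. The script below is an added example, not code from this thread, from Dovecot or from the AppArmor project: it parses AppArmor "DENIED" records (constructed sample lines, with placeholder paths, PIDs and an example.com domain), groups the denied paths by the profile that refused them, and prints candidate rule lines for the /etc/apparmor.d/local/ override file, in the same form as the `/etc/certbot/live/privustech.com/* r,` line Andy added. The profile-to-filename mapping follows the openSUSE convention visible in the thread (`/usr/lib/dovecot/imap-login` becomes `usr.lib.dovecot.imap-login`). aa-logprof does the same job interactively; this version is for scripted review of a log.

```python
"""Turn AppArmor DENIED audit records into candidate local-override rules.

Added example for reviewing /var/log/audit/audit.log after a Dovecot
upgrade; the records below are constructed, not taken from a real host.
"""
import re
from collections import defaultdict

# AppArmor writes key="value" fields into audit and syslog records.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample of audit.log content: one profile-load STATUS record,
# two DENIED records for the certificate and key, and an unrelated SYSCALL.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1544880000.101:311): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/dovecot/imap-login" pid=900 comm="apparmor_parser"
type=AVC msg=audit(1544880001.202:312): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap-login" name="/etc/certbot/live/example.com/fullchain.pem" pid=14062 comm="imap-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1544880001.203:313): apparmor="DENIED" operation="open" profile="/usr/lib/dovecot/imap-login" name="/etc/certbot/live/example.com/privkey.pem" pid=14062 comm="imap-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1544880001.204:314): arch=c000003e syscall=2 success=no exit=-13 comm="imap-login"
"""


def parse_denials(text):
    """Return a list of dicts, one per apparmor="DENIED" record."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        denials.append({
            "profile": fields.get("profile", "?"),
            "operation": fields.get("operation", "?"),
            "name": fields.get("name", "?"),
            # denied_mask is the part of the request the policy refused.
            "mask": fields.get("denied_mask") or fields.get("requested_mask", ""),
            "comm": fields.get("comm", "?"),
        })
    return denials


def suggest_rules(denials):
    """Group denied paths by profile and build candidate file rules.

    Only plain file-access letters (r, w, k, l, m) are passed through;
    exec denials need AppArmor's x-rule syntax and are deliberately skipped
    so nothing broader than a read/write rule is ever suggested.
    """
    rules = defaultdict(list)
    for d in denials:
        mask = "".join(c for c in d["mask"] if c in "rwklm")
        if not mask:
            continue
        rule = "%s %s," % (d["name"], mask)
        if rule not in rules[d["profile"]]:
            rules[d["profile"]].append(rule)
    return dict(rules)


def local_override_filename(profile):
    """Map a profile name to its file under /etc/apparmor.d/local/ using the
    distribution convention seen in the thread: strip the leading '/' and
    replace the remaining '/' with '.'."""
    return profile.lstrip("/").replace("/", ".")


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT)
    for profile, lines in suggest_rules(found).items():
        print("# /etc/apparmor.d/local/%s" % local_override_filename(profile))
        for rule in lines:
            print("  " + rule)
```

After editing the local override, the profile still has to be reloaded (`apparmor_parser -r` on the main profile file) before Dovecot is restarted; a denial that persists after that points at a different profile (for example the `auth` or `imap` process) rather than `imap-login`.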

Re: Upgrade to 2.3.1 has failed

2018-12-14 Thread C. Andrews Lavarre
Aki hello, thank you. Hopefully excerpts and top posting are acceptable
in the mailing list? 
On that assumption:
Thanks for the input. I've checked out your suggestions (details below)
but unfortunately no joy.
I also restored my backup 10-ssl.conf. It indeed has the "<" sign with
a space before the explicit paths to the files:
    ssl_cert = https://wiki2.dovecot.org/Upgrading/2.3
    https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
• Changed ssl_protocols to ssl_min_protocol = TLSv1
• Added ssl_dh = 
> # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
> # dropping root privileges, so keep the key file unreadable by anyone but
> # root
However if I remove the < then dovecot starts up correctly. I
delete them one at a time, test, and it shows that file read, but then
fails on the next. So carry on. After the ssl_cert and ssl_key < are
removed dovecot runs (ssl_dh still has <):
    Dec 14 10:49:31 lavarre systemd[1]: Started Dovecot IMAP/POP3 email server.
    Dec 14 10:49:31 lavarre dovecot[14059]: master: Dovecot v2.3.1 (8e2f634) starting up for imap, pop3, lmtp
But then logging in imap fails:
open(old-stats-user) failed: Permission denied
The documentation for 2.3 says to remove stats from mail-plugin 
settings, but I do not find that in either dovecot.conf or 10-mail.conf.
The mail system is working correctly. Mail is received and stored in 
/home/alavarre/Maildir/new
I'm sure it's something simple, since it worked before the version upgrade. So 
maybe the answer is just go back to the older version... :-(

Thanks again.
Andy


Here are the results of addressing your suggestions, thank you again:
>You should set ssl_prefer_server_ciphers = yes
Done. No change in status however...

>> 4. We do NOT include the less than (<) symbol before the paths
>> because then dovecot fails to load complaining it cannot find the
>> files.
> Yes, this is probably indication that you are missing the files 
    The files are not missing or corrupted. cat shows apparently
properly hashed certificates and keys.

> or are chrooting dovecot in unsupported way. Not including the <
> symbol will not help with this.
M:
      https://wiki.archlinux.org/index.php/Chroot
    I did not intentionally or explicitly chroot dovecot. However, it
is possible that yast2 may have done this to perform the upgrade from
Leap 42.3 to 15.0 and didn't undo it?
    However, this does not seem to have happened:
          https://stackoverflow.com/questions/75182/detecting-a-chroot-jail-from-within
    stat indicates that root is indeed the normal root:
        stat -c %i /
    returns 2. (But thanks for the education! :-) I now know
about chroot...)

> You should use
>   ssl_cert = 
>   ssl_key = 
>   ssl_dh = 
, rip=107.107.60.219, lip=70.186.159.22, session=
Dec 14 11:24:22 lavarre dovecot[14062]: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.: user=<>, rip=107.107.60.219, lip=70.186.159.22, session=
I'm inclined to think that the "less than" symbol is the problem. The
documentation says
the  > 
> > On 14 December 2018 at 02:12 "C. Andrews Lavarre" 
> > om> wrote:
> > 
> > 
> > Problem:
> > We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But
> > we
> > upgraded openSUSE to Leap 15.0.
> > In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no
> > longer
> > works and I haven't figured out how to downgrade to the older
> > working
> > version.
> > 
> > The key issue seems to be the change to requiring dh.pem and
> > changing ssl_protocols to ssl_min_protocols. I think I've navigated both
> > correctly, but it still doesn't work.
> > The error is
> >  auth: Error: stats: open(old-stats-user) failed:
> > Permission denied
> > 
> > as a consequence of which we get
> > imap-login: Error: Failed to initialize SSL server
> > context: Can't
> > load SSL certificate: There is no valid PEM certificate.
> > 
> > We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
> > 1. We have created /etc/dovecot/dh.pem (yes it took five
> > hours) 
> > 
> > 2. We have edited 10-ssl.conf as directed by the Wiki:
> > ssl = yes
> > ssl_cert =
> > /etc/certbot/live/privustech.com/fullchain.pem
> >   

Upgrade to 2.3.1 has failed

2018-12-13 Thread C. Andrews Lavarre
Problem:
We had Dovecot v2.2 working just fine under openSUSE Leap 42.3. But we
upgraded openSUSE to Leap 15.0.
In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer
works and I haven't figured out how to downgrade to the older working
version.

The key issue seems to be the change to requiring dh.pem and changing
ssl_protocols to ssl_min_protocols. I think I've navigated both
correctly, but it still doesn't work.
The error is
 auth: Error: stats: open(old-stats-user) failed: Permission denied

as a consequence of which we get
imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: There is no valid PEM certificate.

We have followed the instructions at https://wiki.dovecot.org/SSL/DovecotConfiguration
1. We have created /etc/dovecot/dh.pem (yes it took five
hours) 

2. We have edited 10-ssl.conf as directed by the Wiki:
ssl = yes
ssl_cert = /etc/certbot/live/privustech.com/fullchain.pem
ssl_key = /etc/certbot/live/privustech.com/privkey.pem
ssl_dh = /etc/dovecot/dh.pem
#(yes, it took five hours to create...)
ssl_min_protocol = TLSv1
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = no

3. We have checked 10-ssl.conf against the 2.3 default at

https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf

4. We do NOT include the less than (<) symbol before the paths because 
then dovecot fails to load complaining it cannot find the files.

5. We have checked all the pem keys, certificates, and dh
files with cat, they all exist and are in the expected hash format.

6. We have followed the instructions to set their permissions
root:root 0444 and 0400 accordingly.
7. We have rebooted the host.

Any help or clues would be most appreciated.

Kind regards, Andy
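The post above deliberately leaves the "<" off ssl_cert and ssl_key (item 4); later replies in this thread explain that the "<" tells Dovecot to read the file at that path and that without it the literal string is parsed as the PEM data itself, which is what "There is no valid PEM certificate" reports. The script below is an added example, not code from Dovecot or from anyone in the thread: it lints the three file-valued SSL settings of a 10-ssl.conf the way one would before restarting the service, checking for the "<", stat-ing the target through any symlink (as certbot's live/ directory needs), looking for a PEM header, and flagging a private key readable by group or world. The config fragments, paths and PEM bodies it builds are constructed placeholders.

```python
"""Lint the ssl_cert / ssl_key / ssl_dh lines of a Dovecot 10-ssl.conf.

Added example. It encodes two facts from the thread: a value beginning
with '<' is a path Dovecot reads at startup (without it the text itself is
taken as PEM data), and the files are opened as root before privileges are
dropped, so the key needs no group/world read bit.
"""
import os
import re
import stat
import tempfile

# Only the three file-valued settings; "ssl_dh" does not match
# "ssl_dh_parameters" because '=' must follow the name directly.
SETTING_RE = re.compile(r"^\s*(ssl_cert|ssl_key|ssl_dh)\s*=\s*(.*?)\s*$")
PEM_HEADER_RE = re.compile(r"-----BEGIN [A-Z ]+-----")


def lint_ssl_settings(conf_text):
    """Return a list of (setting, severity, message) findings for conf_text."""
    findings = []
    for line in conf_text.splitlines():
        m = SETTING_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if not value.startswith("<"):
            findings.append((name, "error",
                             "no leading '<': Dovecot parses %r as PEM data, "
                             "not as a path" % value))
            continue
        path = value[1:].strip()
        try:
            st = os.stat(path)  # follows symlinks, like Dovecot's open()
        except OSError as exc:
            findings.append((name, "error",
                             "cannot stat %s: %s" % (path, exc.strerror)))
            continue
        # This script runs unconfined. If it reads a file that Dovecot says
        # it cannot, the difference is a confinement layer (AppArmor) or a
        # chroot, not the file itself.
        if not os.access(path, os.R_OK):
            findings.append((name, "error", "%s is not readable" % path))
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096).decode("ascii", "replace")
        if not PEM_HEADER_RE.search(head):
            findings.append((name, "error",
                             "%s has no '-----BEGIN ...-----' header" % path))
        mode = stat.S_IMODE(st.st_mode)
        if name == "ssl_key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, "warning",
                             "%s is mode %04o; it is opened as root before "
                             "privileges drop, so 0400 or 0600 is enough"
                             % (path, mode)))
        elif name != "ssl_key" and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "warning",
                             "%s is mode %04o; certificates and DH parameters "
                             "should be 0644 or 0444" % (path, mode)))
    return findings


def build_demo():
    """Write constructed dummy PEM files to a temp dir and return two config
    fragments: one without '<' (as in the original post) and one with it.
    The PEM bodies are placeholders, not real key material."""
    d = tempfile.mkdtemp(prefix="dovecot-ssl-lint-")
    files = {
        "fullchain.pem": ("CERTIFICATE", 0o644),
        "privkey.pem": ("PRIVATE KEY", 0o777),   # deliberately too open
        "dh.pem": ("DH PARAMETERS", 0o644),
    }
    paths = {}
    for fname, (label, mode) in files.items():
        p = os.path.join(d, fname)
        with open(p, "w") as fh:
            fh.write("-----BEGIN %s-----\nMIIBdummy\n-----END %s-----\n"
                     % (label, label))
        os.chmod(p, mode)
        paths[fname] = p
    broken = ("ssl = yes\nssl_cert = %(fullchain.pem)s\n"
              "ssl_key = %(privkey.pem)s\nssl_dh = <%(dh.pem)s\n" % paths)
    fixed = ("ssl = yes\nssl_cert = <%(fullchain.pem)s\n"
             "ssl_key = <%(privkey.pem)s\nssl_dh = <%(dh.pem)s\n" % paths)
    return broken, fixed


if __name__ == "__main__":
    broken_conf, fixed_conf = build_demo()
    for label, conf in (("without '<'", broken_conf), ("with '<'", fixed_conf)):
        print("== %s ==" % label)
        for setting, severity, msg in lint_ssl_settings(conf):
            print("%-8s %-7s %s" % (setting, severity, msg))
```

On a live host the script is run against the real 10-ssl.conf as root; a clean result there, with Dovecot still logging "Can't load SSL certificate", is the signal to look at the MAC policy rather than at the files, which is where this thread ended up.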


Dovecot cannot find mailboxes

2016-07-24 Thread C. Andrews Lavarre
Edgar, thank you for your help:

I have solved gaining access from a client (Evolution) via IMAP to the
server: I can refresh, add folders, and delete folders. But I am still
confounded, as IMAP does not see any mailboxes. Neither we from the
command line (telnet, openssl, login, select) nor the system can find
the mailbox, despite following FindMailLocation:

telnet, openssl, login, then
b select inbox
* 0 EXISTS 
* 0 RECENT 

and postfix fails with

2016-07-23T21:22:37.312039-04:00 lavarre postfix/error[17088]: A8DA2C1BB2: 
to=, orig_to=, relay

But the mailboxes do exist in /var/mail/vhosts/privustech.com/andy and
we point to them in /etc/dovecot/users.

doveconf -n is attached.

-

Two issues are:
1. file permissions and ownership
2. virtual versus system users

1. It appears that having the correct ownership and permissions on
various files is critical (of course), but those parameters must also
be included in the interior of the /etc/dovecot/user. So if you change
permissions you also must change that file.

For example, you said:

i also noticed your certificate chain is broken.
http://wiki2.dovecot.org/testinstallation

I worked through this link, thank you. Changing permissions for the
directories /var/mail/* to 

root:mail   ($UID:$GID = 1000:12)

and then changing /etc/dovecot/users correspondingly to

u...@privustech.com:{plain}actualpassword:1000:12::/var/mail/vhosts/privustech.com/user

now allows a normal login, and we can create a new folder (e.g., work)
and delete it. However, this is at variance with 
http://wiki2.dovecot.org/HowTo/SimpleVirtualInstall

which says to set the ownership to vmail:vmail ($UID:$GID = 100:5000).
Doing so breaks dovecot.

2. The various links suggest that having virtual users is preferable to
setting system users. The former do not require directories under /home but they 
do require a directory in the mail system, which I have provided under 
/var/mail/vhosts. It also turns out that for virtual users you must include the 
domain (a...@privustech.com). Making that change allowed the success reported 
above. But despite that, we still cannot find the mailboxes on login.


Any thoughts on how to have IMAP find the mailboxes (beyond 
FindMailLocation, which doesn't seem to work for me) would be most
appreciated.

Kind regards, Andy 

# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (0c4ae064f307+)
# OS: Linux 4.1.27-27-default x86_64 openSUSE 42.1 (x86_64) ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
info_log_path = /var/log/dovecot-info.log
listen = *
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix = 
}
passdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
}
service imap-login {
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
ssl = required
ssl_ca =  was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
  mail_max_userip_connections = 10
}
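For the mailbox problem described above, three things have to agree: the uid/gid in the /etc/dovecot/users entry (which Dovecot will run the mail process as for that login), the ownership of the directory, and the path that mail_location = maildir:/var/mail/vhosts/%d/%n expands to for the login name. The script below is an added example, not code from Dovecot or from this thread: it parses the passwd-file format used in /etc/dovecot/users, expands %u/%n/%d the way Dovecot does for the login, and reports ownership mismatches and missing cur/new/tmp subdirectories. It builds a constructed temporary vhosts tree to run against; example.com, the user names and the password field are placeholders.

```python
"""Check that a Dovecot passwd-file, mail_location and the on-disk Maildir agree.

Added example; the passwd-file lines and directory tree are constructed.
"""
import os
import tempfile


def parse_passwd_file(text):
    """Parse passwd-file lines: user:password:uid:gid:gecos:home:shell:extra.
    Trailing fields may be omitted, as Dovecot allows."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (8 - len(parts))
        entries[parts[0]] = {
            "uid": int(parts[2]) if parts[2] else None,
            "gid": int(parts[3]) if parts[3] else None,
            "home": parts[5],
        }
    return entries


def expand_mail_location(mail_location, user):
    """Expand %u (full login), %n (local part) and %d (domain) in a
    mail_location such as maildir:/var/mail/vhosts/%d/%n; return (driver, path)."""
    local, _, domain = user.partition("@")
    driver, _, path = mail_location.partition(":")
    path = path.replace("%u", user).replace("%n", local).replace("%d", domain)
    return driver, path


def check_user(user, entry, mail_location):
    """Return the problems that would keep IMAP from seeing this user's mail;
    an empty list means location, ownership and Maildir layout agree."""
    problems = []
    driver, path = expand_mail_location(mail_location, user)
    if not os.path.isdir(path):
        problems.append("mail root %s does not exist" % path)
        return problems
    st = os.stat(path)
    if entry["uid"] is not None and st.st_uid != entry["uid"]:
        problems.append("%s is owned by uid %d but the passwd-file gives uid %d"
                        % (path, st.st_uid, entry["uid"]))
    if entry["gid"] is not None and st.st_gid != entry["gid"]:
        problems.append("%s has gid %d but the passwd-file gives gid %d"
                        % (path, st.st_gid, entry["gid"]))
    if driver == "maildir":
        # A Maildir without cur/new/tmp is what an IMAP SELECT answers with 0 EXISTS.
        for sub in ("cur", "new", "tmp"):
            if not os.path.isdir(os.path.join(path, sub)):
                problems.append("Maildir subdirectory %s is missing"
                                % os.path.join(path, sub))
    return problems


def report(users_text, mail_location):
    """Map every login in the passwd-file to its list of problems."""
    entries = parse_passwd_file(users_text)
    return {u: check_user(u, e, mail_location) for u, e in entries.items()}


def build_demo():
    """Constructed sample: a vhosts tree in a temp dir plus a passwd-file.
    The tree is owned by the running uid/gid, so 'andy' is consistent,
    'bob' is given a deliberately wrong uid and no cur/new/tmp, and
    'carol' has no directory at all."""
    root = tempfile.mkdtemp(prefix="vhosts-")
    mail_location = "maildir:%s/%%d/%%n" % root
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(root, "example.com", "andy", sub))
    os.makedirs(os.path.join(root, "example.com", "bob"))
    uid, gid = os.getuid(), os.getgid()
    users = "\n".join([
        "# constructed passwd-file, not the thread's real /etc/dovecot/users",
        "andy@example.com:{PLAIN}secret:%d:%d::%s/example.com/andy" % (uid, gid, root),
        "bob@example.com:{PLAIN}secret:%d:%d::%s/example.com/bob" % (uid + 1, gid, root),
        "carol@example.com:{PLAIN}secret:%d:%d::%s/example.com/carol" % (uid, gid, root),
    ])
    return users, mail_location


if __name__ == "__main__":
    users_text, location = build_demo()
    for login, problems in report(users_text, location).items():
        print(login, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

The check is deliberately stricter than Dovecot, which creates cur/new/tmp itself when it has write permission; the point of listing them is that a login whose directory is owned by a different uid cannot create them, which is the "missing +w perm" error quoted later in this thread.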


Re: Cannot connect to Dovecot IMAP or POP

2016-07-23 Thread C. Andrews Lavarre
> > Edgar, thank you for your help:
> > 
> > i also noticed your certificate chain is broken.
> > 
> > http://wiki2.dovecot.org/testinstallation
> > 
> > i have worked through this link, thank you
> > 
> > changing permissions for /var/mail/* to 
> > 
> > root:mail ($UID:$GID = 1000:12)
> > 
> > and then changing /etc/dovecot/users correspondingly to 
> > 
> > u...@privustech.com:{plain}actualpassword:1000:12::/var/mail/vhosts/privustech/user
> > 
> > now allows a normal login. and we can create a new folder (e.g.,
> > work) and delete it.
> > 
> > If we set permissions to
> > 
> > vmail:vmail 100:5000
> > 
> > and update /etc/dovecot/users correspondingly it fails.
> > 
> > Regardless, despite following FindMailLocation neither we nor the
> > system can find the mailbox:
> > 
> > b select inbox
> > * 0 EXISTS 
> > * 0 RECENT 
> > 
> > and postfix fails with
> > 2016-07-23T21:22:37.312039-04:00 lavarre postfix/error[17088]:
> > A8DA2C1BB2: to=, orig_to=, relay=none, delay=278572,
> > delays=278271/300/0/0.04, dsn=4.4.2, status=deferred (delivery
> > temporarily suspended: conversation with mail.privustech.com[private/lmtp]
> > timed out while receiving the initial server greeting)
> >  
> > lmtp may be the culprit...
> > 


Re: Postfix/dovecot: user unrecognized, file permissions being misread

2016-07-05 Thread C. Andrews Lavarre
Hello all. Thanks to Edgar for the below, but we still have a
curiosity:
On Sun, 2016-07-03 at 17:31 -0500, Edgar Pettijohn wrote:
> On 16-07-03 18:17:48, C. Andrews Lavarre wrote:
> > On Sun, 2016-07-03 at 15:56 -0500, Edgar Pettijohn wrote:
> > > doveconf -n would be helpful
> Double check me, but I think you only want (1) passdb {} block.
> ...
> Same here (userdb {)
Agree on both, thank you. There are a huge number of files expressing
passdb { and userdb { but most are commented out.
The undesirables were from conf.d/auth-system.conf.ext that I have now
entirely commented out, since we are not using system users.

> (and make sure driver = "passdb driver".
> 

Presumably this means in auth-passwd-file.conf.ext:
> userdb {
>   driver = passdb driver
This was commented out.
I changed it as you say, but it doesn't like it:
auth: Fatal: Unknown userdb driver 'passdb driver'

so I changed it back to

driver = passwd-file

Now we have no dovecot.log errors, except:
The reported error was "IMAP server said BYE: Disconnected:
Auth process broken
Tomorrow is another day. 
I attach the 
lavarre:/etc/dovecot # doveconf -n >lavarre-160705_conf.txt


Thank you again.
Kind regards, Andy
# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (0c4ae064f307+)
# OS: Linux 4.1.26-21-default x86_64 openSUSE 42.1 (x86_64) ext4
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
listen = *
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix = 
}
passdb {
  args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
}
service imap-login {
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
ssl = required
ssl_ca =  was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
  mail_max_userip_connections = 10
}


Re: Postfix/dovecot: user unrecognized, file permissions being misread

2016-07-03 Thread C. Andrews Lavarre
Edgar hello. Thanks again.
Not sure of the protocol. Perhaps better to keep the entire thread
complete, so here again is doveconf -n with the precedents:
lavarre:/var/mail/vhosts/privustech.com # doveconf -n
# 2.2.18: /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (0c4ae064f307+)
# OS: Linux 4.1.26-21-default x86_64 openSUSE 42.1 (x86_64) ext4
auth_mechanisms = plain login
auth_verbose = yes
listen = *
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:/var/mail/vhosts/%d/%n
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
passdb {
  args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_after = /var/mail/vmail/sieve-after
  sieve_before = /var/mail/vmail/sieve-before
  sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
  }
}
service imap-login {
  inet_listener imaps {
port = 993
ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/lmtp {
group = postfix
mode = 0600
user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
ssl = required
ssl_ca =  was automatically rejected:%n%r
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
  mail_max_userip_connections = 10
}


On Sun, 2016-07-03 at 15:56 -0500, Edgar Pettijohn wrote:
> On 16-07-03 16:44:42, C. Andrews Lavarre wrote:
> > Hello all. Have spent several days following the excellent
> > tutorial:
> > 
> > http://www.binarytides.com/install-postfix-dovecot-debian/
> > 
> > but still fail to have the user recognized and am getting log
> > entries
> > that the mail directories are 0755 when I can clearly see that they
> > are
> > 0774.
> > 
> > Very puzzling, any help would be deeply appreciated.
> > 
> > Best regards, Andy
> > === Details ===
> > • I can add directories under IMAP, so my IMAP login and
> > permissions
> > must be correct.
> > 
> > ??? I can create an outgoing message under IMAP, but clicking SEND
> > just
> > hangs. Logs do not indicate problem.
> > 
> > ??? I clearly can send it a message with smtp. The message is
> > delivered
> > to postfix, but then dovecot fails to deliver it to a mailbox.
> >  Log Entries -------
> > # tail /var/log/mail
> > postfix/qmgr[16390]: 9D6E8C1A77: from=<alava...@gmail.com>,
> > size=2794, nrcpt=1 (queue active)
> > Message has been received
> > 
> > postfix/lmtp[16770]: C218DC197D: to=<alava...@privustech.com>,
> > relay=mail.privustech.com[private/lmtp], delay=2560,
> > delays=2260/0.01/300/0, dsn=4.4.2, status=deferred (conversation with
> > mail.privustech.com[private/lmtp] timed out while receiving the
> > initial server greeting)
> > lmtp is not working
> > 
> > 
> > # tail /var/log/dovecot.log
> > 
> > auth-worker(16612): Info:
> > pam(alava...@privustech.com,98.179.190.111): unknown user
> 
> This could be a problem. 
> 
> > 
> > imap-login: Info: Login: user=,
> > method=PLAIN, rip=98.179.190.111, lip=70.186.159.22, mpid=16615, TLS,
> > session=
> > 
> > imap(alava...@privustech.com): Error:
> > mkdir(/var/mail/vhosts/privustech.com/alavarre/cur) failed: Permission
> > denied (euid=5000(vmail) egid=5000(vmail) missing +w perm:
> > /var/mail/vhosts/privustech.com/alavarre, dir owned by 0:0 mode=0755)
> > However, the mail directory

Re: Postfix/dovecot: user unrecognized, file permissions being misread

2016-07-03 Thread C. Andrews Lavarre
On Sun, 2016-07-03 at 15:56 -0500, Edgar Pettijohn wrote:
> doveconf -n would be helpful
Thank you:
lavarre:/var/mail/vhosts/privustech.com # doveconf -n
# 2.2.18: /etc/dovecot/dovecot.conf

# Pigeonhole version 0.4.8 (0c4ae064f307+)

# OS: Linux 4.1.26-21-default x86_64 openSUSE 42.1 (x86_64) ext4

auth_mechanisms = plain login

auth_verbose = yes

listen = *

log_path = /var/log/dovecot.log

mail_debug = yes

mail_location = maildir:/var/mail/vhosts/%d/%n

maildir_very_dirty_syncs = yes

managesieve_notify_capability = mailto

managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate

namespace inbox {

  inbox = yes

  location =  
  mailbox Drafts {

special_use = \Drafts

  }

  mailbox Junk {

special_use = \Junk

  }

  mailbox Sent {

special_use = \Sent

  }

  mailbox "Sent Messages" {

special_use = \Sent

  }

  mailbox Trash {

special_use = \Trash

  }

  prefix =  
}

passdb {

  driver = pam

}

passdb {

  args = scheme=PLAIN username_format=%u /etc/dovecot/dovecot-users

  driver = passwd-file

}

plugin {

  sieve = ~/.dovecot.sieve

  sieve_after = /var/mail/vmail/sieve-after

  sieve_before = /var/mail/vmail/sieve-before

  sieve_dir = ~/sieve

}

protocols = imap pop3 sieve

service auth {

  unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

  }

}

service imap-login {

  inet_listener imaps {

port = 993

ssl = yes

  }

}

service lmtp {

  unix_listener /var/spool/postfix/private/lmtp {

group = postfix

mode = 0600

user = postfix

  }

}

service pop3-login {

  inet_listener pop3s {

port = 995

ssl = yes

  }

}

ssl = required

ssl_ca =  was automatically
rejected:%n%r

}

protocol imap {

  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep

  mail_max_userip_connections = 10

}


Postfix/dovecot: user unrecognized, file permissions being misread

2016-07-03 Thread C. Andrews Lavarre
Hello all. Have spent several days following the excellent tutorial:

http://www.binarytides.com/install-postfix-dovecot-debian/

but still fail to have the user recognized and am getting log entries
that the mail directories are 0755 when I can clearly see that they are
0774.

Very puzzling, any help would be deeply appreciated.

Best regards, Andy
=== Details ===
• I can add directories under IMAP, so my IMAP login and permissions
must be correct.

• I can create an outgoing message under IMAP, but clicking SEND just
hangs. Logs do not indicate problem.

• I clearly can send it a message with smtp. The message is delivered
to postfix, but then dovecot fails to deliver it to a mailbox.
 Log Entries ----
# tail /var/log/mail 
postfix/qmgr[16390]: 9D6E8C1A77: from=,
size=2794, nrcpt=1 (queue active)
Message has been received 

postfix/lmtp[16770]: C218DC197D: to=,
relay=mail.privustech.com[private/lmtp], delay=2560,
delays=2260/0.01/300/0, dsn=4.4.2, status=deferred (conversation with
mail.privustech.com[private/lmtp] timed out while receiving the initial
server greeting)
lmtp is not working


# tail /var/log/dovecot.log 

auth-worker(16612): Info:
pam(alava...@privustech.com,98.179.190.111): unknown user 

imap-login: Info: Login: user=,
method=PLAIN, rip=98.179.190.111, lip=70.186.159.22, mpid=16615, TLS,
session= 

imap(alava...@privustech.com): Error:
mkdir(/var/mail/vhosts/privustech.com/alavarre/cur) failed: Permission
denied (euid=5000(vmail) egid=5000(vmail) missing +w perm:
/var/mail/vhosts/privustech.com/alavarre, dir owned by 0:0 mode=0755) 
However, the mail directory /var/mail/vhosts/privustech.com/alavarre is
 -rwxrwxr-- vmail:vmail and I have restarted both postfix and dovecot.

=
System is openSUSE Leap 42.1 (64). postfix and dovecot with SASL 
authentication, connecting through a Unix socket:
/etc/postfix/main.cf:
virtual_transport = lmtp:unix:private/lmtp

/etc/dovecot/conf.d/10-master.cf:
service lmtp {
  unix_listener /var/spool/postfix/private/lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
The lmtp socket is owned by postfix, while the mail system is owned by vmail, 
per the tutorial.

--

I am using virtual users (not system users) defined in 
/etc/dovecot/dovecot-users:
alava...@privustech.com:{plain}ksaj;flkasjd;ds;f

Thanks in advance, Andy
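A triage helper for the mkdir error quoted above, added here as an example and not code from the thread or from Dovecot: it parses the euid/egid, owner and mode out of the log line and applies the same owner/group/other rule the vmail process is subject to, so the logged "0:0 mode=0755" can be compared with what ls shows on the host. The sample line is constructed from the post; check_live is an assumed helper name.

```python
import os
import re
import stat
from typing import Optional

# Matches the "missing +w perm" detail Dovecot appends when mkdir() fails.
PERM_RE = re.compile(
    r"euid=(?P<uid>\d+)\([^)]*\) egid=(?P<gid>\d+)\([^)]*\) "
    r"missing \+(?P<want>[rwx]) perm: (?P<path>[^,]+), dir owned by "
    r"(?P<owner>\d+):(?P<group>\d+) mode=(?P<mode>[0-7]+)")

# Constructed sample: the log line quoted in the post above.
SAMPLE = ("imap(alava...@privustech.com): Error: "
          "mkdir(/var/mail/vhosts/privustech.com/alavarre/cur) failed: Permission "
          "denied (euid=5000(vmail) egid=5000(vmail) missing +w perm: "
          "/var/mail/vhosts/privustech.com/alavarre, dir owned by 0:0 mode=0755)")

def parse_perm_error(line: str) -> Optional[dict]:
    """Extract uid/gid, wanted bit, path, owner, group and octal mode; None if no match."""
    m = PERM_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"uid": int(d["uid"]), "gid": int(d["gid"]), "want": d["want"],
            "path": d["path"], "owner": int(d["owner"]),
            "group": int(d["group"]), "mode": int(d["mode"], 8)}

def has_perm(uid: int, gid: int, owner: int, group: int, mode: int, want: str = "w") -> bool:
    """Owner/group/other check for one bit; ignores ACLs and root's DAC override."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner:
        return bool((mode >> 6) & bit)   # owner triplet
    if gid == group:
        return bool((mode >> 3) & bit)   # group triplet
    return bool(mode & bit)              # everyone else

def explain(line: str) -> Optional[str]:
    """Say why the logged mkdir failed, or None if the line is not a perm error."""
    e = parse_perm_error(line)
    if e is None:
        return None
    if has_perm(e["uid"], e["gid"], e["owner"], e["group"], e["mode"], e["want"]):
        return "mode bits would allow it; check ACLs, mount options or the path"
    return (f"{e['path']} is owned by {e['owner']}:{e['group']} mode={e['mode']:04o}; "
            f"uid {e['uid']}/gid {e['gid']} matches neither, and 'other' lacks +{e['want']}")

def check_live(path: str, uid: int, gid: int, want: str = "w") -> bool:
    """Assumed helper: apply the same rule to the directory as it exists right now."""
    st = os.stat(path)
    return has_perm(uid, gid, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), want)
```

If explain() blames the mode bits while ls shows vmail:vmail, the process is most likely stat'ing a different directory than the one listed (mail_location expands %d/%n per user), which is worth confirming before loosening permissions.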


Re: Cannot connect to Dovecot IMAP or POP

2016-05-05 Thread C. Andrews Lavarre
  auth-mechanisms plain login cram-md5
Adding cram-md5 today resolved the "Connection Refused" issue.
Although it doesn't say so explicitly, my reading of
http://wiki2.dovecot.org/Authentication/Mechanisms
is that SSL/TLS puts a wrapper around plaintext passwords, so you don't
need an encrypted database. However, obviously, you need a scheme to
first decrypt the TLS envelope! So does cram-md5 do that?
Seems to work.
Thank you.

Default settings are included but commented out. In particular,
plaintext is by default disabled. So we uncomment and explicitly declare
disable_plaintext_auth = no
Restart: No change. Restore.

/etc/dovecot/conf.d/10-ssl.conf contains explicit referral to the
mail.privustech.com SSL files discussed above:
ssl = required
ssl_cert = 
 Re-read the following:
> 
> 1st
> http://wiki2.dovecot.org/PasswordDatabase
> 
> 2nd
> http://wiki2.dovecot.org/Authentication/Mechanisms
> 
> then edit /etc/dovecot/conf.d/10-auth.conf
> auth_mechanisms = plain login
> 
> On 05/04/16 19:00, C. Andrews Lavarre wrote:
> > Hello all. Thank you for your service.
> > 
> > Easy when you know how, but presently I do not. After literally
> > months of research and experimentation we simply cannot log into
> > our PAM / apache2 / postfix / dovecot pop3/imap STARTTLS email
> > server with an ordinary email client, e.g., Evolution or
> > Thunderbird.
> > 
> > We can connect to the host server in a host of different ways (no
> > pun intended)—http, https, ssh, vnc, telnet, openssl -sclient
> > 
> > Similarly we can connect to postfix and dovecot in yet another
> > number of ways—telnet, openssl -sclient—but cannot log in to the
> > email server with a normal email client (either Evolution or
> > Thunderbird) by either pop3 or imap.
> > 
> > SSL certificates are in place, verified, and tested.
> > 
> > Part of the problem is the many changes in all the involved
> > operating systems and protocols (e.g., imaps and pop3s are
> > deprecated, openSUSE has migrated to LEAP, etc.) so many of the
> > docs from Google are no longer valid. Additionally, there simply
> > are bugs: Leap 42.1 YAST does not work when it comes to setting up
> > websites. Documented. But I digress.
> > 
> > I'm sure it's something really simple, but it evades me. Research
> > details below. Any help would be more than appreciated.
> > 
> > Thanks in advance, Andy
> > 
> > === Configuration testing details
> > ===
> > 
> > System is:
> > Linux openSUSE Leap 42.1
> > Dovecot --version 2.2.18,
> > Postfix Version: 2.11.6-3.1
> > Apache2 Version: 2.4.16-9.1
> > 
> > Connections
> > 1. Evolution or Thunderbird to pop3 or imap reports:
> > The reported error was "Could not connect to
> > mail.privustech.com: Connection refused".
> > 
> > Both connect successfully to googlemail.com with the
> > same protocol:
> > Port 993 SSL on a dedicated port
> > 
> > I have also tried
> > Port 143 STARTTLS after connecting
> > without success
> > 
> > 2. openssl s_client -connect mail.privustech.com:xxx
> > a. xxx=25, 110, 143 all return
> > error:140770FC
> > 
> > b. xxx=993, 995 return
> > socket: Connection refused
> > connect:errno=111

Cannot connect to Dovecot IMAP or POP

2016-05-04 Thread C. Andrews Lavarre
Hello all. Thank you for your service.

Easy when you know how, but presently I do not. After literally months of 
research and experimentation we simply cannot log into our PAM / apache2 / 
postfix / dovecot pop3/imap STARTTLS email server with an ordinary email 
client, e.g., Evolution or Thunderbird.

We can connect to the host server in a host of different ways (no pun 
intended)—http, https, ssh, vnc, telnet, openssl -sclient

Similarly we can connect to postfix and dovecot in yet another number of 
ways—telnet, openssl -sclient—but cannot log in to the email server with a 
normal email client (either Evolution or Thunderbird) by either pop3 or imap.

SSL certificates are in place, verified, and tested.

Part of the problem is the many changes in all the involved operating systems 
and protocols (e.g., imaps and pop3s are deprecated, openSUSE has migrated to 
LEAP, etc.) so many of the docs from Google are no longer valid. Additionally, 
there simply are bugs: Leap 42.1 YAST does not work when it comes to setting up 
websites. Documented. But I digress.

I'm sure it's something really simple, but it evades me. Research details 
below. Any help would be more than appreciated.

Thanks in advance, Andy

=== Configuration testing details === 

System is:
Linux openSUSE Leap 42.1
Dovecot --version 2.2.18, 
Postfix Version: 2.11.6-3.1
Apache2 Version: 2.4.16-9.1

Connections
1. Evolution or Thunderbird to pop3 or imap reports:
The reported error was "Could not connect to 
mail.privustech.com: Connection refused".

Both connect successfully to googlemail.com with the same 
protocol:
Port 993 SSL on a dedicated port

I have also tried 
Port 143 STARTTLS after connecting
without success

2. openssl s_client -connect mail.privustech.com:xxx
a. xxx=25, 110, 143 all return
error:140770FC

b. xxx=993, 995 return
socket: Connection refused
connect:errno=111

3. telnet to
a. smtp works.

b. pop3
andy@tm2t:~> telnet 70.186.159.22 110
...
+OK POP3 2007e.104 server ready <48fa.572a0...@privustech.com>
...
user andy
-ERR Unknown AUTHORIZATION state command

c.  imap connects but does not allow login, and should not. 

http://marc.info/?l=imap&m=118775891829506&w=2
The most simple answer is "you cannot TELNET to a modern,
correctly-configured, IMAP server and log in to it."
andy@tm2t:~> telnet 70.186.159.22 143
...
* OK [...] privustech.com IMAP4rev1 2007e.404 at Wed, 4 May 2016 10:26:28 -0400 (EDT)
... A NO Invalid login credentials

Modules

• Apache2 works just fine. The server is up and answering. ping works 
just fine. We have http and https to all vhost sites (privustech, 
mailprivustech, nptbeyond, gvhl, truthcourage, and their www. subsites). 

• Postfix reports no errors. We can log in on localhost, send a message 
to ourselves and see the message. 

• Dovecot:
a. Logging is enabled in 10-logging.conf to 
/var/log/dovecot.conf but no logging has occurred there.

b. doveconf -n throws no errors.


Checks and tests completed

1. /etc/hosts is just fine.

2. Firewall is open for telnet, postfix, dovecot.

3. Added andy to dovecot, postfix groups, in addition to mail, reset 
password to ANDYbbs14@.

4. We tried enabling imaps, pop3s, but this command returns errors
about these protocols being obsolete.
https://tools.ietf.org/html/rfc2595
Use of these ports is discouraged in favor of the STARTTLS or STLS
commands.

5. Reviewed doveconf -n:
a. Note, there are no Dovecot users established other than
user postfix
group postfix
service auth { 
  unix_listener auth-userdb { 
group = postfix 
user = postfix 
  } 
}

i. postfi