Authenticating with checkpassword
I am trying to use the checkpassword authentication (https://wiki.dovecot.org/AuthDatabase/CheckPassword). I do have a working checkpassword program. The protocol expects to receive on fd 3 the following:

username\0password\0optionalstuff

I find that this works properly and the program can authenticate if the client is using PLAIN LOGIN. Both username and password are sent on fd 3. But, if the client has specified kerberos/gssapi authentication, then only the username is passed to checkpassword. The following is a debug dump from checkpassword showing the input read on fd 3 (12 bytes):

len 12: 636861726d61696e6500 charmaine...
User: [charmaine], PW: []

Without a password, checkpassword returns failure.

I am running dovecot in a Samba4 Active Directory. I have some email clients that use kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook). All users, however, are active directory domain users and all could potentially authenticate with AD credentials. I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via kerberos/GSSAPI has to also be in the mail server's /etc/passwd file with the same ID/PW as their AD credentials, which becomes a bit of a pain when the user changes his domain password.

Why does dovecot not pass the user's password to checkpassword? When I tried this a few years ago I thought it did. If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism?

Is there a solution to this?

THX --Mark
Re: Need to authenticate Outlook and NTLM
On Tue, 19 Feb 2019 08:53:13 +0200 Aki Tuomi wrote:
>
> On 19.2.2019 4.48, Mark Foley via dovecot wrote:
> > On Mon, 18 Feb 2019 10:17:16 - Stuart Henderson wrote:
> >> On 2019-02-13, Mark Foley via dovecot wrote:
> >>> Is it possible that no one on this list is authenticating Outlook with
> >>> Dovecot and NTLM?
> >> Yes, it's possible, the outdated instructions you found on the wiki
> >> suggests it's an uncommon configuration.
> > Hmmm, really? And yet Windows/Outlook is still the predominant email client
> > out there (unfortunately). Maybe everyone is going to outlook.com?
> >
> >> No actual answers from me, but it might give you some clues:
> >>
> >>> More on this ...
> >>>
> >>> I short-sheeted ntlm_auth to see what was being passed to it. It is
> >>> getting as arg1:
> >>>
> >>> --helper-protocol=squid-2.5-ntlmssp
> >>>
> >>> I tried running ntlm_auth at the command line as:
> >>>
> >>> ntlm_auth --username=user --password=password
> >>> --helper-protocol=squid-2.5-ntlmssp
> >>>
> >>> It did nothing, just hung there. The ntlm_auth man page says:
> >>>
> >>> --helper-protocol=PROTO
> >>> Operate as a stdio-based helper. Valid helper protocols are:
> >> The squid auth helpers are stdio-based, they run in a loop, reading from
> >> stdin, checking authentication, and return results on stdout. This avoids
> >> both passing sensitive data on the command line (visible to ps, at least
> >> briefly) and the need to keep forking and initialising a new process.
> >>
> >> So it's normal that it would just sit waiting for input.
> >>
> >> Dovecot is just reusing the same protocol that squid uses.
> > If --username and --password are passed on the command line, what is it
> > waiting for on stdin?
> > Normally, ntlm_auth, with id and pw passed on the command line prints,
> > "NT_STATUS_OK: The operation completed successfully. (0x0)" to stdout.
> > There is no further stdin input needed.
> >
> > Is there a way to disable the --helper-protocol in Dovecot?
> >
> >>> After more searching I came across this post,
> >>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> >>> which, in summary, said that ntlm_auth had to run as root. So, I added
> >>> the following to my dovecot config per that post's suggestion:
> >>>
> >>> service auth {
> >>>   user = root
> >>> }
> >>>
> >>> After restarting and trying again to connect from Outlook I got the
> >>> message:
> >>>
> >>> auth: Info: ntlm(?,192.168.0.58,): user not
> >>> authenticated: NT_STATUS_NO_MEMORY
> >> I don't know the full details of how samba/ntlm works, but this seems like
> >> an error coming from the server you're attempting to authenticate against.
> >> I think you should start debugging on the samba side - make sure tools
> >> like wbinfo are working, if not then debug those with samba, then move
> >> on to Dovecot after you have that working.
> > Samba has been running for years (with updates) and everything like wbinfo
> > works. Dovecot can authenticate with kerberos/GSSAPI, and other applications
> > can authenticate with ntlm_auth. My suspicion here is that the "user not
> > authenticated" problem is perhaps because dovecot cannot run the auth
> > service as root? The dovecot user is dovenull, so why would it be permitted
> > to run as root in any case?
> >
> > I think the problem is in invoking ntlm_auth. I tried simply returning zero
> > from my "fake" ntlm_auth, but that didn't work. Not sure what Dovecot is
> > expecting from ntlm_auth_helper.
> >
> > --Mark
>
> Hi,
>
> try
>
> service auth {
>   user = root
> }

Aki - yes, I did try that. It was in my original post but has been edited out of the email chain since.

Things I've tried since:

I installed squid -- it wasn't installed before.

Now, with the NTLM mechanism and:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

I get:

ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL

This link: https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html, suggests that I need to make /var/lib/samba/winbindd_privileged writable by, I assume, dovecot. Which I did. T
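A way to reproduce the "broken helper" reply outside Dovecot, added here as an example (it is not the poster's test and not Dovecot's code). Dovecot drives ntlm_auth over the squid-2.5-ntlmssp stdio protocol: it writes `YR <base64 NTLMSSP NEGOTIATE>` and expects `TT <base64 CHALLENGE>` back, then writes `KK <base64 AUTHENTICATE>` and gets `AF <user>` or `NA <reason>`; a `BH <reason>` line means the helper itself failed, which is what Dovecot logs as "ntlm_auth reports broken helper". The script below only performs the first step, so it needs no password and no client, and it can be run as the account Dovecot's auth service runs under (for example `sudo -u <auth user> python3 probe.py`) to check whether that account can reach winbindd through winbindd_privileged, independently of Dovecot. The NEGOTIATE flags default to the value in the post's log (bytes 07 82 08 a2); the helper command line, the `sudo` invocation and the reply classification texts are assumptions.

```python
import base64
import struct
import subprocess

# Added example (not from the post, not Dovecot code): talk the first step of the
# squid-2.5-ntlmssp helper protocol to ntlm_auth and classify the reply.

NTLMSSP_SIGNATURE = b"NTLMSSP\0"
NTLMSSP_NEGOTIATE = 1


def build_negotiate(flags=0xA2088207):
    """Build a 32-byte NTLMSSP Type 1 (NEGOTIATE) message with empty domain and
    workstation fields. The default flags are the ones Outlook sent in the post."""
    return (NTLMSSP_SIGNATURE
            + struct.pack("<II", NTLMSSP_NEGOTIATE, flags)
            + struct.pack("<HHI", 0, 0, 0)    # DomainName: len, maxlen, offset
            + struct.pack("<HHI", 0, 0, 0))   # Workstation: len, maxlen, offset


def classify(reply):
    """Map the helper's two-letter status to a human explanation (texts are ours)."""
    code = reply.split(" ", 1)[0] if reply else ""
    meanings = {
        "TT": "challenge returned: helper and winbindd are reachable from this account",
        "BH": "broken helper: check winbindd and the winbindd_privileged directory permissions",
        "NA": "helper refused the request",
        "AF": "authenticated",
    }
    return code, meanings.get(code, "unexpected reply")


def probe_helper(cmd=("ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"), timeout=10):
    """Send one YR request to the helper and return (code, explanation, raw first line).

    The helper exits when stdin closes, which subprocess.run does after writing
    the request, so the call does not hang the way a bare ntlm_auth did in the post.
    """
    request = "YR " + base64.b64encode(build_negotiate()).decode("ascii") + "\n"
    proc = subprocess.run(list(cmd), input=request, capture_output=True,
                          text=True, timeout=timeout)
    lines = proc.stdout.strip().splitlines()
    raw = lines[0] if lines else ""
    code, why = classify(raw)
    return code, why, raw


if __name__ == "__main__":
    print("%s: %s (%r)" % probe_helper())
```

A `TT` answer proves the helper can open its winbindd pipe as the calling user; a `BH` answer here, with the same `NT_STATUS_UNSUCCESSFUL` text Dovecot logs, moves the problem out of Dovecot and into Samba's side (winbindd running, and the `winbindd_privileged` directory's group readable by the calling account, as the ntlm_auth man page linked above says).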
Re: Need to authenticate Outlook and NTLM
On Mon, 18 Feb 2019 10:17:16 - Stuart Henderson wrote:
>
> On 2019-02-13, Mark Foley via dovecot wrote:
> > Is it possible that no one on this list is authenticating Outlook with
> > Dovecot and NTLM?
>
> Yes, it's possible, the outdated instructions you found on the wiki
> suggests it's an uncommon configuration.

Hmmm, really? And yet Windows/Outlook is still the predominant email client out there (unfortunately). Maybe everyone is going to outlook.com?

> No actual answers from me, but it might give you some clues:
>
> > More on this ...
> >
> > I short-sheeted ntlm_auth to see what was being passed to it. It is getting
> > as arg1:
> >
> > --helper-protocol=squid-2.5-ntlmssp
> >
> > I tried running ntlm_auth at the command line as:
> >
> > ntlm_auth --username=user --password=password
> > --helper-protocol=squid-2.5-ntlmssp
> >
> > It did nothing, just hung there. The ntlm_auth man page says:
> >
> > --helper-protocol=PROTO
> > Operate as a stdio-based helper. Valid helper protocols are:
>
> The squid auth helpers are stdio-based, they run in a loop, reading from
> stdin, checking authentication, and return results on stdout. This avoids both
> passing sensitive data on the command line (visible to ps, at least briefly)
> and the need to keep forking and initialising a new process.
>
> So it's normal that it would just sit waiting for input.
>
> Dovecot is just reusing the same protocol that squid uses.

If --username and --password are passed on the command line, what is it waiting for on stdin? Normally, ntlm_auth, with id and pw passed on the command line, prints "NT_STATUS_OK: The operation completed successfully. (0x0)" to stdout. There is no further stdin input needed.

Is there a way to disable the --helper-protocol in Dovecot?

> > After more searching I came across this post,
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> > which, in summary, said that ntlm_auth had to run as root. So, I added the
> > following to my dovecot config per that post's suggestion:
> >
> > service auth {
> >   user = root
> > }
> >
> > After restarting and trying again to connect from Outlook I got the message:
> >
> > auth: Info: ntlm(?,192.168.0.58,): user not
> > authenticated: NT_STATUS_NO_MEMORY
>
> I don't know the full details of how samba/ntlm works, but this seems like
> an error coming from the server you're attempting to authenticate against.
> I think you should start debugging on the samba side - make sure tools
> like wbinfo are working, if not then debug those with samba, then move
> on to Dovecot after you have that working.

Samba has been running for years (with updates) and everything like wbinfo works. Dovecot can authenticate with kerberos/GSSAPI, and other applications can authenticate with ntlm_auth. My suspicion here is that the "user not authenticated" problem is perhaps because dovecot cannot run the auth service as root? The dovecot user is dovenull, so why would it be permitted to run as root in any case?

I think the problem is in invoking ntlm_auth. I tried simply returning zero from my "fake" ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from ntlm_auth_helper.

--Mark
Re: Need to authenticate Outlook and NTLM
Is it possible that no one on this list is authenticating Outlook with Dovecot and NTLM?

--Mark

-----Original Message-----
Date: Fri, 08 Feb 2019 00:51:01 -0500
To: dovecot@dovecot.org
Subject: Re: Need to authenticate Outlook and NTLM
From: Mark Foley via dovecot

More on this ...

I short-sheeted ntlm_auth to see what was being passed to it. It is getting as arg1:

--helper-protocol=squid-2.5-ntlmssp

I tried running ntlm_auth at the command line as:

ntlm_auth --username=user --password=password --helper-protocol=squid-2.5-ntlmssp

It did nothing, just hung there. The ntlm_auth man page says:

--helper-protocol=PROTO
    Operate as a stdio-based helper. Valid helper protocols are:

    squid-2.5-ntlmssp
        Server-side helper for use with Squid 2.5's NTLMSSP authentication. Requires access to the directory winbindd_privileged in $LOCKDIR. The protocol used is described here: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the YR command. (Thus avoiding loss of information in the protocol exchange).

Squid NTLM authentication? As far as I know, I don't have Squid.

If I leave off the --helper-protocol bit on the ntlm_auth command line, it returns an OK status. Is there a way to NOT pass "--helper-protocol=squid-2.5-ntlmssp"? Would this help?

--Mark

-----Original Message-----
Date: Fri, 08 Feb 2019 00:19:19 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Need to authenticate Outlook and NTLM

I've posted questions on this before, but now I really, really need a solution.

Using Dovecot 2.2.33.2

We've been using Dovecot as IMAP server for several years on a Linux host which is also the Active Directory / Domain Controller. We have both Thunderbird and Outlook clients. The Thunderbird clients authenticate w/o problem with AD credentials using Kerberos/GSSAPI. I've never been able to get the Outlook clients to authenticate using domain credentials, so I've also hard-coded user and password into /etc/passwd and let Dovecot authenticate via PLAIN LOGIN. Now, however, I am mandated to switch all users to Outlook, so I need an AD credential solution.

I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those instructions. The first problem I ran into was in Step 3 where it said to put the following line in the config:

auth_ntlm_use_winbind = yes

This gave me an error when I restarted Dovecot:

Restarting Dovecot
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: auth_ntlm_use_winbind

Googling this error indicated that this was a version 1.x directive and 2.x used only auth_use_winbind. I removed the auth_ntlm_use_winbind and Dovecot restarted. If this is true, the wiki should be updated since it purports to be a version 2.x wiki.

I followed the rest of the instructions on that wiki and my modified config is:

$ doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.157 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL

After more searching I came across this post, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263 which, in summary, said that ntlm_auth had to run as root. So, I added the following to my dovecot config per that post's suggestion:

service auth {
  user = root
}

After restarting and trying again to connect from Outlook I got the message:

auth: Info: ntlm(?,192.168.0.58,): user not authenticated: NT_STATUS_NO_MEMORY

At this point I've been unable to find a solution to this error. I've listed the entire dovecot log output for this last attempt to connect from Outlook below. Has anyone in the Universe successfully connected from Outlook using active domain credentials? If so, what's the secret? What am I not doing correctly?

Thanks for any and all help!

--Mark

dovecot log:

Feb 07 23:39:40 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Feb 07 23:39:40 auth: Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb 07 23:39:40 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357)
Feb 07 23:39:40 auth: Debug: client in: AUTH 1 NTLM service=imap session=SCINjFqBKcXAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=50
Need to authenticate Outlook and NTLM
I've posted questions on this before, but now I really, really need a solution.

Using Dovecot 2.2.33.2

We've been using Dovecot as IMAP server for several years on a Linux host which is also the Active Directory / Domain Controller. We have both Thunderbird and Outlook clients. The Thunderbird clients authenticate w/o problem with AD credentials using Kerberos/GSSAPI. I've never been able to get the Outlook clients to authenticate using domain credentials, so I've also hard-coded user and password into /etc/passwd and let Dovecot authenticate via PLAIN LOGIN. Now, however, I am mandated to switch all users to Outlook, so I need an AD credential solution.

I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those instructions. The first problem I ran into was in Step 3 where it said to put the following line in the config:

auth_ntlm_use_winbind = yes

This gave me an error when I restarted Dovecot:

Restarting Dovecot
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: auth_ntlm_use_winbind

Googling this error indicated that this was a version 1.x directive and 2.x used only auth_use_winbind. I removed the auth_ntlm_use_winbind and Dovecot restarted. If this is true, the wiki should be updated since it purports to be a version 2.x wiki.

I followed the rest of the instructions on that wiki and my modified config is:

$ doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.157 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL

After more searching I came across this post, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263 which, in summary, said that ntlm_auth had to run as root. So, I added the following to my dovecot config per that post's suggestion:

service auth {
  user = root
}

After restarting and trying again to connect from Outlook I got the message:

auth: Info: ntlm(?,192.168.0.58,): user not authenticated: NT_STATUS_NO_MEMORY

At this point I've been unable to find a solution to this error. I've listed the entire dovecot log output for this last attempt to connect from Outlook below. Has anyone in the Universe successfully connected from Outlook using active domain credentials? If so, what's the secret? What am I not doing correctly?

Thanks for any and all help!

--Mark

dovecot log:

Feb 07 23:39:40 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Feb 07 23:39:40 auth: Debug: Module loaded: /usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb 07 23:39:40 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357)
Feb 07 23:39:40 auth: Debug: client in: AUTH 1 NTLM service=imap session=SCINjFqBKcXAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=50473
Feb 07 23:39:40 auth: Debug: client passdb out: CONT 1
Feb 07 23:39:40 auth: Debug: client in: CONT 1 TlRMTVNTUAABB4IIogAGAbEdDw== (previous base64 data may contain sensitive data)
Feb 07 23:39:40 auth: Debug: client passdb out: CONT 1 TlRMTVNTUAACCAAIADgFgomifTyOI3AwfogAAGIAYgBABgEAAA9IAFAAUgBTAAIACABIAFAAUgBTAAEACABNAEEASQBMAAQAFABoAHAAcgBzAC4AbABvAGMAYQBsAAMAHgBtAGEAaQBsAC4AaABwAHIAcwAuAGwAbwBjAGEAbAAHAAgAVIrLTWi/1AEA
Feb 07 23:39:40 auth: Debug: client in: CONT 1 TlRMTVNTUAADGAAYAGwAAAD8APwAhABYCAAIAFgMAAwAYACAAQAABYKIogYBsR0PEulY2h+wL/nnNAXbmMSVx20AYQByAGsAQwBPAE0ATQBPAE4A5+rNhVU1odt5650z/pNVpQEBVIrLTWi/1AFg5+W08PtmxQACAAgASABQAFIAUwABAAgATQBBAEkATAAEABQAaABwAHIAcwAuAGwAbwBjAGEAbAADAB4AbQBhAGkAbAAuAGgAcAByAHMALgBsAG8AYwBhAGwABwAIAFSKy01ov9QBBgAEAAIIADAAMAABACAAAOity40ZG1J9BpqGn4TwBjP02UByQ6D/OUD6DrRDhg+3CgAQAAAJABIAaQBtAGEAcAAvAG0AYQBpAGwA (previous base64 data may contain sensitive data)
Feb 07 23:39:40 auth: Info: ntlm(?,192.168.0.58,): user not authenticated: NT_STATUS_NO_MEMORY
Feb 07 23:39:42 auth: Debug: client passdb out: FAIL 1
email not visible in users mail client
I have an odd issue. One user has an email in her Maildir/cur folder named:

1545229920.27374_0.mail:2,

She cannot see this message in her mail client (Thunderbird). All other emails have 'S' and 'W' components to the name, e.g.

1488471573.M167365P19808.mail,S=41356,W=42118:2,RS

but this one does not. Would that somehow make a difference in it being visible to the mail client? Why would this message have been saved without the 'S' and 'W' bits? In fact, there are two such messages with this abbreviated file name, both from the same sender. Is there possibly something about the message that affects naming?

Dovecot version 2.2.33.2

THX --Mark
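For reference, what the two name shapes in the post mean, with an added Python example that is not from the post or from Dovecot. A Maildir file name is `<unique>[,<key>=<value>...]:2,<flags>`; Dovecot's documented extra keys are `S=` (the file size on disk, so it can skip a stat()) and `W=` (the RFC822.SIZE, i.e. the size with CRLF line endings). Both are optional: Dovecot adds them to files it writes itself (the `M<usec>P<pid>` unique part in the second name is Dovecot's own naming) and computes them for files that another delivery program wrote without them, so their absence alone does not hide a message. The sample message bytes in the test are constructed.

```python
import re

# Added example (not from the post or Dovecot): take a Maildir file name apart.
#   <unique>[,<key>=<value>...]:2,<flags>
#   S=<size>   file size on disk (Dovecot extension)
#   W=<vsize>  RFC822.SIZE, size with CRLF line endings (Dovecot extension)
_NAME_RE = re.compile(
    r"^(?P<base>[^,:]+)"               # unique part, e.g. 1545229920.27374_0.mail
    r"(?P<attrs>(?:,[A-Z]=[^,:]+)*)"   # zero or more ,K=value attributes
    r"(?::2,(?P<flags>[A-Za-z]*))?$"   # optional info section with flag letters
)


def parse_maildir_name(name):
    """Return {'base': ..., 'attrs': {...}, 'flags': set(...)} or raise ValueError."""
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError("not a Maildir file name: %r" % name)
    attrs = {}
    for item in m.group("attrs").split(","):
        if item:
            key, value = item.split("=", 1)
            attrs[key] = int(value) if value.isdigit() else value
    return {"base": m.group("base"), "attrs": attrs, "flags": set(m.group("flags") or "")}


def virtual_size(raw):
    """RFC822.SIZE of a raw message: every bare LF is counted as CRLF (what W= stores)."""
    return len(raw) + raw.count(b"\n") - raw.count(b"\r\n")


def name_with_sizes(base, raw, flags=""):
    """Name for `raw` with S= and W= filled in, flags sorted as Dovecot writes them."""
    return "%s,S=%d,W=%d:2,%s" % (base, len(raw), virtual_size(raw), "".join(sorted(flags)))
```

A quick consistency check for a file that does carry the keys: `S=` must equal the file's byte size and `W=` must equal `virtual_size()` of its contents; a mismatch points at a file that was edited in place after delivery, which Dovecot's documentation warns against.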
Re: Need to convert mbox to Maildir
On Tue, 2 Oct 2018 21:17:20 +0300 Sami Ketola wrote:
>
> > On 2 Oct 2018, at 21.05, Mark Foley wrote:
> >
> > I have an mbox file of emails. I want to convert this to Maildir giving me
> > individual message files per email. I've looked at dsync, but as far as I
> > can tell this wants a specific target user and it appears that it will
> > "distribute" the converted messages into that user's INBOX.
> >
> > I don't want to put these mbox messages into any particular user's Maildir
> > hierarchy, just export to file-per-message format to a destination
> > directory of my choosing.
> >
> > Is this possible?
>
> Yes.
>
> [root@ketola /]# mkdir /test
> [root@ketola /]# chown vmail /test
> [root@ketola /]# doveadm backup -u sami Maildir:/test/
>
> done.
>
> Sami

Excellent! Thank you. I'll give that a try. I also found: mb2md.pl downloadable from https://wiki.dovecot.org/Migration/MailFormat.

--Mark
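An alternative to the `doveadm backup` answer above that needs no Dovecot user context at all: the Python standard library's `mailbox` module reads mbox and writes Maildir directly. This is an added example, not from the thread or from Dovecot; the input path and output directory are whatever you pass in. The module converts mbox `Status`/`X-Status` flags into Maildir flags when an mbox message is turned into a `MaildirMessage`, so read and answered status survive; an existing Maildir at the destination is appended to rather than replaced. The mbox content in the test is constructed.

```python
import mailbox

# Added example (not from the thread, not Dovecot code): mbox -> Maildir with
# the standard library, one file per message, into a directory of your choosing.


def mbox_to_maildir(mbox_path, maildir_path):
    """Copy every message of the mbox file into the Maildir at maildir_path.

    Creates cur/new/tmp if needed. Read/answered/deleted status from the mbox
    Status and X-Status headers becomes Maildir flags (S, R, T) and read
    messages land in cur/, unread ones in new/. Returns the number copied.
    """
    src = mailbox.mbox(mbox_path)
    dst = mailbox.Maildir(maildir_path, create=True)
    copied = 0
    try:
        src.lock()                       # consistent view if an MDA still appends
        for key in src.iterkeys():       # per-key so a bad message is attributable
            msg = mailbox.MaildirMessage(src.get_message(key))
            dst.add(msg)                 # written to tmp/, then renamed into place
            copied += 1
        dst.flush()
    finally:
        src.unlock()
        src.close()
        dst.close()
    return copied


def count_messages(maildir_path):
    """Number of messages Dovecot-style readers would see in cur/ plus new/."""
    return len(mailbox.Maildir(maildir_path, create=False))
```

Afterwards `chown -R` the directory to the account that will read it and give it `og-rwx` like the other Maildirs; Dovecot builds its index and uidlist on first access, so nothing else needs to be generated.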
Need to convert mbox to Maildir
I have an mbox file of emails. I want to convert this to Maildir giving me individual message files per email. I've looked at dsync, but as far as I can tell this wants a specific target user and it appears that it will "distribute" the converted messages into that user's INBOX.

I don't want to put these mbox messages into any particular user's Maildir hierarchy, just export to file-per-message format to a destination directory of my choosing.

Is this possible?

THX --Mark
Re: folders not visible on copied mail folders
Shortly after this post, I found a solution here: http://forums.mozillazine.org/viewtopic.php?t=1097725

In order to see the .Dennis\ Email.Dennis\ Inbox sub-folder you have to collapse and re-expand the folder list in Thunderbird. It's that simple ... AND that annoyingly obscure!

Thanks for your help! --Mark

-----Original Message-----
From: Mark Foley
Date: Thu, 19 Jul 2018 21:21:34 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: folders not visible on copied mail folders

On Thu, 19 Jul 2018 08:11:40 +0200 Steffen Kaiser wrote:
>
> On Thu, 19 Jul 2018, Mark Foley wrote:
> > On Wed, 18 Jul 2018 07:23:06 +0200 Steffen Kaiser
> > wrote:
> >>
> >> On Tue, 17 Jul 2018, Mark Foley wrote:
> >>> On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser
> >>> wrote:
> >>>>
> >>>> On Mon, 16 Jul 2018, Mark Foley wrote:
> >>>>
> >>>>> We had a user quit recently. Three days ago I copied his entire
> >>>>> Maildir folder to another user to that user's Maildir/.JoesEmail. I
> >>>>> changed ownership and made the permission 'chmod -R og-rwx .', just
> >>>>> like all the other files/directories of the new owner. This didn't
> >>>>> work to show the new folder. Today, in his Thunderbird client, I
> >>>>> subscribed to the 'JoesEmail' folder. I restarted dovecot and
> >>>>> restarted Thunderbird.
> >>>>>
> >>>>> In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and
> >>>>> shows none of the subordinate mail folders. I ran 'doveadm index -u
> >>>>> newowner JoesEmail' and 'doveadm force-resync -u newowner JoesEmail'.
> >>>>> This didn't help.
> >>>>>
> >>>>> I did this once before with a previous user who quit and only changed
> >>>>> ownership, no subscribing, no doveadm, and that worked.
> >>>>>
> >>>>> What am I doing wrong?
> >>>>
> >>>> Your description might be interpreted one way or another, esp. "copied
> >>>> his entire Maildir folder ... to that user's Maildir/.JoesEmail".
> >>>>
> >>>> Also, it depends on how you have configured mail_location.
> >>>>
> >>>> If this means that you have:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> >>>> now, that will clash with the standard Maildir format:
> >>>> https://wiki2.dovecot.org/MailboxFormat/Maildir
> >>>>
> >>>> You would need to move the subfolders with a leading dot of .JoesEmail
> >>>> into:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
> >>>>
> >>>> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
> >>>>
> >>>> Subscription is needed only, if the mail client "displays subscribed
> >>>> folders only" or does not "display all folders". The meaning of the
> >>>> setting varies from client to client.
> >>>>
> >>>> Another way would be to keep the other account and share it via ACLs:
> >>>> https://wiki2.dovecot.org/SharedMailboxes/Shared
> >>>>
> >>>> Steffen Kaiser
> >>>
> >>> Steffen, thanks for your reply. I did have the copied folders as shown in
> >>> your first example. I changed that to what you show as the remedy. The
> >>> target user's Maildir folder now has:
> >>>
> >>> drwx------ 5 mpress domusers 4096 2017-06-28 20:07 .Deleted\ Messages.Junk/
> >>> drwx------ 5 mpress domusers 4096 2018-07-16 23:22 .Delta\ Dental/
> >>> drwx------ 21 mpress domusers 4096 2018-07-17 16:48 .Dennis\ Email/
> >>> drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items/
> >>> drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items.Sent/
> >>> drwx------ 5 mpress domusers 4096 2018-07-17 17:02 .Drafts/
> >>
Re: folders not visible on copied mail folders
On Thu, 19 Jul 2018 08:11:40 +0200 Steffen Kaiser wrote:
>
> On Thu, 19 Jul 2018, Mark Foley wrote:
> > On Wed, 18 Jul 2018 07:23:06 +0200 Steffen Kaiser
> > wrote:
> >>
> >> On Tue, 17 Jul 2018, Mark Foley wrote:
> >>> On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser
> >>> wrote:
> >>>>
> >>>> On Mon, 16 Jul 2018, Mark Foley wrote:
> >>>>
> >>>>> We had a user quit recently. Three days ago I copied his entire
> >>>>> Maildir folder to another user to that user's Maildir/.JoesEmail. I
> >>>>> changed ownership and made the permission 'chmod -R og-rwx .', just
> >>>>> like all the other files/directories of the new owner. This didn't
> >>>>> work to show the new folder. Today, in his Thunderbird client, I
> >>>>> subscribed to the 'JoesEmail' folder. I restarted dovecot and
> >>>>> restarted Thunderbird.
> >>>>>
> >>>>> In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and
> >>>>> shows none of the subordinate mail folders. I ran 'doveadm index -u
> >>>>> newowner JoesEmail' and 'doveadm force-resync -u newowner JoesEmail'.
> >>>>> This didn't help.
> >>>>>
> >>>>> I did this once before with a previous user who quit and only changed
> >>>>> ownership, no subscribing, no doveadm, and that worked.
> >>>>>
> >>>>> What am I doing wrong?
> >>>>
> >>>> Your description might be interpreted one way or another, esp. "copied
> >>>> his entire Maildir folder ... to that user's Maildir/.JoesEmail".
> >>>>
> >>>> Also, it depends on how you have configured mail_location.
> >>>>
> >>>> If this means that you have:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> >>>> now, that will clash with the standard Maildir format:
> >>>> https://wiki2.dovecot.org/MailboxFormat/Maildir
> >>>>
> >>>> You would need to move the subfolders with a leading dot of .JoesEmail
> >>>> into:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
> >>>>
> >>>> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
> >>>>
> >>>> Subscription is needed only, if the mail client "displays subscribed
> >>>> folders only" or does not "display all folders". The meaning of the
> >>>> setting varies from client to client.
> >>>>
> >>>> Another way would be to keep the other account and share it via ACLs:
> >>>> https://wiki2.dovecot.org/SharedMailboxes/Shared
> >>>>
> >>>> Steffen Kaiser
> >>>
> >>> Steffen, thanks for your reply. I did have the copied folders as shown in
> >>> your first example. I changed that to what you show as the remedy. The
> >>> target user's Maildir folder now has:
> >>>
> >>> drwx------ 5 mpress domusers 4096 2017-06-28 20:07 .Deleted\ Messages.Junk/
> >>> drwx------ 5 mpress domusers 4096 2018-07-16 23:22 .Delta\ Dental/
> >>> drwx------ 21 mpress domusers 4096 2018-07-17 16:48 .Dennis\ Email/
> >>> drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items/
> >>> drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items.Sent/
> >>> drwx------ 5 mpress domusers 4096 2018-07-17 17:02 .Drafts/
> >>> drwx------ 5 mpress domusers 4096 2018-07-17 16:35 .ESI/
> >>>
> >>> Where '.Dennis Email' is the folder for the old user. I copied the old
> >>> user's 'Maildir/.Deleted Items' and 'Maildir/.Deleted Items/Sent' to the
> >>> target user's 'Maildir/.Dennis Email.Deleted Items' and
> >>> 'Maildir/.Deleted Items/Sent', respectively. That's how I understood what
> >>> you advised. There are more such subfolders, but I th
Re: folders not visible on copied mail folders
On Wed, 18 Jul 2018 07:23:06 +0200 Steffen Kaiser wrote:
>
> On Tue, 17 Jul 2018, Mark Foley wrote:
> > On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser
> > wrote:
> >>
> >> On Mon, 16 Jul 2018, Mark Foley wrote:
> >>
> >>> We had a user quit recently. Three days ago I copied his entire Maildir
> >>> folder to another user to that user's Maildir/.JoesEmail. I changed
> >>> ownership and made the permission 'chmod -R og-rwx .', just like all the
> >>> other files/directories of the new owner. This didn't work to show the
> >>> new folder. Today, in his Thunderbird client, I subscribed to the
> >>> 'JoesEmail' folder. I restarted dovecot and restarted Thunderbird.
> >>>
> >>> In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and
> >>> shows none of the subordinate mail folders. I ran 'doveadm index -u
> >>> newowner JoesEmail' and 'doveadm force-resync -u newowner JoesEmail'.
> >>> This didn't help.
> >>>
> >>> I did this once before with a previous user who quit and only changed
> >>> ownership, no subscribing, no doveadm, and that worked.
> >>>
> >>> What am I doing wrong?
> >>
> >> Your description might be interpreted one way or another, esp. "copied his
> >> entire Maildir folder ... to that user's Maildir/.JoesEmail".
> >>
> >> Also, it depends on how you have configured mail_location.
> >>
> >> If this means that you have:
> >> Maildir/.JoesEmail/{new,cur,tmp}
> >> Maildir/.JoesEmail/.mailbox/{new,cur,tmp}
> >> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> >> now, that will clash with the standard Maildir format:
> >> https://wiki2.dovecot.org/MailboxFormat/Maildir
> >>
> >> You would need to move the subfolders with a leading dot of .JoesEmail
> >> into:
> >> Maildir/.JoesEmail/{new,cur,tmp}
> >> Maildir/.JoesEmail.mailbox/{new,cur,tmp}
> >> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
> >>
> >> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
> >>
> >> Subscription is needed only, if the mail client "displays subscribed
> >> folders only" or does not "display all folders". The meaning of the
> >> setting varies from client to client.
> >>
> >> Another way would be to keep the other account and share it via ACLs:
> >> https://wiki2.dovecot.org/SharedMailboxes/Shared
> >>
> >> Steffen Kaiser
> >
> > Steffen, thanks for your reply. I did have the copied folders as shown in
> > your first example. I changed that to what you show as the remedy. The
> > target user's Maildir folder now has:
> >
> > drwx------ 5 mpress domusers 4096 2017-06-28 20:07 .Deleted\ Messages.Junk/
> > drwx------ 5 mpress domusers 4096 2018-07-16 23:22 .Delta\ Dental/
> > drwx------ 21 mpress domusers 4096 2018-07-17 16:48 .Dennis\ Email/
> > drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items/
> > drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items.Sent/
> > drwx------ 5 mpress domusers 4096 2018-07-17 17:02 .Drafts/
> > drwx------ 5 mpress domusers 4096 2018-07-17 16:35 .ESI/
> >
> > Where '.Dennis Email' is the folder for the old user. I copied the old
> > user's 'Maildir/.Deleted Items' and 'Maildir/.Deleted Items/Sent' to the
> > target user's 'Maildir/.Dennis Email.Deleted Items' and
> > 'Maildir/.Deleted Items/Sent', respectively. That's how I understood what
> > you advised. There are more such subfolders, but I thought I'd try this
> > one first.
> >
> > However, still only the "Dennis Email" folder shows in the mail client,
> > empty, no sub-folders even though "Deleted Items.Sent/cur" has plenty of
> > mail files (1522).
> >
> > I did try running 'doveadm index -u mpress "Dennis Email"', again; and
> > restarting dovecot and thunderbird again, but still nothing.
>
> First check if Dovecot thinks the folders are there:
>
> doveadm mailbox list -u "mpress" | grep Dennis

yes:

# doveadm mailbox list -u "mpress" | grep Dennis
Dennis Email
Dennis Email.Deleted Items
Dennis Email.Deleted Items.Sent

> Then make sure that each of the three folders contain the cur, new, tmp
> subfolders.

They do:

drwx---
Re: folders not visible on copied mail folders
On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser wrote:
>
> On Mon, 16 Jul 2018, Mark Foley wrote:
>
> > We had a user quit recently. Three days ago I copied his entire Maildir folder to another user to that user's Maildir/.JoesEmail. I changed ownership and made the permission 'chmod -R og-rwx .', just like all the other files/directories of the new owner. This didn't work to show the new folder. Today, in his Thunderbird client, I subscribed to the 'JoesEmail' folder. I restarted dovecot and restarted Thunderbird.
> >
> > In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and shows none of the subordinate mail folders. I ran 'doveadm index -u newowner JoesEmail' and 'doveadm force-resync -u newowner JoesEmail'. This didn't help.
> >
> > I did this once before with a previous user who quit and only changed ownership, no subscribing, no doveadm, and that worked.
> >
> > What am I doing wrong?
>
> Your description might be interpreted one way or another, esp. "copied his entire Maildir folder ... to that user's Maildir/.JoesEmail".
>
> Also, it depends on how you have configured mail_location.
>
> If this means that you have:
> Maildir/.JoesEmail/{new,cur,tmp}
> Maildir/.JoesEmail/.mailbox/{new,cur,tmp}
> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> now, that will clash with the standard Maildir format:
> https://wiki2.dovecot.org/MailboxFormat/Maildir
>
> You would need to move the subfolders with a leading dot of .JoesEmail into:
> Maildir/.JoesEmail/{new,cur,tmp}
> Maildir/.JoesEmail.mailbox/{new,cur,tmp}
> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
>
> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
>
> Subscription is needed only, if the mail client "displays subscribed folders only" or does not "display all folders". The meaning of the setting varies from client to client.
>
> Another way would be to keep the other account and share it via ACLs:
> https://wiki2.dovecot.org/SharedMailboxes/Shared
>
> Steffen Kaiser

Steffen, thanks for your reply. I did have the copied folders as shown in your first example. I changed that to what you show as the remedy. The target user's Maildir folder now has:

drwx------ 5 mpress domusers 4096 2017-06-28 20:07 .Deleted\ Messages.Junk/
drwx------ 5 mpress domusers 4096 2018-07-16 23:22 .Delta\ Dental/
drwx------ 21 mpress domusers 4096 2018-07-17 16:48 .Dennis\ Email/
drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items/
drwx------ 5 mpress domusers 4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ Items.Sent/
drwx------ 5 mpress domusers 4096 2018-07-17 17:02 .Drafts/
drwx------ 5 mpress domusers 4096 2018-07-17 16:35 .ESI/

Where '.Dennis Email' is the folder for the old user. I copied the old user's 'Maildir/.Deleted Items' and 'Maildir/.Deleted Items/Sent' to the target user's 'Maildir/.Dennis Email.Deleted Items' and 'Maildir/.Deleted Items/Sent', respectively. That's how I understood what you advised. There are more such subfolders, but I thought I'd try this one first.

However, still only the "Dennis Email" folder shows in the mail client, empty, no sub-folders even though "Deleted Items.Sent/cur" has plenty of mail files (1522).

I did try running 'doveadm index -u mpress "Dennis Email"', again; and restarting dovecot and thunderbird again, but still nothing.

What else can I try?

THX --Mark
folders not visible on copied mail folders
We had a user quit recently. Three days ago I copied his entire Maildir folder to another user to that user's Maildir/.JoesEmail. I changed ownership and made the permission 'chmod -R og-rwx .', just like all the other files/directories of the new owner. This didn't work to show the new folder. Today, in his Thunderbird client, I subscribed to the 'JoesEmail' folder. I restarted dovecot and restarted Thunderbird. In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and shows none of the subordinate mail folders. I ran 'doveadm index -u newowner JoesEmail' and 'doveadm force-resync -u newowner JoesEmail'. This didn't help. I did this once before with a previous user who quit and only changed ownership, no subscribing, no doveadm, and that worked. What am I doing wrong? THX --Mark
Re: AuthDatabase CheckPassword broken?
Script didn't run:

  File "/root/tmp/checkpwtest.py", line 8
    o?= with os.fdopen(DOVECOT_PW_FD, 'r') as s:
                                               ^
SyntaxError: invalid syntax

--Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 01 Feb 2018 15:34:15 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: AuthDatabase CheckPassword broken?

On Thu, 1 Feb 2018 10:02:10 +0200 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> On 01.02.2018 08:00, Mark Foley wrote:
> > I had been using the CheckPassword authentication interface with dovecot 2.2.15, https://wiki2.dovecot.org/AuthDatabase/CheckPassword, and it was working.
> >
> > After upgrading to 2.2.33.2 CheckPassword no longer works. The referenced wiki page says,
> >
> > Checkpassword Interface
> >
> > Read NUL NUL from fd 3.
> >
> > I've checked the information read from fd 3 with 2.2.33.2 and I get followed by 3 nulls. I'm guessing the 2nd null is supposed to be the password.
> >
> > Why is this no longer working? How can I fix it?
> >
> > THX --Mark
>
> Our CI has test
>
> #!/usr/bin/env python
> # -*- coding: utf-8 -*-
> import os, sys
>
> DOVECOT_PW_FD = 3
>
> def checkPassword():
>     with os.fdopen(DOVECOT_PW_FD, 'r') as s:
>         data = s.read().split("\0")
>     if data[0] != "testuser" or data[1] != "pass":
>         return False
>     os.environ["USER"] = data[0]
>     os.environ["EXTRA"] = "userdb_uid=vmail userdb_gid=vmail"
>     return True
>
> if __name__ == "__main__":
>     if not checkPassword():
>         sys.exit(1)
>     os.execv(sys.argv[1], sys.argv[1:])
>
> And it seems to work.
>
> Aki

Thanks for the script. I'm testing this on a production system, so I'll have to wait until after business hours to test. Meanwhile, not being a python wizard, I have a couple of questions.

I have to run this script as my passdb { args } parameter, right?

On the line where it is checking for "testuser" and password "test", I assume that if I want to use a configured user I can just change these, right?

Likewise with "userdb_uid=vmail userdb_gid=vmail", what are these? UID/GID of the user?

Is there a way in python to output the values in data[0] and data[1] to a file so I can see what's actually received? If after the 'split' line I added:

f = open("/tmp/checkpassword.log","a")
f.write("Name: " + data[0] + ", PW: " + data[1])
f.close()

Would that work?

--THX Mark
Re: AuthDatabase CheckPassword broken?
On Thu, 1 Feb 2018 10:02:10 +0200 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> On 01.02.2018 08:00, Mark Foley wrote:
> > I had been using the CheckPassword authentication interface with dovecot 2.2.15, https://wiki2.dovecot.org/AuthDatabase/CheckPassword, and it was working.
> >
> > After upgrading to 2.2.33.2 CheckPassword no longer works. The referenced wiki page says,
> >
> > Checkpassword Interface
> >
> > Read NUL NUL from fd 3.
> >
> > I've checked the information read from fd 3 with 2.2.33.2 and I get followed by 3 nulls. I'm guessing the 2nd null is supposed to be the password.
> >
> > Why is this no longer working? How can I fix it?
> >
> > THX --Mark
>
> Our CI has test
>
> #!/usr/bin/env python
> # -*- coding: utf-8 -*-
> import os, sys
>
> DOVECOT_PW_FD = 3
>
> def checkPassword():
>     with os.fdopen(DOVECOT_PW_FD, 'r') as s:
>         data = s.read().split("\0")
>     if data[0] != "testuser" or data[1] != "pass":
>         return False
>     os.environ["USER"] = data[0]
>     os.environ["EXTRA"] = "userdb_uid=vmail userdb_gid=vmail"
>     return True
>
> if __name__ == "__main__":
>     if not checkPassword():
>         sys.exit(1)
>     os.execv(sys.argv[1], sys.argv[1:])
>
> And it seems to work.
>
> Aki

Thanks for the script. I'm testing this on a production system, so I'll have to wait until after business hours to test. Meanwhile, not being a python wizard, I have a couple of questions.

I have to run this script as my passdb { args } parameter, right?

On the line where it is checking for "testuser" and password "test", I assume that if I want to use a configured user I can just change these, right?

Likewise with "userdb_uid=vmail userdb_gid=vmail", what are these? UID/GID of the user?

Is there a way in python to output the values in data[0] and data[1] to a file so I can see what's actually received? If after the 'split' line I added:

f = open("/tmp/checkpassword.log","a")
f.write("Name: " + data[0] + ", PW: " + data[1])
f.close()

Would that work?

--THX Mark
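An added example, not Aki's CI script and not Dovecot's own code: a checkpassword program in the same shape, with the fd 3 parsing and the pass/fail decision split into functions so they can be exercised without Dovecot. It also shows what is safe to write to a debug file (the question above) and how to answer when a GSSAPI client leaves the password field empty, which is the "username followed by three NULs" seen in this thread. The user table and verify_constructed() are constructed stand-ins for the real check (ntlm_auth against AD in the thread).

```python
"""Checkpassword program skeleton for Dovecot (added example, not the CI script)."""
import hmac
import os
import sys
from dataclasses import dataclass

DOVECOT_PW_FD = 3

# checkpassword exit statuses: 0 success, 1 bad credentials, 2 misuse, 111 temporary
# failure; 3 ("user does not exist") is Dovecot's documented extension to the protocol.
EXIT_OK, EXIT_BAD_CREDENTIALS, EXIT_MISUSE, EXIT_UNKNOWN_USER, EXIT_TEMPFAIL = 0, 1, 2, 3, 111


@dataclass
class CheckpasswordInput:
    user: str
    password: str
    extra: str


def parse_checkpassword_input(raw: bytes) -> CheckpasswordInput:
    """Split the fd 3 payload <user>NUL<password>NUL<extra>NUL into its fields.

    A GSSAPI or NTLM client leaves the password empty, which is exactly the
    "username followed by three NULs" this thread observed on fd 3.
    """
    fields = raw.split(b"\0")
    if len(fields) < 2:  # at least <user>NUL is required
        raise ValueError("malformed checkpassword input: %r" % raw)
    extra = fields[2] if len(fields) > 2 else b""
    return CheckpasswordInput(
        user=fields[0].decode("utf-8"),
        password=fields[1].decode("utf-8"),
        extra=extra.decode("utf-8", "replace"),
    )


def debug_summary(inp: CheckpasswordInput) -> str:
    """What to write to a debug log instead of data[1]: the user and the
    password *length*, never the password itself."""
    return "user=%s password_len=%d extra_len=%d" % (
        inp.user, len(inp.password), len(inp.extra))


def decide(inp, verify):
    """Return (exit_status, env_to_export) for one request.

    verify(user, password) returns True, False, or None when the user is unknown.
    """
    if not inp.user:
        return EXIT_MISUSE, {}
    if inp.password == "":
        # Non-plaintext mechanism: Dovecot verifies GSSAPI itself and hands us no
        # password, so report "unknown user" rather than "wrong password". In a
        # passdb chain a miss lets the lookup continue; a wrong password does not.
        return EXIT_UNKNOWN_USER, {}
    ok = verify(inp.user, inp.password)
    if ok is None:
        return EXIT_UNKNOWN_USER, {}
    if not ok:
        return EXIT_BAD_CREDENTIALS, {}
    # Same reply contract as the CI script quoted in the thread: USER plus the
    # userdb fields a prefetch userdb needs.
    return EXIT_OK, {"USER": inp.user, "EXTRA": "userdb_uid=vmail userdb_gid=vmail"}


# Constructed stand-in for the real credential check (ntlm_auth / AD in the thread).
_CONSTRUCTED_USERS = {"testuser": "pass"}


def verify_constructed(user, password):
    expected = _CONSTRUCTED_USERS.get(user)
    if expected is None:
        return None
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def main():
    with os.fdopen(DOVECOT_PW_FD, "rb") as s:
        inp = parse_checkpassword_input(s.read())
    status, env = decide(inp, verify_constructed)
    if status != EXIT_OK:
        sys.exit(status)
    os.environ.update(env)
    # argv[1] is the checkpassword-reply binary Dovecot passes, as in the CI script.
    os.execv(sys.argv[1], sys.argv[1:])


if __name__ == "__main__":
    main()
```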
AuthDatabase CheckPassword broken?
I had been using the CheckPassword authentication interface with dovecot 2.2.15, https://wiki2.dovecot.org/AuthDatabase/CheckPassword, and it was working.

After upgrading to 2.2.33.2 CheckPassword no longer works. The referenced wiki page says,

Checkpassword Interface

Read NUL NUL from fd 3.

I've checked the information read from fd 3 with 2.2.33.2 and I get followed by 3 nulls. I'm guessing the 2nd null is supposed to be the password.

Why is this no longer working? How can I fix it?

THX --Mark
Re: Howto authenticate smartPhone via Active Directory
On Tue, 5 Dec 2017 16:42:15 +0100 mj <li...@merit.unu.edu> wrote:
> Hi,
>
> Not much time to reply now.
>
> On 12/05/2017 05:21 AM, Mark Foley wrote:
> > mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready to try my config (have to do so after hours), but I have some probably simple-minded questions:
>
> Well, that looks as if you are testing/trying out on your production machine. Why not setup a separate (virtual?) test server to play with..?
> Use the same os version, with the same dovecot version.
> Or clone your production machine, so you can test as much as you like, without time pressure, at any given time.

I've been playing with this ldap authentication for a couple of years off and on. Time isn't a problem. The issue with setting up a test environment is that I really need the domain workstations and external smartphone attempting to connect when I make a change so I can follow what's going on in the Dovecot log and maillog. It's rather simple to test a change, then put things back. I'll likely not go the test platform route for now, but thanks for the input.

> > Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me differences in your config from the "original"? You've kept the hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn settings in your config, right?
> Not the complete file, no. I just provided the essentials.
> [deleted]

Ok, here's what I've come up with for dovecot-ldap.conf.ext

hosts = mail.hprs.local
base = dc=mail, dc=hprs, dc=local
ldap_version = 3
scope = subtree
deref = never
debug_level = -1
auth_bind = yes
auth_bind_userdn = %n@dom
dn = cn=Administrator,cn=users,dc=hprs,dc=local
dnpass = ***
user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))

I've enabled auth-ldap.conf.ext in 10-auth.conf. My doveconf is listed at bottom.

Unfortunately, this doesn't work. My remote devices are not even showing as trying to connect. For internal domain LAN users I get:

Dec 06 01:08:10 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 30 secs): user=<>, rip=192.168.0.52, lip=192.168.0.2, session=<3/ZyxaVfE8PAqAA0>

I do see ldap listening on 389, imap[s] (Dovecot) listening on 143 and 993, these last two are opened externally through the firewall.

> For the rest: my advice is that you *really* need to play around with this much more. Get yourself a test environment, and play and test.
>
> Plus: read some dovecot/ad howto's, and try things in your own environment.
>
> Quick google returns:
> https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
>

I know my level of sophistication on this must sound like I've glibly posted a question hoping someone will do the work for me without my having to do any thinking myself, but believe me, I've been reading and experimenting with this for a very long time. I've got internal AD authentication working with GSSAPI and I've got a rather complex checkpassword program able to do authentication, so I don't think I'm a complete moron, although this project makes me feel that way. Now, I just want smartphones to authenticate with their owners' domain credentials and get them out of /etc/passwd.

I believe I've read all the Dovecot wikis on ldap plus things from many other sites. I've been to that howtoforge site before. It mostly deals with setting up Postfix, which I'm not using. The dovecot bits make more sense in light of your feedback.

I've tried that ldapsearch example:

ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'

with the domain user I specified in my dovecot-ldap.conf.ext with my host and dc info and I get the error

ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.

I've seen confusing postings on this error having to do with port 636 and LDAPS -- no idea what they're talking about. My user is the Samba/domain administrator and has a pretty complex password. None of the sites I've visited on this error indicate it has anything to do with the actual password's complexity.

Perhaps I'm just thick-skulled with all this. If you or anyone can see something obviously wrong with my conf, or have any suggestion at all on a baby step I can take to inch me forward, please let me know.

Thanks, --Mark

doveconf -n:
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_ho
Can passdb be bypassed for non-plaintext authentication mechanisms
I am using Active directory authentication via gssapi for most users. In dovecot.conf I have:

auth_mechanisms = plain login gssapi
auth_use_winbind = yes

I also have

passdb {
  driver = shadow
}
userdb {
  driver = passwd
}

for those few users who are NOT AD users.

Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot ALWAYS first looks them up in shadow, which ALWAYS fails. The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases can't be used with non-plaintext authentication mechanisms."

Is there a way to bypass checking passdb (and userdb?) for these mechanisms?

--Mark
Re: Howto authenticate smartPhone via Active Directory
mj - thanks! That's the first useful example I've received from any forum/list. I'm getting ready to try my config (have to do so after hours), but I have some probably simple-minded questions:

Your example is not the complete dovecot-ldap.conf.ext file, right? Have you just given me differences in your config from the "original"? You've kept the hosts, base, ldap_version, scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

Your dn is:

dn = cn=search_dovecit,cn=users,dc=company,dc=com

Mine (original) is:

dn = cn=user_for_bind,cn=Users,dc=dom

Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that something I need in order to make this work? Is your "dc=company,dc=com" meta-syntax and you use your actual domain CNs here, or is that literally what you have there?

My dnpass (original) is:

dnpass =

your example is:

dnpass = top_secret

Again, are the assigned values meta-syntax (meta-syntax in configs is not obvious to me unless it is bold, underlined, italicized and colored ... or uses brackets or some other convention)? If meta, what is actually supposed to go there?

With your "this user/passwd filter". Can you tell me why you have "userAccountControl=514"? Is that 514 bit documented somewhere? Your user_filter/pass_filter is *completely* different from my installed original.

You don't mention the user_attrs/pass_attrs settings. Is this because you use the originals or because you have commented them out? My current settings are:

user_attrs = quotaFieldAD=quota_rule=*:storage=%$MB
pass_attrs = userPassword=password

My auth_mechanisms are:

auth_mechanisms = plain login gssapi

Is this sufficient for ldap?

Thanks for your help --Mark

btw - I have been running Dovecot with AD for years, but for local Domain users authenticating via GSSAPI. Remote users (e.g. smartPhones) don't have that mechanism that I'm aware of. Currently they are authenticated via shadow, but I'd like to remove AD users from /etc/passwd.

On Mon, 4 Dec 2017 09:04:57 +0100 mj <li...@merit.unu.edu> wrote
>
> Hi Mark,
>
> Just to let you know that we are running dovecot with AD. (and I guess: *many* people are running that combination)
>
> It worked without issues, we are using in dovecot-ldap.conf.ext:
>
> > auth_bind = yes
>
> this user/passwd filter:
>
> = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
>
> > dn = cn=search_dovecit,cn=users,dc=company,dc=com
> > dnpass = top_secret
>
> And not the 3268 port, but regular 389.
>
> Hope that helps.
>
> MJ
>
>
> On 12/04/2017 01:38 AM, Mark Foley wrote:
> > Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:
> >
> > Active Directory
> >
> > When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx
> >
> > I have not been able to find an example of someone using Dovecot and ldap with AD.
> >
> > However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.
> >
> > passdb {
> >   driver = checkpassword
> >   args = /user/util/bin/checkpassword
> > }
> > userdb {
> >   driver = prefetch
> > }
> >
> > The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:
> >
> > Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user - trying the next passdb
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input:
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
> > Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials
Re: Howto authenticate smartPhone via Active Directory
Unfortunately, I tried for weeks to figure out passdb ldap without success. I guess I'm just not knowledgeable enough about how to use ldap and Active Directory. The dovecot wiki https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says is:

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP fields are available in port 3268. Use whatever works. http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with AD.

However, I have had some success with CheckPassword (https://wiki2.dovecot.org/AuthDatabase/CheckPassword). Using a program I wrote to do ntlm_auth, I am able to authenticate the smartPhone user and pass the required parameters back to Dovecot. My auth-checkpasswd.conf.ext is the as-shipped standard except pointing to my checkpassword executable.

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword for every user, smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,): unknown user - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Received input:
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): exit_status=1
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,): Credentials:
Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001 14902 1 586863e54c57c999ee5731906a59257c session_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: passwd(charmaine,192.168.0.52,): username changed charmaine -> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER 1884160001 HPRS\charmaine system_groups_user=HPRS\charmaine uid=10003 gid=1 home=/home/HPRS/charmaine auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next passdb", which is checkpassword (which apparently succeeds), then it goes on to gssapi which also succeeds.

Is there a way to only have it do checkpassword if all shadow and gssapi fail? My mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

-----Original Message-----
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org

with passdb ldap i guess.

---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Mark Foley <mfo...@ohprs.org>
Date: 03/12/2017 21:18 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: Howto authenticate smartPhone via Active Directory

Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:

passdb pam {
}

used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-----Original Message-----
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Mark Foley <mfo...@ohprs.org>
> Date: 03/12/2017 06:03 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: Howto authenticate smartPhone via Active Directory
>
> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot
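An added example, not from the thread and not Dovecot code: it walks the passdb chain out of Dovecot 2.2 auth debug lines like the ones quoted above and reports, per login, which passdbs were tried, what Dovecot finally answered, and the SASL mechanism, which is the view you want when deciding whether shadow or checkpassword is even being asked. SAMPLE_LOG is constructed from the line formats in this thread, with placeholder session ids and a documentation-range IP for the phone.

```python
"""Summarise the passdb chain per login from Dovecot auth debug lines (added example)."""
import re
import sys
from collections import OrderedDict
from dataclasses import dataclass, field

# "<driver>(<user>,<ip>,<session>): <message>" from auth or auth-worker. The session
# id is allowed to be empty because the copies quoted in the thread have it stripped.
PASSDB_RE = re.compile(
    r"(?:auth|auth-worker\(\d+\)): \w+: "
    r"(?P<driver>\w+)\((?P<user>[^,]*),(?P<ip>[^,]*),[^)]*\): (?P<msg>.*)$")
OUT_RE = re.compile(
    r"auth: Debug: client passdb out: (?P<result>OK|FAIL)\s+\d+\s+user=(?P<user>\S+)")
LOGIN_RE = re.compile(
    r"imap-login: Info: (?:Login|Aborted login)[^:]*: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<ip>[\d.]+)")

# Constructed from the formats quoted in this thread: a GSSAPI workstation login that
# falls through shadow and checkpassword, and a PLAIN phone login that fails in shadow.
SAMPLE_LOG = [
    "Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<s1>): unknown user - trying the next passdb",
    "Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<s1>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply",
    "Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<s1>): exit_status=1",
    "Dec 03 18:56:32 auth: Debug: client passdb out: OK 1 user=charmaine original_user=charmaine@HPRS.LOCAL",
    "Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<s1>",
    "Dec 01 14:27:32 auth-worker(5988): Info: shadow(mpress,198.51.100.7,<s2>): unknown user (given password: ***)",
    "Dec 01 14:27:34 auth: Debug: client passdb out: FAIL 1 user=mpress",
    "Dec 01 14:27:34 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<mpress>, method=PLAIN, rip=198.51.100.7, lip=192.168.0.2, TLS, session=<s2>",
]


@dataclass
class AuthTrace:
    user: str
    ip: str
    steps: list = field(default_factory=list)  # (passdb driver, outcome) in log order
    result: str = ""                           # OK / FAIL from "client passdb out"
    method: str = ""                           # SASL mechanism from the imap-login line


def analyze(lines):
    """Group the lines by (user, client IP) and return the traces in first-seen order."""
    traces = OrderedDict()

    def trace_for(user, ip):
        return traces.setdefault((user, ip), AuthTrace(user, ip))

    for line in lines:
        m = PASSDB_RE.search(line)
        if m:
            msg = m.group("msg")
            if msg.startswith("unknown user"):
                outcome = "unknown user"
            elif msg.startswith("exit_status="):
                outcome = msg.strip()
            else:
                continue  # "execute:", "Received input:", "lookup" ... carry no outcome
            trace_for(m.group("user"), m.group("ip")).steps.append((m.group("driver"), outcome))
            continue
        m = OUT_RE.search(line)
        if m:
            # The passdb out line carries no IP, so attach it to the newest trace
            # for that user that has not been resolved yet.
            for t in reversed(traces.values()):
                if t.user == m.group("user") and not t.result:
                    t.result = m.group("result")
                    break
            continue
        m = LOGIN_RE.search(line)
        if m:
            trace_for(m.group("user"), m.group("ip")).method = m.group("method")
    return list(traces.values())


def summarize(t):
    chain = " -> ".join("%s=%s" % step for step in t.steps)
    return "%s@%s: %s -> %s via %s" % (t.user, t.ip, chain, t.result or "?", t.method or "?")


if __name__ == "__main__":
    source = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    for trace in analyze(source):
        print(summarize(trace))
```

Pipe a real /var/log/dovecot_info through it to see the chain for every login; the built-in sample runs when stdin is a terminal.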
Re: Howto authenticate smartPhone via Active Directory
Yes, you are right. This link: https://www.redips.net/linux/android-email-postfix-auth/#section2 shows:

passdb pam {
}

used for authenticating Android. Problem #1 is that Slackware does not ship with PAM and the AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but I'm not sure I should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials besides pam? The phone can send user and password.

--Mark

-----Original Message-----
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from shadow. maybe you need to configure pam module?
> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Mark Foley <mfo...@ohprs.org>
> Date: 03/12/2017 06:03 (GMT+02:00)
> To: dovecot@dovecot.org
> Subject: Howto authenticate smartPhone via Active Directory
>
> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 4.4.88 x86_64 Slackware 14.2
> auth_debug = yes
> auth_debug_passwords = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
> auth_username_format = %n
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark
Re: Upgrade to 2.2.32 from 2.2.15 failed
On Sat, 25 Nov 2017 10:13:58 +0200 (EET) Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> > On November 25, 2017 at 7:04 AM Mark Foley <mfo...@ohprs.org> wrote:
> >
> > I have a problem. I have been running Dovecot 2.2.15 and I'd like to upgrade. My distro (Slackware) has dovecot 2.2.32 available. I downloaded and installed that, but it didn't work. No one was able to get messages from the dovecot server on their workstations. The following is the entire dovecot log file from startup to the last message generated. No more messages went into the logfile after line 76, even with clients trying to connect. The 174.233.134.88 IP is from an external user connecting from his iPhone. The normal successful message from this user are shown at bottom.
> >
> > I'm suspecting something to do with line 18 where is says "Auth process broken." If anyone has any insight I'd deeply appreciate it as I'd love to upgrade.
> >
> > THX -- Mark
> >
>
> Can you try adding
>
> service auth {
>   executable = strace -o /tmp/auth.trace /usr/libexec/dovecot/auth
> }
>
> and see if it gives any insight why it dies?
>
> Aki
>

The problem was that I did an install from sbopkg which downloads and installs the package in the SlackBuilds repository. This mechanism does not easily allow setting options. I needed to have the --with-gssapi=yes option set. So, I just downloaded directly from http://www.dovecot.org/releases/2.2/dovecot-2.2.33.2.tar.gz and did:

./configure --with-gssapi=yes
make
make install

and everything appears to be working fine!

--Mark
Howto authenticate smartPhone via Active Directory
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with domain credentials using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt authentication via shadow first and, failing that, it does authenticate via GSSAPI.

Smartphones connect to Dovecot via port 143 and SSL. They are not domain members so if the shadow authentication fails, no other methods are tried and no connection is made.

What can I do with my dovecot config to fix this?

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
iPhone no longer authenticating
I've switched a user to being an active directory user. That user's email client authorizes just fine with dovecot using GSSAPI. However, now his iPhone won't authorize. In the dovecot log file I get:

Dec 01 14:27:28 auth: Debug: client in: AUTH 1 PLAIN service=imap secured session=q4n3W0xfggBiZj9s lip=98.102.63.107 rip=98.102.63.108 lport=993 rport=49538 resp=AG1wcmVzcwBEaW5va3JvbndhbGw0NQ== (previous base64 data may contain sensitive data)
Dec 01 14:27:32 auth-worker(5988): Debug: shadow(mpress,98.102.xx.yyy): lookup
Dec 01 14:27:32 auth-worker(5988): Info: shadow(mpress,98.102.xx.yyy): unknown user (given password: ***)
Dec 01 14:27:34 auth: Debug: client passdb out: FAIL 1 user=mpress
Dec 01 14:27:34 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=, method=PLAIN, rip=98.102.xx.yyy, lip=98.102.63.107, TLS, session=
Dec 01 14:27:34 imap-login: Debug: SSL alert: close notify [98.102.xx.yyy]

This same user will authenticate OK from his local domain workstation:

Dec 01 14:28:52 auth: Debug: master userdb out: USER 1948516353 mpress system_groups_user=HPRS\mpress uid=10005 gid=1 home=/home/HPRS/mpress auth_token=ce3050035718ed0996af698400c4de1be453ec06 auth_user=mpress@HPRS.LOCAL
Dec 01 14:28:52 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.54, lip=192.168.0.2, mpid=9755, TLS, session=<6MT1YExftwDAqAA2>

I'm pretty sure the reason has to do with Active Directory authentication locally, but of course his iPhone is not a member of the domain, and he is no longer in /etc/passwd/shadow.

So, what is the best way to get the iPhone to authenticate?

Here's my current config:

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Unable to build sieve plugin
I'm wanting to experiment with sieve processing for the first time. Having some trouble getting started.

I googled to the page, https://wiki2.dovecot.org/Pigeonhole/Sieve, went to the "Download and Installation" link, then the "Pigeonhole download page" link and downloaded dovecot-2.2-pigeonhole-0.4.21.tar.gz (I have Dovecot version 2.2.15).

I untarred, ran ./configure (which appeared to run OK), then `make` and got the following error:

make[4]: Entering directory '/user/util/src/dovecot/dovecot-2.2-pigeonhole-0.4.21/src/lib-sieve/util'
/bin/sh ../../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../../.. -I/usr/local/include/dovecot -DMODULEDIR=\""/usr/local/lib/dovecot"\" -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I../../.. -MT edit-mail.lo -MD -MP -MF .deps/edit-mail.Tpo -c -o edit-mail.lo edit-mail.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../../.. -I/usr/local/include/dovecot -DMODULEDIR=\"/usr/local/lib/dovecot\" -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -I../../.. -MT edit-mail.lo -MD -MP -MF .deps/edit-mail.Tpo -c edit-mail.c -fPIC -DPIC -o .libs/edit-mail.o
edit-mail.c: In function 'edit_mail_get_special':
edit-mail.c:1592:8: error: 'MAIL_FETCH_STORAGE_ID' undeclared (first use in this function)
  case MAIL_FETCH_STORAGE_ID:
       ^
edit-mail.c:1592:8: note: each undeclared identifier is reported only once for each function it appears in

This was followed by several more errors and the make failed.

What did I do wrong?

--Mark
Re: Mark message as read when moved to Trash
See: https://forum.kde.org/viewtopic.php?f=215=55940

--Mark

Felix Rubio Dalmau wrote:
> Hi all,
>
> When I send a message to trash, without previously reading it (just with the subject is enough to say I do not want to read it), it remains as "unread". Then, clients (I am using Kmail) report there are unread messages, when all of them are in Trash. The question, then, is: Is there any way to automatically mark a message as read, when that message is moved to Trash?
>
> Thank you!
> Felix
Re: Upgrade to 2.2.32 from 2.2.15 failed
No, is that something that would make a difference between 2.2.15 and 2.2.32?

--Mark

On Fri, 24 Nov 2017 21:37:47 -0800 Gary wrote:

> Out of curiosity, do you do a !SSLv3 in the conf file?
>
> Original Message
>> From: mfo...@ohprs.org
>> Sent: November 24, 2017 9:04 PM
>> To: dovecot@dovecot.org
>> Subject: Upgrade to 2.2.32 from 2.2.15 failed
>>
>> I have a problem. I have been running Dovecot 2.2.15 and I'd like to upgrade. My distro (Slackware) has dovecot 2.2.32 available. I downloaded and installed that, but it didn't work. No one was able to get messages from the dovecot server on their workstations. The following is the entire dovecot log file from startup to the last message generated. No more messages went into the logfile after line 76, even with clients trying to connect. The 174.233.134.88 IP is from an external user connecting from his iPhone. The normal successful messages from this user are shown at bottom.
>>
>> I'm suspecting something to do with line 18 where it says "Auth process broken." If anyone has any insight I'd deeply appreciate it as I'd love to upgrade.
>>
>> THX -- Mark
>>
>> 1 Nov 24 19:22:24 master: Info: Dovecot v2.2.32 (dfbe293d4) starting up for imap (core dumps disabled)
>> 2 Nov 24 19:22:24 ssl-params: Info: Generating SSL parameters
>> 3 Nov 24 19:22:26 ssl-params: Info: SSL parameters regeneration completed
>> 4 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [174.233.134.88]
>> 5 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [174.233.134.88]
>> 6 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [174.233.134.88]
>> 7 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [174.233.134.88]
>> 8 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [174.233.134.88]
>> 9 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [174.233.134.88]
>> 10 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [174.233.134.88]
>> 11 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [174.233.134.88]
>> 12 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [174.233.134.88]
>> 13 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
>> 14 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
>> 15 Nov 24 19:23:02 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
>> 16 Nov 24 19:23:02 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
>> 17 Nov 24 19:23:02 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
>> 18 Nov 24 19:23:02 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=174.233.134.88, lip=98.102.63.107, TLS handshaking, session=
>> 19 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [174.233.134.88]
>> 20 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [174.233.134.88]
>> 21 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [174.233.134.88]
>> 22 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [174.233.134.88]
>> 23 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [174.233.134.88]
>> 24 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [174.233.134.88]
>> 25 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [174.233.134.88]
>> 26 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [174.233.134.88]
>> 27 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [174.233.134.88]
>> 28 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
>> 29 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
>> 30 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [174.233.134.88]
>> 31 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [174.233.134.88]
>> 32 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read finished A [174.233.134.88]
>> 33 Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A
Upgrade to 2.2.32 from 2.2.15 failed
I have a problem. I have been running Dovecot 2.2.15 and I'd like to upgrade. My distro (Slackware) has dovecot 2.2.32 available. I downloaded and installed that, but it didn't work. No one was able to get messages from the dovecot server on their workstations. The following is the entire dovecot log file from startup to the last message generated. No more messages went into the logfile after line 76, even with clients trying to connect. The 174.233.134.88 IP is from an external user connecting from his iPhone. The normal successful messages from this user are shown at bottom.

I'm suspecting something to do with line 18 where it says "Auth process broken." If anyone has any insight I'd deeply appreciate it as I'd love to upgrade.

THX -- Mark

1 Nov 24 19:22:24 master: Info: Dovecot v2.2.32 (dfbe293d4) starting up for imap (core dumps disabled)
2 Nov 24 19:22:24 ssl-params: Info: Generating SSL parameters
3 Nov 24 19:22:26 ssl-params: Info: SSL parameters regeneration completed
4 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [174.233.134.88]
5 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [174.233.134.88]
6 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [174.233.134.88]
7 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [174.233.134.88]
8 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [174.233.134.88]
9 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [174.233.134.88]
10 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [174.233.134.88]
11 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [174.233.134.88]
12 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [174.233.134.88]
13 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
14 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
15 Nov 24 19:23:02 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
16 Nov 24 19:23:02 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
17 Nov 24 19:23:02 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
18 Nov 24 19:23:02 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=174.233.134.88, lip=98.102.63.107, TLS handshaking, session=
19 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [174.233.134.88]
20 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [174.233.134.88]
21 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [174.233.134.88]
22 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [174.233.134.88]
23 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [174.233.134.88]
24 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [174.233.134.88]
25 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [174.233.134.88]
26 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [174.233.134.88]
27 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [174.233.134.88]
28 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
29 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [174.233.134.88]
30 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [174.233.134.88]
31 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [174.233.134.88]
32 Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read finished A [174.233.134.88]
33 Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [174.233.134.88]
34 Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [174.233.134.88]
35 Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [174.233.134.88]
36 Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [174.233.134.88]
37 Nov 24 19:23:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [174.233.134.88]
38 Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [174.233.134.88]
39 Nov 24 19:23:04 auth: Debug: Loading modules from directory:
stopped being able to kerberos/GSSAPI authenticate with new email accounts
I've been running with Dovecot 2.2.15 on my mail server and Thunderbird on workstations with Kerberos/GSSAPI authentication. This has been working for over a year for 10 users. The other day, I replaced a user's workstation and set up this user with a Thunderbird client. Unfortunately, I got the error: "The Kerberos/GSSAPI ticket was not accepted by the IMAP server ... please check that you are logged into the Kerberos/GSSAPI realm."

Doing more experimentation I've found that I cannot set up *any* existing user with a new account without getting that same message. Interestingly, all existing users can still connect just fine from their Tbird clients on their current workstations which were set up over a year ago, I just can't create an account for them on a different workstation.

I'm at a loss as to where to start on this. My config is:

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.38 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
): Credentials:
Jul 11 17:28:31 auth: Debug: client passdb out: OK 1 user=mark original_user=mark@HPRS.LOCAL
Jul 11 17:28:31 auth: Debug: master in: REQUEST 3872522241 64211 46614c53fd96efa48a94b889ad2405d3 session_pid=6429 request_auth_token
Jul 11 17:28:31 auth-worker(5858): Debug: shadow(mark,192.168.0.99): lookup
Jul 11 17:28:31 auth-worker(5858): Debug: shadow(mark,192.168.0.99): username changed mark -> HPRS\mark
Jul 11 17:28:31 auth: Debug: master userdb out: USER 3872522241 mark system_groups_user=HPRS\mark uid=10001 gid=1 home=/home/HPRS/mark auth_token=4959011413324b3d5d2d6f77c0adf2629551d91d auth_user=mark@HPRS.LOCAL
Jul 11 17:28:31 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.99, lip=192.168.0.2, mpid=6429, TLS, session=

Here is that same user set up on a new client computer, with all the same settings (as far as I can tell). This one apparently doesn't even try Kerberos.

Jul 11 18:08:25 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jul 11 18:08:25 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jul 11 18:08:25 auth: Debug: auth client connected (pid=1055)
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.57]
Jul 11 18:08:25 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured
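The doveconf -n dump in this post (and the identical one in the NTLM post earlier on the page) carries three settings worth noticing from a security standpoint: auth_debug_passwords = yes and auth_verbose_passwords = plain make Dovecot write attempted passwords into the log (here /var/log/dovecot_info), and disable_plaintext_auth = no lets clients use PLAIN and LOGIN on connections that never started TLS. They were presumably switched on for troubleshooting and should be switched back afterwards. The script below is an added example, not code from the thread or from Dovecot; it audits a doveconf -n dump for those three settings. The function name audit_doveconf is chosen here, the setting names are real Dovecot 2.2 settings, and the two sample dumps are constructed from the configuration shown in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: audit a `doveconf -n`
# dump for settings that expose credentials. On the server, run it as
#   doveconf -n | sh -c '. ./audit-doveconf.sh; audit_doveconf'
# or call audit_doveconf with the dump on stdin from another script.

# Reads "key = value" lines on stdin, prints one finding per line and
# returns the number of findings (0 = nothing to fix).
audit_doveconf() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;          # only "key = value" lines are interesting
            *) continue ;;   # skips "passdb {", "}", comments, blank lines
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case "$key" in
            auth_debug_passwords)
                if [ "$val" = yes ]; then
                    echo "auth_debug_passwords=yes: attempted passwords are written to the auth debug log"
                    findings=$((findings + 1))
                fi ;;
            auth_verbose_passwords)
                # "plain" logs the password itself, "sha1" a hash of it; only "no" is safe
                if [ "$val" != no ]; then
                    echo "auth_verbose_passwords=$val: passwords of failed logins are written to the log"
                    findings=$((findings + 1))
                fi ;;
            disable_plaintext_auth)
                if [ "$val" = no ]; then
                    echo "disable_plaintext_auth=no: PLAIN/LOGIN are accepted on connections without TLS"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    return "$findings"
}

# Constructed sample: the relevant lines of the doveconf -n dump from the thread.
weak_conf='auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
passdb {
  driver = shadow
}'

# The same dump with the three settings corrected (debug logging off,
# no password logging, plaintext mechanisms only after STARTTLS/SSL).
hardened_conf='auth_debug = no
auth_debug_passwords = no
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = no
disable_plaintext_auth = yes
passdb {
  driver = shadow
}'

# Demonstration on the two samples (the function's return value is the count).
printf '%s\n' "$weak_conf" | audit_doveconf
echo "weak config: $? finding(s)"
printf '%s\n' "$hardened_conf" | audit_doveconf
echo "hardened config: $? finding(s)"
```

The audit deliberately only reads doveconf -n output rather than the raw files, because doveconf -n shows the effective value after all included files and defaults are resolved, which is what Dovecot actually runs with.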
Unable to Kerberos/GSSAPI an existing user on new workstation
My last message probably contained too much information. This one is more succinct.

I have a user, 'mark', who has been running a Thunderbird client on Windows to Dovecot server with Kerberos/GSSAPI authentication for over a year. I created a new Tbird account on a new Linux workstation for 'mark', also with Kerberos/GSSAPI and that worked just fine.

I have another user, 'dsmith', who has been running a Thunderbird client on Windows to Dovecot server with Kerberos/GSSAPI authentication for over a year as well, no problems. I created a new Tbird account on the same new Linux workstation as above for 'dsmith', also with Kerberos/GSSAPI and that DID NOT WORK! I get the message in Thunderbird: "The Kerberos/GSSAPI ticket was not accepted by the IMAP server ... please check that you are logged into the Kerberos/GSSAPI realm."

I created/recreated the smith account numerous times with slightly different settings hoping something will work, but I always get the same message. Why? I need to figure this out ASAP.

Here is the dovecot log when user dsmith attempts to connect to dovecot from the Tbird client:

Jul 11 19:29:43 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jul 11 19:29:43 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jul 11 19:29:43 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jul 11 19:29:43 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Jul 11 19:29:43 auth: Debug: auth client connected (pid=1578)
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL alert: close notify [192.168.0.57]
Jul 11 19:29:46 imap-login: Info: Disconnected (no auth attempts in 3 secs): user=<>, rip=192.168.0.57, lip=192.168.0.2, TLS, session=
Jul 11 19:30:17 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jul 11 19:30:17 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jul 11 19:30:17 auth: Debug: auth client connected (pid=3148)
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL:
Re: Apparent Maildir permission issue
On Wed, 25 Jan 2017 08:01:00 +0100 (CET) Steffen Kaiser <skdove...@smail.inf.fh-brs.de> wrote:

> 1) Why do both UIDs 326 and 10001 translate back to HPRS\mark ?
> What does HPRS\mark translate to?
>
> > Permission on that folder are:
> >
> > $ ls -ld /home/HPRS/mark/Maildir
> > drwx------ 17 HPRS\mark domusers 4096 Dec 7 23:07 /home/HPRS/mark/Maildir/
>
> 2) I guess this HPRS\mark is 10001 ? (And not 326)
>
> > Permissions are unchanged since before the backup.
>
> "backup"? You've restored the Maildir's from somewhere else? What was the
> _numerical_ UID within the backup and what is it now?

"backup" meaning I looked at the permissions on an older, routine backup. No, I did not restore anything.

BUT ... I found the problem. I upgraded Samba4 10 days ago from version 4.2.12 to 4.4.8 and, in the course of researching this problem, I found that the A/D authentication was broken:

With 4.2.12 on AD/DC:

$ getent passwd mark
HPRS\mark:*:10001:1:Mark Foley:/home/HPRS/mark:/bin/false

With 4.4.8 on AD/DC:

$ getent passwd mark
HPRS\mark:*:326:100:Mark Foley:/home/HPRS/mark:/bin/bash

The new version of Samba is giving me this bogus UID:GID. I've no idea why. I have posted messages on the Samba list asking for help on this.

Email clients authenticate with Dovecot via Kerberos/GSSAPI and Dovecot was therefore trying to use 326:100 to access Maildir files/directories created with owner 10001:1. I've done a workaround by adding the correct UID, GID for this user to /etc/passwd, although one is not supposed to have AD users in /etc/passwd. However, that is working for the time being.

If anyone on this list has had this experience and knows what needs to be fixed, please let me know!

Thanks -- Mark
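The root cause here is an identity-mapping change rather than a Dovecot bug: after the Samba upgrade, getent passwd resolves the same account to 326:100 while the Maildir on disk is still owned by 10001:1, and since Dovecot runs the imap process as the uid/gid the userdb returns, the process can no longer read the mailbox. The script below is an added example, not code from the thread, Dovecot or Samba; it compares the uid/gid that NSS returns for a user with the owner of that user's Maildir, so the mismatch can be caught right after an idmap or Samba change instead of surfacing as "Permission denied" for one user. getent passwd and ls -ldn are real commands; the function names and the passwd entries in the demonstration are constructed from the getent output quoted in the post, with this host's own ids substituted for the "good" case.

```shell
#!/bin/sh
# Added example, not from the thread, Dovecot or Samba: detect a mismatch
# between the uid/gid NSS (winbind) resolves for a user and the owner of
# the user's Maildir. Dovecot runs the imap process as the userdb uid, so
# after an idmap change (the Samba 4.2 -> 4.4 upgrade in this thread) the
# process can no longer read a Maildir created under the old uid.

# maildir_owner_check PASSWD_ENTRY [MAILDIR]
#   PASSWD_ENTRY: one line in getent/passwd format
#   MAILDIR:      directory to check (default: $home/Maildir from the entry)
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 on bad input.
maildir_owner_check() {
    entry=$1
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    nss_uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    nss_gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    dir=${2:-$home/Maildir}
    if [ -z "$nss_uid" ] || [ ! -d "$dir" ]; then
        echo "$name: no such user or no Maildir at $dir"
        return 2
    fi
    # ls -ldn prints numeric owner and group; fields 3 and 4 are uid and gid.
    set -- $(ls -ldn "$dir")
    dir_uid=$3
    dir_gid=$4
    if [ "$nss_uid" = "$dir_uid" ] && [ "$nss_gid" = "$dir_gid" ]; then
        echo "$name: OK nss=$nss_uid:$nss_gid maildir=$dir_uid:$dir_gid"
        return 0
    fi
    echo "$name: MISMATCH nss=$nss_uid:$nss_gid maildir=$dir_uid:$dir_gid ($dir)"
    return 1
}

# check_user USER: real use, resolving the entry through NSS as Dovecot does
# (auth_use_winbind / a passdb that ends in the system userdb).
check_user() {
    maildir_owner_check "$(getent passwd "$1")"
}

# Demonstration on a constructed Maildir owned by whoever runs this script.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/Maildir"
set -- $(ls -ldn "$demo_dir/Maildir")
me_uid=$3
me_gid=$4
# Entry in the form Samba 4.2.12 returned it in the thread, with this host's ids.
good_entry="HPRS\\mark:*:$me_uid:$me_gid:Mark Foley:$demo_dir:/bin/false"
# Entry in the form Samba 4.4.8 returned it: different uid/gid, same account.
bad_entry="HPRS\\mark:*:326:100:Mark Foley:$demo_dir:/bin/bash"
maildir_owner_check "$good_entry"
maildir_owner_check "$bad_entry"
```

Run check_user for every mail user before and after a Samba or idmap change; a MISMATCH on a user whose Maildir already exists is exactly the condition that produced the "conflicting dir uid" errors in this thread, and is far cheaper to fix (correct the mapping, or chown consistently) before clients start failing.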
Re: Apparent Maildir permission issue
On Tue, 17 Jan 2017 12:25:27 +0200 Aki Tuomi <aki.tu...@dovecot.fi> wrote:

> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
>
> Just wanted to point out that you have a different UID for the folder than your EUID (gotten from userdb/passdb).
>
> Aki

Yes, very puzzling. I'm restoring some older dovecot logs now to see if that was true e.g. in 2016. Perhaps an upgrade of some other software caused a problem. On the other hand, the other user I mentioned in my Jan 24 17:15 message, shay, also shows this UID/EUID discrepancy, but that does not prevent her from getting mail and there is no permission denied error on her messages.

More when I know more --Mark

> On 16.01.2017 23:09, Mark Foley wrote:
> > More info ...
> >
> > This is the only user having this permission problem. All other Thunderbird/dovecot users are getting mail fine. They all have the same permissions set on their Maildir folder.
> >
> > --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Mon, 16 Jan 2017 13:21:31 -0500
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Apparent Maildir permission issue
> >
> > I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with dovecot -- it's the same version that was running before the upgrade. However, now I'm getting a permission error:
> >
> > /var/log/maillog:
> >
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail last message repeated 4 times
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:45 mail last message repeated 11 times
> >
> > Permission on that folder are:
> >
> > $ ls -ld /home/HPRS/mark/Maildir
> > drwx------ 17 HPRS\mark domusers 4096 Dec 7 23:07 /home/HPRS/mark/Maildir/
> >
> > Permissions are unchanged since before the backup.
> >
> > What do I do to fix this?
> >
> > THX --Mark
Re: Apparent Maildir permission issue
On Mon, 16 Jan 2017 17:51:48 -0500 Bill Shirley <b...@knoxvillechristian.org> wrote:

> I've gotten errors like this when it was actually a selinux denial. If you're running
> selinux, check those logs too.

OK, this is getting serious -- mail not getting delivered. No, I am not running selinux. Here is the error I get in the maillog:

Jan 24 16:42:49 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))

Permissions are:

$ ls -l /home/HPRS/mark/Maildir/
total 200
drwx------ 2 HPRS\mark domusers 45056 Dec 19 08:13 cur/
-rw------- 1 HPRS\mark domusers   131 Jul  1  2016 dovecot-keywords
-rw------- 1 HPRS\mark domusers  5249 Dec  7 23:06 dovecot-uidlist
-rw------- 1 HPRS\mark domusers     8 Jul  7  2016 dovecot-uidvalidity
-r--r--r-- 1 HPRS\mark domusers     0 Jan 16  2015 dovecot-uidvalidity.54b9def3
-rw------- 1 HPRS\mark domusers  4080 Nov 27 23:28 dovecot.index
-rw------- 1 HPRS\mark domusers 88612 Dec  7 23:07 dovecot.index.cache
-rw------- 1 HPRS\mark domusers  8748 Dec  7 23:07 dovecot.index.log
-rw------- 1 HPRS\mark domusers  2016 Jul  7  2016 dovecot.mailbox.log
drwx------ 2 HPRS\mark domusers 12288 Jan 13 12:10 new/
-rw------- 1 HPRS\mark domusers   137 Jul  7  2016 subscriptions
drwx------ 2 HPRS\mark domusers 12288 Jan 13 12:10 tmp/

Permissions on the Maildir folder for another user who is NOT having this problem:

$ ls -l /home/HPRS/shay/Maildir/
total 88
drwx------ 2 HPRS\shay domusers 12288 Jan 24 15:50 cur/
-rw------- 1 HPRS\shay domusers    41 Sep 13 11:59 dovecot-keywords
-rw------- 1 HPRS\shay users     1442 Jan 24 15:48 dovecot-uidlist
-rw------- 1 HPRS\shay domusers     8 Jan 18 15:13 dovecot-uidvalidity
-r--r--r-- 1 HPRS\shay domusers     0 Jul 15  2016 dovecot-uidvalidity.5789a8ca
-rw------- 1 HPRS\shay users     1408 Jan 20 08:18 dovecot.index
-rw------- 1 HPRS\shay users    12928 Jan 24 15:50 dovecot.index.cache
-rw------- 1 HPRS\shay users    20844 Jan 24 15:51 dovecot.index.log
-rw------- 1 HPRS\shay domusers  2856 Jan 18 15:13 dovecot.mailbox.log
drwx------ 2 HPRS\shay domusers  4096 Jan 24 15:48 new/
-rw------- 1 HPRS\shay users     2906 Jan 18 15:13 subscriptions
drwx------ 2 HPRS\shay domusers  4096 Jan 24 15:48 tmp/

You can see that the tmp/ folders for both users are set exactly the same, yet user 'mark' is getting the permission error. mark's mail is not getting delivered; shay's mail is. Why?

> On 1/16/2017 4:09 PM, Mark Foley wrote:
> > More info ...
> >
> > This is the only user having this permission problem. All other Thunderbird/dovecot users are getting mail fine. They all have the same permissions set on their Maildir folder.
> >
> > --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Mon, 16 Jan 2017 13:21:31 -0500
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Apparent Maildir permission issue
> >
> > I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with dovecot -- it's the same version that was running before the upgrade. However, now I'm getting a permission error:
> >
> > /var/log/maillog:
> >
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail last message repeated 4 times
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:45 mail last message repeated 11 times
> >
> > Permission on that folder are:
> >
> > $ ls -ld /home/HPRS/mark/Maildir
> > drwx------ 17 HPRS\mark domusers 4096 Dec 7 23:07 /home/HPRS/mark/Maildir/
> >
> > Permissions are unchanged since before the backup.
> >
> > What do I do to fix this?
> >
> > THX --Mark
Re: Apparent Maildir permission issue
More info ...

This is the only user having this permission problem. All other Thunderbird/dovecot users are getting mail fine. They all have the same permissions set on their Maildir folder.

--Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 16 Jan 2017 13:21:31 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Apparent Maildir permission issue

I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with dovecot -- it's the same version that was running before the upgrade. However, now I'm getting a permission error:

/var/log/maillog:

Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail last message repeated 4 times
Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:45 mail last message repeated 11 times

Permission on that folder are:

$ ls -ld /home/HPRS/mark/Maildir
drwx------ 17 HPRS\mark domusers 4096 Dec 7 23:07 /home/HPRS/mark/Maildir/

Permissions are unchanged since before the backup.

What do I do to fix this?

THX --Mark
Apparent Maildir permission issue
I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with dovecot -- it's the same version that was running before the upgrade. However, now I'm getting a permission error:

/var/log/maillog:

Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail last message repeated 4 times
Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:45 mail last message repeated 11 times

Permission on that folder are:

$ ls -ld /home/HPRS/mark/Maildir
drwx------ 17 HPRS\mark domusers 4096 Dec 7 23:07 /home/HPRS/mark/Maildir/

Permissions are unchanged since before the backup.

What do I do to fix this?

THX --Mark
Re: IMAP flags and dovecot-keywords not working as expected
will need some revising based on my recent experimentation, but should be a rather simple bash exercise in any case. Note that the Outlook messages are also the same MAPI files, only the client used (Outlook versus Thunderbird) is different. Outlook does not set IMAP flags to designate categories. Categories are apparently stored in the user's .pst file.

--CUT--
Public Sub ListOutlookFolders()
    Dim olApp As Outlook.Application
    Dim olNamespace As Outlook.Namespace
    Dim olFolder As Outlook.MAPIFolder
    Set olApp = New Outlook.Application
    Set olNamespace = olApp.GetNamespace("MAPI")
    ' walk every top-level store (mailbox / .pst) and its folder tree
    For Each olFolder In olNamespace.Folders
        Debug.Print olFolder.Name; ":", olFolder.Description
        ListFolders olFolder, 1
    Next
    Set olFolder = Nothing
    Set olNamespace = Nothing
    Set olApp = Nothing
End Sub

Sub ListFolders(myFolder As Outlook.MAPIFolder, Level As Integer)
    Dim olFolder As Outlook.MAPIFolder
    ' go through each email in this folder
    scanFolder myFolder
    ' Now we'll check for subfolders; each recursive call scans its own
    ' folder, so a subfolder is never scanned twice
    For Each olFolder In myFolder.Folders
        'Debug.Print ":"; String(Level * 2, "-"); olFolder.Name
        ListFolders olFolder, Level + 1
    Next
End Sub

Sub scanFolder(sFolder As Outlook.MAPIFolder)
    Dim src As Outlook.Folder
    Dim oItem As Object
    Dim propertyAccessor As Outlook.propertyAccessor
    Dim header As String
    Dim headerLines() As String
    Dim thisHeader As Variant
    Set src = sFolder
    For Each oItem In src.Items
        If TypeOf oItem Is Outlook.MailItem Then
            If oItem.Categories <> "" Then
                'Debug.Print "Cat: " + oItem.Categories
                ' PR_TRANSPORT_MESSAGE_HEADERS: the raw RFC 822 headers of the message
                Set propertyAccessor = oItem.propertyAccessor
                header = propertyAccessor.GetProperty("http://schemas.microsoft.com/mapi/proptag/0x007D001E")
                headerLines() = Split(header, vbCrLf)
                ' print "Message-ID: <...>~Category1, Category2" for each categorised mail
                For Each thisHeader In headerLines
                    If InStr(thisHeader, "Message-ID:") > 0 Then
                        Debug.Print thisHeader + "~" + oItem.Categories
                        Exit For
                    End If
                Next
            End If
        End If
    Next
End Sub
--CUT--

Example of resulting output:

Message-ID: <201109011105.p81b5666028...@webserver.ohprs.org>~Red Category

Hopefully someone finds this useful.

THX --Mark

-----Original Message-----
> Subject: Re: IMAP flags and dovecot-keywords not working as expected
> To: dovecot@dovecot.org
> From: Peter Chiochetti <p...@myzel.net>
> Date: Sat, 30 Jul 2016 11:26:09 +0200
>
> On 2016-07-30 at 08:00, Mark Foley wrote:
> >
> > However, none of the tags show up correctly in Thunderbird. If I manually set a message to
> > have a tag of 0, the corresponding IMAP file gets a flag of 'm', not 'a' and the following is
> > added to the dovecot-keywords files:
> >
> > 12 $label1
> >
> > How can I fix this? Where is "$label1" text defined? Why did Thunderbird not snag the text for
> > '0' from the dovecot-keywords file and give the IMAP file a tag of 'a'?
>
> Thunderbird flags are stored in the user's prefs.js, e.g.:
> - user_pref("mailnews.tags.$label1.tag", "Important");
> - user_pref("mailnews.tags.$label1.color", "#FF");
>
> A kind of key->value assignment. The "$label[1-9]" keys are special,
> where the number magically corresponds to the keyboard shortcut to tag
> messages, 0 meaning clear all tags.
>
> There can be more than nine tags, but they won't have a shortcut then:
> - user_pref("mailnews.tags.ten.tag", "ten");
>
> 1) The server will only ever see the key. The user will only ever see
> the value.
>
> 2) If you rename a label in TB, then only the value will change and the
> server will still see the same key as before.
>
> 3) If you rename a key in dovecot, TB will not create a label for it and
> the affected messages will no longer appear tagged, if TB does not know
> about the key.
>
> 4) Dovecot adds to the keywords as it receives requests from clients:
> Very likely there is a limit of 26 (letters of the alphabet) per
> account; a-d=0-3 are already taken for internal use, so 22 remain.
>
> > My current theory is that the "Default" Thunderbird Tags corresponding to IMAP flags are not
> > changeable and if new tags are created in Tbird, they get new flag letters. That would, of
> > course, mean that if a user changes a Thunderbird tag name, they would lose all tag settings on
> > existing messages. That doesn't seem right and I hope my theory is wrong.
>
> I think you are mostly wrong: as long as you only use TB to work and as
> long as you do not exceed the limit you should be safe.
>
> Notice that tags are a scarce resource: any key you ever created counts
> toward the limit - reusing old tags requires you to text-edit both
> dovecot-keywords and TB prefs.js.
>
> --
> peter
>
IMAP flags and dovecot-keywords not working as expected
I've converted most of our users from Outlook to Thunderbird. One important feature of Thunderbird is that it pays attention to the IMAP non-standard message flags via the 'tags' feature (see http://wiki2.dovecot.org/MailboxFormat/Maildir). This is important because 2 users make extensive use of Outlook categories (Tags, in Thunderbird).

I found that when I set a message to the 1st Tbird tag 0 (Important), the corresponding IMAP file got an 'a' suffix. Likewise, if I manually added an 'a' suffix to an IMAP file the corresponding tag was displayed in Thunderbird. This made it easy for me to export Outlook Categories and set IMAP message flags accordingly. This worked perfectly on the user I was experimenting with (me).

Recently, I converted one of these Outlook 'categories' users to Thunderbird. I added the appropriate flag letters to their IMAP messages, changed their tag names in Thunderbird, and created the following dovecot-keywords file:

0 Board_and_Committee
1 Completed
2 Health_Care_meetings
3 Notifications
4 OSHP-DAS
5 personal_or_To_Do
6 Retirement_exits
7 $label5
8 Junk
9 $Forwarded
10 $MDNSent
11 $label2

However, none of the tags show up correctly in Thunderbird. If I manually set a message to have a tag of 0, the corresponding IMAP file gets a flag of 'm', not 'a' and the following is added to the dovecot-keywords file:

12 $label1

How can I fix this? Where is "$label1" text defined? Why did Thunderbird not snag the text for '0' from the dovecot-keywords file and give the IMAP file a tag of 'a'?

My current theory is that the "Default" Thunderbird Tags corresponding to IMAP flags are not changeable and if new tags are created in Tbird, they get new flag letters. That would, of course, mean that if a user changes a Thunderbird tag name, they would lose all tag settings on existing messages. That doesn't seem right and I hope my theory is wrong.

Any insight would be appreciated.

--Mark
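The "simple bash exercise" Mark mentions in the follow-up with the VBA macro, and the flag-setting step this question describes, as an added example that is not part of either post: POSIX sh functions that take the macro's "Message-ID: <id>~Category" lines, look each category up in the dovecot-keywords file shown above (index 0 is letter 'a', 1 is 'b', and so on, the mapping Mark observed) and rename the matching Maildir file so its flag set carries that letter. The function names, the mapping of category names to keyword names by replacing spaces with underscores, and the constructed sample mailbox are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Applies Outlook categories exported
# as "Message-ID: <id>~Cat1, Cat2" lines to Maildir files as Dovecot keyword
# flag letters. Assumptions (mine): keyword names are the category names with
# spaces replaced by underscores, as in Mark's dovecot-keywords file; messages
# live in the folder's cur/ or new/; flag letters stay in C-locale sorted order.
set -eu

# keyword_letter KEYWORDS_FILE NAME -> prints the flag letter for NAME
# (index 0 -> 'a', 1 -> 'b', ...); exits non-zero when NAME is not listed.
keyword_letter() {
    awk -v name="$2" '
        $2 == name { printf "%c", 97 + $1; found = 1; exit }
        END        { exit !found }' "$1"
}

# find_by_message_id FOLDER MSGID -> prints the path of the message whose
# headers contain "Message-ID: MSGID"; exits non-zero if none does.
find_by_message_id() {
    for f in "$1"/cur/* "$1"/new/*; do
        [ -f "$f" ] || continue
        if grep -qF -- "Message-ID: $2" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# maildir_add_flag FILE LETTER -> renames FILE so LETTER is part of its
# ":2,FLAGS" suffix (flags re-sorted, uppercase before lowercase) and prints
# the new path. A file that already carries LETTER is left alone.
maildir_add_flag() {
    file=$1; letter=$2
    dir=$(dirname "$file"); base=$(basename "$file")
    case $base in
        *:2,*) stem=${base%%:2,*}; flags=${base#*:2,} ;;
        *)     stem=$base;         flags="" ;;
    esac
    case $flags in
        *"$letter"*) printf '%s\n' "$file"; return 0 ;;
    esac
    newflags=$(printf '%s\n' "$flags$letter" | fold -w 1 | LC_ALL=C sort | tr -d '\n')
    mv "$file" "$dir/$stem:2,$newflags"
    printf '%s\n' "$dir/$stem:2,$newflags"
}

# apply_category_line KEYWORDS_FILE FOLDER LINE
# LINE is one line of the macro output. Prints the message file's path after
# each category is applied; exits non-zero if the message is not found or any
# category has no keyword (reported on stderr, the others still applied).
apply_category_line() {
    kw=$1; folder=$2; line=$3
    msgid=${line#Message-ID: }; msgid=${msgid%%~*}
    categories=${line#*~}
    file=$(find_by_message_id "$folder" "$msgid") || {
        echo "no message with Message-ID $msgid in $folder" >&2; return 1; }
    rc=0
    old_ifs=$IFS; IFS=','; set -f          # split on "," without globbing
    for category in $categories; do
        category=${category# }               # drop the space after ","
        name=$(printf '%s' "$category" | tr ' ' '_')
        if letter=$(keyword_letter "$kw" "$name"); then
            file=$(maildir_add_flag "$file" "$letter")
            printf '%s\n' "$file"
        else
            echo "no keyword for category '$category' in $kw" >&2; rc=1
        fi
    done
    IFS=$old_ifs; set +f
    return $rc
}

# Stand-alone demonstration on a constructed throwaway Maildir.
demo=$(mktemp -d)
mkdir -p "$demo/cur" "$demo/new" "$demo/tmp"
printf '0 Board_and_Committee\n1 Completed\n2 Health_Care_meetings\n' > "$demo/dovecot-keywords"
printf 'From: a@example.test\nMessage-ID: <1@example.test>\n\nbody\n' > "$demo/cur/1469000000.M1P1.mail:2,S"
apply_category_line "$demo/dovecot-keywords" "$demo" 'Message-ID: <1@example.test>~Health Care meetings, Completed'
rm -rf "$demo"
```

Run it against a copy of the mailbox first, and with Dovecot not serving that user, since it renames files behind the server's index.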
Re: Moving Maildir folders
On Sun, 17 Jul 2016 12:24:04 +0200 Luigi Rosa wrote:
>
> Peter Chiochetti wrote on 17/07/2016 11:01:
>
> > With Maildir and path separator "." one can have incomplete paths: e.g.
> > bpatterson.INBOX.2011 will say that there is 2011 within INBOX within bpatterson
> > -- while it is possible, that both bpatterson and bpatterson.INBOX do not exist!
> > Thunderbird will render the missing folders gray in the UI, you probably cannot
> > subscribe to those, even from the subscribe dialogue. You should be able to
> > create them though.
>
> That is correct.
>
> If you want to create the "path" Somename/Foo/Bar/Baz (as seen by the IMAP
> client), even if only Somename and Baz contain messages, you must have the
> entire "path", that is your mailbox directory must contain the directories:
>
> .Somename
> .Somename.Foo
> .Somename.Foo.Bar
> .Somename.Foo.Bar.Baz
>
> Of course each of the directories will contain cur, tmp, new and Dovecot files
>
> Ciao,
> luigi

That was probably my problem. While I moved the entire Maildir structure from the old user's Maildir hierarchy, I just created

.bpatterson.Foo.Bar/
.bpatterson.Foo.raB/
etc.

I never did create

.bpatterson/
.bpatterson.Foo/
etc.

Good to know. I'll sort that out better next time.

Meanwhile, before reading this message, I created a new folder in Tbird, then dragged the folders out of the .bpatterson hierarchy to the new folder. That worked, but was a bit time consuming.

I suppose I was thrown off because the destination user's Maildir has no .INBOX/ directory, only:

.INBOX.this/
.INBOX.that/

but, I suppose INBOX is a special case since the rest of the top-level folders (Drafts, Templates, Sent Items, ...) do have directories. Next time!

Thanks --Mark
Re: Moving Maildir folders
On Sun, 17 Jul 2016 03:44:05 +0200 Achim Gottinger <ac...@ag-web.biz> wrote:

On 17.07.2016 at 02:36, Mark Foley wrote:
> Not quite there yet. The folders show up, but I cannot see the mail inside the folders unless
> (in the Thunderbird client) I uncheck the setting "Show only subscribed folders". Still, the
> top-level folder is shown as grayed-out/italics as well as the sub-folder INBOX. All other
> sub-folders at the same level as INBOX are not grayed-out, nor are folders subordinate to INBOX:
>
> u...@mydom.org      <-- topmost "real" account folder
>   +Inbox
>    Drafts
>    Templates
>    Sent Items
>    Junk E-mail
>    Deleted Items
>   +bpatterson        <-- added Maildir folders from former user, grayed-out, italics
>     +INBOX           <-- grayed out, italic
>       Payabled       <-- not grayed
>       Health Care    <-- not grayed
>       :
>       :
>      Sent            <-- not grayed
>      Sent Items      <-- not grayed
>      Templates       <-- not grayed
>      Trash           <-- not grayed
>
> Mozilla has a reference to this phenomenon http://kb.mozillazine.org/Grey_italic_folders, but
> this seems to have to do with GMAIL accounts. Mine is a local IMAP server and the link has no
> apparent remedy.
>
> Furthermore, if I attempt to delete e.g. "Trash" I get an error, presumably from Dovecot: "The
> current command did not succeed. The mail server for account u...@mydom.org responded:
> [ALREADYEXISTS] Target mailbox already exists." Seems like an odd error when trying to delete.
>
> My theory is that if I can designate these folders as 'subscribed' everything would work
> normally. I don't know if that's true. I've tried adding these folders to the 'subscriptions'
> file in the user's Maildir folder, an excerpt of which:
>
> INBOX.Directed Brokerage
> INBOX.Directed Brokerage.Abel Noser
> INBOX.Investments-Active.Kayne
> INBOX.Pending - Open Projects
> Deleted Items.Oath
> INBOX.Board Info.New Trustee-Oath of Office
> INBOX.Rule Filing-Rule Changes
> bpatterson.INBOX.2011 Investment Confirmation Responses
> bpatterson.INBOX.2011 and 2012 KCR Audit
> bpatterson.INBOX.2012 Investment Confirmation Responses
> bpatterson.INBOX.2013 Health Care Changes - Information
> bpatterson.INBOX.2013 Investment Confirmation Responses
>
> where the 1st 7 listed are part of the user's existing list and the next ones are what I added
> for the former user's mail folders. This did not work.
>
> Ideas?
>
> --Mark

Hi Mark,

Try to subscribe in Thunderbird via your account's right-click context menu. The greyed-out folders may not contain mails (missing .cur etc. subfolders). Sometimes it is necessary to clean the ImapMail folder in the Thunderbird user profile (as a last resort).

achim~
Re: an e-mail client for dovecot ?
Hmmm, one thing to perhaps try first is upgrading your software. You mentioned that your dovecot is version 1.2.17. I'm running 2.2.15 (which is also older. Current version is 2.2.25). I know there were major changes between version 1.x and 2.x. Your Ubuntu is 14.04 which is 2 releases old, now at 16.04 (I'm running 15.10). I do have 16.04 booting with x86, but I haven't yet installed it. You didn't mention your Thunderbird version, but I'm guessing they are similarly dated. My Ubuntu Tbird is 38.8.0 and my Win7 is 45.2.0. It could be your older versions of things don't support what you want.

My dovecot server is Slackware64 14.1. One of the users has over 1400 mail folders and 7.2G of IMAP space. She has had no problems with Thunderbird. All of our WIN7 workstations are x64, so perhaps there are issues with the x86 version of dovecot/Thunderbird.

--Mark

-----Original Message-----
> Subject: Re: an e-mail client for dovecot ?
> To: dovecot@dovecot.org
> From: Kenneth Porter <sh...@sewingwitch.com>
> Date: Sat, 16 Jul 2016 16:52:08 -0700
> On 7/16/2016 10:22 AM, Mark Foley wrote:
> > I concur with Charles Marcus' query: can you elaborate on how Thunderbird
> > is failing for you?
>
> I run Thunderbird and Mulberry side-by-side, as there are features in
> Mulberry I don't want to give up, even though it's old and buggy. I've
> noticed that Mulberry finds folders in my huge hierarchy (100's of
> folders) that Tbird misses. Notably my SpamAssassin folder, and it's
> consistent across several accounts I monitor. Both programs are set to
> scan all IMAP folders. It's not just because the SA folder is flagged as
> an additional Junk folder. I've got other folders that Tbird misses.
> Most receive automated server mail from Linux services (such as
> logwatch). I haven't been able to find a pattern.
>
Re: Moving Maildir folders
Not quite there yet. The folders show up, but I cannot see the mail inside the folders unless (in the Thunderbird client) I uncheck the setting "Show only subscribed folders". Still, the top-level folder is shown as grayed-out/italics as well as the sub-folder INBOX. All other sub-folders at the same level as INBOX are not grayed-out, nor are folders subordinate to INBOX:

u...@mydom.org      <-- topmost "real" account folder
  +Inbox
   Drafts
   Templates
   Sent Items
   Junk E-mail
   Deleted Items
  +bpatterson        <-- added Maildir folders from former user, grayed-out, italics
    +INBOX           <-- grayed out, italic
      Payabled       <-- not grayed
      Health Care    <-- not grayed
      :
      :
     Sent            <-- not grayed
     Sent Items      <-- not grayed
     Templates       <-- not grayed
     Trash           <-- not grayed

Mozilla has a reference to this phenomenon http://kb.mozillazine.org/Grey_italic_folders, but this seems to have to do with GMAIL accounts. Mine is a local IMAP server and the link has no apparent remedy.

Furthermore, if I attempt to delete e.g. "Trash" I get an error, presumably from Dovecot: "The current command did not succeed. The mail server for account u...@mydom.org responded: [ALREADYEXISTS] Target mailbox already exists." Seems like an odd error when trying to delete.

My theory is that if I can designate these folders as 'subscribed' everything would work normally. I don't know if that's true. I've tried adding these folders to the 'subscriptions' file in the user's Maildir folder, an excerpt of which:

INBOX.Directed Brokerage
INBOX.Directed Brokerage.Abel Noser
INBOX.Investments-Active.Kayne
INBOX.Pending - Open Projects
Deleted Items.Oath
INBOX.Board Info.New Trustee-Oath of Office
INBOX.Rule Filing-Rule Changes
bpatterson.INBOX.2011 Investment Confirmation Responses
bpatterson.INBOX.2011 and 2012 KCR Audit
bpatterson.INBOX.2012 Investment Confirmation Responses
bpatterson.INBOX.2013 Health Care Changes - Information
bpatterson.INBOX.2013 Investment Confirmation Responses

where the 1st 7 listed are part of the user's existing list and the next ones are what I added for the former user's mail folders. This did not work.

Ideas?

--Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Sat, 16 Jul 2016 15:05:33 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Moving Maildir folders

Hey!! It is now showing the former user's folders at the top level of the current user. Great! Perhaps dovecot just needed time to "index" the new messages? Anyway, Luigi's suggestion on moving and renaming the folders apparently worked.

Thanks --Mark

-----Original Message-----
> Subject: Re: Moving Maildir folders
> From: Frank-Ulrich Sommer <f-...@gmx.net>
> Date: Sat, 16 Jul 2016 20:41:10 +0200
> To: dovecot@dovecot.org
> How did you verify that dovecot doesn't show these folders? Couldn't this be
> a client problem? In Thunderbird e.g. it might be necessary to update the
> list of displayed folders.
>
> On 16 July 2016 19:07:39 CEST, Mark Foley <mfo...@ohprs.org> wrote:
> >On Sat, 16 Jul 2016 08:53:27 +0200 Luigi Rosa <li...@luigirosa.com> wrote:
> >>
> >> Mark Foley wrote on 16/07/2016 07:43:
> >> > Our office had a user leave. Another user is taking over her duties and needs reference to the
> >> > departing user's email. I've copied that entire departed user's Maildir structure to the current
> >> > user:
> >> >
> >> > mv olduser/Maildir/.* curuser/Maildir/.olduser
> >> >
> >> > I did change permission and ownership on curuser/Maildir/.olduser to be the target user. I did
> >> > not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, etc.) as I thought
> >> > that would be bad.
> >>
> >> Maildir has no nested folders.
> >>
> >> If you want a subtree structure in maildir you must create each folder at the
> >> first level
> >>
> >> in the new user you must have something like:
> >>
> >> .olduser.INBOX
> >> .olduser.Sent
> >> .olduser.Trash
> >> .olduser.Drafts
> >> .olduser.whatever
> >>
> >> Each directory with tmp, new, cur subdirs only (and dovecot files, of course)
> >>
> >> --
> >>
> >> Ciao,
> >> luigi
> >>
> >> /
> >> +--[Luigi Rosa]--
> >> \
> >>
> >> Understanding is a three-edged sword.
> >> --Kosh, "Deathwalker"
> >
> >OK, I believe I'v
Re: Moving Maildir folders
Hey!! It is now showing the former user's folders at the top level of the current user. Great! Perhaps dovecot just needed time to "index" the new messages? Anyway, Luigi's suggestion on moving and renaming the folders apparently worked.

Thanks --Mark

-----Original Message-----
> Subject: Re: Moving Maildir folders
> From: Frank-Ulrich Sommer <f-...@gmx.net>
> Date: Sat, 16 Jul 2016 20:41:10 +0200
> To: dovecot@dovecot.org
> How did you verify that dovecot doesn't show these folders? Couldn't this be
> a client problem? In Thunderbird e.g. it might be necessary to update the
> list of displayed folders.
>
> On 16 July 2016 19:07:39 CEST, Mark Foley <mfo...@ohprs.org> wrote:
> >On Sat, 16 Jul 2016 08:53:27 +0200 Luigi Rosa <li...@luigirosa.com> wrote:
> >>
> >> Mark Foley wrote on 16/07/2016 07:43:
> >> > Our office had a user leave. Another user is taking over her duties and needs reference to the
> >> > departing user's email. I've copied that entire departed user's Maildir structure to the current
> >> > user:
> >> >
> >> > mv olduser/Maildir/.* curuser/Maildir/.olduser
> >> >
> >> > I did change permission and ownership on curuser/Maildir/.olduser to be the target user. I did
> >> > not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, etc.) as I thought
> >> > that would be bad.
> >>
> >> Maildir has no nested folders.
> >>
> >> If you want a subtree structure in maildir you must create each folder at the
> >> first level
> >>
> >> in the new user you must have something like:
> >>
> >> .olduser.INBOX
> >> .olduser.Sent
> >> .olduser.Trash
> >> .olduser.Drafts
> >> .olduser.whatever
> >>
> >> Each directory with tmp, new, cur subdirs only (and dovecot files, of course)
> >>
> >> --
> >>
> >> Ciao,
> >> luigi
> >>
> >> /
> >> +--[Luigi Rosa]--
> >> \
> >>
> >> Understanding is a three-edged sword.
> >> --Kosh, "Deathwalker"
> >
> >OK, I believe I've done as you suggested, but still nothing showing on the target user's mail
> >client. Here's what part of the Maildir looks like with the 1st set of folders belonging to the
> >target user and those beginning with .bpatterson from the old user. Does this look right as
> >you've advised? Perhaps I need to do something else?
> >
> >.INBOX.Travel/
> >.INBOX.UPS/
> >.INBOX.US\ Bank/
> >.INBOX.United\ Health\ Care-Employee/
> >.INBOX.VRC/
> >.INBOX.Website/
> >.INBOX.Website.Mouse\ Pad\ Insert/
> >.INBOX.iLink/
> >.Junk\ E-mail/
> >.Sent\ Items/
> >.Templates/
> >.bpatterson.Deleted\ Items/
> >.bpatterson.Drafts/
> >.bpatterson.INBOX.2011\ Investment\ Confirmation\ Responses/
> >.bpatterson.INBOX.2011\ and\ 2012\ KCR\ Audit/
> >.bpatterson.INBOX.2012\ Investment\ Confirmation\ Responses/
> >.bpatterson.INBOX.2013\ Health\ Care\ Changes\ -\ Information/
> >.bpatterson.INBOX.2013\ Investment\ Confirmation\ Responses/
> >
> >At the top level, the target user has (in email client):
> >
> >Inbox
> >Drafts
> >Templates
> >Sent Items
> >Junk E-mail
> >Deleted Items
> >
> >I'm expecting to see "bpatterson" appear in that list.
> >
> >Thanks --Mark
>
> --
> This message was sent from my Android phone with K-9 Mail.
>
Re: an e-mail client for dovecot ?
Wow! That's interesting. Our office of 10+ Windows 7 *and* Ubuntu workstations has been moving from Outlook to Thunderbird over the past year. Our users find it WAY BETTER than Outlook. Have you actually tried Outlook 2013 and later? The suckiness of 2013 was what drove us to look elsewhere in the first place. We tried a number of clients including Evolution and emClient and Tbird proved the best in my testing.

Thunderbird runs on both Windows and Ubuntu, can do AD authentication and basically has all the features of Outlook including color categories which our director could not live without; and can be configured to have a very similar look-and-feel as Outlook. In over a year of running Thunderbird (currently at 38.8.0 Ubuntu, 45.2.0 Windows) it has performed flawlessly.

I concur with Charles Marcus' query: can you elaborate on how Thunderbird is failing for you?

--Mark

-----Original Message-----
> Date: Sat, 16 Jul 2016 08:02:33 +0000 (UTC)
> From: Spyros Tsiolis
> To: Dovecot
> Subject: an e-mail client for dovecot ?
>
> Hello all,
>
> For some years now, I've been using Thunderbird for dovecot.
> I am not very satisfied with t/b so I thought of using m/s outlook
> but then I thought that I want to distance my clients from office
> products.
>
> I have a newly created dovecot installation on a very small site.
> Three nodes, all x86 Windows 7 professional with an ubuntu v14.04
> server (x86 again) running dovecot 1.2.17.
>
> The clients there use dovecot as an imap server, so they have a
> real-world e-mail account each and whatever they want to keep, they
> store by dragging-and-dropping to the imap (local / archive) account.
>
> Since I have quite some experience with thunderbird, I know most of
> its shortcomings; So I thought if there's an alternative (better?)
> imap mail client for x86 windows 7 systems than t/b.
>
> Even better if there's an alternative client that is also supported under
> linux.
>
> Any ideas are welcome,
>
> TIA,
>
> s.t.
>
Re: Moving Maildir folders
On Sat, 16 Jul 2016 08:53:27 +0200 Luigi Rosa <li...@luigirosa.com> wrote:
>
> Mark Foley wrote on 16/07/2016 07:43:
> > Our office had a user leave. Another user is taking over her duties and needs reference to the
> > departing user's email. I've copied that entire departed user's Maildir structure to the current
> > user:
> >
> > mv olduser/Maildir/.* curuser/Maildir/.olduser
> >
> > I did change permission and ownership on curuser/Maildir/.olduser to be the target user. I did
> > not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, etc.) as I thought
> > that would be bad.
>
> Maildir has no nested folders.
>
> If you want a subtree structure in maildir you must create each folder at the
> first level
>
> in the new user you must have something like:
>
> .olduser.INBOX
> .olduser.Sent
> .olduser.Trash
> .olduser.Drafts
> .olduser.whatever
>
> Each directory with tmp, new, cur subdirs only (and dovecot files, of course)
>
> --
>
> Ciao,
> luigi
>
> /
> +--[Luigi Rosa]--
> \
>
> Understanding is a three-edged sword.
> --Kosh, "Deathwalker"

OK, I believe I've done as you suggested, but still nothing showing on the target user's mail client. Here's what part of the Maildir looks like with the 1st set of folders belonging to the target user and those beginning with .bpatterson from the old user. Does this look right as you've advised? Perhaps I need to do something else?

.INBOX.Travel/
.INBOX.UPS/
.INBOX.US\ Bank/
.INBOX.United\ Health\ Care-Employee/
.INBOX.VRC/
.INBOX.Website/
.INBOX.Website.Mouse\ Pad\ Insert/
.INBOX.iLink/
.Junk\ E-mail/
.Sent\ Items/
.Templates/
.bpatterson.Deleted\ Items/
.bpatterson.Drafts/
.bpatterson.INBOX.2011\ Investment\ Confirmation\ Responses/
.bpatterson.INBOX.2011\ and\ 2012\ KCR\ Audit/
.bpatterson.INBOX.2012\ Investment\ Confirmation\ Responses/
.bpatterson.INBOX.2013\ Health\ Care\ Changes\ -\ Information/
.bpatterson.INBOX.2013\ Investment\ Confirmation\ Responses/

At the top level, the target user has (in email client):

Inbox
Drafts
Templates
Sent Items
Junk E-mail
Deleted Items

I'm expecting to see "bpatterson" appear in that list.

Thanks --Mark
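One way to build the complete chain of directories Luigi describes here and in his later reply (.Somename, .Somename.Foo, .Somename.Foo.Bar, ...), as an added example that is neither the thread's nor Dovecot's own tooling: a POSIX sh function that creates every level with cur/, new/ and tmp/, plus a helper that adds the folder to the plain one-name-per-line subscriptions file Mark shows in this thread. The function names, the Maildir++ "maildirfolder" marker file and the plain subscriptions format are my assumptions.

```shell
#!/bin/sh
# Added example (not the thread's or Dovecot's own tooling): create every level
# of a Maildir++ folder path so the IMAP client sees a complete, subscribable
# hierarchy instead of the grey "missing parent" folders described in the thread.
# Assumption: Dovecot's default Maildir++ layout, where the folder the client
# shows as "Somename/Foo/Bar/Baz" is the directory ".Somename.Foo.Bar.Baz"
# directly under the Maildir root, with "." as the separator.
set -eu

# maildir_make_folder ROOT DIR
# One Maildir++ folder: cur/ new/ tmp/ plus the "maildirfolder" marker file
# from the Maildir++ spec, all mode 0700 (only the mailbox owner needs access;
# chown the result to that user afterwards if you run this as root).
maildir_make_folder() {
    mkdir -p "$1/$2/cur" "$1/$2/new" "$1/$2/tmp"
    chmod 700 "$1/$2" "$1/$2/cur" "$1/$2/new" "$1/$2/tmp"
    : > "$1/$2/maildirfolder"
}

# maildir_ensure_path ROOT "Somename/Foo/Bar/Baz"
# Creates .Somename, .Somename.Foo, .Somename.Foo.Bar and .Somename.Foo.Bar.Baz,
# skipping levels that already exist, and prints each directory it created.
# Note: a "." inside a folder name would be read as another level by Dovecot.
maildir_ensure_path() {
    root=$1; path=$2; prefix=""
    old_ifs=$IFS; IFS='/'; set -f          # split on "/" only, no globbing
    for part in $path; do
        prefix="$prefix.$part"
        if [ ! -d "$root/$prefix/cur" ]; then
            maildir_make_folder "$root" "$prefix"
            printf '%s\n' "$prefix"
        fi
    done
    IFS=$old_ifs; set +f
}

# maildir_subscribe ROOT "Somename/Foo/Bar/Baz"
# Appends "Somename.Foo.Bar.Baz" to ROOT/subscriptions unless already listed.
# Assumes the plain one-name-per-line format shown in the thread.
maildir_subscribe() {
    name=$(printf '%s' "$2" | tr '/' '.')
    [ -f "$1/subscriptions" ] || : > "$1/subscriptions"
    grep -qxF -- "$name" "$1/subscriptions" || printf '%s\n' "$name" >> "$1/subscriptions"
}

# Stand-alone demonstration on a constructed throwaway Maildir.
demo=$(mktemp -d)
maildir_ensure_path "$demo" "bpatterson/INBOX/2011 and 2012 KCR Audit"
maildir_subscribe "$demo" "bpatterson/INBOX/2011 and 2012 KCR Audit"
ls -A "$demo"
rm -rf "$demo"
```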
Moving Maildir folders
Our office had a user leave. Another user is taking over her duties and needs reference to the departing user's email. I've copied that entire departed user's Maildir structure to the current user:

mv olduser/Maildir/.* curuser/Maildir/.olduser

I did change permission and ownership on curuser/Maildir/.olduser to be the target user. I did not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, etc.) as I thought that would be bad.

Nevertheless, the curuser cannot see this new olduser folder (which should be at the same level as Inbox, Junk Mail, etc.). I did manually add olduser to the curuser/Maildir/subscriptions file, but still nothing.

So, what did I do wrong and how do I fix it?

THX -- Mark
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
Brendan - yes, go ahead and send that doc directly to my email address. I've got Maildir folders going, but not nfs; and I'm curious about your load balance.

THX --Mark

-----Original Message-----
> Date: Mon, 04 Jul 2016 10:40:06 -0400
> From: Brendan Kearney <bpk...@gmail.com>
> To: dovecot@dovecot.org
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
>
> On 07/04/2016 03:30 AM, Mark Foley wrote:
> > Actually, I see that you used host.domain.name further down. That's a good
> > substitute for mail.hprs.local.
> >
> > Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your
> > "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":
> >
> > $ klist -Kek /etc/dovecot/dovecot.keytab
> > Keytab name: FILE:/etc/dovecot/dovecot.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
> >    1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
> >    1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833
> >
> > --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Mon, 04 Jul 2016 03:23:30 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
> >
> > On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> >>> http://wiki2.dovecot.org/Authentication/Kerberos
> >> It has been now updated.
> > Excellent! That was quick!
> >
> > Although, you used my actual local domain in your example: mail.hprs.local. Not that I care,
> > no one can get to that, but it might be clearer to those of us who uncomprehendingly
> > monkey-type things from wikis when we don't fully understand. Perhaps something more generic
> > would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that.
> > Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.
> >
> >> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> >> I have to set up some kind of test environment to find out why it bugs.
> > I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll
> > check back with the list to see if you've come up with anything.
> >
> >> Aki
> > Again, thanks for all your help.
> >
> > --Mark
> >
> > -----Original Message-----
> >> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
> >> To: dovecot@dovecot.org
> >> From: Aki Tuomi <aki.tu...@dovecot.fi>
> >> Organization: Dovecot Oy
> >> Date: Mon, 4 Jul 2016 08:54:27 +0300
> >> On 04.07.2016 07:44, Mark Foley wrote:
> >>> After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI
>
> >>> authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this
> >>> list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi;
> >>> and infinite thanks to Achim Gottinger on the SambaList for his patience in working this
> >>> through with me. Although my purpose was for Dovecot to authenticate mail clients, the
> >>> configuration settings needed were on the Samba side. I hope a variation of these instructions
> >>> can eventually make it into:
> >>>
> >>> http://wiki2.dovecot.org/Authentication/Kerberos
> >>>
> >>>
> >> It has been now updated.
> >>
> >> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> >> I have to set up some kind of test environment to find out why it bugs.
> >>
> >> Aki
> >>
> i have a document that i had written, recording each of the changes
> needed to each of the files to be modified, in order to have dovecot
> authenticate against kerberos and authorize against ldap. in addition,
> the use of nfs for maildir mailboxes and load balanced nuances are
> covered. the doc is in odt format (libre office writer), and i have
> attempted to post it to this mailing list, but it was quarantined.
>
> if there is any interest in the doc, reach out to me. i welcome input
> and feedback on it.
>
> brendan
>
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.

Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5) (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac) (0x9dae89a221dc374a39f560833

--Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 04 Jul 2016 03:23:30 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> It has been now updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wikis when we don't fully understand. Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.

> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll check back with the list to see if you've come up with anything.

> Aki

Again, thanks for all your help.

--Mark

-----Original Message-----
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 4 Jul 2016 08:54:27 +0300
>
> On 04.07.2016 07:44, Mark Foley wrote:
> > After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI
> > authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this
> > list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi;
> > and infinite thanks to Achim Gottinger on the SambaList for his patience in working this
> > through with me. Although my purpose was for Dovecot to authenticate mail clients, the
> > configuration settings needed were on the Samba side. I hope a variation of these instructions
> > can eventually make it into:
> >
> > http://wiki2.dovecot.org/Authentication/Kerberos
> >
> >
> It has been now updated.
>
> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.
>
> Aki
>
Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> > http://wiki2.dovecot.org/Authentication/Kerberos
> > It has been now updated.

Excellent! That was quick! Although, you used my actual local domain in your example: mail.hprs.local. Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wikis when we don't fully understand. Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.

> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll check back with the list to see if you've come up with anything.

> Aki

Again, thanks for all your help.

--Mark

-----Original Message-----
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 4 Jul 2016 08:54:27 +0300
>
> On 04.07.2016 07:44, Mark Foley wrote:
> > After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope a variation of these instructions can eventually make it into:
> >
> > http://wiki2.dovecot.org/Authentication/Kerberos
> >
>
> It has been now updated.
> > I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2. > I have to set up some kind of test environment to find out why it bugs. > > Aki >
Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]
After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey, especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me. Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side. I hope a variation of these instructions can eventually make it into:

http://wiki2.dovecot.org/Authentication/Kerberos

What is essentially missing from the wiki is how to set up the proper Service Principal Names and the subsequent creation of a Dovecot-usable kerberos keytab file. The wiki comment on "k5principals passdb" was not helpful and largely unintelligible to me.

Perhaps like many of you, I have switched from Microsoft SBS and Exchange to Samba4 and Dovecot/IMAP. The transition was completely transparent to my users, except they needed a separate password for email authentication in the absence of NTLM or GSSAPI working with Dovecot. A mild inconvenience, but I have been on a "quest" to fill that gap. This solution finally takes care of that last piece.

The following describes how to create the SPNs and krb5 keytab files using Samba4, which has its own built-in (Heimdal) kerberos. The procedures are probably similar for other facilities such as setspn for Windows, but I've not used those so I won't attempt to discuss those mechanisms here.

You do need kerberos as the Samba built-in kerberos does not have needed commands like `klist`. My distro (Slackware 14.1) does not come with kerberos (nor, I think, does Ubuntu), but it is easily found at:

https://slackbuilds.org/repository/14.1/network/krb5/

Ubuntu/Debian: apt-get install krb5-config libpam-krb5 krb5-user ssh-krb5 (perhaps more)

After provisioning Samba4, copy the krb5.conf template to /etc/krb5.conf. (Note: the actual docs advise symlinking:

ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

but I prefer making a copy in case I need to modify things). I've set the /etc/krb5.conf file to world readable. Its default contents are (and these do not need to be changed):

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

where HPRS.LOCAL is my realm, of course use your own.

Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):

$ samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

Next, add the SPN(s), and create the keytab:

$ samba-tool spn add imap/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal imap/mail.hprs.local /etc/dovecot/dovecot.keytab

Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to create another SPN for smtp:

$ samba-tool spn add smtp/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal smtp/mail.hprs.local /etc/dovecot/dovecot.keytab

Dovecot needs to be able to read the keytab file:

$ chgrp dovecot /etc/dovecot/dovecot.keytab
$ chmod g+r /etc/dovecot/dovecot.keytab

my new keytab:

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)

(and if I also created the spn for smtp I would also have these:)

   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc) (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5) (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac) (0x9dae89a221dc374a39f560833352f60f)

DOVECOT SETTINGS:

My version: 2.2.15

Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings. In the dovecot build directory:

./configure --with-gssapi=yes

Other than that serious build gotcha, settings are pretty simple. Add the following 3 settings to 10-auth.conf:

auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi

The auth_gssapi_hostname is supposedly not required according to some of the above-listed commenters, but my 10-auth.conf template implies differently, so it can't hurt.

gssapi does not require a passdb. Use whatever userdb you want. The dovecot wiki doc has some suggestions, none of which I've tried. I use the 'driver = passwd' for my userdb for unrelated reasons.

I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that just may have been me not stopping/starting Samba and Dovecot in the right sequence (or,
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - comments interspersed below ...

--Mark

-----Original Message-----
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Fri, 1 Jul 2016 10:10:43 +0300
>
> The distinction is that kerberos principals are in form
>
> service/hostname@REALM
>
> the hostname bit *must* match to the host you are connecting to, exactly and verbatim. It can differ in case, I guess.
>
> The service is what service you are connecting to. These have special meanings and can be case sensitive (like http won't always work, it has to be HTTP).

The current IMAP "Principal" in my keytab is:

imap/mail.hprs.local@HPRS.LOCAL

Explicitly, are you saying it needs to look like:

IMAP/mail@HPRS.LOCAL

Meaning, capitalized "IMAP" and just hostname, no FQDN?

> host/ is always needed in at least system keytab. Not sure if it's needed now in the service tab. But I suspect that you need to have IMAP and not imap. Also make sure and double-check that the hostname is correct.

Confused. What do you mean by "host/"? Can you give an example using my host and domain names? I don't know where "host/" goes. I assume this is not a synonym for "/"? This is the first I've heard of a system keytab versus a service tab. What are they? Do I need both?

> Once you've done the keytab you'll want to grab a cup of coffee and local newspaper or something and read it thru before trying, because it might take some time for it to work.

Really? I can reboot this evening.

> Also, your client *and* host needs to be able to access KDC (all of them) on 88/tcp.

There should be no problem with the intra-LAN firewall. Everything is permitted, but I'll double-check on the WIN7 workstation I'm testing from.

Is there a way to know for sure my dovecot is enabled for gssapi?
> Aki > > On 01.07.2016 09:42, Mark Foley wrote: > > My keytab now has: > > > > ktutil: read_kt /etc/dovecot/dovecot.keytab > > ktutil: list > > slot KVNO Principal > > > > - > >11 smtp/mail.hprs.local@HPRS.LOCAL > >21 imap/mail.hprs.local@HPRS.LOCAL > > > > I added these in ktutil with: > > > > addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac > > > > Aki wrote: > > > >> I think the problem still is that your keytab file has no entry > >> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN > >> you also have no host/hostname@DOMAIN > > Not sure how to interpret your template. Are you suggesting I should ... > > > > addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac > > addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac > > > > (one IMAP uppercase and one lowercase?) > > > > I don't get your distinction between host and hostname in your 3rd example: > > host/hostname@DOMAIN > > > > Meanwhile ... > > > > Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi > > is enabled in my > > dovecot. I did rebuild and reinstall using `./configure > > --with-gssapi=yes`, but if I only > > enable gssapi authentication, I get "No authenticators available" (mail > > client). How can I > > verify gssapi is really available? dovecot --build-options shows: > > > > Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192 > > Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail > > SQL drivers: > > Passdb: checkpassword passwd passwd-file shadow > > Userdb: checkpassword nss passwd prefetch passwd-file > > > > should I see authentication methods there? 
> > > > --Mark > > > > -Original Message- > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > > example] > > To: dovecot@dovecot.org > > From: Aki Tuomi <aki.tu...@dovecot.fi> > > Organization: Dovecot Oy > > Date: Thu, 30 Jun 2016 09:58:14 +0300 > > > > I think the problem still is that your keytab file has no entry > > imap/hostname@DOMAIN and IMAP/hostname@DOMAIN > > > > you also have no host/hostname@DOMAIN > > > > Aki > > > > On 29.06.2016 18:40, Mark Foley wrote: > >> Yes, I think that's exactly correct. I just made a similar reply to Edgar > >> Pettijohn about that. > >> The Thunderbird message is: > >> > >> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server > >> m
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
My keytab now has:

ktutil: read_kt /etc/dovecot/dovecot.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 smtp/mail.hprs.local@HPRS.LOCAL
   2    1 imap/mail.hprs.local@HPRS.LOCAL

I added these in ktutil with:

addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac

Aki wrote:
> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> you also have no host/hostname@DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac

(one IMAP uppercase and one lowercase?)

I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN

Meanwhile ...

Tried a bunch of things. No go so far. In fact, I'm questioning if gssapi is enabled in my dovecot. I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only enable gssapi authentication, I get "No authenticators available" (mail client). How can I verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

should I see authentication methods there?

--Mark

-----Original Message-----
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300

I think the problem still is that your keytab file has no entry imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that.
> The Thunderbird message is: > > "The Kerberos/GSSAPI ticket was not accepted by the IMAP server > m...@ohprs.org. Please check > that you are logged in to the Kerberos/GSSAPI realm." > > I made further comments in that message that I won't clutter the list by > repeating here. Check > out that message and see what you think could be wrong. > > Thanks for your help! I'm sure this is solvable! > > --Mark > > -Original Message- >> Date: Wed, 29 Jun 2016 08:03:14 -0400 >> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] >> From: brendan kearney <bpk...@gmail.com> >> To: Mark Foley <mfo...@ohprs.org> >> Cc: dovecot@dovecot.org >> >> The last log line shows "user=<>". This indicates no credentials were >> presented. If the rip field matches the client ip you tested from, I would >> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not >> pulled for the authentication. >> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote: > [deleted]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is: "The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm." I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong. Thanks for your help! I'm sure this is solvable! --Mark -Original Message- > Date: Wed, 29 Jun 2016 08:03:14 -0400 > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example] > From: brendan kearney <bpk...@gmail.com> > To: Mark Foley <mfo...@ohprs.org> > Cc: dovecot@dovecot.org > > The last log line shows "user=<>". This indicates no credentials were > presented. If the rip field matches the client ip you tested from, I would > bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not > pulled for the authentication. > On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote: [deleted]
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
> What does thunderbird tell you?

Good question. I saw Tbird's message after sending my last email. When Tbird starts I get a message box in the lower right saying:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

The interesting bit, to me, is that the IMAP server's hostname is not m...@ohprs.org. It should be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the kerberos config.

To further confuse. There *is* a WIN7 workstation 'mark' in the domain, though not the workstation from which this testing is being done (this workstation is named 'common') and host 'mark' is not reachable as m...@ohprs.org. Furthermore, the Thunderbird account/user for this testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly what's being confused).

Where is this m...@ohprs.org coming from? The Thunderbird Account Name is m...@ohprs.org, which is this user's email address. Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server m...@ohprs.org", or perhaps kerberos is not configured correctly. My /etc/krb5.conf is shown below. Any ideas on what might be wrong?
> >>> [libdefaults]
> >>> default_realm = HPRS.LOCAL
> >>> dns_lookup_realm = false
> >>> dns_lookup_kdc = true
> >>>
> >>> [libdefaults]
> >>> default_realm = HPRS.LOCAL
> >>> dns_lookup_kdc = true
> >>> kdc_timesync = 1
> >>> ccache_type = 4
> >>> forwardable = true
> >>> proxiable = true
> >>> fcc-mit-ticketflags = true
> >>>
> >>> [realms]
> >>> HPRS.LOCAL = {
> >>>     default_domain = hprs.local
> >>>     auth_to_local_names = {
> >>>         Administrator = root
> >>>     }
> >>> }
> >>>
> >>> [domain_realm]
> >>>     hprs.local = HPRS.LOCAL
> >>> # this is not a mistake
> >>>     .hprs.local = HPRS.LOCAL

Thanks, --Mark

-----Original Message-----
> From: Edgar Pettijohn <ed...@pettijohn-web.com>
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> Date: Tue, 28 Jun 2016 22:52:25 -0500
> To: Mark Foley <mfo...@ohprs.org>
>
> > On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
> >
> > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
> >
> > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host:
>
> What does thunderbird tell you?
> > > > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be > > used for ECDH and ECDHE key exchanges > > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be > > used for ECDH and ECDHE key exchanges > > Jun 28 22:44:05 auth: Debug: Loading modules from directory: > > /usr/local/lib/dovecot/auth > > Jun 28 22:44:05 auth: Debug: Read auth token secret from > > /usr/local/var/run/dovecot/auth-token-secret.dat > > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076) > > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept > > initialization [192.168.0.58] > > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept > > initialization [192.168.0.58] > > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read > > client hello A [192.168.0.58] > > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read > > client hello A [192.168.0.58] > > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > > server hello A [192.168.0.58] > > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > > certificate A [192.168.0.58] > > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write > > key exchange A [192.168.0.58] >
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=

Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous messages below.

Closer!

--Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot@dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious related to gssapi)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > --SNIP
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [libdefaults]
> > default_realm =
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, you wrote:
> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this. I am on version 2.2.15 and I see that the current downloadable version is 2.2.24. Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious related to gssapi)

--Mark

-----Original Message-----
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> >
> > Aki - made your suggested changes, but no joy :(
> >
> > My /etc/krb5.conf:
> >
> > --SNIP
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > [libdefaults]
> > default_realm = HPRS.LOCAL
> > dns_lookup_kdc = true
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > HPRS.LOCAL = {
> >     default_domain = hprs.local
> >     auth_to_local_names = {
> >         Administrator = root
> >     }
> > }
> >
> > [domain_realm]
> >     hprs.local = HPRS.LOCAL
> > # this is not a mistake
> >     .hprs.local = HPRS.LOCAL
> > --PINS---
> >
> > you wrote:
> > > You can remove the krb4_ stuff
> >
> > I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. Question on [realms] Administrator: should that really be root or should it be my AD Administrator?
> > > > my doveconf -n is exactly the same as posted below, but in particular: > > > > auth_krb5_keytab = /etc/krb5.keytab > > auth_mechanisms = plain login gssapi > > > > When I reloaded dovecot no mail was delivered to anyone (even though > > everyone was still using > > plain/ssl, no one yet configured for gssapi). > > > > In /var/log/maillog I got (repeatedly): > > > > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not > > responding, delayed sending initial response (greeting): user=<>, > > rip=192.168.0.54, lip=192.168.0.2, session= > > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism > > 'gssapi' > > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup > > failed, throttling for 60 secs > > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not > > responding, delayed sending initial response (greeting): user=<>, > > rip=166.170.27.161, lip=98.102.63.107, TLS, session= > > > > This looks pretty bad right off. Why "Unknown authentication mechanism > > 'gssapi'"? > > > > Do you have any idea from the configs I've posted? I'm rather depressed > > about this. I thought I'd > > finally able to get AD authentication going for Dovecot. Not ready to give > > up though! > > > > Suggestions? > > > > THX -- Mark > > > > -original Message- > > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config > > > example] > > > To: dovecot@dovecot.org > > > From: Aki Tuomi <aki.tu...@dovecot.fi> > > > Date: Tue, 28 Jun 2016 15:13:11 +0300 > > > > > > On 28.06.2016 09:27, Mark Foley wrote: > > > > Aki, > > > > > > > > To review your 5 points: > > > > > > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> > > > > wrote: > > > > > > > >> 1. Functional AD or Kerberos environment > > > >> 2. Time synced against your KDC (which is your Domain Controller on > > > >> Windows) > > > >> 3. /etc/krb5.conf configured > > > >> 4. 
Both forward / reverse DNS names correct for clients and servers. > > > >> Reverse is only mandatory for servers, but having them right will work > > > >> wonders. Most kerberos problems are about DNS problems. > > > >> 5. You need a keytab. This keytab needs to hold entries like > > > >> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

--SNIP
[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_kdc = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true

[realms]
HPRS.LOCAL = {
    default_domain = hprs.local
    auth_to_local_names = {
        Administrator = root
    }
}

[domain_realm]
    hprs.local = HPRS.LOCAL
# this is not a mistake
    .hprs.local = HPRS.LOCAL
--PINS---

you wrote:
> You can remove the krb4_ stuff

I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] section altogether. Question on [realms] Administrator: should that really be root or should it be my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone was still using plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=192.168.0.54, lip=192.168.0.2, session=
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=166.170.27.161, lip=98.102.63.107, TLS, session=

This looks pretty bad right off. Why "Unknown authentication mechanism 'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about this. I thought I'd finally be able to get AD authentication going for Dovecot. Not ready to give up though!

Suggestions?
THX -- Mark

-original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers. Reverse is only mandatory for servers, but having them right will work wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate these on any Windows DC server (at least).
> >
> > I believe I am good on 1, 2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > --
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >   18 COMMON$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 MAIL$@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >    1 charmaine@HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> >
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by s
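A check for the keytab problem Aki points at in the quoted reply (a keytab full of machine and user principals but no service principals), written as an added example that is not part of the thread: it parses a `klist -k` listing and reports whether the `imap/<host>@<REALM>` entry a GSSAPI-enabled IMAP server needs is there. The listing, host name and realm below are constructed; they only mirror the shape of the one Mark posted.

```python
"""Audit a `klist -k` listing for the service principals a GSSAPI IMAP
server needs. Added example: the listing below is constructed to mirror
the shape of the one quoted in the thread, not copied from it."""
import re
from typing import Dict, List, NamedTuple


class Principal(NamedTuple):
    kvno: int
    name: str   # e.g. "imap/mail.example.local@EXAMPLE.LOCAL"


# Constructed sample output of `klist -k /etc/krb5.keytab`: machine
# accounts (trailing '$') and a user, but no service principals.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@EXAMPLE.LOCAL
  18 COMMON$@EXAMPLE.LOCAL
   1 MAIL$@EXAMPLE.LOCAL
   1 charmaine@EXAMPLE.LOCAL
"""

# "<kvno> <principal>" with an optional "(enctype)" suffix as printed by `klist -ke`.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)(?:\s+\(.*\))?\s*$")


def parse_klist(text: str) -> List[Principal]:
    """Keep only the KVNO/principal rows; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Principal(int(m.group(1)), m.group(2)))
    return entries


def classify(p: Principal) -> str:
    """service (primary has a '/'), machine (ends in '$') or user principal."""
    primary = p.name.split("@", 1)[0]
    if "/" in primary:
        return "service"
    if primary.endswith("$"):
        return "machine"
    return "user"


def check_keytab(text: str, host: str, realm: str,
                 services=("imap",)) -> Dict[str, List[str]]:
    """Report each required service principal as present, missing, or present
    only with different letter case (libkrb5 matches keytab entries exactly,
    so IMAP/... does not satisfy a lookup for imap/...)."""
    names = {p.name for p in parse_klist(text)}
    by_lower = {n.lower(): n for n in names}
    report: Dict[str, List[str]] = {"present": [], "missing": [], "case_mismatch": []}
    for svc in services:
        want = f"{svc}/{host.lower()}@{realm}"
        if want in names:
            report["present"].append(want)
        elif want.lower() in by_lower:
            report["case_mismatch"].append(by_lower[want.lower()])
        else:
            report["missing"].append(want)
    return report


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for kind in ("machine", "user", "service"):
        print(f"{kind:8s} principals: {sum(1 for p in entries if classify(p) == kind)}")
    print(check_keytab(SAMPLE_KLIST, "mail.example.local", "EXAMPLE.LOCAL"))
```

On a real host you would feed it the output of `klist -k /etc/krb5.keytab` and pass the IMAP server's FQDN and realm; the `services` tuple can be widened to `("imap", "smtp")` when the same keytab also serves SMTP AUTH.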
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi wrote:
> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1, 2 and 4. I downloaded and installed kerberos and tested it with kinit and klist according to the instructions at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file. I made this owned and readable by group dovecot, per instructions at http://wiki2.dovecot.org/Authentication/Kerberos. Running `klist -k /etc/krb5.keytab` shows me configuration listing all the users and computers in the domain, mostly in triplicate. A partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really understand the listing, but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?

As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help.
You have (with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in there?

> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
> default_domain = your.domain.name
> auth_to_local_names = {
> Administrator = root
> }
> }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my FQDN for my AD server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
> your.domain.name = YOUR.REALM
> # this is not a mistake
> .your.domain.name = YOUR.REALM
> [login]
> krb4_convert = true
> krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert =
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
aki.tu...@dovecot.fi wrote:
> As mentioned before, you can use ldap as userdb instead of static userdb.
> Username matching in AD environment should be done against userPrincipalName
> attribute.

Do you see any problem with my continuing to use:

userdb {
driver = passwd
}

... with gssapi? (providing I get other configs correct)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 12:02 AM Jan Jurkus wrote:
> >
> >
> > Hi,
> >
> > I'm not entirely happy with the static userdb, because of the
> > limitations with kerberos/pam, but this can of course be changed rather
> > easily. The hardest part is to get the SSO working.
> > One of the limitations is stated here:
> > http://wiki.dovecot.org/UserDatabase/Static
> >
> > Postfix SMTP auth is using LMTP, reading from my notes.
> >
> > I hope you can get a clearer picture with this rather long and chaotic
> > reply.
> >
>
> As mentioned before, you can use ldap as userdb instead of static userdb.
> Username matching in AD environment should be done against userPrincipalName
> attribute.
>
> This should let you get rid of pam as well.
>
> ---
> Aki Tuomi
> Dovecot oy
>
> > --
> > Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> > Postbus 12, 3220 AA Hellevoetsluis
> > Daltonweg 9, 3225 LR Hellevoetsluis
> > tel: 0181-336955 | fax: 0181-311899
> > j.jur...@gcecad-service.nl | www.gcecad-service.nl
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Jan, thanks for your helpful reply. You wrote:

> With Dovecot I got the SSO working with Kerberos, and this part is
> working great. Other parts (shared mailboxes, that sort of stuff) aren't
> working for me yet. ...

I'm the opposite. My mailbox setup has been working great for a year and a half, though I've not bothered with shared mailboxes yet.

I've attempted to follow your instructions, but still having problems. First, my errors:

Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=

Now, your instructions:

> One of the tricky bits is you need a kerberos keytab with two services.
> I used ktutil:
> # ktutil
> ktutil: read_kt mail-imap.keytab
> ktutil: read_kt mail-smtp.keytab
> ktutil: write_kt mail.keytab
> ktutil: quit
>
> I'm using a windows 2003 r2 server as domain controller, to create a
> keytab file you need the windows 2003 support tools.
>
> ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt mail-smtp.keytab" returned:

No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not have a ktpass command. I therefore do not have these files. I suppose that could be part of my problem. Can you share the actual contents of these files? I could create them by hand. Does Dovecot and/or kerberos know where to look for these?

> On the dovecot server I had to install a kerberos package:

Likewise, I installed kerberos for slackware. It tested OK. I was able to do a kinit and klist per the instruction at https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log

I added the [logging] section. Of note, these log files do not exist after multiple attempts with my gssapi connection. Probably a bad sign.

> [libdefaults]
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = GCECAD-SERVICE.LOCAL
> default_keytab_file = /etc/krb5.keytab
> default_ccache_name = KEYRING:persistent:%{uid}
> allow_weak_crypto = true
> default_tkt_enctypes = arcfour-hmac-md5
> default_tgs_enctypes = arcfour-hmac-md5
> permitted_enctypes = arcfour-hmac-md5

I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL

> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> krb4_convert = false
> }

I also added this [appdefaults] section.

>
> [realms]
> GCECAD-SERVICE.LOCAL = {
> kdc = this.is.the.dns.name.of.your.kdc
> admin_server = this.is.the.dns.name.of.your.kdc
> }

I tried with and without this section. Not sure what this.is.the.dns.name.of.your.kdc is supposed to be. I changed mine to the domain FQDN of the server:

[realms]
HPRS.LOCAL = {
kdc = mail.hprs.local
admin_server = mail.hprs.local
}

>
> [domain_realm]
> .gcecad-service.local = GCECAD-SERVICE.LOCAL
> gcecad-service.local = GCECAD-SERVICE.LOCAL
> .gcecad-service.nl = GCECAD-SERVICE.LOCAL
> gcecad-service.nl = GCECAD-SERVICE.LOCAL
>

I also tried with and without this section. Again, not sure what should go there. I tried:

[domain_realm]
.hprs.local = HPRS.LOCAL
hprs.local = HPRS.LOCAL
.hprs.nl = HPRS.LOCAL
hprs.nl = HPRS.LOCAL

I'm a bit skeptical on the above as .nl is your public top level domain. In fact, after adding these sections I got no error logged in dovecot_log, but did get a message pop up on Thunderbird saying, "Could not connect to mail server m...@ohprs.org; the connection was refused."

> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi

I added those.

> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
> driver =
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Aki, again, thanks A LOT for your reply. Concerning your checklist:

> 1. Functional AD or Kerberos environment

Check!

> 2. Time synced against your KDC (which is your Domain Controller on Windows)

Check! (needed for AD/DC anyway)

> 3. /etc/krb5.conf configured

NO

> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.

Check!

> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

NO

So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 uses Heimdal Kerberos and when I provisioned my domain apparently none of these needed kerberos files were set up. I can, however, kerberos authenticate from domain workstations both WIN7 and Linux. I will (and have already) contacted the Samba list to see what needs to be done. I'll post back what I find. Maybe I can finally get to the bottom of this problem.

Thanks again -- Mark

-Original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 27 Jun 2016 09:18:54 +0300
>
> On 27.06.2016 07:31, Mark Foley wrote:
> > Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying you've not actually tried NTLM yourself, right? I've never gotten a response from someone saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.
> >
> > That's OK, I'd be glad to try something different that would work!!! I am trying your advice for gssapi. I've followed the instructions at http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the auth_mechanism line to:
> >
> > auth_mechanisms = plain login gssapi
> >
> > Which is only different from before with the addition of "gssapi". That's all I've done. I'm using the same userdb as before which is /etc/passwd. My doveconf -n is:
> >
> > --SNIP
> >> doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> > driver = shadow
> > }
> > protocols = imap
> > ssl_cert =
> > ssl_key =
> > userdb {
> > driver = passwd
> > }
> > verbose_ssl = yes
> > PINS-
> >
> > I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a Slackware 14.1 AD/DC. I selected "Kerberos/GSSAPI" as the authentication method on Tbird. When trying the connection I got the following in my Dovecot log:
> >
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.99, lip=98.102.63.107, session=
> >
> > So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file needed? If so, I've got a message in to the Samba4 folks asking where it is located.
> >
> > I'm also using Dovecot 2.2.15. Too old?
> >
> > Do you think auth_krb5_keytab is my problem or something deeper?
> >
> > THX --Mark
> >
>
> You need to set up keytab. I'll assume you know nothing about kerberos, so please if you already knew all this, sorry.
>
> For kerberos to work PROPERLY you nee
Re: Looking for NTLM config example
While continuing to test gssapi, I thought I'd check out your suggestion on NTLM v1. I did set Thunderbird to NTLM v1 and modified the Dovecot config:

auth_debug_passwords = yes
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , rip=192.168.0.54, lip=192.168.0.2, session=
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 8 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges

This looks quite similar to the output I got with the gssapi test. It seems there is nothing I can do to get AD authentication working with Dovecot. Do you (or anyone) have any ideas? What does "disconnected before auth was ready" mean?

Has anyone on Planet Earth actually used either NTLM or GSSAPI successfully with Dovecot? Please speak up! Let me know you exist!

--Mark

-Original Message-
> Date: Sun, 26 Jun 2016 15:08:03 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org, Mark Foley <mfo...@ohprs.org>
> Subject: Re: Looking for NTLM config example
>
> Also it seems we lack support for NTLMv2. If you want to use NTLM you need to permit use of NTLM(v1), which is usually not enabled by default.
>
> Aki
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfo...@ohprs.org> wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work.
> >
> > Thanks, --Mark
> >
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AD/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email!
> > >
> > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM authentication submethods are, tells you what password schemes are, tells you what the NTLM client/server handshake is, but doesn't actually tell you how to configure dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly for well over a year now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > >
Re: Looking for GSSAPI config [was: Looking for NTLM config example]
Thanks for the reply. When you say it [NTLM] "should" work, I understand you to be implying you've not actually tried NTLM yourself, right? I've never gotten a response from someone saying they have or are actually using it. Your subsequent messages about NTLM v[1|2] may be the problem, but email clients I've tried (Outlook, Thunderbird) don't really give a choice.

That's OK, I'd be glad to try something different that would work!!! I am trying your advice for gssapi. I've followed the instructions at http://wiki2.dovecot.org/Authentication/Kerberos. In my 10-auth.conf I changed the auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi". That's all I've done. I'm using the same userdb as before which is /etc/passwd. My doveconf -n is:

--SNIP
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = , rip=192.168.0.99, lip=98.102.63.107, session=

So, any idea why this is not working? I'll say up-front that I do not have the auth_krb5_keytab configured in 10-auth.conf. I could find no such file on the host running Dovecot. Is that file needed? If so, I've got a message in to the Samba4 folks asking where it is located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-Original Message-
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use gssapi instead.
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfo...@ohprs.org> wrote:
> >
> >
> > I've asked this several times over the past year with essentially zero responses. I'll keep it simple:
> >
> > Does NTLM authentication work in Dovecot?
> >
> > I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work.
> >
> > Thanks, --Mark
> >
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> >
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AD/DC.
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email!
> > >
> > > But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM authentication submethods are, tells you what password schemes are, tells you what the NTLM client/server handshake is, but doesn't actually tell you how to configure dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means.
> > >
> > > Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly for well over a year now
Re: Looking for NTLM config example
I've asked this several times over the past year with essentially zero responses. I'll keep it simple:

Does NTLM authentication work in Dovecot?

I'll post this one last time. If I still have no responses I'll have to conclude that no one has actually tried this authentication method and it therefore does not work.

Thanks, --Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Fri, 22 Apr 2016 02:07:24 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Looking for NTLM config example

> Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AD/DC.
>
> With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email!
>
> But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme".
>
> The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM authentication submethods are, tells you what password schemes are, tells you what the NTLM client/server handshake is, but doesn't actually tell you how to configure dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means.
>
> Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM and any other supporting settings or configs I need?
>
> My current/working dovecot settings, which have been running perfectly for well over a year now, are:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
> driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
> driver = passwd
> }
> verbose_ssl = yes
>
>
> Here's what I've tried so far as 10-auth.conf:
>
> disable_plaintext_auth = no
> auth_use_winbind = yes
> info_log_path = /var/log/dovecot_info
> auth_verbose = yes
> auth_debug_passwords = yes
> auth_verbose_passwords= plain
> auth_winbind_helper_path = /usr/bin/ntlm_auth
>
> auth_mechanisms = ntlm plain login
>
> userdb {
> driver = passwd
> args = username_format=%n allow_all_users=yes
>
> }
>
>
> Which gives me a dovecot -n of:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = ntlm plain login
> auth_use_winbind = yes
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
> args = username_format=%n allow_all_users=yes
> driver = passwd
> }
> verbose_ssl = yes
>
>
> I configured Thunderbird for NTLM authentication, then tried sending a message. I got the following in /var/log/dovecot_info:
>
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=
>
>
> On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP) my.server.name does not support the selected authentication method. Please change the 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
>
> Clearly, something is configured wrong, but I've no clue what.
Looking for NTLM config example
Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd like to take another run at setting up NTLM authentication from Thunderbird to my Samba4 AD/DC.

With the help of the samba maillist folks I was able to set up NTLM authentication for domain user login. I should be able to do the same for email!

But, I need help. I went to http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got lost immediately. Are "authentication submethods" synonymous with "password schemes"? The 7th line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", but in the referenced link I found no reference to "NTLM password scheme".

The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 NTLM authentication submethods are, tells you what password schemes are, tells you what the NTLM client/server handshake is, but doesn't actually tell you how to configure dovecot config files. I'm much more interested in the "how to" than in: "NTLMv2: server and client nonce, MITM can't force downgrade" ... whatever that means.

Anyway, probably it's my lack of understanding terminology. I don't even know what a "nonce" is. But, I learn well from examples! Can someone please give me a sample 10-auth.conf for NTLM and any other supporting settings or configs I need?

My current/working dovecot settings, which have been running perfectly for well over a year now, are:

$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
protocols = imap
ssl_cert = , rip=192.168.0.58, lip=98.102.63.107, session=

On Thunderbird I got the error, "Sending of the message failed. The Outgoing server (SMTP) my.server.name does not support the selected authentication method. Please change the 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."

Clearly, something is configured wrong, but I've no clue what. Can I get some advice?

THX --Mark
Interpreting keywords
I've marked several messages in Thunderbird using tags. Tags used are:

0 Important
1 Work
2 To Do
3 Personal
4 Later

The messages so tagged appear to have the flag fields set in the IMAP Maildir:

cur/1449002162.8993_0.mail:2,Sb
cur/1449001929.28087_0.mail:2,Sad

I've looked in dovecot-keywords and find:

$ more dovecot-keywords
0 $label1
1 $label2
2 $label3
3 $label4

I assume these "$label" values are macros that possibly refer to "Important", "Work", etc., but where are these $label's defined? Are they defined in the dovecot configs somewhere or does the mail client just "know" what these correspond to?

--Mark
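The two filenames in the post decode mechanically once you know the layout of the part after `:2,`: uppercase letters are the standard Maildir flags (S = Seen, F = Flagged, R = Replied, T = Trashed, D = Draft, P = Passed), and each lowercase letter is an index into dovecot-keywords (`a` is keyword 0, `b` is keyword 1, and so on), which is why `Sb` pairs with `$label2` and `Sad` with `$label1` and `$label4`. The keyword names themselves (`$label1` etc.) are whatever the client asked the server to store; Dovecot only records them. The decoder below is an added example, not Dovecot code; the dovecot-keywords contents and the filenames are constructed to match the ones in the post.

```python
"""Decode the flag/keyword section of a Dovecot Maildir filename.
Added example; the dovecot-keywords table and filenames are constructed
to mirror the post above."""
from typing import Dict, List, NamedTuple

# Standard Maildir info flags (uppercase) and the IMAP flag each one maps to.
STANDARD_FLAGS = {
    "D": "\\Draft", "F": "\\Flagged", "P": "Passed",
    "R": "\\Answered", "S": "\\Seen", "T": "\\Deleted",
}

# Constructed copy of a dovecot-keywords file: "<index> <keyword>" per line.
DOVECOT_KEYWORDS = """\
0 $label1
1 $label2
2 $label3
3 $label4
"""


class MaildirInfo(NamedTuple):
    base: str            # unique part of the filename (before ':2,')
    flags: List[str]     # IMAP system flags
    keywords: List[str]  # keyword names resolved through dovecot-keywords
    unknown: List[str]   # characters that are neither flag nor keyword


def parse_keywords_file(text: str) -> Dict[int, str]:
    """Read dovecot-keywords into {index: keyword}."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            idx, name = line.split(None, 1)
            table[int(idx)] = name
    return table


def parse_maildir_name(filename: str, keywords: Dict[int, str]) -> MaildirInfo:
    """Split 'base:2,<flags>'; lowercase a..z are keyword indices 0..25."""
    base, sep, info = filename.partition(":")
    flags: List[str] = []
    kws: List[str] = []
    unknown: List[str] = []
    if sep and info.startswith("2,"):          # "2," is the only defined info version
        for ch in info[2:]:
            if ch in STANDARD_FLAGS:
                flags.append(STANDARD_FLAGS[ch])
            elif "a" <= ch <= "z":
                idx = ord(ch) - ord("a")
                kws.append(keywords.get(idx, f"<undefined keyword {idx}>"))
            else:
                unknown.append(ch)
    return MaildirInfo(base, flags, kws, unknown)


if __name__ == "__main__":
    table = parse_keywords_file(DOVECOT_KEYWORDS)
    for name in ("1449002162.8993_0.mail:2,Sb", "1449001929.28087_0.mail:2,Sad"):
        print(name, "->", parse_maildir_name(name, table))
```

A letter whose index is not in dovecot-keywords is reported as undefined rather than dropped, which is the case to look for after restoring a mailbox from backup without its dovecot-keywords file.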
Re: How to Restore emails
On Fri, 13 Nov 2015 09:08:55 CET Steffen Kaiser wrote: > a problem will arise, if Dovecot indexes the directory when the file is > not fully restorred, hence, changes later. > > Therefore, either prevent any access in Dovecot (deliver and retrieval) or > use Heiko's approach, because mv is atomic on the same filesystem (rename > instead of copy). I did shut down Dovecot before restoring the files. > The next problem comes with duplicates, because Maildir saves flags, > keywords and status in the filename. Good point. I was only restoring the ".Deleted Items" mail folder and sub-folder, so I wasn't too concerned with the flags since they shouldn't really be changing much for deleted messages. Still, you are right, it is possible that the user could have altered the flags on some of his deleted messages (since he's keeping these around for months essentially as another email archive). I did a tar restore of that mail folder with the end-of-October full backup, and again with the incremental backup from the previous day. The user reported all message were restored OK. If he had changed flags he'd certainly end up with duplicates. Next time I will restore to a temp directory and check the flags and not restore files with the same name but different flags. --Mark -Original Message- > Date: Fri, 13 Nov 2015 09:08:55 +0100 (CET) > From: Steffen Kaiser <skdove...@smail.inf.fh-brs.de> > To: Mark Foley <mfo...@ohprs.org> > Subject: Re: How to Restore emails > Cc: dovecot@dovecot.org > > On Thu, 12 Nov 2015, Mark Foley wrote: > > >> About the 'cur' I'd not be too sure. > > > > Well, I'm just restoring to .Deleted Items, so it shouldn't be a problem. > > The tar restore > > should preserve names, permission, etc. I'll backup the current Maildir, > > the try the restore > > and see what happens. I'll report back. > > a problem will arise, if Dovecot indexes the directory when the file is > not fully restorred, hence, changes later. 
>
> Therefore, either prevent any access in Dovecot (deliver and retrieval) or
> use Heiko's approach, because mv is atomic on the same filesystem (rename
> instead of copy).
>
> The next problem comes with duplicates, because Maildir saves flags,
> keywords and status in the filename.
>
> I, therefore, copy a backup to another subdir, say "tmp2", then run fdupes
> (or similar program) over cur, new and tmp2 to find duplicates, delete
> them in tmp2, and finally "mv -i " (you never know ;-) ) the remaining
> files from tmp2 to cur or new.
>
> > -Original Message-
> >> Date: Thu, 12 Nov 2015 23:36:52 +0100
> >> From: Heiko Schlittermann <h...@schlittermann.de>
> >> To: dovecot@dovecot.org
> >> Subject: Re: How to Restore emails
> >>
> >> Hi,
> >>
> >> Mark Foley <mfo...@ohprs.org> (Thu 12 Nov 2015 23:31:39 CET):
> >>> According to a message to this list from Oli Schacher,
> >>> http://www.dovecot.org/list/dovecot/2011-June/059493.html, all I need to
> >>> do is copy the deleted
> >>> emails to their original folder and dovecot will take care of it:
> >>>
> >> ???
> >>>> exactly, just copy the mail from your backup back into the users
> >>>> maildir (usually into 'cur'). Make sure the permissions of the restored
> >>>> file are correct. No need to synchronize anything, dovecot automatically
> >>>> detects the added message.
> >>
> >> About the 'cur' I'd not be too sure. If you *mv* the files there from a
> >> directory on the same filesystem, you should be fine, but if you copy the
> >> files, I'd be careful. Probably you want to mimic the maildir behaviour:
> >>
> >> copy the files to tmp/
> >> mv the files to cur/ (not sure, if new/ would be fine too,
> >> because new/ is the natural place after
> >> tmp/. I'm not sure, what this does to the
> >> message state the client sees.)
> >>
> >> Best regards from Dresden/Germany
> >> Kind regards from Dresden
> >> Heiko Schlittermann
> >> --
> >> SCHLITTERMANN.de internet & unix support -
> >> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> >> gnupg encrypted messages are welcome --- key ID: F69376CE -
> >> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
> >
> >
> - --
> Steffen Kaiser
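Added example, not code from any of the posters: a restore helper that does what the thread converges on. Because Maildir keeps flags in the filename after ":2,", a backup copy of a message whose flags changed after the backup has a different name from the live copy, and a plain tar restore would create a duplicate. The helper compares base names against the live cur/ and new/ directories, stages only missing messages in tmp/ and renames them into cur/ (rename is atomic on one filesystem, so Dovecot never indexes a half-written file). All paths and filenames below are constructed for the demonstration; Dovecot should be stopped or the mailbox idle while a real restore runs.

```python
"""Restore messages into a Maildir without creating flag-variant duplicates."""
import os
import shutil
import tempfile


def base_name(filename):
    """The unique part of a Maildir name, without the ':2,FLAGS' suffix."""
    return filename.partition(":2,")[0]


def plan_restore(live_names, backup_names):
    """Classify backup files against the live mailbox.

    Returns a dict with three lists:
      'restore'      - not present in the live mailbox at all
      'identical'    - present with the same name and flags; nothing to do
      'flags_differ' - (backup_name, live_name) pairs where only the flags
                       differ; skipped, because the live copy carries the
                       newer flag state and restoring would duplicate it
    """
    live_by_base = {base_name(n): n for n in live_names}
    plan = {"restore": [], "identical": [], "flags_differ": []}
    for name in backup_names:
        live = live_by_base.get(base_name(name))
        if live is None:
            plan["restore"].append(name)
        elif live == name:
            plan["identical"].append(name)
        else:
            plan["flags_differ"].append((name, live))
    return plan


def restore_maildir(backup_dir, maildir):
    """Restore missing messages from backup_dir into maildir/cur via tmp/.

    Returns the plan so the caller can log what was skipped and why.
    """
    cur_dir = os.path.join(maildir, "cur")
    new_dir = os.path.join(maildir, "new")
    tmp_dir = os.path.join(maildir, "tmp")
    live = set(os.listdir(cur_dir)) | set(os.listdir(new_dir))
    plan = plan_restore(live, sorted(os.listdir(backup_dir)))
    for name in plan["restore"]:
        staged = os.path.join(tmp_dir, name)
        # copy2 keeps the mtime, which Dovecot uses as the received date
        shutil.copy2(os.path.join(backup_dir, name), staged)
        # rename within one filesystem is atomic: the file appears in cur/
        # complete or not at all
        os.rename(staged, os.path.join(cur_dir, name))
    return plan


def demo_restore():
    """Run the restore on a constructed Maildir in a temporary directory.

    Returns (plan, names now in cur/, names left in tmp/).
    """
    root = tempfile.mkdtemp()
    maildir = os.path.join(root, "Maildir")
    backup = os.path.join(root, "backup")
    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(maildir, sub))
    os.makedirs(backup)
    # live mailbox: first message unchanged since backup, second re-flagged
    for name in ("1449002162.8993_0.mail:2,S", "1449001929.28087_0.mail:2,FS"):
        with open(os.path.join(maildir, "cur", name), "w") as f:
            f.write("live copy\n")
    # backup: same two messages as they were, plus one the user deleted
    for name in ("1449002162.8993_0.mail:2,S", "1449001929.28087_0.mail:2,S",
                 "1449003000.1_0.mail:2,S"):
        with open(os.path.join(backup, name), "w") as f:
            f.write("backup copy\n")
    plan = restore_maildir(backup, maildir)
    cur_now = sorted(os.listdir(os.path.join(maildir, "cur")))
    tmp_left = os.listdir(os.path.join(maildir, "tmp"))
    shutil.rmtree(root)
    return plan, cur_now, tmp_left


if __name__ == "__main__":
    print(demo_restore())
```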
How to Restore emails
I have a user who accidentally deleted a large number of emails prior to a certain date. He wants them back. I do have a tarfile backup of these messages. Is there a good way to restore them? Can I simply restore them to the appropriate Maildir directory and dovecot will just "figure it out"? Thanks, --Mark
Re: How to Restore emails
According to a message to this list from Oli Schacher, http://www.dovecot.org/list/dovecot/2011-June/059493.html, all I need to do is copy the deleted emails to their original folder and dovecot will take care of it:

On Tue Jun 7 08:43:54 EEST 2011 Oli Schacher wrote:
>> OK, but if I want to restore a particular mail from backups, what're
>> the steps involved? What I mean is do I just copy and paste that mail
>> file from backups to the user account maildir folder and what program
>> should I run to synchronize it.
>
>
> exactly, just copy the mail from your backup back into the users
> maildir (usually into 'cur'). Make sure the permissions of the restored
> file are correct. No need to synchronize anything, dovecot automatically
> detects the added message.

Unless someone out there advises me against doing this, I'm going to try it. I've also seen `doveadm import` as a possible suggestion, though if a simple copy works I don't see why anyone would use `doveadm import`.

--Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 12 Nov 2015 17:13:50 -0500
To: dovecot@dovecot.org
Subject: How to Restore emails

I have a user who accidentally deleted a large number of emails prior to a certain date. He wants them back. I do have a tarfile backup of these messages. Is there a good way to restore them? Can I simply restore them to the appropriate Maildir directory and dovecot will just "figure it out"? Thanks, --Mark
Re: How to Restore emails
Thanks for the reply Heiko

> About the 'cur' I'd not be too sure.

Well, I'm just restoring to .Deleted Items, so it shouldn't be a problem. The tar restore should preserve names, permission, etc. I'll backup the current Maildir, then try the restore and see what happens. I'll report back.

--Mark

-Original Message-
> Date: Thu, 12 Nov 2015 23:36:52 +0100
> From: Heiko Schlittermann <h...@schlittermann.de>
> To: dovecot@dovecot.org
> Subject: Re: How to Restore emails
>
> Hi,
>
> Mark Foley <mfo...@ohprs.org> (Thu 12 Nov 2015 23:31:39 CET):
> > According to a message to this list from Oli Schacher,
> > http://www.dovecot.org/list/dovecot/2011-June/059493.html, all I need to do
> > is copy the deleted
> > emails to their original folder and dovecot will take care of it:
> >
> ???
> > > exactly, just copy the mail from your backup back into the users
> > > maildir (usually into 'cur'). Make sure the permissions of the restored
> > > file are correct. No need to synchronize anything, dovecot automatically
> > > detects the added message.
>
> About the 'cur' I'd not be too sure. If you *mv* the files there from a
> directory on the same filesystem, you should be fine, but if you copy the
> files, I'd be careful. Probably you want to mimic the maildir behaviour:
>
> copy the files to tmp/
> mv the files to cur/ (not sure, if new/ would be fine too,
> because new/ is the natural place after
> tmp/. I'm not sure, what this does to the
> message state the client sees.)
>
> Best regards from Dresden/Germany
> Kind regards from Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -
MAPI Properties?
I'm using Dovecot/IMAP on Linux and Outlook clients on WIN7 workstations. Mail on Linux is stored in Maildir format. I'm searching for where Outlook keeps its information on color categories in IMAP. According to Diane Poremsky at slipstick.com, "Outlook stores it in the mapi properties of each message. If you use MFCMAPI to view the messages, you'll see the properties." MAPI is a Windows thing and the recommended MFCMAPI is for viewing these properties in Exchange. Not what I can use. Outlook must be storing these properties somewhere in the Dovecot/IMAP system as color categories can be set from Outlook. Can someone tell me where to look for these properties? THX - Mark
Re: How to "Windows Authenticate"
Love your "ASCII Ribbon Campaign" signature! I still use mailx myself.

I'll have to check out that "access denied" message for the email to mfo...@ohprs.org. I haven't seen that before. FreeBSD.org is not blocked in my access.db. Hmmm ...

Anyway, yes, I've been through those instructions over and over and they certainly do "suggest" it should work, but I haven't yet found anyone that has actually got it working. I assume you have not either, right?

The platform these instructions are targeted to is not quite my setup as the Dovecot host is also the AD/DC using Samba4, so the DC/join instructions don't apply, nor does the Kerberos: "Please note that you do not need to install or configure any other Kerberos KDC for Samba to work. Samba includes a AD-compatible KDC, currently based on an included copy of the Heimdal project." https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_Kerberos

Also, the instruction in the link you reference must be a bit out of date because the suggested userdb:

userdb static {
  args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
  allow_all_users=yes
}

gives an error with my dovecot 2.2.15. The word "static" has to go inside the curly-braces as "driver static" and the "allow_all_users" has to be added to the 'args' string. Otherwise, Dovecot won't run the config as shown in the link. With the above changes to the userdb, I believe I've followed all applicable instructions in that link. The error I get with my config in the Dovecot log is:

Sep 13 00:53:12 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Any idea what would generate this message?
--Mark

-Original Message-
> Subject: Re: How to "Windows Authenticate"
> From: Remko Lodder <re...@freebsd.org>
> Date: Wed, 16 Sep 2015 19:38:08 +0200
> To: Mark Foley <mfo...@ohprs.org>
> Cc: dovecot@dovecot.org
>
>
> On 16 Sep 2015, at 19:10, Mark Foley <mfo...@ohprs.org> wrote:
> >
> > Does the Dovecot NTLM mechanism work with MS Outlook?
> >
> > [ ] YES
> > [ ] NO
> >
> > Please check one ... anybody.
> >
> > --Mark
> >
>
> The URL on the wiki, which had probably been shared before with you;
>
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> suggests it does.
>
> The URL quotes:
>
> Step 5. Passwordless authentication
>
> If you have logged on from Windows to the AD domain, try leaving the password
> field, on the account, on the MUA, blank. The username / password, from the
> initial logon to the Windows machine, are seamlessly picked up and supplied
> to the challenge-response process between the MUA, Dovecot and AD. Employing
> this way of authentication we achieve single sign-on and we don't need to
> maintain MUA local passwords.
>
> Did you follow the suggestions that are on that page? (all of them).
>
> Thank you,
> Remko
>
> --
> /"\ Best regards, | re...@freebsd.org
> \ / Remko Lodder | remko@EFnet
>  X  http://www.evilcoder.org/ |
> / \ ASCII Ribbon Campaign | Against HTML Mail and News
>
Re: How to "Windows Authenticate"
Does the Dovecot NTLM mechanism work with MS Outlook?

[ ] YES
[ ] NO

Please check one ... anybody.

--Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Sun, 13 Sep 2015 01:10:57 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the Active Directory/Domain Controller on the same host as Dovecot. Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the client MTU used to connect with Dovecot to read mail on the Users' WIN7 workstations.

I believe I have confirmed that MS Outlook will either ...

1) send the userid and password configured in the Outlook settings to Dovecot for authorizing. This mechanism has been working fine for months.

or ...

2) Use NTLM authorization if "Require login using Secure Password Authentication (SPA)" is checked: https://en.wikipedia.org/wiki/Secure_Password_Authentication

Those, I believe, are the only two choices with Outlook (other than Exchange). Therefore, in order not to configure a Domain-distinct password in Outlook, I need to use the NTLM auth_mechanism for AD "Windows Authentication" with Dovecot. I've tried the settings below (just trying one user at the moment):

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Can someone tell me what this means and how to fix it? Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over and over, so simply referring me to that link will not help.

Thanks, Mark
Re: How to "Windows Authenticate"
I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the Active Directory/Domain Controller on the same host as Dovecot. Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the client MTU used to connect with Dovecot to read mail on the Users' WIN7 workstations.

I believe I have confirmed that MS Outlook will either ...

1) send the userid and password configured in the Outlook settings to Dovecot for authorizing. This mechanism has been working fine for months.

or ...

2) Use NTLM authorization if "Require login using Secure Password Authentication (SPA)" is checked: https://en.wikipedia.org/wiki/Secure_Password_Authentication

Those, I believe, are the only two choices with Outlook (other than Exchange). Therefore, in order not to configure a Domain-distinct password in Outlook, I need to use the NTLM auth_mechanism for AD "Windows Authentication" with Dovecot. I've tried the settings below (just trying one user at the moment):

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , rip=192.168.0.58, lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Can someone tell me what this means and how to fix it? Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over and over, so simply referring me to that link will not help.

Thanks, Mark
Re: Need help on checkpassword userdb/passdb
I figured out how to make checkpassword work. There is a problem with the documentation.

http://wiki2.dovecot.org/AuthDatabase/CheckPassword, under 'Security' says, "a. If possible, change the checkpassword to return userdb_uid and userdb_gid extra fields instead of using setuid() and setgid(). This also improves the performance."

And, under 'Checkpassword Interface' it says, "Return the user's UNIX UID and GID using userdb_uid and userdb_gid environments and add them to the EXTRA environment ..."

I did all of this and it didn't work. However, when I added the userdb_home environment variable and added that to the EXTRA environment variable, it worked. I tried this because I happened upon http://wiki2.dovecot.org/UserDatabase/Prefetch which mentioned userdb_home.

The http://wiki2.dovecot.org/AuthDatabase/CheckPassword needs to have this bit of information added in the appropriate place(s) or the developer/hackster will waste days trying to get checkpassword working until he/she stumbles across the userdb_home comment elsewhere.

Nevertheless, checkpassword turns out not to be the solution to my original problem, so I will keep on keepin' on ...

--Mark

-Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Fri, 11 Sep 2015 21:57:40 -0400
To: dovecot@dovecot.org
Subject: Re: Need help on checkpassword userdb/passdb

[grumpy bit deleted]

To follow up on my previous posting in this thread, I'm trying to get checkpassword to work. I have confirmed that it is setting the environment variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword). My debug output of env variables sent to checkpassword-reply:

$USER=mark
userdb_uid=326
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid

I have confirmed that my checkpassword program returns 0 authenticating the user with the AD:

fork pid = 4239, ntlm_auth status: 0

The pid listed above is the pid of the forked /usr/local/libexec/dovecot/checkpassword-reply program.
For testing purposes, I've replaced that with a stub of my own that shows the set environment variables so I know checkpassword-reply is getting them (listed above).

Notice in the log messages below that everything looks correct. It has the correct username, UID, GID, client passdb out: OK. No error in the log that I can see. I believe I've done everything exactly as documented in the wiki, but it doesn't work. I get the Outlook message "Your IMAP server closed the connection ... Error Code: 0x800CCCDD".

Finally, I tried setting:

chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply

As the wiki suggested and setting the env variable INSECURE_SETUID=1. Same error. Googling the 0x800CCCDD code simply says to turn off scheduled send/receive, but that makes no difference. Same error.

I believe I've done everything exactly according to the documentation. Does checkpassword actually work with Dovecot version 2.2.15? If not, could someone please tell me so I can stop wasting my time. If it does work, can someone please help me figure out why it does not for me?
Thanks -- Mark

My dovecot log:

Sep 11 21:18:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH1 PLAIN service=imap session=tHPCm4IftgDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): exit_status=0
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): Received input: userdb_uid=326 userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK 1 user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681 42341 c2551b70ccf5e2f8e022869663bf6a70 session_pid=4240 request_auth_token
Sep 11 21:18:22 auth: Debug: prefetch(mark,192.168.0.58,): success
Sep 11 21:18:22 auth: Debug: master userdb out: USER1794375681 mark uid=326 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=, method=PLAIN, rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=

-----Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot@dovecot.org
Subject: Need help on checkpassword userdb/passdb

I'm experimenting with checkpassword as an auth method for userdb and passdb (http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb
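Added example, not the poster's C program: a minimal checkpassword program in Python following the interface the thread cites from the wiki, including the detail that cost the poster days (userdb_home exported and listed in EXTRA alongside userdb_uid and userdb_gid). Dovecot writes "username\0password\0" (possibly followed by further fields) to fd 3, passes the checkpassword-reply path as argv[1], and sets AUTHORIZED=1 when it only wants a userdb lookup, which the program must acknowledge as AUTHORIZED=2; exit 1 means bad credentials, 111 a temporary failure. The account table is constructed sample data standing in for a site's real backend (the poster calls ntlm_auth), and the uid/gid/home values are made up.

```python
"""Minimal Dovecot checkpassword program (added example, sample backend)."""
import hashlib
import hmac
import os
import sys


def _digest(salt, password):
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed sample accounts: user -> (salt, digest, uid, gid, home).
# A real program would consult the site's authentication backend instead.
SAMPLE_ACCOUNTS = {
    "mark": ("s1", _digest("s1", "correct horse"), 326, 100, "/home/mark"),
}


def parse_fd3_input(data):
    """Split the NUL-separated fd 3 payload into (username, password).

    Dovecot may send only the username (userdb lookup, or a mechanism that
    never hands the server a plaintext password); the password is then ''.
    """
    fields = data.split(b"\0")
    user = fields[0].decode("utf-8", "replace")
    password = fields[1].decode("utf-8", "replace") if len(fields) > 1 else ""
    return user, password


def verify_credentials(user, password):
    """Check user/password against the sample table in constant time.

    An empty password is never accepted, so a username-only request cannot
    pass as a successful login.
    """
    acct = SAMPLE_ACCOUNTS.get(user)
    if acct is None or password == "":
        return False
    salt, digest = acct[0], acct[1]
    return hmac.compare_digest(_digest(salt, password), digest)


def build_reply_env(user, base_env=None):
    """Environment to hand to checkpassword-reply for a known user."""
    _, _, uid, gid, home = SAMPLE_ACCOUNTS[user]
    env = dict(base_env or {})
    env["USER"] = user
    env["userdb_uid"] = str(uid)
    env["userdb_gid"] = str(gid)
    env["userdb_home"] = home
    # EXTRA names the userdb_* variables Dovecot should pick up.
    env["EXTRA"] = "userdb_uid userdb_gid userdb_home"
    if env.get("AUTHORIZED") == "1":
        env["AUTHORIZED"] = "2"  # acknowledge a userdb-only lookup
    return env


def main(argv):
    if len(argv) < 2:
        sys.exit(111)  # no checkpassword-reply path: temporary failure
    reply_prog = argv[1]
    try:
        with os.fdopen(3, "rb") as fd3:  # credentials arrive on fd 3, never argv
            user, password = parse_fd3_input(fd3.read())
    except OSError:
        sys.exit(111)
    env = os.environ
    if env.get("AUTHORIZED") == "1":
        # userdb lookup: no password is supplied, only check the user exists
        if user not in SAMPLE_ACCOUNTS:
            sys.exit(1)
    elif not verify_credentials(user, password):
        sys.exit(1)
    # Success is signalled by exec'ing checkpassword-reply with the env set.
    os.execve(reply_prog, [reply_prog], build_reply_env(user, env))


if __name__ == "__main__":
    main(sys.argv)
```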
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Fran - thanks for your reply. I'm cc'ing you directly on this as well as posting to the list as I'm not sure how often you check the list and I'm down to hanging by my last fingernail on this project. I have some preliminary questions interspersed below.

Thanks, --Mark

-Original Message-
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
> against AD2008
> To: dovecot@dovecot.org
> From: Fran <cumc-436...@chguadalquivir.es>
> Date: Thu, 10 Sep 2015 13:26:21 +0200
>
> Hi Mark,
>
> when I say AD 2003/8 I mean Active Directory 2003/8.

Hmmm, I've not heard of "Active Directory 2003" or 2008. The year numbers indicated to me you might be talking about Windows Small Business Server 2003 or 2008. Is your AD Server Windows? Linux? Something else? I'm using Samba4 AD/DC on Linux.

>
> My configuration is attached.

Thank you very much for that. If I make some headway, I'll likely have more questions on specifics.

>
> I based my installation (dovecot+postfix) in the guides of this site:
> http://www.linuxmail.info
>
> The LDAP part is this:
> http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

If you were able to make sense out of these sites' tiny screen-shots and one-line descriptions my hat's off to you. "You're a better man than I am, Gunga Din!" If there was more detailed narrative somewhere I couldn't find it. Also, I don't have jXplorer on my system, so probably I couldn't get too far anyway.

BIG QUESTIONS:

1. Are you using MS Outlook IMAP clients in your environment? If so, how are you making them connect with LDAP? By checking the SPA checkbox?

2. The mail_gid/mail_uid as vmail confuses me. I see that setting a lot, including in your config. http://wiki2.dovecot.org/VirtualUsers says, "You can create, for example, one vmail user which owns all the mails, or you can assign a separate UID for each user." I have assigned a separate UID for each based on the UID returned by `wbinfo -u `.
Does assigning separate UIDs mess up my ability to adapt your configuration?

little questions:

3. I'm not planning on using quotas. Can I safely omit your mail_plugins = " quota" setting and all your plugin { quota_...} settings? I want to be as simple as possible to start.

4. Likewise, dovecot seems to be able to find users' mailboxes just fine. Can I omit the namespace inbox {} setting?

These may seem like amateurish questions, but little details have foiled me a lot on this Dovecot project. If I feel confident with the answers you provide here, I'll move on to trying some things.

Thanks a lot for your help!!!

--Mark

>
> You can also use PAM to connect to AD
> (http://www.linuxmail.info/active-directory-dovecot-pam-authentication/)
> but that way doesn't allow to retrieve custom fields from the AD (ex. a
> field to set quota per user), so I'm using the standard LDAP method.
>
> Regards
>
> On 10/09/2015 at 4:51, Mark Foley wrote:
> > Fran and/or Matthias,
> >
> > Could you publish your doveconf -n? I can't get dovecot to authenticate
> > with my
> > AD. Maybe you have a solution I could try.
> >
> > What mail client(s) are you using? I assume by "AD 2003/8" You mean
> > SBS2003/8
> > and are therefore using Outlook?
> >
> > --Mark
> >
> > -Original Message- [deleted]
Re: Need help on checkpassword userdb/passdb
Not to be grumpy, but I've posted a dozen or more messages to this list in the past week about what I think might be relatively common/easy issues and have had zero response except from Rick Romero who is trying, but hasn't actually done what I need himself. I'm sure someone has. Perhaps these problems are too mundane compared to CalDAV, sieve filtering and IPA to excite List interest? Come on Dovecotters! Let's step up to the plate!

To follow up on my previous posting in this thread, I'm trying to get checkpassword to work. I have confirmed that it is setting the environment variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword). My debug output of env variables sent to checkpassword-reply:

$USER=mark
userdb_uid=326
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid

I have confirmed that my checkpassword program returns 0 authenticating the user with the AD:

fork pid = 4239, ntlm_auth status: 0

The pid listed above is the pid of the forked /usr/local/libexec/dovecot/checkpassword-reply program. For testing purposes, I've replaced that with a stub of my own that shows the set environment variables so I know checkpassword-reply is getting them (listed above).

Notice in the log messages below that everything looks correct. It has the correct username, UID, GID, client passdb out: OK. No error in the log that I can see. I believe I've done everything exactly as documented in the wiki, but it doesn't work. I get the Outlook message "Your IMAP server closed the connection ... Error Code: 0x800CCCDD".

Finally, I tried setting:

chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply

As the wiki suggested and setting the env variable INSECURE_SETUID=1. Same error. Googling the 0x800CCCDD code simply says to turn off scheduled send/receive, but that makes no difference. Same error.

I believe I've done everything exactly according to the documentation.
Does checkpassword actually work with Dovecot version 2.2.15? If not, could someone please tell me so I can stop wasting my time. If it does work, can someone please help me figure out why it does not for me?

Thanks -- Mark

My dovecot log:

Sep 11 21:18:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH1 PLAIN service=imap session=tHPCm4IftgDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): exit_status=0
Sep 11 21:18:22 auth: Debug: checkpassword(mark,192.168.0.58,): Received input: userdb_uid=326 userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK 1 user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681 42341 c2551b70ccf5e2f8e022869663bf6a70 session_pid=4240 request_auth_token
Sep 11 21:18:22 auth: Debug: prefetch(mark,192.168.0.58,): success
Sep 11 21:18:22 auth: Debug: master userdb out: USER1794375681 mark uid=326 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=, method=PLAIN, rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=

-Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot@dovecot.org
Subject: Need help on checkpassword userdb/passdb

I'm experimenting with checkpassword as an auth method for userdb and passdb (http://wiki2.dovecot.org/AuthDatabase/CheckPassword).
I've set up the userdb and passdb *exactly* as the wiki suggests as the "standard way":

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

I've created a checkpassword program that does receive the correct user and password from dovecot. And I am successfully authenticating with ntlm_auth and exiting with status 0. My debug output:

AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0

Now, the wiki says 2 things that have me stumped:

1. It says that, "Dovecot calls the script with AUTHORIZED=1 environment set when performing a userdb lookup. The script must acknowledge this by changing the environment to AUTHORIZED=2, otherwise the lookup fails." As you can see from my program log, "AUTHORIZED" is not set. Why? N
Need help on checkpassword userdb/passdb
I'm experimenting with checkpassword as an auth method for userdb and passdb (http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb and passdb *exactly* as the wiki suggests as the "standard way":

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

I've created a checkpassword program that does receive the correct user and password from dovecot. And I am successfully authenticating with ntlm_auth and exiting with status 0. My debug output:

AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0

Now, the wiki says 2 things that have me stumped:

1. It says that, "Dovecot calls the script with AUTHORIZED=1 environment set when performing a userdb lookup. The script must acknowledge this by changing the environment to AUTHORIZED=2, otherwise the lookup fails." As you can see from my program log, "AUTHORIZED" is not set. Why? Nor are any of the other environment variables mentioned in the wiki. I've listed all the environment variables that *are* passed to the program at the bottom of this message.

2. The wiki says, "Your program received a path to checkpassword-reply binary as the first parameter. Execute it." I did so as a fork() and then execve("/usr/local/libexec/dovecot/checkpassword-reply") How do I know it worked ... or failed?

What am I doing wrong?
Dovecot log entries:

Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH1 PLAIN service=imap session=AkYg1G8f8QDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=49649 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data may contain sensitive data)
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,): exit_status=0
Sep 10 22:54:04 auth: Debug: checkpassword(mark,192.168.0.58,): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL1 user=mark temp

ENV variables passed to the checkpassword program:

DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login tokenlogin auth-login auth-client auth-userdb auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECURED=
AUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERT=
AUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark

--Mark
Re: How to "Windows Authenticate"
As to your suggested links, Samba4 uses Heimdal Kerberos which is part of the Samba4 installation: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Installation, so I don't know if the krb5 configs discussed in your link will apply. I'll revisit this if other things I'm trying don't work out.

If that http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm link were on paper I'd have worn out the pages by now. I did see your original message to me on that, tried what I could and posted my results to the list dated Sat, 05 Sep 2015 17:12:50 -0400. Didn't work, probably because I don't know what I'm doing, although I don't think I've spent longer on any other software package without mastering it! The userdb syntax shown on that site had errors with my dovecot 2.2.15. Instructions for an older version (dates on wikis would be nice)? Check out my Sep 5 posting if you missed it and see if I'm doing something stupidly obviously wrong.

I'll have to also say that the wiki docs are pretty, but very difficult to comprehend. There's an awful lot of assumed knowledge and terminology in there and even though I have decades of Unix sysadmin experience, I get lost very quickly. A lot of things seem overcomplicated. For example, I'm now trying the checkpassword auth method. Seems pretty simple at first: it gets the username and password and returns 0 if OK or 1 if not. Simple right? But no, the Dovecot implementation wants you to also set environment variables (which don't appear to be there) and execute programs from within programs, and of course, it doesn't "just work". Why the complexity? Why not return a simple 0 or 1 and go with that?

Oh well, I'm going to have to abandon this soon. Workplace indulgence is wearing thin.
--Mark

-----Original Message-----
> Date: Thu, 10 Sep 2015 08:27:15 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Cc: mfo...@ohprs.org
> Subject: Re: How to "Windows Authenticate"
>
> Quoting Mark Foley <mfo...@ohprs.org>:
>
> > Rick,
> >
> > Samba4 AD/DC and Dovecot work perfectly for everything including access from
> > SmartPhones. I've got roaming domain logins, redirected folders, calendars and
> > contacts work just fine with Outlook and WebDav for sharing calendars; don't
> > need them in Dovecot.
>
> Do you have that documented somewhere? I would love to see how that's done.
>
> > For the most part, Outlook users can't tell they are not
> > still on Exchange ... except they have to maintain their Outlook password
> > distinct from their Windows password. Which is their one HUGE issue.
> >
> > My absolutely LAST issue with totally duplicating SBS/Exchange functionality on
> > Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using
> > Windows Authentication which, as I understand things, can supposedly be done
> > with NTLM. I just can't get it to work. I think a heck of a lot of Windows
> > [SB]Server shops would convert to Samba4/Dovecot if someone figured out how to
> > do this.
> >
> > My Dovecot log messages make it look close to working:
> >
> > Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
> >
> > Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find
> > it in the userdb.
> >
> > I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way
> > can someone (Timo?) tell me so and I'll cease my 8 month quest.
>
> These are two
>
> http://wiki2.dovecot.org/Authentication/Kerberos
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> As I understand it, NTLM is a layer above Kerberos. I don't see either
> referenced similarly to either wiki pages in the pasted config...
>
> > Otherwise, what should I have for a userdb? What should I have for a passdb? Can
> > I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my
> > hang-ups. At this point, I'm open to guesses.
> >
> > Just for the heck of it, here's one of the doveconf's I tested with, reproduced
> > here because it's buried in the messages below:
> >
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain ntlm login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth =
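The checkpassword flow Mark describes above (username and password arriving NUL-separated on fd 3, a 0/1 exit status, and the reply program exec'd on success), as an added worked example. This is example code written for this thread, not code from the original posts, from Dovecot, or from the linked wiki page. The credential store, its salt and sample password, and the rule that strips "@realm" from the username (the "@hprs" problem raised in the same message) are all constructed for illustration; the USER environment variable and the argv[1] reply-program convention are my reading of the wiki page linked in the thread and should be checked against the Dovecot version in use.

```python
"""checkpassword-style passdb program for Dovecot (added example, not from the thread).

Protocol handled here, as described in the thread:
  - Dovecot writes "username\\0password\\0\\0" to file descriptor 3;
  - exit 0 = credentials accepted, 1 = rejected, 2 = misuse, 111 = temporary failure;
  - on success the program exports USER and exec's the reply program given as argv[1].
Everything below the protocol layer (credential store, salt, sample password and the
"@realm" stripping rule) is constructed for this example.
"""
import hashlib
import hmac
import os
import sys

_ITERATIONS = 100_000
_SALT = b"constructed-example-salt"   # constructed; a real store uses a random per-user salt


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password: the stored form of a credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed credential store: canonical username -> (salt, digest).
CREDENTIALS = {
    "mark": (_SALT, _pbkdf2("correct horse battery", _SALT)),
}


def parse_fd3(data: bytes):
    """Split the fd 3 payload into (username, password).

    Returns None when fewer than two NUL-terminated fields arrived, which is
    protocol misuse rather than a bad password. The 12-byte dump quoted in the
    thread ("charmaine\\0\\0\\0") parses as ("charmaine", "").
    """
    fields = data.split(b"\0")
    if len(fields) < 3:            # both fields must be NUL-terminated
        return None
    return (fields[0].decode("utf-8", "replace"),
            fields[1].decode("utf-8", "replace"))


def normalize_user(user: str) -> str:
    """Drop a trailing "@realm" and fold case, so "mark@HPRS" and "mark" hit the
    same entry (the effect Dovecot's auth_username_format = %n has on the username)."""
    return user.split("@", 1)[0].lower()


def verify(user: str, password: str) -> int:
    """Return the checkpassword exit status for the supplied credentials."""
    if password == "":
        # Nothing to check: this is what a GSSAPI/Kerberos client delivers, and an
        # empty password must never be treated as a match.
        return 1
    entry = CREDENTIALS.get(normalize_user(user))
    if entry is None:
        # Same status as a wrong password, so the exit code does not reveal
        # which usernames exist.
        return 1
    salt, digest = entry
    return 0 if hmac.compare_digest(_pbkdf2(password, salt), digest) else 1


def main() -> int:
    if len(sys.argv) < 2:
        return 2                    # misuse: Dovecot passes its reply program as argv[1]
    chunks = []
    try:
        while True:                 # read fd 3 until EOF
            chunk = os.read(3, 512)
            if not chunk:
                break
            chunks.append(chunk)
    except OSError:
        return 2
    parsed = parse_fd3(b"".join(chunks))
    if parsed is None:
        return 2
    user, password = parsed
    status = verify(user, password)
    if status != 0:
        return status
    os.environ["USER"] = normalize_user(user)   # hand the canonical username back to Dovecot
    try:
        os.execv(sys.argv[1], [sys.argv[1]])     # success is signalled by exec'ing the reply program
    except OSError:
        pass
    return 111                      # only reached if the reply program could not be started


if __name__ == "__main__":
    sys.exit(main())
```

Run it the way Dovecot would, with the payload on fd 3 and the reply program as the first argument, e.g. `./checkpw.py /path/to/checkpassword-reply 3< <(printf 'mark@hprs\0correct horse battery\0\0')`. The empty-password case is the one worth noticing: it is exactly what the thread's GSSAPI clients produce, and a program that compared an empty string against a store of empty strings would accept it.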
Re: How to "Windows Authenticate"
Rick,

I extremely dislike Exchange as well. I have a long list of problems: near impossibility to monitor logs for trouble, poor configurable spam checking, no good way to archive and review emails ... I could go on for paragraphs, but the main reason we recently migrated away from SBS/Exchange is that Microsoft no longer sells Small Business Server and its replacement, Server Essentials, does not support Exchange! Exchange has to run on Server 2012, but MS would prefer you to use Server Essentials with your email in the cloud. We're not gonna do that.

Samba4 AD/DC and Dovecot work perfectly for everything including access from SmartPhones. I've got roaming domain logins, redirected folders, calendars and contacts work just fine with Outlook and WebDav for sharing calendars; don't need them in Dovecot. For the most part, Outlook users can't tell they are not still on Exchange ... except they have to maintain their Outlook password distinct from their Windows password. Which is their one HUGE issue.

My absolutely LAST issue with totally duplicating SBS/Exchange functionality on Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using Windows Authentication which, as I understand things, can supposedly be done with NTLM. I just can't get it to work. I think a heck of a lot of Windows [SB]Server shops would convert to Samba4/Dovecot if someone figured out how to do this.

My Dovecot log messages make it look close to working:

Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user

Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find it in the userdb.

I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way can someone (Timo?) tell me so and I'll cease my 8 month quest. Otherwise, what should I have for a userdb? What should I have for a passdb? Can I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my hang-ups. At this point, I'm open to guesses.

Just for the heck of it, here's one of the doveconf's I tested with, reproduced here because it's buried in the messages below:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping. Your AD users shouldn't be in there when all is said and
> done.

If not there, where? Humor me. Give me ONE suggestion to try!

--Mark

-----Original Message-----
> Date: Tue, 08 Sep 2015 21:21:13 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> If I had time I would be all over this - but IMHO the main problem is that
> Dovecot != Exchange. Even in small environments - unless I'm out of date,
> there's no calendar, tasks or contact lists within Dovecot.
>
> Your next best bet is to use something like Horde that would allow you to
> auth via ActiveSync (on Outlook 2013 clients) and manage everything else
> that the users will want, with Dovecot as the mail backend.
> Though I believe there could be licensing issues if you're looking to do it
> for free. I think, by license, you still need CALs for each ActiveSync
> client (if you're in the US).
>
> Auth-Wise it'd be a whole different animal. I'm not sure if there's
> anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba
> would accept the username via GSSAPI and I suppose you could pass that to
> HordeAuth.
>
> I hate Exchange - I have a nagging 45 second delay on OWA logins ever since
> I had to setup multiple NICs to get Outlook to stop complaining about
> certs, and today while trying to fix that issue, AD decided to stop
> replicating one of my trusted domains (and began rejecting auths for linked
> mailboxes from that domain) and in short I really just hate that
> environment with every fiber of my being and would love to see a decent
> free Exchange replacement on *nix.
>
> Rick
>
> Quoting Mark Foley <mfo...@ohprs.org>:
>
> > More experimentation ...
> >
> > I tried removing userdb and passdb from the dovecot NTLM config. That didn't
> > work. I then tried adding a static userdb as follows:
> >
> > userdb {
> >   driver = static
> >   # allow_all_users = yes
> >   args = gid=100 home=/home/HPRS/%n
> > }
> >
> > (Interestingly, when I uncommented "allow_all_users"
Re: My dovecot works fine against Active Directory 2003, but not against AD2008
Fran and/or Matthias,

Could you publish your doveconf -n? I can't get dovecot to authenticate with my AD. Maybe you have a solution I could try. What mail client(s) are you using? I assume by "AD 2003/8" you mean SBS2003/8 and are therefore using Outlook?

--Mark

-----Original Message-----
> Date: Wed, 9 Sep 2015 17:22:34 +0200
> From: Matthias Lay
> To: Dovecot Mailing List
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
> against AD2008
>
> hi,
>
> check your
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured dns environments.
>
> you can debug the dns packets by strace-ing the auth process
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran wrote:
>
> > Hello,
> >
> > my dovecot installation has been working fine against AD till we
> > upgraded from AD 2003 to AD 2008. As
> > http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
> > connect to AD through port 389. Port 3268 works fine though.
> >
> > (...)
> > Sep 7 19:02:05 dovecot: imap-login: Error: master(imap): Auth request timed out (received 0/12 bytes)
> > Sep 7 19:02:05 dovecot: imap-login: Internal login failure (pid=4846 id=1) (internal failure, 1 successful auths): user=<>, method=PLAIN, rip=, lip=, TLS, session=
> > (...)
> > Sep 7 19:02:06 dovecot: auth: Error: ldap(,,): Connection appears to be hanging, reconnecting
> > Sep 7 19:02:06 dovecot: auth: Error: ldap(,, ): LDAP search returned multiple entries
> > (...)
> >
> > Is there a technical reason for this problem? Does any workaround exist?
> >
> > The use of Global Catalog (port 3268) is not a solution for me, since
> > it misses many attributes. (ex. I use the field "initials" to set the
> > quota and this field is not available through port 3268).
> >
> > I also noticed that, now, it uses any DC available in the domain, it
> > doesn't care what I configured in the "hosts = " parameter.
> >
> > This is using "hosts = dc03.domain:389":
> > ---
> >
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp 22 0 :55217 :389 ESTABLISHED 4872/dovecot/auth
> > tcp 22 0 :57645 :389 ESTABLISHED 4872/dovecot/auth
> > tcp 0 0 :55216 :389 ESTABLISHED 4872/dovecot/auth
> >
> > It looks like it does a lookup for other domain controllers (I don't
> > know how nor why) and it connects aleatory to any DC in my domain (in
> > this case dc06.domain, but it changes any time), additionally to the
> > configured one (dc03.domain).
> >
> > This is using "hosts = dc03.domain:3268":
> >
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp 0 0 :58485 :3268 ESTABLISHED 4982/dovecot/auth
> >
> > In this case, only the configured server in the hosts parameter is used (I
> > think this is the right behaviour)
> >
> > Additional info:
> > ---
> > CentOS Linux release 7.0.1406 (Core)
> >
> > dovecot 2.2.10
> >
> > Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> > Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> > SQL driver plugins: mysql postgresql sqlite
> > Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> > Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
> >
> > My /etc/dovecot/dovecot-ldap.conf.ext
> > --
> > #hosts = dc03.domain:3268
> > hosts = dc03.domain:389
> > #uris = ldap://dc03.domain
> > base = DC=domain
> > #tls = yes
> > tls = no
> > ldap_version = 3
> > auth_bind = yes
> > auth_bind_userdn = %u@domain
> > #auth_bind_userdn = DOMAIN\%u
> > dn = cn=,cn=Users,dc=domain
> > dnpass =
> >
> > #scope = subtree
> > #deref = never
> >
> > user_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> > pass_filter = (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> > pass_attrs = userPassword=password
> > user_attrs = Initials=quota_rule=*:storage=%$MB
> > ---
> >
> > --
> > Log trace using PORT 389:
> > --
> > Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization []
> > Sep 7 19:00:35 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization
Re: How to "Windows Authenticate"
More experimentation ...

I tried removing userdb and passdb from the dovecot NTLM config. That didn't work. I then tried adding a static userdb as follows:

userdb {
  driver = static
  # allow_all_users = yes
  args = gid=100 home=/home/HPRS/%n
}

(Interestingly, when I uncommented "allow_all_users" I got an "unsupported setting" [or something like that], even though that was in there from the beginning and is shown in the example wiki http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)

Anyway, in both tests my error messages were the same:

Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH 1 NTLM service=imap session=vPWqBUQfeADAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT 1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,): user not authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL 1

Notice that my userid (mark or mark@ohprs) is nowhere to be found. Whereas when I specified the userdb passwd at least it had a user id in the error log. From my previous test with userdb passwd and passdb shadow:

Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713

The "Info: ntlm" log entry has ntlm(?,192.168.0.58,), whereas the previous test "Info shadow" log entry has Info: shadow(mark@hprs,192.168.0.58). Of course I have no passdb specified which is right for NTLM ... or is it?

I feel like this should be obvious to someone familiar with Dovecot. Once again, it's difficult for me to believe no one on planet Earth (who also happens to subscribe to this list) had ever done Dovecot/ntlm from Outlook before. Help!!! If I can't get this last bit sorted out I'll be forced back to Server 2012 and Exchange.

Thanks, --Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 07 Sep 2015 21:28:23 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Comments interspersed with yours ...

--Mark

-----Original Message-----
> Date: Sun, 06 Sep 2015 20:00:11 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> Hmm. I would expect to see 'm...@hprs.com'. Whatever your full domain
> name is.

Full user@domain would be mark@hprs.local

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping. Your AD users shouldn't be in there when all is said and done.

I was thinking this too. I don't know why NTLM would need a userdb at all. It should just use something like ntlm_auth (which is configured in auth_winbind_helper). What if I simply removed the userdb? What would you recommend for userdb, passdb?

> Well, when I did a Samba4 install as a DC it still behaved like a Samba3
> member, and there were no AD users in the local unix passwd files.
>
> What does wbinfo -u provide? It should list all your users - especially
> because it's a DC. Whatever wbinfo -u shows, you may need to adjust
> another config file to match what Dovecot is receiving.

$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh

These are all the AD users (most obfuscated for a bit of security). I am testing with user mark.

> I assume /etc/nsswitch.conf has been modified to use Samba?

Unless the Samba provision did something to nsswitch, I've done nothing; nor have I seen anything in the Samba or dovecot wikis suggesting changes. Remember also that the Samba4 AD/DC works perfectly with redirected folders and users logging on to any Windows workstations, and works perfectly with things wanting "Windows Authentication" like SQLserver, so the "Windows Authentication" does work at some level.

My /etc/nsswitch.conf is:

passwd: compat
group: compat
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

> Sorry I haven't done this, but it doesn't seem like anyone else has either
> - so I'm just shooting in the
Re: How to "Windows Authenticate"
Comments interspersed with yours ...

--Mark

-----Original Message-----
> Date: Sun, 06 Sep 2015 20:00:11 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
> Hmm. I would expect to see 'm...@hprs.com'. Whatever your full domain
> name is.

Full user@domain would be mark@hprs.local

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping. Your AD users shouldn't be in there when all is said and done.

I was thinking this too. I don't know why NTLM would need a userdb at all. It should just use something like ntlm_auth (which is configured in auth_winbind_helper). What if I simply removed the userdb? What would you recommend for userdb, passdb?

> Well, when I did a Samba4 install as a DC it still behaved like a Samba3
> member, and there were no AD users in the local unix passwd files.
>
> What does wbinfo -u provide? It should list all your users - especially
> because it's a DC. Whatever wbinfo -u shows, you may need to adjust
> another config file to match what Dovecot is receiving.

$ wbinfo -u
Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh

These are all the AD users (most obfuscated for a bit of security). I am testing with user mark.

> I assume /etc/nsswitch.conf has been modified to use Samba?

Unless the Samba provision did something to nsswitch, I've done nothing; nor have I seen anything in the Samba or dovecot wikis suggesting changes. Remember also that the Samba4 AD/DC works perfectly with redirected folders and users logging on to any Windows workstations, and works perfectly with things wanting "Windows Authentication" like SQLserver, so the "Windows Authentication" does work at some level.

My /etc/nsswitch.conf is:

passwd: compat
group: compat
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

> Sorry I haven't done this, but it doesn't seem like anyone else has either
> - so I'm just shooting in the dark here trying to get you steered in the
> right direction...
>
> Rick

Yeah, I can't seem to find a soul on the planet who has actually done this. If I get it figured out I'll post with a suggestion to Timo to wiki-ize it.

I'm a bit puzzled that no one appears to have done this. I would think that a Samba4 AD/DC in an office environment with lots of Windows workstations running Outlook would be about the most common environment there is; especially now that Small Business Server is no longer sold and Server Essentials does not support Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping along with SBS2008/11, or putting their email in Outlook.com? Seems like the Samba4/dovecot/Outlook combo would be an ideal migration.

I appreciate your help.

>
> Quoting Mark Foley <mfo...@ohprs.org>:
>
> > More info ...
> >
> > My dovecot error log shows:
> >
> > Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
> > Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
> > Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
> > Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
> > Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713
> >
> > whereas the successful 'plain login' config'ed mechanism (before adding NTLM
> > config) has:
> >
> > Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup
> >
> > The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't
> > find. Is there a way to strip the "@hprs" bit from the user so it can find the
> > correct entry in /etc/shadow? That might fix the problem.
> >
> > --Mark
> >
> > -----Original Message-----
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Sat, 05 Sep 2015 17:12:50 -0400
> > To: dovecot@dovecot.org
> > Subject: Re: How to "Windows Authenticate"
> >
> > Rick et al,
> >
> > The link you gave was a start, but is targeted for Samba3 and is assuming a
> > probably Windows [SBS]Server AD/
Re: How to "Windows Authenticate"
More info ...

My dovecot error log shows:

Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713

whereas the successful 'plain login' config'ed mechanism (before adding NTLM config) has:

Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup

The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't find. Is there a way to strip the "@hprs" bit from the user so it can find the correct entry in /etc/shadow? That might fix the problem.

--Mark

-----Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Sat, 05 Sep 2015 17:12:50 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Rick et al,

The link you gave was a start, but is targeted for Samba3 and is assuming a probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and includes setting up kerberos. I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any setup I can do there). Nevertheless I've followed the instructions otherwise; specifically adding to 10-auto.conf the following recommended lines:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login

(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has global r/w privilege.

I did not specify the static userdb since these users are configured in /etc/passwd and I thought that would work; example given in link (could that be an issue?):

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%1Ln/%Ln mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln allow_all_users=yes
}

This didn't work. Also, existing, working Outlook connections using 'logon' (i.e. the userID and PW are configured in Outlook) stopped working.

I changed a test Outlook client to check the 'Request login using Secure Password Authentication (SPA)' and also checked: More Settings > Outgoing Server > 'My outgoing server (SMTP) requires authentication' and 'Use same settings as my incoming mail server'. Note that on the "Change Account" dialog (where the SPA checkbox is) the 'User Name' and 'Password' retained their values and were not grayed out as I would have expected if using AD authentication. After doing the above and clicking 'Test Account Settings' I was re-prompted to enter a password - also not expected.

At bottom are the Dovecot log messages I received after doing the 'Test Account Settings'.

Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be a very common implementation. Has someone done this successfully?

Immediately below is my doveconf -n and below that the dovecot log messages.

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =

, method=NTLM, rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep
Re: How to "Windows Authenticate"
i, you may need to
> recompile with the right features.
>
> Also - check the permissions of the ntlm_auth program. That's caused many
> issues with Radius installs, IIRC.
>
> Hope that helps!
>
> Rick
>
> Quoting Mark Foley <mfo...@ohprs.org>:
>
> > This can't be that hard. I think I've enabled LDAP in Dovecot just by including
> > dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have
> > the configuration shown below. Two questions:
> >
> > 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
> > accounts still have the ID and password set in "Logon Information". Checking
> > "Require logon using Secure Password Authentication (SPA)" doesn't work. All I
> > can seem to find on the Internet is how to configure address books using LDAP.
> >
> > 2. Should I remove "passdb { driver = shadow }" from the dovecot configuration?
> >
> > Anybody?
> >
> > $ doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > passdb {
> >   args = /etc/dovecot/dovecot-ldap.conf.ext
> >   driver = ldap
> > }
> > protocols = imap
> > ssl_cert =
> > ssl_key =
> > userdb {
> >   driver = passwd
> > }
> > userdb {
> >   args = /etc/dovecot/dovecot-ldap.conf.ext
> >   driver = ldap
> > }
> > verbose_ssl = yes
> >
> > -----Original Message-----
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Wed, 02 Sep 2015 13:31:35 -0400
> > To: dovecot@dovecot.org
> > Subject: How to "Windows Authenticate"
> >
> >> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
> >> Windows workstations for over 6 months with no problems. Dovecot is hosted on
> >> the office Samba4 AC/DC server.
> >>
> >> I have been using auth_mechanisms plain login, and passdb driver = shadow.
> >>
> >> What I'd like to do now is use the "Windows Authenticated" login so I don't have
> >> to have separate passwords for users logging into the Windows AD workstations
> >> and their Outlook clients.
> >>
> >> If anyone has actually done this I'd appreciate some tips. My various attempts
> >> have not been successful.
> >>
> >> Here is my current config:
> >>
> >> $ doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> >> auth_debug_passwords = yes
> >> auth_mechanisms = plain login
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>   driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert =
> >> ssl_key =
> >> userdb {
> >>   driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark Foley
> >
> > From dovecot-boun...@dovecot.org Wed Sep 2 13:32:13 2015
> > Return-Path: <dovecot-boun...@dovecot.org>
> > X-Virus-Status: Clean
> > X-Virus-Scanned: clamav-milter 0.98.6 at mail
> > X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.14__ (2011-06-06) on
> > mail.hprs.local
> > X-Spam-Level:
> > X-Spam-Status: No, score=0.0 required=3.0 tests=none autolearn=unavailable
> > version=3.3.2-_revision__1.14__
> > X-Original-To: dovecot@dovecot.org
> > Delivered-To: dovecot@dovecot.org
> > X-Virus-Status: Clean
> > X-Virus-Scanned: clamav-milter 0.98.6 at mail
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Wed, 02 Sep 2015 13:31:35 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: How to "Windows Authenticate"
> > User-Agent: Heirloom mailx 12.5 7/5/10
> > Content-Type: text/plain; charset=us-ascii
> > X-BeenThere: dovecot@dovecot.org
> > X-Mailman-Version: 2.1.17
> > Precedence: list
> > List-Id: Dovecot
Re: How to "Windows Authenticate"
This can't be that hard. I think I've enabled LDAP in Dovecot just by including dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have the configuration shown below. Two questions:

1. How do I set Outlook to authenticate with LDAP? Currently the Outlook accounts still have the ID and password set in "Logon Information". Checking "Require logon using Secure Password Authentication (SPA)" doesn't work. All I can seem to find on the Internet is how to configure address books using LDAP.

2. Should I remove "passdb { driver = shadow }" from the dovecot configuration?

Anybody?

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl_cert =

Date: Wed, 02 Sep 2015 13:31:35 -0400
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"

> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
> Windows workstations for over 6 months with no problems. Dovecot is hosted on
> the office Samba4 AC/DC server.
>
> I have been using auth_mechanisms plain login, and passdb driver = shadow.
>
> What I'd like to do now is use the "Windows Authenticated" login so I don't have
> to have separate passwords for users logging into the Windows AD workstations
> and their Outlook clients.
>
> If anyone has actually done this I'd appreciate some tips. My various attempts
> have not been successful.
>
> Here is my current config:
>
> $ doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =
> ssl_key =
> userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark Foley

>From dovecot-boun...@dovecot.org Wed Sep 2 13:32:13 2015
Return-Path: <dovecot-boun...@dovecot.org>
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98.6 at mail
X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.14__ (2011-06-06) on
mail.hprs.local
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=3.0 tests=none autolearn=unavailable
version=3.3.2-_revision__1.14__
X-Original-To: dovecot@dovecot.org
Delivered-To: dovecot@dovecot.org
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98.6 at mail
From: Mark Foley <mfo...@ohprs.org>
Date: Wed, 02 Sep 2015 13:31:35 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"
User-Agent: Heirloom mailx 12.5 7/5/10
Content-Type: text/plain; charset=us-ascii
X-BeenThere: dovecot@dovecot.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Dovecot Mailing List
List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>, <mailto:dovecot-requ...@dovecot.org?subject=unsubscribe>
List-Archive: <http://dovecot.org/pipermail/dovecot/>
List-Post: <mailto:dovecot@dovecot.org>
List-Help: <mailto:dovecot-requ...@dovecot.org?subject=help>
List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>, <mailto:dovecot-requ...@dovecot.org?subject=subscribe>
Errors-To: dovecot-boun...@dovecot.org
Sender: "dovecot" <dovecot-boun...@dovecot.org>
Status: R

I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AC/DC server.

I have been using auth_mechanisms plain login, and passdb driver = shadow.

What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.

If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.

Here is my current config:

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
How to "Windows Authenticate"
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on Windows workstations for over 6 months with no problems. Dovecot is hosted on the office Samba4 AC/DC server.

I have been using auth_mechanisms plain login, and passdb driver = shadow.

What I'd like to do now is use the "Windows Authenticated" login so I don't have to have separate passwords for users logging into the Windows AD workstations and their Outlook clients.

If anyone has actually done this I'd appreciate some tips. My various attempts have not been successful.

Here is my current config:

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =
Howto NTML
Has anyone gotten NTLM working with Dovecot and Outlook?

I have a Samba4 domain controller / active directory running just fine on Linux Slackware64 14.1. PLAIN authentication works just fine if I create /etc/passwd accounts for the domain users. I've tried for over two weeks to get NTLM working from Outlook 2007 on a domain workstation without success. I end up with various permission errors and ultimately procmail won't deliver if I adjust mailbox folder permissions too liberally. Also it seems I have to log in each time in Outlook.

If someone has made this work, I'd be very interested in seeing the doveconf -n output, the permissions on the mailbox directories, the nsswitch.conf, and anything else you had to tweak to get this working. I'd really love to have AD authentication working on this setup!

--Mark