Authenticating with checkpassword

2019-02-21 Thread Mark Foley via dovecot
I am trying to use the checkpassword authentication 
(https://wiki.dovecot.org/AuthDatabase/CheckPassword)
I do have a working checkpassword program. The protocol expects to receive on fd 3 the following:

username\0password\0optionalstuff

I find that this works properly and the program can authenticate if the client 
is using PLAIN
LOGIN.  Both username and password are sent on fd3.  But, if the client has 
specified
kerberos/gssapi authentication then only the username is passed to 
checkpassword.  The
following is a debug dump from checkpassword showing the input read on fd 3 (12 
bytes):

len 12: 636861726d61696e6500 charmaine...
User: [charmaine], PW: []

Without a password, checkpassword returns failure. 

I am running dovecot in a Samba4 Active Directory.  I have some email clients 
that use
kerberos/GSSAPI (Thunderbird) and some that can only use PLAIN LOGIN (Outlook). 
 All users,
however, are active directory domain users and all could potentially 
authenticate with AD
credentials. 

I was hoping to use checkpassword for this. Otherwise, every user who cannot authenticate via
kerberos/GSSAPI has to also be in the mail server's /etc/passwd file with the same ID/PW as
their AD credentials, which becomes a bit of a pain when the user changes his domain password.

Why does dovecot not pass the user's password to checkpassword? When I tried this a few years
ago I thought it did.

If checkpassword fails, why does it not then try the kerberos/GSSAPI mechanism?

Is there a solution to this? 

THX --Mark
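
The fd 3 exchange described in the post, as an added example (not the poster's program and not Dovecot code): a small checkpassword-style reader that splits the NUL-separated fields and shows why the 12-byte input in the debug dump yields an empty password. The sample inputs are constructed; `verify()` and the `s3cret` password are placeholders for whatever check a real program performs.

```python
import os
import sys

# Dovecot's checkpassword interface hands credentials to the program on file
# descriptor 3 as NUL-separated fields: username, password, then optional extra
# data (the layout described in the post above).
CHECKPASSWORD_FD = 3

# Constructed sample inputs (not captured from a real server). The first one
# mirrors the post's debug dump: 12 bytes, the username followed only by NULs,
# which is what the GSSAPI client produced. The second is what a PLAIN/LOGIN
# client produces: username, password, empty extra field.
SAMPLE_GSSAPI_INPUT = b"charmaine\0\0\0"
SAMPLE_PLAIN_INPUT = b"charmaine\0s3cret\0\0"


def parse_checkpassword_input(data):
    """Split the bytes read from fd 3 into username / password / extra.

    Absent fields come back as empty strings, so a caller can tell
    "no password was delivered" apart from "wrong password".
    """
    fields = data.split(b"\0")
    while len(fields) < 3:
        fields.append(b"")
    username, password, extra = (f.decode("utf-8", "replace") for f in fields[:3])
    return {"username": username, "password": password, "extra": extra}


def read_fd(fd=CHECKPASSWORD_FD, limit=512):
    """Read up to `limit` bytes from the descriptor Dovecot opened for us."""
    chunks, total = [], 0
    while total < limit:
        chunk = os.read(fd, limit - total)
        if not chunk:
            break
        chunks.append(chunk)
        total += len(chunk)
    return b"".join(chunks)


def hexdump_line(data):
    """Render input the way the post's debug dump does: length, hex, printable."""
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return "len %d: %s %s" % (len(data), data.hex(), printable)


def decide(parsed, verify):
    """Exit status for a checkpassword program, following the checkpassword
    convention: 0 = accepted, 1 = rejected, 2 = malformed input.

    `verify(username, password)` stands in for the site-specific check the
    real program performs (an assumption of this example). An empty password
    is rejected before that check runs, so a mechanism that never hands over
    a password cannot be mistaken for a successful lookup.
    """
    if not parsed["username"]:
        return 2
    if not parsed["password"]:
        return 1
    return 0 if verify(parsed["username"], parsed["password"]) else 1


if __name__ == "__main__":
    try:
        raw = read_fd()
    except OSError:
        # Not started by Dovecot (fd 3 is closed): fall back to the sample.
        raw = SAMPLE_GSSAPI_INPUT
    parsed = parse_checkpassword_input(raw)
    print(hexdump_line(raw))
    print("User: [%s], PW: [%s]" % (parsed["username"], parsed["password"]))
    # A real checkpassword program would, on status 0, exec the reply program
    # Dovecot passes as argv[1]; this example only reports the decision.
    sys.exit(decide(parsed, lambda user, pw: pw == "s3cret"))
```

Run under Dovecot it reads fd 3; run by hand it uses the constructed GSSAPI sample and exits 1, which is the failure the post observes: with only the username on fd 3 there is nothing for the program to verify.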


Re: Need to authenticate Outlook and NTLM

2019-02-19 Thread Mark Foley via dovecot
On Tue, 19 Feb 2019 08:53:13 +0200 Aki Tuomi wrote:
>
> On 19.2.2019 4.48, Mark Foley via dovecot wrote:
> > On Mon, 18 Feb 2019 10:17:16 - Stuart Henderson wrote:
> >> On 2019-02-13, Mark Foley via dovecot  wrote:
> >>> Is it possible that no one on this list is authenticating Outlook with 
> >>> Dovecot and NTLM?
> >> Yes, it's possible, the outdated instructions you found on the wiki
> >> suggest it's an uncommon configuration.
> > Hmmm, really? And yet Windows/Outlook is still the predominant email client 
> > out there
> > (unfortunately). Maybe everyone is going to outlook.com?
> >
> >> No actual answers from me, but it might give you some clues:
> >>
> >>> More on this ...
> >>>
> >>> I short-sheeted ntlm_auth to see what was being passed to it. It is 
> >>> getting as arg1:
> >>>
> >>> --helper-protocol=squid-2.5-ntlmssp
> >>>
> >>> I tried running ntlm_auth at the command line as:
> >>>
> >>> ntlm_auth --username=user --password=password 
> >>> --helper-protocol=squid-2.5-ntlmssp
> >>>
> >>> It did nothing, just hung there. The ntlm_auth man page says:
> >>>
> >>> --helper-protocol=PROTO
> >>>   Operate as a stdio-based helper. Valid helper protocols are:
> >> The squid auth helpers are stdio-based, they run in a loop, reading from
> >> stdin, checking authentication, and return results on stdout. This avoids 
> >> both
> >> passing sensitive data on the command line (visible to ps, at least 
> >> briefly)
> >> and the need to keep forking and initialising a new process.
> >>
> >> So it's normal that it would just sit waiting for input.
> >>
> >> Dovecot is just reusing the same protocol that squid uses.
> > If --username and --password are passed on the command line, what is it 
> > waiting for on stdin?
> > Normally, ntlm_auth, with id and pw passed on the command line prints, 
> > "NT_STATUS_OK: The
> > operation completed successfully. (0x0)" to stdout. There is no further 
> > stdin input needed.
> >
> > Is there a way to disable the --helper-protocol in Dovecot? 
> >
> >>> After more searching I came across this post, 
> >>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> >>> which, in summary, said that ntlm_auth had to run as root. So, I added 
> >>> the following to my
> >>> dovecot config per that post's suggestion:
> >>>
> >>> service auth {
> >>>   user = root
> >>> }
> >>>
> >>> After restarting and trying again to connect from Outlook I got the 
> >>> message:
> >>>
> >>> auth: Info: ntlm(?,192.168.0.58,): user not 
> >>> authenticated: NT_STATUS_NO_MEMORY
> >> I don't know the full details of how samba/ntlm works, but this seems like
> >> an error coming from the server you're attempting to authenticate against.
> >> I think you should start debugging on the samba side - make sure tools
> >> like wbinfo are working, if not then debug those with samba, then move
> >> on to Dovecot after you have that working.
> > Samba has been running for years (with updates) and everything like wbinfo 
> > works.  Dovecot can
> > authenticate with kerberos/GSSAPI, and other applications can authenticate 
> > with ntlm_auth.  My
> > suspicion here is that the "user not authenticated" problem is perhaps 
> > because dovecot cannot
> > run the auth service as root? The dovecot user is dovenull, so why would it 
> > be permitted to run
> > as root in any case?
> >
> > I think the problem is in invoking ntlm_auth. I tried simply returning zero 
> > from my "fake"
> > ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from 
> > ntlm_auth_helper.
> >
> > --Mark
>
> Hi,
>
> try
>
>
> service auth {
>
>   user = root
>
> }

Aki - yes, I did try that. It was in my original post but has been edited out 
of the email
chain since.

Things I've tried since:

I installed squid -- it wasn't installed before.

Now, with the NTLM mechanism and:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

I get:

ntlm_auth reports broken helper: NT_STATUS_UNSUCCESSFUL

This link: https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html, 
suggests that I
need to make /var/lib/samba/winbindd_privileged writable by, I assume, dovecot. 
 Which I did. 
T

Re: Need to authenticate Outlook and NTLM

2019-02-18 Thread Mark Foley via dovecot
On Mon, 18 Feb 2019 10:17:16 - Stuart Henderson wrote:
>
> On 2019-02-13, Mark Foley via dovecot  wrote:
> > Is it possible that no one on this list is authenticating Outlook with 
> > Dovecot and NTLM?
>
> Yes, it's possible, the outdated instructions you found on the wiki
> suggest it's an uncommon configuration.

Hmmm, really? And yet Windows/Outlook is still the predominant email client out 
there
(unfortunately). Maybe everyone is going to outlook.com?

> No actual answers from me, but it might give you some clues:
>
> > More on this ...
> >
> > I short-sheeted ntlm_auth to see what was being passed to it. It is getting 
> > as arg1:
> >
> > --helper-protocol=squid-2.5-ntlmssp
> >
> > I tried running ntlm_auth at the command line as:
> >
> > ntlm_auth --username=user --password=password 
> > --helper-protocol=squid-2.5-ntlmssp
> >
> > It did nothing, just hung there. The ntlm_auth man page says:
> >
> > --helper-protocol=PROTO
> >   Operate as a stdio-based helper. Valid helper protocols are:
>
> The squid auth helpers are stdio-based, they run in a loop, reading from
> stdin, checking authentication, and return results on stdout. This avoids both
> passing sensitive data on the command line (visible to ps, at least briefly)
> and the need to keep forking and initialising a new process.
>
> So it's normal that it would just sit waiting for input.
>
> Dovecot is just reusing the same protocol that squid uses.

If --username and --password are passed on the command line, what is it waiting 
for on stdin?
Normally, ntlm_auth, with id and pw passed on the command line prints, 
"NT_STATUS_OK: The
operation completed successfully. (0x0)" to stdout. There is no further stdin 
input needed.

Is there a way to disable the --helper-protocol in Dovecot? 

>
> > After more searching I came across this post, 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
> > which, in summary, said that ntlm_auth had to run as root. So, I added the 
> > following to my
> > dovecot config per that post's suggestion:
> >
> > service auth {
> >   user = root
> > }
> >
> > After restarting and trying again to connect from Outlook I got the message:
> >
> > auth: Info: ntlm(?,192.168.0.58,): user not 
> > authenticated: NT_STATUS_NO_MEMORY
>
> I don't know the full details of how samba/ntlm works, but this seems like
> an error coming from the server you're attempting to authenticate against.
> I think you should start debugging on the samba side - make sure tools
> like wbinfo are working, if not then debug those with samba, then move
> on to Dovecot after you have that working.

Samba has been running for years (with updates) and everything like wbinfo 
works.  Dovecot can
authenticate with kerberos/GSSAPI, and other applications can authenticate with 
ntlm_auth.  My
suspicion here is that the "user not authenticated" problem is perhaps because 
dovecot cannot
run the auth service as root? The dovecot user is dovenull, so why would it be 
permitted to run
as root in any case?

I think the problem is in invoking ntlm_auth. I tried simply returning zero 
from my "fake"
ntlm_auth, but that didn't work. Not sure what Dovecot is expecting from 
ntlm_auth_helper.

--Mark


Re: Need to authenticate Outlook and NTLM

2019-02-13 Thread Mark Foley via dovecot
Is it possible that no one on this list is authenticating Outlook with Dovecot 
and NTLM?

--Mark

-Original Message-
Date: Fri, 08 Feb 2019 00:51:01 -0500
To: dovecot@dovecot.org
Subject: Re: Need to authenticate Outlook and NTLM
From: Mark Foley via dovecot 

More on this ...

I short-sheeted ntlm_auth to see what was being passed to it. It is getting as 
arg1:

--helper-protocol=squid-2.5-ntlmssp

I tried running ntlm_auth at the command line as:

ntlm_auth --username=user --password=password 
--helper-protocol=squid-2.5-ntlmssp

It did nothing, just hung there. The ntlm_auth man page says:

--helper-protocol=PROTO
  Operate as a stdio-based helper. Valid helper protocols are:

  squid-2.5-ntlmssp
Server-side helper for use with Squid 2.5's NTLMSSP authentication.

Requires access to the directory winbindd_privileged in $LOCKDIR. The 
protocol used is described here:
http://devel.squid-cache.org/ntlm/squid_helper_protocol.html. This protocol 
has been extended to allow the
NTLMSSP Negotiate packet to be included as an argument to the YR command. 
(Thus avoiding loss of information in
the protocol exchange).

Squid NTLM authentication? As far as I know, I don't have Squid. If I leave off 
the
--helper-protocol bit on the ntlm_auth command line, it returns an OK status.

Is there a way to NOT pass "--helper-protocol=squid-2.5-ntlmssp"? Would this 
help?

--Mark

-Original Message-
Date: Fri, 08 Feb 2019 00:19:19 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Need to authenticate Outlook and NTLM

I've posted questions on this before, but now I really, really need a solution.

Using Dovecot 2.2.33.2

We've been using Dovecot as IMAP server for several years on a Linux host which 
is also the
Active Directory / Domain Controller.  We have both Thunderbird and Outlook 
clients.  The
Thunderbird clients authenticate w/o problem with AD credentials using 
Kerberos/GSSAPI. 

I've never been able to get the Outlook clients to authenticate using domain 
credentials, so
I've also hard-coded user and password into /etc/passwd and let Dovecot
authenticate via
PLAIN LOGIN.  Now, however, I am mandated to switch all users to Outlook, so I 
need an AD
credential solution. 

I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those 
instructions.
The first problem I ran into was in Step 3 where it said to put the following 
line in the
config: 

auth_ntlm_use_winbind = yes

This gave me an error when I restarted Dovecot:

Restarting Dovecotdoveconf: Fatal: Error in configuration file 
/usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: 
auth_ntlm_use_winbind

Googling this error indicated that this was a version 1.x directive and 2.x used only
auth_use_winbind.  I removed the auth_ntlm_use_winbind and Dovecot restarted.  If this is true,
the wiki should be updated since it purports to be a version 2.x wiki.  I followed the rest of
the instructions on that wiki and my modified config is:

$ doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.157 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): ntlm_auth reports broken 
helper: NT_STATUS_UNSUCCESSFUL

After more searching I came across this post, 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
which, in summary, said that ntlm_auth had to run as root. So, I added the 
following to my
dovecot config per that post's suggestion:

service auth {
  user = root
}

After restarting and trying again to connect from Outlook I got the message:

auth: Info: ntlm(?,192.168.0.58,): user not authenticated: 
NT_STATUS_NO_MEMORY

At this point I've been unable to find a solution to this error. I've listed 
the entire dovecot
log output for this last attempt to connect from Outlook below.

Has anyone in the Universe successfully connected from Outlook using active 
domain credentials?
If so, what's the secret? What am I not doing correctly?

Thanks for any and all help! --Mark

dovecot log:

Feb 07 23:39:40 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Feb 07 23:39:40 auth: Debug: Module loaded: 
/usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb 07 23:39:40 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357)
Feb 07 23:39:40 auth: Debug: client in: AUTH1   NTLMservice=imap
session=SCINjFqBKcXAqAA6lip=192.168.0.2 rip=192.168.0.58   
lport=143   rport=50

Need to authenticate Outlook and NTLM

2019-02-07 Thread Mark Foley via dovecot
I've posted questions on this before, but now I really, really need a solution.

Using Dovecot 2.2.33.2

We've been using Dovecot as IMAP server for several years on a Linux host which 
is also the
Active Directory / Domain Controller.  We have both Thunderbird and Outlook 
clients.  The
Thunderbird clients authenticate w/o problem with AD credentials using 
Kerberos/GSSAPI. 

I've never been able to get the Outlook clients to authenticate using domain 
credentials, so
I've also hard-coded user and password into /etc/passwd and let Dovecot
authenticate via
PLAIN LOGIN.  Now, however, I am mandated to switch all users to Outlook, so I 
need an AD
credential solution. 

I found https://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm and followed those 
instructions.
The first problem I ran into was in Step 3 where it said to put the following 
line in the
config: 

auth_ntlm_use_winbind = yes

This gave me an error when I restarted Dovecot:

Restarting Dovecotdoveconf: Fatal: Error in configuration file 
/usr/local/etc/dovecot/conf.d/10-auth.conf line 84: Unknown setting: 
auth_ntlm_use_winbind

Googling this error indicated that this was a version 1.x directive and 2.x used only
auth_use_winbind.  I removed the auth_ntlm_use_winbind and Dovecot restarted.  If this is true,
the wiki should be updated since it purports to be a version 2.x wiki.  I followed the rest of
the instructions on that wiki and my modified config is:

$ doveconf -n
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.157 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi ntlm
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): ntlm_auth reports broken 
helper: NT_STATUS_UNSUCCESSFUL

After more searching I came across this post, 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774263
which, in summary, said that ntlm_auth had to run as root. So, I added the 
following to my
dovecot config per that post's suggestion:

service auth {
  user = root
}

After restarting and trying again to connect from Outlook I got the message:

auth: Info: ntlm(?,192.168.0.58,): user not authenticated: 
NT_STATUS_NO_MEMORY

At this point I've been unable to find a solution to this error. I've listed 
the entire dovecot
log output for this last attempt to connect from Outlook below.

Has anyone in the Universe successfully connected from Outlook using active 
domain credentials?
If so, what's the secret? What am I not doing correctly?

Thanks for any and all help! --Mark

dovecot log:

Feb 07 23:39:40 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Feb 07 23:39:40 auth: Debug: Module loaded: 
/usr/local/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb 07 23:39:40 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Feb 07 23:39:40 auth: Debug: auth client connected (pid=16357)
Feb 07 23:39:40 auth: Debug: client in: AUTH1   NTLMservice=imap
session=SCINjFqBKcXAqAA6lip=192.168.0.2 rip=192.168.0.58   
lport=143   rport=50473
Feb 07 23:39:40 auth: Debug: client passdb out: CONT1
Feb 07 23:39:40 auth: Debug: client in: CONT1   
TlRMTVNTUAABB4IIogAGAbEdDw== (previous base64 data 
may contain sensitive data)
Feb 07 23:39:40 auth: Debug: client passdb out: CONT1   
TlRMTVNTUAACCAAIADgFgomifTyOI3AwfogAAGIAYgBABgEAAA9IAFAAUgBTAAIACABIAFAAUgBTAAEACABNAEEASQBMAAQAFABoAHAAcgBzAC4AbABvAGMAYQBsAAMAHgBtAGEAaQBsAC4AaABwAHIAcwAuAGwAbwBjAGEAbAAHAAgAVIrLTWi/1AEA
Feb 07 23:39:40 auth: Debug: client in: CONT1   
TlRMTVNTUAADGAAYAGwAAAD8APwAhABYCAAIAFgMAAwAYACAAQAABYKIogYBsR0PEulY2h+wL/nnNAXbmMSVx20AYQByAGsAQwBPAE0ATQBPAE4A5+rNhVU1odt5650z/pNVpQEBVIrLTWi/1AFg5+W08PtmxQACAAgASABQAFIAUwABAAgATQBBAEkATAAEABQAaABwAHIAcwAuAGwAbwBjAGEAbAADAB4AbQBhAGkAbAAuAGgAcAByAHMALgBsAG8AYwBhAGwABwAIAFSKy01ov9QBBgAEAAIIADAAMAABACAAAOity40ZG1J9BpqGn4TwBjP02UByQ6D/OUD6DrRDhg+3CgAQAAAJABIAaQBtAGEAcAAvAG0AYQBpAGwA
 (previous base64 data may contain sensitive data)
Feb 07 23:39:40 auth: Info: ntlm(?,192.168.0.58,): user not 
authenticated: NT_STATUS_NO_MEMORY
Feb 07 23:39:42 auth: Debug: client passdb out: FAIL1


email not visible in users mail client

2018-12-20 Thread Mark Foley
I have an odd issue. One user has an email in her Maildir/cur folder named:
1545229920.27374_0.mail:2,. She cannot see this message in her mail client 
(Thunderbird). All
other emails have 'S' and 'W' components to the name, e.g.
1488471573.M167365P19808.mail,S=41356,W=42118:2,RS, but this one does not. 
Would that somehow
make a difference in it being visible to the mail client?

Why would this message have been saved without the 'S' and 'W' bits?

In fact, there are two such messages with this abbreviated file name, both from 
the same sender.
Is there possibly something about the message that affects naming?

Dovecot version 2.2.33.2

THX --Mark
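
As an added illustration of the naming difference in the question (this is not from the post or from Dovecot): a parser for Maildir filenames that separates the unique part, the `S=`/`W=` size fields and the flags after `:2,`, applied to the two names quoted above. The check `names_missing_sizes()` is what an admin would run over a `cur/` listing to find every file in the abbreviated form; `scan_cur()` is a convenience wrapper over a directory and is not exercised here.

```python
import os

# A Maildir filename is "<unique>[,<key>=<value>...]:2,<flags>". Dovecot adds
# S=<message size in bytes> and W=<size with CRLF line endings> to the names it
# writes, and keeps the IMAP flags after ":2," as single uppercase letters
# (S seen, R replied, F flagged, T trashed, D draft).

# The two names quoted in the post above (taken from the post, not constructed).
NAME_WITH_SIZES = "1488471573.M167365P19808.mail,S=41356,W=42118:2,RS"
NAME_WITHOUT_SIZES = "1545229920.27374_0.mail:2,"


def parse_maildir_filename(name):
    """Break a Maildir filename into its unique part, key=value fields and flags."""
    base, sep, info = name.partition(":2,")
    flags = set(info) if sep else set()
    unique, *pairs = base.split(",")
    fields = {}
    for pair in pairs:
        key, eq, value = pair.partition("=")
        if eq:
            fields[key] = value
    # <seconds>.<middle>.<host>; the middle part is deliverer-specific
    # (Dovecot writes M<microseconds>P<pid>, other deliverers use their own).
    parts = unique.split(".", 2)
    timestamp = int(parts[0]) if parts[0].isdigit() else None
    host = parts[2] if len(parts) == 3 else ""
    return {"unique": unique, "timestamp": timestamp, "host": host,
            "fields": fields, "flags": flags, "has_info": bool(sep)}


def size_from_name(name):
    """S= value as an int when the name carries one, else None (the caller
    must stat() the file instead)."""
    value = parse_maildir_filename(name)["fields"].get("S")
    return int(value) if value is not None and value.isdigit() else None


def names_missing_sizes(names):
    """Names lacking either S= or W=, i.e. the abbreviated form in the post."""
    return [n for n in names
            if not {"S", "W"} <= set(parse_maildir_filename(n)["fields"])]


def scan_cur(directory):
    """Apply the check to a real cur/ directory (not used in the demo)."""
    return names_missing_sizes(sorted(os.listdir(directory)))


if __name__ == "__main__":
    for name in (NAME_WITH_SIZES, NAME_WITHOUT_SIZES):
        parsed = parse_maildir_filename(name)
        print(name)
        print("  unique=%s host=%s fields=%s flags=%s"
              % (parsed["unique"], parsed["host"], parsed["fields"],
                 "".join(sorted(parsed["flags"]))))
    print("missing sizes:", names_missing_sizes([NAME_WITH_SIZES, NAME_WITHOUT_SIZES]))
```

Both names parse cleanly and both carry a valid `:2,` info part, so the difference is only the absent size fields and the empty flag list; the parser makes that explicit rather than guessing from the name's length.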


Re: Need to convert mbox to Maildir

2018-10-02 Thread Mark Foley
On Tue, 2 Oct 2018 21:17:20 +0300 Sami Ketola  wrote:
>
> > On 2 Oct 2018, at 21.05, Mark Foley  wrote:
> > 
> > I have a mbox file of emails.  I want to convert this to Maildir giving me 
> > individual message
> > files per email.  I've looked at dsync, but as far as I can tell this wants 
> > a specific target
> > user and it appears that it will "distribute" the converted messages into 
> > that user's INBOX. 
> > 
> > I don't want to put these mbox messages into any particular user's Maildir 
> > hierarchy, just
> > export to file-per-message format to a destination directory of my 
> > choosing. 
> > 
> > Is this possible?
>
>
> Yes. 
>
> [root@ketola /]# mkdir /test
> [root@ketola /]# chown vmail /test
> [root@ketola /]# doveadm backup -u sami Maildir:/test/
>
> done.
>
> Sami

Excellent! Thank you. I'll give that a try. I also found: mb2md.pl downloadable 
from
https://wiki.dovecot.org/Migration/MailFormat. 

--Mark


Need to convert mbox to Maildir

2018-10-02 Thread Mark Foley
I have a mbox file of emails.  I want to convert this to Maildir giving me 
individual message
files per email.  I've looked at dsync, but as far as I can tell this wants a 
specific target
user and it appears that it will "distribute" the converted messages into that 
user's INBOX. 

I don't want to put these mbox messages into any particular user's Maildir 
hierarchy, just
export to file-per-message format to a destination directory of my choosing. 

Is this possible?

THX --Mark
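
The file-per-message export asked about here, as an added example that is not from the thread and not Dovecot's tooling: Sami's reply (quoted above) uses `doveadm backup` with a `Maildir:` target; this version does the same job with Python's standard `mailbox` module, which needs no Dovecot user at all and writes into any directory you choose. The two-message mbox is constructed sample data.

```python
import mailbox
import os
import tempfile

# Constructed two-message mbox (sample data, not a real mailbox). The second
# message carries "Status: RO", the mbox way of recording "read", so its
# Maildir counterpart should land in cur/ with the S (seen) flag.
SAMPLE_MBOX = b"""From alice@example.invalid Tue Oct  2 21:05:00 2018
From: alice@example.invalid
To: bob@example.invalid
Subject: first message

Hello Bob.

From bob@example.invalid Tue Oct  2 21:06:00 2018
From: bob@example.invalid
To: alice@example.invalid
Subject: second message
Status: RO

Hello Alice.
"""


def convert_mbox_to_maildir(mbox_path, maildir_path):
    """Write every message of the mbox as its own file under maildir_path.

    mailbox.Maildir(create=True) creates cur/, new/ and tmp/; wrapping each
    message in MaildirMessage maps the mbox Status/X-Status flags onto Maildir
    flags, and Maildir.add() writes through tmp/ and renames into place.
    """
    src = mailbox.mbox(mbox_path, create=False)
    dst = mailbox.Maildir(maildir_path, create=True)
    count = 0
    try:
        for message in src:
            dst.add(mailbox.MaildirMessage(message))
            count += 1
    finally:
        src.close()
        dst.close()
    return count


def count_files(maildir_path):
    """How many message files ended up in new/ and cur/."""
    return {sub: len(os.listdir(os.path.join(maildir_path, sub)))
            for sub in ("new", "cur")}


def demo():
    """Convert the constructed sample in a scratch directory."""
    work = tempfile.mkdtemp(prefix="mbox2maildir-")
    mbox_path = os.path.join(work, "sample.mbox")
    with open(mbox_path, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    maildir_path = os.path.join(work, "Maildir")
    converted = convert_mbox_to_maildir(mbox_path, maildir_path)
    return converted, count_files(maildir_path)


if __name__ == "__main__":
    converted, counts = demo()
    print("converted %d messages: %s" % (converted, counts))
```

The unread message lands in `new/` and the one marked read in `cur/` with `:2,S` in its name, so a later `doveadm` or client import sees the right state instead of every message coming back as unread.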


Re: folders not visible on copied mail folders

2018-07-19 Thread Mark Foley
Shortly after this post, I found a solution here: 
http://forums.mozillazine.org/viewtopic.php?t=1097725

In order to see the .Dennis\ Email.Dennis\ Inbox sub-folder you have to 
collapse and re-expand
the folder list in Thunderbird. It's that simple ... AND that annoyingly 
obscure!

Thanks for your help! --Mark

-Original Message-
From: Mark Foley 
Date: Thu, 19 Jul 2018 21:21:34 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: folders not visible on copied mail folders

On Thu, 19 Jul 2018 08:11:40 +0200 Steffen Kaiser  
wrote:
>
> On Thu, 19 Jul 2018, Mark Foley wrote:
> > On Wed, 18 Jul 2018 07:23:06 +0200 Steffen Kaiser  
> > wrote:
> >>
> >> On Tue, 17 Jul 2018, Mark Foley wrote:
> >>> On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser 
> >>>  wrote:
> >>>>
> >>>> On Mon, 16 Jul 2018, Mark Foley wrote:
> >>>>
> >>>>> We had a user quit recently.  Three days ago I copied his entire 
> >>>>> Maildir folder to another user
> >>>>> to that user's Maildir/.JoesEmail.  I changed ownership and made the 
> >>>>> permission 'chmod -R
> >>>>> og-rwx .', just like all the other files/directories of the new owner.  
> >>>>> This didn't work to show
> >>>>> the new folder.  Today, in his Thunderbird client, I subscribed to the 
> >>>>> 'JoesEmail' folder.  I
> >>>>> restarted dovecot and restarted Thunderbird.
> >>>>>
> >>>>> In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and 
> >>>>> shows none of the
> >>>>> subordinate mail folders.  I ran 'doveadm index -u newowner JoesEmail' 
> >>>>> and
> >>>>> 'doveadm force-resync -u newowner JoesEmail'.  This didn't help.
> >>>>>
> >>>>> I did this once before with a previous user who quit and only changed 
> >>>>> ownership, no
> >>>>> subscribing, no doveadm, and that worked.
> >>>>>
> >>>>> What am I doing wrong?
> >>>>
> >>>> Your description might be interpreted one way or another, esp. "copied 
> >>>> his
> >>>> entire Maildir folder ... to that user's Maildir/.JoesEmail".
> >>>>
> >>>> Also, it depends on how you have configured mail_location.
> >>>>
> >>>> If this means that you have:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> >>>> now, that will clash with the standard Maildir format:
> >>>> https://wiki2.dovecot.org/MailboxFormat/Maildir
> >>>>
> >>>> You would need to move the subfolders with a leading dot of .JoesEmail
> >>>> into:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
> >>>>
> >>>> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
> >>>>
> >>>> Subscription is needed only, if the mail client "displays subscribed
> >>>> folders only" or does not "display all folders". The meaning of the
> >>>> setting varies from client to client.
> >>>>
> >>>> Another way would be to keep the other account and share it via ACLs:
> >>>> https://wiki2.dovecot.org/SharedMailboxes/Shared
> >>>>
> >>>> Steffen Kaiser
> >>>
> >>> Steffen, thanks for your reply. I did have the copied folders as shown in 
> >>> your first example. I
> >>> changed that to what you show as the remedy. The target user's Maildir 
> >>> folder now has:
> >>>
> >>> drwx--  5 mpress domusers   4096 2017-06-28 20:07 .Deleted\ 
> >>> Messages.Junk/
> >>> drwx--  5 mpress domusers   4096 2018-07-16 23:22 .Delta\ Dental/
> >>> drwx-- 21 mpress domusers   4096 2018-07-17 16:48 .Dennis\ Email/
> >>> drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ 
> >>> Email.Deleted\ Items/
> >>> drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ 
> >>> Email.Deleted\ Items.Sent/
> >>> drwx--  5 mpress domusers   4096 2018-07-17 17:02 .Drafts/
> >>

Re: folders not visible on copied mail folders

2018-07-19 Thread Mark Foley
On Thu, 19 Jul 2018 08:11:40 +0200 Steffen Kaiser  
wrote:
>
> On Thu, 19 Jul 2018, Mark Foley wrote:
> > On Wed, 18 Jul 2018 07:23:06 +0200 Steffen Kaiser  
> > wrote:
> >>
> >> On Tue, 17 Jul 2018, Mark Foley wrote:
> >>> On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser 
> >>>  wrote:
> >>>>
> >>>> On Mon, 16 Jul 2018, Mark Foley wrote:
> >>>>
> >>>>> We had a user quit recently.  Three days ago I copied his entire 
> >>>>> Maildir folder to another user
> >>>>> to that user's Maildir/.JoesEmail.  I changed ownership and made the 
> >>>>> permission 'chmod -R
> >>>>> og-rwx .', just like all the other files/directories of the new owner.  
> >>>>> This didn't work to show
> >>>>> the new folder.  Today, in his Thunderbird client, I subscribed to the 
> >>>>> 'JoesEmail' folder.  I
> >>>>> restarted dovecot and restarted Thunderbird.
> >>>>>
> >>>>> In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and 
> >>>>> shows none of the
> >>>>> subordinate mail folders.  I ran 'doveadm index -u newowner JoesEmail' 
> >>>>> and
> >>>>> 'doveadm force-resync -u newowner JoesEmail'.  This didn't help.
> >>>>>
> >>>>> I did this once before with a previous user who quit and only changed 
> >>>>> ownership, no
> >>>>> subscribing, no doveadm, and that worked.
> >>>>>
> >>>>> What am I doing wrong?
> >>>>
> >>>> Your description might be interpreted one way or another, esp. "copied 
> >>>> his
> >>>> entire Maildir folder ... to that user's Maildir/.JoesEmail".
> >>>>
> >>>> Also, it depends on how you have configured mail_location.
> >>>>
> >>>> If this means that you have:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> >>>> now, that will clash with the standard Maildir format:
> >>>> https://wiki2.dovecot.org/MailboxFormat/Maildir
> >>>>
> >>>> You would need to move the subfolders with a leading dot of .JoesEmail
> >>>> into:
> >>>> Maildir/.JoesEmail/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox/{new,cur,tmp}
> >>>> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
> >>>>
> >>>> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
> >>>>
> >>>> Subscription is needed only, if the mail client "displays subscribed
> >>>> folders only" or does not "display all folders". The meaning of the
> >>>> setting varies from client to client.
> >>>>
> >>>> Another way would be to keep the other account and share it via ACLs:
> >>>> https://wiki2.dovecot.org/SharedMailboxes/Shared
> >>>>
> >>>> Steffen Kaiser
> >>>
> >>> Steffen, thanks for your reply. I did have the copied folders as shown in 
> >>> your first example. I
> >>> changed that to what you show as the remedy. The target user's Maildir 
> >>> folder now has:
> >>>
> >>> drwx--  5 mpress domusers   4096 2017-06-28 20:07 .Deleted\ 
> >>> Messages.Junk/
> >>> drwx--  5 mpress domusers   4096 2018-07-16 23:22 .Delta\ Dental/
> >>> drwx-- 21 mpress domusers   4096 2018-07-17 16:48 .Dennis\ Email/
> >>> drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ 
> >>> Email.Deleted\ Items/
> >>> drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ 
> >>> Email.Deleted\ Items.Sent/
> >>> drwx--  5 mpress domusers   4096 2018-07-17 17:02 .Drafts/
> >>> drwx--  5 mpress domusers   4096 2018-07-17 16:35 .ESI/
> >>>
> >>> Where '.Dennis Email' is the folder for the old user. I copied the old 
> >>> user's 'Maildir/.Deleted Items'
> >>> and 'Maildir/.Deleted Items/Sent' to the target user's 'Maildir/.Dennis 
> >>> Email.Deleted Items'
> >>> and 'Maildir/.Deleted Items/Sent', respectively. That's how I understood what 
> >>> you advised. There are
> >>> more such subfolders, but I th

Re: folders not visible on copied mail folders

2018-07-18 Thread Mark Foley
On Wed, 18 Jul 2018 07:23:06 +0200 Steffen Kaiser  
wrote:
>
> On Tue, 17 Jul 2018, Mark Foley wrote:
> > On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser  
> > wrote:
> >>
> >> On Mon, 16 Jul 2018, Mark Foley wrote:
> >>
> >>> We had a user quit recently.  Three days ago I copied his entire Maildir 
> >>> folder to another user
> >>> to that user's Maildir/.JoesEmail.  I changed ownership and made the 
> >>> permission 'chmod -R
> >>> og-rwx .', just like all the other files/directories of the new owner.  
> >>> This didn't work to show
> >>> the new folder.  Today, in his Thunderbird client, I subscribed to the 
> >>> 'JoesEmail' folder.  I
> >>> restarted dovecot and restarted Thunderbird.
> >>>
> >>> In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and 
> >>> shows none of the
> >>> subordinate mail folders.  I ran 'doveadm index -u newowner JoesEmail' and
> >>> 'doveadm force-resync -u newowner JoesEmail'.  This didn't help.
> >>>
> >>> I did this once before with a previous user who quit and only changed 
> >>> ownership, no
> >>> subscribing, no doveadm, and that worked.
> >>>
> >>> What am I doing wrong?
> >>
> >> Your description might be interpreted one way or another, esp. "copied his
> >> entire Maildir folder ... to that user's Maildir/.JoesEmail".
> >>
> >> Also, it depends on how you have configured mail_location.
> >>
> >> If this means that you have:
> >> Maildir/.JoesEmail/{new,cur,tmp}
> >> Maildir/.JoesEmail/.mailbox/{new,cur,tmp}
> >> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> >> now, that will clash with the standard Maildir format:
> >> https://wiki2.dovecot.org/MailboxFormat/Maildir
> >>
> >> You would need to move the subfolders with a leading dot of .JoesEmail
> >> into:
> >> Maildir/.JoesEmail/{new,cur,tmp}
> >> Maildir/.JoesEmail.mailbox/{new,cur,tmp}
> >> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
> >>
> >> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
> >>
> >> Subscription is needed only, if the mail client "displays subscribed
> >> folders only" or does not "display all folders". The meaning of the
> >> setting varies from client to client.
> >>
> >> Another way would be to keep the other account and share it via ACLs:
> >> https://wiki2.dovecot.org/SharedMailboxes/Shared
> >>
> >> Steffen Kaiser
> >
> > Steffen, thanks for your reply. I did have the copied folders as shown in 
> > your first example. I
> > changed that to what you show as the remedy. The target user's Maildir 
> > folder now has:
> >
> > drwx--  5 mpress domusers   4096 2017-06-28 20:07 .Deleted\ 
> > Messages.Junk/
> > drwx--  5 mpress domusers   4096 2018-07-16 23:22 .Delta\ Dental/
> > drwx-- 21 mpress domusers   4096 2018-07-17 16:48 .Dennis\ Email/
> > drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ 
> > Email.Deleted\ Items/
> > drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ 
> > Email.Deleted\ Items.Sent/
> > drwx--  5 mpress domusers   4096 2018-07-17 17:02 .Drafts/
> > drwx--  5 mpress domusers   4096 2018-07-17 16:35 .ESI/
> >
> > Where '.Dennis Email' is the folder for the old user. I copied the old 
> > user's 'Maildir/.Deleted Items'
> > and 'Maildir/.Deleted Items/Sent' to the target user's 'Maildir/.Dennis 
> > Email.Deleted Items'
> > and 'Maildir/.Deleted Items/Sent', respectively. That's how I understood what 
> > you advised. There are
> > more such subfolders, but I thought I'd try this one first.
>
> > However, still only the "Dennis Email" folder shows in the mail client, 
> > empty, no sub-folders
> > even though "Deleted Items.Sent/cur" has plenty of mail files (1522).
> >
> > I did try running 'doveadm index -u mpress "Dennis Email"', again; and 
> > restarting dovecot and
> > thunderbird again, but still nothing.
>
> First check if Dovecot thinks the folders are there:
>
> doveadm mailbox list -u "mpress" | grep Dennis

yes:

# doveadm mailbox list -u "mpress" | grep Dennis
Dennis Email
Dennis Email.Deleted Items
Dennis Email.Deleted Items.Sent

> Then make sure that each of the three folders contain the cur, new, tmp 
> subfolders.

They do:

drwx---

Re: folders not visible on copied mail folders

2018-07-17 Thread Mark Foley
On Tue, 17 Jul 2018 08:06:24 +0200 Steffen Kaiser  
wrote:
>
> On Mon, 16 Jul 2018, Mark Foley wrote:
>
> > We had a user quit recently.  Three days ago I copied his entire Maildir 
> > folder to another user
> > to that user's Maildir/.JoesEmail.  I changed ownership and made the 
> > permission 'chmod -R
> > og-rwx .', just like all the other files/directories of the new owner.  
> > This didn't work to show
> > the new folder.  Today, in his Thunderbird client, I subscribed to the 
> > 'JoesEmail' folder.  I
> > restarted dovecot and restarted Thunderbird.
> >
> > In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and shows 
> > none of the
> > subordinate mail folders.  I ran 'doveadm index -u newowner JoesEmail' and
> > 'doveadm force-resync -u newowner JoesEmail'.  This didn't help.
> >
> > I did this once before with a previous user who quit and only changed 
> > ownership, no
> > subscribing, no doveadm, and that worked.
> >
> > What am I doing wrong?
>
> Your description might be interpreted one way or another, esp. "copied his 
> entire Maildir folder ... to that user's Maildir/.JoesEmail".
>
> Also, it depends on how you have configured mail_location.
>
> If this means that you have:
> Maildir/.JoesEmail/{new,cur,tmp} 
> Maildir/.JoesEmail/.mailbox/{new,cur,tmp} 
> Maildir/.JoesEmail/.mailbox.submailbox/{new,cur,tmp}
> now, that will clash with the standard Maildir format: 
> https://wiki2.dovecot.org/MailboxFormat/Maildir
>
> You would need to move the subfolders with a leading dot of .JoesEmail 
> into:
> Maildir/.JoesEmail/{new,cur,tmp} 
> Maildir/.JoesEmail.mailbox/{new,cur,tmp} 
> Maildir/.JoesEmail.mailbox.submailbox/{new,cur,tmp}
>
> If you use :LAYOUT=fs to mail_location, .JoesEmail should spell JoesEmail
>
> Subscription is needed only, if the mail client "displays subscribed 
> folders only" or does not "display all folders". The meaning of the 
> setting varies from client to client.
>
> Another way would be to keep the other account and share it via ACLs: 
> https://wiki2.dovecot.org/SharedMailboxes/Shared
>
> Steffen Kaiser

Steffen, thanks for your reply. I did have the copied folders as shown in your 
first example. I
changed that to what you show as the remedy. The target user's Maildir folder 
now has:

drwx--  5 mpress domusers   4096 2017-06-28 20:07 .Deleted\ Messages.Junk/
drwx--  5 mpress domusers   4096 2018-07-16 23:22 .Delta\ Dental/
drwx-- 21 mpress domusers   4096 2018-07-17 16:48 .Dennis\ Email/
drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ 
Items/
drwx--  5 mpress domusers   4096 2018-07-16 23:15 .Dennis\ Email.Deleted\ 
Items.Sent/
drwx--  5 mpress domusers   4096 2018-07-17 17:02 .Drafts/
drwx--  5 mpress domusers   4096 2018-07-17 16:35 .ESI/

Where '.Dennis Email' is the folder for the old user. I copied the old user's 
'Maildir/.Deleted Items'
and 'Maildir/.Deleted Items/Sent' to the target user's 'Maildir/.Dennis 
Email.Deleted Items'
and 'Maildir/.Deleted Items/Sent', respectively. That's how I understood what you 
advised. There are
more such subfolders, but I thought I'd try this one first.

However, still only the "Dennis Email" folder shows in the mail client, empty, 
no sub-folders
even though "Deleted Items.Sent/cur" has plenty of mail files (1522).

I did try running 'doveadm index -u mpress "Dennis Email"', again; and 
restarting dovecot and
thunderbird again, but still nothing.

What else can I try?

THX --Mark
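
The Maildir++ rule Steffen describes (sub-folders are siblings of their parent, named `.Parent.Child`, each with `cur/`, `new/` and `tmp/`; a dot-directory nested inside a folder is never listed) is easy to check by script before restarting anything. The following is an added example, not code from the thread or from Dovecot; it assumes the default Maildir++ layout (not `:LAYOUT=fs`) and builds its own throw-away sample tree that reproduces the clashing layout quoted above:

```python
import os
import shutil
import tempfile

REQUIRED = ("cur", "new", "tmp")


def maildirpp_folder_name(*parts):
    """Map an IMAP folder path such as JoesEmail/mailbox/sub to the on-disk
    Maildir++ directory name .JoesEmail.mailbox.sub (default layout, not LAYOUT=fs)."""
    return "." + ".".join(parts)


def is_folder_dir(path):
    """A Maildir folder directory must contain all of cur/, new/ and tmp/."""
    return all(os.path.isdir(os.path.join(path, d)) for d in REQUIRED)


def check_maildir_layout(root):
    """Walk a Maildir++ root and return (folders, problems).

    folders  : IMAP names Dovecot can be expected to list (leading dot stripped)
    problems : folder dirs missing cur/new/tmp, and dot-directories nested
               *inside* a folder dir, which Maildir++ never looks at; each
               nested one is reported with the sibling name it should have.
    """
    folders, problems = [], []
    if not is_folder_dir(root):
        problems.append("INBOX: missing one of %s" % ", ".join(REQUIRED))
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if not entry.startswith(".") or not os.path.isdir(path):
            continue  # INBOX's own cur/new/tmp, dovecot metadata files, etc.
        if is_folder_dir(path):
            folders.append(entry[1:])
        else:
            problems.append("%s: missing one of %s" % (entry, ", ".join(REQUIRED)))
        for sub in sorted(os.listdir(path)):
            if sub.startswith(".") and os.path.isdir(os.path.join(path, sub)):
                problems.append("%s/%s: nested folder; move to %s"
                                % (entry, sub, entry + sub))
    return folders, problems


def build_sample_tree(base):
    """Constructed sample: the clashing layout from the thread (.JoesEmail
    containing .mailbox and .mailbox.submailbox) plus a correct .Drafts."""
    for rel in ("", ".JoesEmail", ".JoesEmail/.mailbox",
                ".JoesEmail/.mailbox.submailbox", ".Drafts"):
        for d in REQUIRED:
            os.makedirs(os.path.join(base, rel, d), exist_ok=True)


def demo():
    """Build the sample tree in a temporary directory, check it, clean up."""
    base = tempfile.mkdtemp(prefix="maildir-check-")
    try:
        build_sample_tree(base)
        return check_maildir_layout(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    folders, problems = demo()
    print("folders Dovecot will list:", folders)
    for p in problems:
        print("problem:", p)
```

Run `check_maildir_layout("/home/mpress/Maildir")` as the mailbox owner (or root) against a real tree; anything reported as "nested folder" will not show up in `doveadm mailbox list` no matter how often the index is rebuilt, because the listing never descends into a folder directory.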


folders not visible on copied mail folders

2018-07-16 Thread Mark Foley
We had a user quit recently.  Three days ago I copied his entire Maildir folder 
to another user
to that user's Maildir/.JoesEmail.  I changed ownership and made the permission 
'chmod -R
og-rwx .', just like all the other files/directories of the new owner.  This 
didn't work to show
the new folder.  Today, in his Thunderbird client, I subscribed to the 
'JoesEmail' folder.  I
restarted dovecot and restarted Thunderbird. 

In Thunderbird, the 'JoesEmail' folder now shows, but it is empty and shows 
none of the
subordinate mail folders.  I ran 'doveadm index -u newowner JoesEmail' and 
'doveadm force-resync -u newowner JoesEmail'.  This didn't help. 

I did this once before with a previous user who quit and only changed 
ownership, no
subscribing, no doveadm, and that worked.

What am I doing wrong?

THX --Mark


Re: AuthDatabase CheckPassword broken?

2018-02-01 Thread Mark Foley
Script didn't run:

  File "/root/tmp/checkpwtest.py", line 8
o?= with os.fdopen(DOVECOT_PW_FD, 'r') as s:
^
SyntaxError: invalid syntax

--Mark

-Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 01 Feb 2018 15:34:15 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: AuthDatabase CheckPassword broken?

On Thu, 1 Feb 2018 10:02:10 +0200 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> On 01.02.2018 08:00, Mark Foley wrote:
> > I had been using the CheckPassword authentication interface with dovecot 
> > 2.2.15, 
> > https://wiki2.dovecot.org/AuthDatabase/CheckPassword, and it was working.
> >
> > After upgrading to 2.2.33.2 CheckPassword no longer works. The referenced 
> > wiki page says, 
> >
> > Checkpassword Interface
> >
> > Read  NUL  NUL from fd 3. 
> >
> > I've checked the information read from fd 3 with 2.2.33.2 and I get 
> >  followed by 3
> > nulls. I'm guessing the 2nd null is supposed to be the password.
> >
> > Why is this no longer working? How can I fix it?
> >
> > THX --Mark
> Our CI has test
>
> #!/usr/bin/env python
> # -*- coding: utf-8 -*-
> import os, sys
>
> DOVECOT_PW_FD = 3
>
> def checkPassword():
>     with os.fdopen(DOVECOT_PW_FD, 'r') as s:
>         data = s.read().split("\0")
>         if data[0] != "testuser" or data[1] != "pass":
>             return False
>         os.environ["USER"] = data[0]
>         os.environ["EXTRA"] = "userdb_uid=vmail userdb_gid=vmail"
>     return True
>
> if __name__ == "__main__":
>     if not checkPassword():
>         sys.exit(1)
>     os.execv(sys.argv[1], sys.argv[1:])
>
> And it seems to work.
>
> Aki

Thanks for the script. I'm testing this on a production system, so I'll have to 
wait until
after business hours to test. Meanwhile, not being a python wizard, I have a 
couple of
questions.

I have to run this script as my passdb { args } parameter, right?

On the line where it is checking for "testuser" and password "test", I assume 
that if I want to
use a configured user I can just change these, right?

Likewise with "userdb_uid=vmail userdb_gid=vmail", what are these? UID/GID of 
the user?

Is there a way in python to output the values in data[0] and data[1] to a file 
so I can see
what's actually received? If after the 'split' line I added:

f = open("/tmp/checkpassword.log","a")
f.write("Name: " + data[0] + ", PW: " + data[1])
f.close()

Would that work?

--THX Mark
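
A fuller version of the script discussed above, as an added example (it is neither Aki's CI test nor Mark's checkpassword program): it reads the NUL-separated fields from fd 3, treats an empty second field as a failed login (the "user followed by three NULs" case reported in this thread), checks the password against a constructed in-memory store with a constant-time comparison, and writes the debug log Mark asks about without ever putting the password in it. The credential store, salt and log path are assumptions for the example; the convention that each extra field is its own environment variable with EXTRA listing their names is also assumed here, so adjust `extra_env` to match your checkpassword-reply.

```python
import hashlib
import hmac
import os
import sys

DOVECOT_PW_FD = 3          # Dovecot writes "user NUL password NUL ..." to this fd
LOG_PATH = "/tmp/checkpassword.log"   # assumed debug log location


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store for the example (username -> (salt, PBKDF2 hash)).
# It stands in for whatever backend a real checkpassword program would consult.
_SALT = b"constructed-salt"
CREDENTIALS = {"testuser": (_SALT, _pbkdf2("pass", _SALT))}


def parse_checkpassword_input(raw):
    """Split the fd-3 payload into (user, password, extra).

    The fields are NUL-terminated, so a user name followed by NULs and nothing
    else is a login with an empty password; pad so the result is always three
    strings and the caller can check each one.
    """
    fields = raw.split(b"\0")
    fields += [b""] * (3 - len(fields))
    user, password, extra = (f.decode("utf-8", "replace") for f in fields[:3])
    return user, password, extra


def verify(user, password, store=CREDENTIALS):
    """True only for a known user with a non-empty password that matches."""
    if not user or not password:
        return False
    entry = store.get(user)
    if entry is None:
        _pbkdf2(password, _SALT)       # same cost for unknown users: no timing hint
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def extra_env(uid="vmail", gid="vmail", home=None):
    """Variables for the reply program. Assumed convention: every extra field is
    its own environment variable and EXTRA lists their names, space separated."""
    fields = {"userdb_uid": uid, "userdb_gid": gid}
    if home:
        fields["userdb_home"] = home
    names = " ".join(fields)
    fields["EXTRA"] = names
    return fields


def log_attempt(path, user, password):
    """Debug trace recording who tried and whether a password arrived at all,
    never the password itself."""
    with open(path, "a") as f:
        f.write("user=%r password_present=%s password_len=%d\n"
                % (user, bool(password), len(password)))


def main():
    with os.fdopen(DOVECOT_PW_FD, "rb") as s:
        user, password, _extra = parse_checkpassword_input(s.read())
    log_attempt(LOG_PATH, user, password)
    if not verify(user, password):
        sys.exit(1)                    # 1 = credentials rejected, as in Aki's script
    os.environ["USER"] = user
    os.environ.update(extra_env())
    os.execv(sys.argv[1], sys.argv[1:])   # argv[1] is Dovecot's checkpassword-reply


if __name__ == "__main__":
    main()
```

Point `passdb { driver = checkpassword  args = /path/to/this.py }` at the script; the log line then tells you whether the password field was empty before the script returned failure, which is exactly what Mark's `f.write("Name: ... PW: ...")` would show, minus the password in a world-readable `/tmp` file.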



Re: AuthDatabase CheckPassword broken?

2018-02-01 Thread Mark Foley
On Thu, 1 Feb 2018 10:02:10 +0200 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> On 01.02.2018 08:00, Mark Foley wrote:
> > I had been using the CheckPassword authentication interface with dovecot 
> > 2.2.15, 
> > https://wiki2.dovecot.org/AuthDatabase/CheckPassword, and it was working.
> >
> > After upgrading to 2.2.33.2 CheckPassword no longer works. The referenced 
> > wiki page says, 
> >
> > Checkpassword Interface
> >
> > Read  NUL  NUL from fd 3. 
> >
> > I've checked the information read from fd 3 with 2.2.33.2 and I get 
> >  followed by 3
> > nulls. I'm guessing the 2nd null is supposed to be the password.
> >
> > Why is this no longer working? How can I fix it?
> >
> > THX --Mark
> Our CI has test
>
> #!/usr/bin/env python
> # -*- coding: utf-8 -*-
> import os, sys
>
> DOVECOT_PW_FD = 3
>
> def checkPassword():
>     with os.fdopen(DOVECOT_PW_FD, 'r') as s:
>         data = s.read().split("\0")
>         if data[0] != "testuser" or data[1] != "pass":
>             return False
>         os.environ["USER"] = data[0]
>         os.environ["EXTRA"] = "userdb_uid=vmail userdb_gid=vmail"
>     return True
>
> if __name__ == "__main__":
>     if not checkPassword():
>         sys.exit(1)
>     os.execv(sys.argv[1], sys.argv[1:])
>
> And it seems to work.
>
> Aki

Thanks for the script. I'm testing this on a production system, so I'll have to 
wait until
after business hours to test. Meanwhile, not being a python wizard, I have a 
couple of
questions.

I have to run this script as my passdb { args } parameter, right?

On the line where it is checking for "testuser" and password "test", I assume 
that if I want to
use a configured user I can just change these, right?

Likewise with "userdb_uid=vmail userdb_gid=vmail", what are these? UID/GID of 
the user?

Is there a way in python to output the values in data[0] and data[1] to a file 
so I can see
what's actually received? If after the 'split' line I added:

f = open("/tmp/checkpassword.log","a")
f.write("Name: " + data[0] + ", PW: " + data[1])
f.close()

Would that work?

--THX Mark



AuthDatabase CheckPassword broken?

2018-01-31 Thread Mark Foley
I had been using the CheckPassword authentication interface with dovecot 
2.2.15, 
https://wiki2.dovecot.org/AuthDatabase/CheckPassword, and it was working.

After upgrading to 2.2.33.2 CheckPassword no longer works. The referenced wiki 
page says, 

Checkpassword Interface

Read  NUL  NUL from fd 3. 

I've checked the information read from fd 3 with 2.2.33.2 and I get  
followed by 3
nulls. I'm guessing the 2nd null is supposed to be the password.

Why is this no longer working? How can I fix it?

THX --Mark


Re: Howto authenticate smartPhone via Active Directory

2017-12-05 Thread Mark Foley
On Tue, 5 Dec 2017 16:42:15 +0100 mj <li...@merit.unu.edu> wrote:

> Hi,
>
> Not much time to reply now.
>
> On 12/05/2017 05:21 AM, Mark Foley wrote:
> > mj - thanks! That's the first useful example I've received from any 
> > forum/list. I'm getting ready
> > to try my config (have to do so after hours), but I have some probably 
> > simple-minded questions:
>
> Well, that looks as if you are testing/trying out on your production 
> machine. Why not set up a separate (virtual?) test server to play with..? 
> Use the same os version, with the same dovecot version.
> Or clone your production machine, so you can test as much as you like, 
> without time pressure, at any given time.

I've been playing with this ldap authentication for a couple of years off and 
on. Time isn't a
problem. The issue with setting up a test environment is that I really need the 
domain
workstations and external smartphone attempting to connect when I make a change 
so I can follow
what's going on in the Dovecot log and maillog. It's rather simple to test a 
change, then put
things back. I'll likely not go the test platform route for now, but thanks for 
the input.

> > Your example is not the complete dovecot-ldap.conf.ext file, right? Have 
> > you just given me
> > differences in your config from the "original"? You've kept the hosts, 
> > base, ldap_version,
> > scope, deref, debug_level, and auth_bind_userdn settings in your config, 
> > right?

> Not the complete file, no. I just provided the essentials.
>
[deleted]

Ok, here's what I've come up with for dovecot-ldap.conf.ext

hosts = mail.hprs.local
base = dc=mail, dc=hprs, dc=local

ldap_version = 3
scope   = subtree
deref   = never

debug_level = -1

auth_bind = yes
auth_bind_userdn = %n@dom
dn = cn=Administrator,cn=users,dc=hprs,dc=local
dnpass = ***

user_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
pass_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))



I've enabled auth-ldap.conf.ext in 10-auth.conf. My doveconf is listed at 
bottom.

Unfortunately, this doesn't work. My remote devices are not even showing as 
trying to connect.
For internal domain LAN users I get:

Dec 06 01:08:10 imap-login: Info: Disconnected: Auth process broken 
(disconnected before auth was ready, waited 30 secs): user=<>, 
rip=192.168.0.52, lip=192.168.0.2, session=<3/ZyxaVfE8PAqAA0>

I do see ldap listening on 389, imap[s] (Dovecot) listening on 143 and 993, 
these last two are
opened externally through the firewall. 

> For the rest: my advice is that you *really* need to play around with 
> this much more. Get yourself a test environment, and play and test.
>
> Plus: read some dovecot/ad howto's, and try things in your own environment.
>
> Quick google returns:
> https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
>

I know my level of sophistication on this must sound like I've glibly posted a 
question hoping
someone will do the work for me without my having to do any thinking myself, 
but believe me,
I've been reading and experimenting with this for a very long time.  I've got 
internal AD
authentication working with GSSAPI and I've got a rather complex checkpassword 
program able to
do authentication, so I don't think I'm a complete moron, although this project 
makes me feel
that way. Now, I just want smartphones to authenticate with their owners' 
domain credentials
and get them out of /etc/passwd.

I believe I've read all the Dovecot wikis on ldap plus things from many other 
sites.  I've been
to that howtoforge site before.  It mostly deals with setting up Postfix, which 
I'm not using. 
The dovecot bits make more sense in light of your feedback.  I've tried that 
ldapsearch
example:

ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'

with the domain user I specified in my dovecot-ldap.conf.ext with my host and 
dc info and I get
the error 

ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.

I've seen confusing postings on this error having to do with port 636 and LDAPS 
-- no idea what
they're talking about.  My user is the Samba/domain administrator and has a 
pretty complex
password. None of the sites I've visited on this error indicate it has anything 
to do with the
actual password's complexity.

Perhaps I'm just thick-skulled with all this.

If you or anyone can see something obviously wrong with my conf, or have any 
suggestion at all
on a baby step I can take to inch me forward, please let me know.

Thanks, --Mark

doveconf -n:
# 2.2.33.2 (d6601f4ec): /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_ho

Can passdb be bypassed for non-plaintext authentication mechanisms

2017-12-04 Thread Mark Foley
I am using Active directory authentication via gssapi for most users.  In 
dovecot.conf I have:

auth_mechanisms = plain login gssapi
auth_use_winbind = yes

I also have

passdb { driver = shadow }
userdb { driver = passwd }

for those few users who are NOT AD users.

Even though the AD users do not exist in /etc/passwd or /etc/shadow, Dovecot 
ALWAYS first looks
them up in shadow, which ALWAYS fails. 

The https://wiki2.dovecot.org/PasswordDatabase wiki says, "these databases 
can't be used with
non-plaintext authentication mechanisms."

Is there a way to bypass checking passdb (and userdb?) for these mechanism?

--Mark


Re: Howto authenticate smartPhone via Active Directory

2017-12-04 Thread Mark Foley
mj - thanks! That's the first useful example I've received from any forum/list. 
I'm getting ready
to try my config (have to do so after hours), but I have some probably 
simple-minded questions:

Your example is not the complete dovecot-ldap.conf.ext file, right? Have you 
just given me
differences in your config from the "original"? You've kept the hosts, base, 
ldap_version,
scope, deref, debug_level, and auth_bind_userdn settings in your config, right?

Your dn is:

dn = cn=search_dovecit,cn=users,dc=company,dc=com

Mine (original) is:

dn = cn=user_for_bind,cn=Users,dc=dom

Can you tell me why you have "search_dovecit" versus "user_for_bind"? Is that 
something I need
in order to make this work?

Is your "dc=company,dc=com" meta-syntax and you use your actual domain CNs 
here, or is that
literally what you have there?

My dnpass (original) is:

dnpass = 

your example is:

dnpass = top_secret

Again, are the assigned values meta-syntax (meta-syntax in configs is not 
obvious to me unless
it is bold, underlined, italicized and colored ... or uses brackets or some 
other convention)?
If meta, what is actually supposed to go there?

With your "this user/passwd filter". Can you tell me why you have 
"userAccountControl=514"? Is
that 514 bit documented somewhere? Your user_filter/pass_filter is *completely* 
different from
my installed original.

You don't mention the user_attrs/pass_attrs settings. Is this because you use 
the originals or
because you have commented them out? My current settings are:

user_attrs  = quotaFieldAD=quota_rule=*:storage=%$MB
pass_attrs  = userPassword=password

My auth_mechanisms are:

auth_mechanisms = plain login gssapi

Is this sufficient for ldap?

Thanks for your help --Mark

btw - I have been running Dovecot with AD for years, but for local Domain users 
authenticating
via GSSAPI.  Remote users (e.g. smartPhones) don't have that mechanism that I'm 
aware of.
Currently they are authenticated via shadow, but I'd like to remove AD users 
from /etc/passwd. 

On Mon, 4 Dec 2017 09:04:57 +0100 mj <li...@merit.unu.edu> wrote
>
> Hi Mark,
>
> Just to let you know that we are running dovecot with AD. (and I guess: 
> *many* people are running that combination)
>
> It worked without issues, we are using in dovecot-ldap.conf.ext:
>
>  > auth_bind = yes
>
> this user/passwd filter:
> > = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl=514)))
>
>  > dn = cn=search_dovecit,cn=users,dc=company,dc=com
>  > dnpass = top_secret
>
> And not the 3268 port, but regular 389.
>
> Hope that helps.
>
> MJ
>
>
>
> On 12/04/2017 01:38 AM, Mark Foley wrote:
> > Unfortunately, I tried for weeks to figure out passdb ldap without success. 
> > I guess I'm just
> > not knowledgeable enough about how to use ldap and Active Directory. The 
> > dovecot wiki
> > https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it 
> > says is:
> > 
> > Active Directory
> > 
> > When connecting to AD, you may need to use port 3268. Then again, not all 
> > LDAP fields are
> > available in port 3268. Use whatever works. 
> > http://technet.microsoft.com/en-us/library/cc978012.aspx
> > 
> > I have not been able to find an example of someone using Dovecot and ldap 
> > with AD.
> > 
> > However, I have had some success with CheckPassword
> > (https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I 
> > wrote to do
> > ntlm_auth, I am able to authenticate the smartPhone user and pass the 
> > required parameters back
> > to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except 
> > pointing to my
> > checkpassword executable.
> > 
> > passdb {
> >   driver = checkpassword
> > args = /user/util/bin/checkpassword
> > }
> > userdb {
> >   driver = prefetch
> > }
> > 
> > The one issue I have with this at the moment is that dovecot runs 
> > checkpassword for every user,
> > smartphone or otherwise:
> > 
> > Dec 03 18:56:32 auth-worker(14903): Info: 
> > shadow(charmaine,192.168.0.52,): unknown user  - trying 
> > the next passdb
> > Dec 03 18:56:32 auth: Debug: 
> > checkpassword(charmaine,192.168.0.52,): execute: 
> > /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
> > Dec 03 18:56:32 auth: Debug: 
> > checkpassword(charmaine,192.168.0.52,): Received input:
> > Dec 03 18:56:32 auth: Debug: 
> > checkpassword(charmaine,192.168.0.52,): exit_status=1
> > Dec 03 18:56:32 auth: Debug: 
> > checkpassword(charmaine,192.168.0.52,): Credentials
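
The `(!(userAccountControl=514))` clause in mj's filter, and Mark's question about where 514 comes from, deserve a worked illustration. 514 is the bit flags NORMAL_ACCOUNT (0x200) plus ACCOUNTDISABLE (0x2), so an equality test only excludes an account whose flags are exactly that pair; a disabled account that also has "password never expires" set (0x10202 = 66050) passes the filter. Active Directory's bit-AND matching rule catches every disabled account regardless of the other flags. The block below is an added example, not configuration from the thread; the `username` argument stands in for what Dovecot substitutes for `%n`, and the escaping function is what any program that builds filters from client-supplied names has to do before the name goes into the filter.

```python
# userAccountControl bit flags as documented by Microsoft for Active Directory.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match rule that AD understands.
BIT_AND = "1.2.840.113556.1.4.803"


def is_disabled(uac):
    """What an administrator means by 'disabled': the ACCOUNTDISABLE bit is set."""
    return bool(uac & ACCOUNTDISABLE)


def equality_filter_excludes(uac):
    """What (!(userAccountControl=514)) actually does: it excludes one exact value."""
    return uac == (NORMAL_ACCOUNT | ACCOUNTDISABLE)   # 512 + 2 = 514


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that a
    name such as j*doe( cannot change the shape of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(username, bitwise=True):
    """Build the user/pass filter from the thread; bitwise=True uses the bit-AND
    rule so every disabled account is excluded, whatever other flags it carries."""
    if bitwise:
        disabled = "(userAccountControl:%s:=%d)" % (BIT_AND, ACCOUNTDISABLE)
    else:
        disabled = "(userAccountControl=%d)" % (NORMAL_ACCOUNT | ACCOUNTDISABLE)
    return "(&(objectclass=person)(sAMAccountName=%s)(!%s))" % (
        ldap_escape(username), disabled)


if __name__ == "__main__":
    for uac in (NORMAL_ACCOUNT, 514, NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD):
        print("uac=%d disabled=%s excluded_by_equality=%s"
              % (uac, is_disabled(uac), equality_filter_excludes(uac)))
    print(build_filter("jdoe"))
```

In a dovecot-ldap.conf.ext the bitwise form is written with the template variable in place of the name: `(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))`.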

Re: Howto authenticate smartPhone via Active Directory

2017-12-03 Thread Mark Foley
Unfortunately, I tried for weeks to figure out passdb ldap without success. I 
guess I'm just
not knowledgeable enough about how to use ldap and Active Directory. The 
dovecot wiki
https://wiki2.dovecot.org/AuthDatabase/LDAPm doesn't help me much. All it says 
is:

Active Directory

When connecting to AD, you may need to use port 3268. Then again, not all LDAP 
fields are
available in port 3268. Use whatever works. 
http://technet.microsoft.com/en-us/library/cc978012.aspx

I have not been able to find an example of someone using Dovecot and ldap with 
AD.

However, I have had some success with CheckPassword
(https://wiki2.dovecot.org/AuthDatabase/CheckPassword).  Using a program I 
wrote to do
ntlm_auth, I am able to authenticate the smartPhone user and pass the required 
parameters back
to Dovecot.  My auth-checkpasswd.conf.ext is the as-shipped standard except 
pointing to my
checkpassword executable. 

passdb {
  driver = checkpassword
args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

The one issue I have with this at the moment is that dovecot runs checkpassword 
for every user,
smartphone or otherwise:

Dec 03 18:56:32 auth-worker(14903): Info: 
shadow(charmaine,192.168.0.52,): unknown user  - trying the 
next passdb
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): execute: 
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): Received input: 
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): exit_status=1
Dec 03 18:56:32 auth: Debug: 
checkpassword(charmaine,192.168.0.52,): Credentials: 
Dec 03 18:56:32 auth: Debug: client passdb out: OK  1   user=charmaine  
original_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 auth: Debug: master in: REQUEST 1884160001  14902   1   
586863e54c57c999ee5731906a59257csession_pid=14907 request_auth_token
Dec 03 18:56:32 auth-worker(14903): Debug: 
passwd(charmaine,192.168.0.52,): lookup
Dec 03 18:56:32 auth-worker(14903): Debug: 
passwd(charmaine,192.168.0.52,): username changed charmaine 
-> HPRS\charmaine
Dec 03 18:56:32 auth: Debug: master userdb out: USER1884160001  
HPRS\charmaine  system_groups_user=HPRS\charmaineuid=10003gid=1 
  home=/home/HPRS/charmaine   
auth_token=d8d39ec4cc71923806ca7f539427e8aac44e90f7 
auth_user=charmaine@HPRS.LOCAL
Dec 03 18:56:32 imap-login: Info: Login: user=, method=GSSAPI, 
rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=
Dec 03 18:56:50 auth: Debug: auth client connected (pid=14913)

Notice after the "shadow" auth fails it says, "unknown user - trying the next 
passdb", which is
checkpassword (which apparently succeeds), then it goes on to gssapi which also 
succeeds.  Is
there a way to only have it do checkpassword if all shadow and gssapi fail? My 
mechanisms are:

auth_mechanisms = plain login gssapi

THX, --Mark

--Mark

-Original Message-
Date: Sun, 03 Dec 2017 22:28:53 +0200
Subject: Re: Howto authenticate smartPhone via Active Directory
From: Aki Tuomi <aki.tu...@dovecot.fi>
To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org

with passdb ldap i guess.

---Aki Tuomi
Dovecot oy

---- Original message 
From: Mark Foley <mfo...@ohprs.org> 
Date: 03/12/2017  21:18  (GMT+02:00) 
To: dovecot@dovecot.org 
Subject: Re: Howto authenticate smartPhone via Active Directory 

Yes, you are right. This link: 
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android.  Problem #1 is that Slackware does not ship 
with PAM and the
AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but 
I'm not sure I
should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials 
besides pam? The phone
can send user and password.

--Mark

-Original Message-
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from 
> shadow. maybe you need to configure pam module?
> ---Aki TuomiDovecot oy
>
>  Original message 
> From: Mark Foley <mfo...@ohprs.org> 
> Date: 03/12/2017  06:03  (GMT+02:00) 
> To: dovecot@dovecot.org 
> Subject: Howto authenticate smartPhone via Active Directory 

> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with 
> domain credentials
> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt 
> authentication via
> shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot
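
The auth debug output quoted in this message shows the passdb chain at work: `shadow` reports "unknown user - trying the next passdb", then `checkpassword` is executed, and the login finally succeeds with `method=GSSAPI`. Reading that off a busy log by eye is error-prone, so here is an added example (not from the thread or from Dovecot) that groups auth lines by session and flags sessions where an external-program passdb ran even though the client was authenticated with a non-plaintext mechanism. The sample log is constructed to mirror the lines quoted above; the session ids and the 192.0.2.10 client address are invented.

```python
import re

# Constructed sample, modelled on the auth debug lines quoted in the thread.
SAMPLE_LOG = """\
Dec 03 18:56:32 auth-worker(14903): Info: shadow(charmaine,192.168.0.52,<s1>): unknown user - trying the next passdb
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<s1>): execute: /user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Dec 03 18:56:32 auth: Debug: checkpassword(charmaine,192.168.0.52,<s1>): exit_status=1
Dec 03 18:56:32 imap-login: Info: Login: user=<charmaine>, method=GSSAPI, rip=192.168.0.52, lip=192.168.0.2, mpid=14907, TLS, session=<s1>
Dec 01 14:27:32 auth-worker(5988): Info: shadow(mpress,192.0.2.10,<s2>): unknown user (given password: ***)
Dec 01 14:27:34 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 secs): user=<mpress>, method=PLAIN, rip=192.0.2.10, lip=192.168.0.2, TLS, session=<s2>
"""

# passdb lines: "<passdb>(<user>,<rip>,<session>): <message>"
PASSDB_RE = re.compile(
    r": (?:Info|Debug): (?P<passdb>\w+)\((?P<user>[^,]*),(?P<rip>[^,]*),"
    r"(?P<session><[^>]*>)\): (?P<msg>.*)$")
# imap-login outcome lines with the mechanism that was finally used
LOGIN_RE = re.compile(
    r"imap-login: Info: (?P<outcome>Login|Aborted login)[^:]*: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+),.*session=(?P<session><[^>]*>)")

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_auth_log(text):
    """Group auth-debug lines by session: which passdbs were consulted, in order,
    what each reported, and how the login ended."""
    sessions = {}
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            s = sessions.setdefault(m["session"], {"user": m["user"], "passdbs": []})
            s.update(outcome=m["outcome"], method=m["method"])
            continue
        m = PASSDB_RE.search(line)
        if m:
            s = sessions.setdefault(m["session"], {"user": m["user"], "passdbs": []})
            s.setdefault("rip", m["rip"])
            s["passdbs"].append((m["passdb"], m["msg"]))
    return sessions


def external_passdb_on_nonplaintext_login(sessions, external=("checkpassword",)):
    """Session ids where an external-program passdb ran although the client ended
    up authenticated with a non-plaintext mechanism such as GSSAPI."""
    flagged = []
    for sid, s in sessions.items():
        ran = {passdb for passdb, _ in s["passdbs"]}
        if (s.get("outcome") == "Login"
                and s.get("method") not in PLAINTEXT_MECHS
                and ran & set(external)):
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    sessions = parse_auth_log(SAMPLE_LOG)
    for sid, s in sessions.items():
        chain = " -> ".join(p for p, _ in s["passdbs"])
        print(sid, s["user"], chain, s.get("method"), s.get("outcome"))
    print("external passdb ran for non-plaintext login:",
          external_passdb_on_nonplaintext_login(sessions))
```

Feed it the real `/var/log/dovecot_info` with `auth_debug = yes` in place; every session listed by the last function is one where the external program was spawned for a client whose credentials were already verified by the mechanism, which is the behaviour the message above asks how to avoid.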

Re: Howto authenticate smartPhone via Active Directory

2017-12-03 Thread Mark Foley
Yes, you are right. This link: 
https://www.redips.net/linux/android-email-postfix-auth/#section2
shows:

passdb pam {
}

used for authenticating Android.  Problem #1 is that Slackware does not ship 
with PAM and the
AD/DC Samba4 does not use it. It is used on Slackware for a domain member, but 
I'm not sure I
should try configuring PAM on the AD/DC.

Is there some other way I can get authentication using domain credentials 
besides pam? The phone
can send user and password.

--Mark

-Original Message-
> Date: Sun, 03 Dec 2017 15:22:56 +0200
> Subject: Re: Howto authenticate smartPhone via Active Directory
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> To: Mark Foley <mfo...@ohprs.org>, dovecot@dovecot.org
>
> Actually you are authenticating gssapi clients from ad and everyone else from 
> shadow. maybe you need to configure pam module?
> ---Aki TuomiDovecot oy
>
> ---- Original message 
> From: Mark Foley <mfo...@ohprs.org> 
> Date: 03/12/2017  06:03  (GMT+02:00) 
> To: dovecot@dovecot.org 
> Subject: Howto authenticate smartPhone via Active Directory 

> I have a Samba4 Active Directory server. Dovecot authenticates AD Users with 
> domain credentials
> using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt 
> authentication via
> shadow first and, failing that, it does authenticate via GSSAPI.
>
> Smartphones connect to Dovecot via port 143 and SSL.  They are not domain 
> members so if the
> shadow authentication fails, no other methods are tried and no connection is 
> made. 
>
> What can I do with my dovecot config to fix this?
>
> > doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 4.4.88 x86_64 Slackware 14.2 
> auth_debug = yes
> auth_debug_passwords = yes
> auth_gssapi_hostname = $ALL
> auth_krb5_keytab = /etc/dovecot/dovecot.keytab
> auth_mechanisms = plain login gssapi
> auth_use_winbind = yes
> auth_username_format = %n
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = 
>  ssl_key =  userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark


Re: Upgrade to 2.2.32 from 2.2.15 failed

2017-12-03 Thread Mark Foley
On Sat, 25 Nov 2017 10:13:58 +0200 (EET) Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> > On November 25, 2017 at 7:04 AM Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > I have a problem. I have been running Dovecot 2.2.15 and I'd like to 
> > upgrade. My distro
> > (Slackware) has dovecot 2.2.32 available. I downloaded and installed that, 
> > but it didn't work.
> > No one was able to get messages from the dovecot server on their 
> > workstations. The following is
> > the entire dovecot log file from startup to the last message generated. No 
> > more messages went
> > into the logfile after line 76, even with clients trying to connect. The 
> > 174.233.134.88 IP is
> > from an external user connecting from his iPhone. The normal successful 
> > message from this user
> > are shown at bottom.
> > 
> > I'm suspecting something to do with line 18 where is says "Auth process 
> > broken." If anyone has
> > any insight I'd deeply appreciate it as I'd love to upgrade.
> > 
> > THX -- Mark
> >
>
> Can you try adding
>
> service auth {
>   executable = strace -o /tmp/auth.trace /usr/libexec/dovecot/auth
> }
>
> and see if it gives any insight why it dies?
>
> Aki
>

The problem was that I did an install from sbopkg which downloads and installs 
the package in
the SlackBuilds repository. This mechanism does not easily allow setting 
options. I needed to
have the --with-gssapi=yes option set.

So, I just downloaded directly from 
http://www.dovecot.org/releases/2.2/dovecot-2.2.33.2.tar.gz
and did:

./configure --with-gssapi=yes
make
make install

and everything appears to be working fine!

--Mark


Howto authenticate smartPhone via Active Directory

2017-12-02 Thread Mark Foley
I have a Samba4 Active Directory server. Dovecot authenticates AD Users with 
domain credentials
using GSSAPI (Thunderbird client). I believe I have Dovecot set to attempt 
authentication via
shadow first and, failing that, it does authenticate via GSSAPI.

Smartphones connect to Dovecot via port 143 and SSL.  They are not domain 
members so if the
shadow authentication fails, no other methods are tried and no connection is 
made. 

What can I do with my dovecot config to fix this?

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = 

iPhone no longer authenticating

2017-12-01 Thread Mark Foley
I've switched a user to being an active directory user. That user's email 
client authorizes
just fine with dovecot using GSSAPI. However, now his iPhone won't authorize. 
In the dovecot
log file I get:

Dec 01 14:27:28 auth: Debug: client in: AUTH1   PLAIN   service=imap
secured session=q4n3W0xfggBiZj9slip=98.102.63.107 rip=98.102.63.108 
  lport=993   rport=49538 resp=AG1wcmVzcwBEaW5va3JvbndhbGw0NQ== 
(previous base64 data may contain sensitive data)
Dec 01 14:27:32 auth-worker(5988): Debug: shadow(mpress,98.102.xx.yyy): lookup
Dec 01 14:27:32 auth-worker(5988): Info: shadow(mpress,98.102.xx.yyy): unknown 
user (given password: ***)
Dec 01 14:27:34 auth: Debug: client passdb out: FAIL1   user=mpress
Dec 01 14:27:34 imap-login: Info: Aborted login (auth failed, 1 attempts in 6 
secs): user=, method=PLAIN, rip=98.102.xx.yyy, lip=98.102.63.107, TLS, 
session=
Dec 01 14:27:34 imap-login: Debug: SSL alert: close notify [98.102.xx.yyy]

This same user will authenticate OK from his local domain workstation:

Dec 01 14:28:52 auth: Debug: master userdb out: USER1948516353  mpress  
system_groups_user=HPRS\mpress  uid=10005gid=1
home=/home/HPRS/mpress  auth_token=ce3050035718ed0996af698400c4de1be453ec06 
auth_user=mpress@HPRS.LOCAL
Dec 01 14:28:52 imap-login: Info: Login: user=, method=GSSAPI, 
rip=192.168.0.54, lip=192.168.0.2, mpid=9755, TLS, session=<6MT1YExftwDAqAA2>

I'm pretty sure the reason has to do with Active Directory authentication 
locally, but of course
his iPhone is not a member of the domain, and he is no longer in 
/etc/passwd/shadow.

So, what is the best way to get the iPhone to authenticate?

Here's my current config:

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.88 x86_64 Slackware 14.2 
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = 
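
The `resp=` field in the debug line above is the client's SASL PLAIN initial response; `auth_debug_passwords = yes` and `auth_verbose_passwords = plain` in the posted config write it to the log in full, and Dovecot's own warning on the line says as much. As an added example (not code from the post or from Dovecot), the Python below decodes such a response from a constructed log line with a made-up user and password, and then redacts the field so the line can be shared; it does not touch the real line quoted above.

```python
import base64
import re

# Added example, not from the post or from Dovecot. Constructed sample: an
# "auth: Debug: client in:" line in the shape shown in the post, with a made-up
# user and password (the real line's resp= is left alone).
SAMPLE_RESP = base64.b64encode(b"\x00alice\x00s3cret").decode("ascii")
SAMPLE_LINE = (
    "Dec 01 14:27:28 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=imap\t"
    "secured\tsession=q4n3W0xfggBiZj9s\tlip=192.0.2.10\trip=198.51.100.7\t"
    "lport=993\trport=49538\tresp=" + SAMPLE_RESP
)

# The mechanism name follows "AUTH <id>" in the auth client protocol; fields are
# tab-separated in the raw log, but list archives often turn tabs into spaces.
MECH_RE = re.compile(r"client in: AUTH\s+\d+\s+(\S+)")
RESP_RE = re.compile(r"\bresp=([A-Za-z0-9+/=]+)")


def decode_sasl_plain(resp_b64):
    """Decode a SASL PLAIN initial response (RFC 4616):
    [authzid] NUL authcid NUL passwd -> (authzid, authcid, password)."""
    raw = base64.b64decode(resp_b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message: expected exactly two NULs")
    return tuple(p.decode("utf-8") for p in parts)


def credentials_from_log_line(line):
    """Return (authcid, password) when `line` is a PLAIN AUTH debug line carrying
    a resp= initial response, else None. Anything that parses here is a
    password sitting in the log in clear."""
    m = MECH_RE.search(line)
    if not m or m.group(1).upper() != "PLAIN":
        return None
    r = RESP_RE.search(line)
    if not r:
        return None
    try:
        _authzid, authcid, password = decode_sasl_plain(r.group(1))
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return authcid, password


def redact_resp(line):
    """Replace the initial response with a marker so the line can be pasted into
    a bug report or mailing-list post without leaking the password."""
    return RESP_RE.sub("resp=<redacted>", line)


def scrub_log(text):
    """Redact every resp= in a multi-line log and report how many PLAIN
    passwords were recoverable before redaction."""
    lines = text.splitlines()
    leaked = sum(1 for line in lines if credentials_from_log_line(line) is not None)
    return "\n".join(redact_resp(line) for line in lines), leaked
```

Anything credentials_from_log_line() returns when run over /var/log/dovecot_info is a password that every reader of that file can recover the same way; scrub_log() is the step to take before pasting auth debug output anywhere, and the two debug settings are best switched off again once the problem is found.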

Unable to build sieve plugin

2017-11-30 Thread Mark Foley
I'm wanting to experiment with sieve processing for the first time. Having some 
trouble getting
started. I googled to page, https://wiki2.dovecot.org/Pigeonhole/Sieve, went to 
the "Download
and Installation" link, then the "Pigeonhole download page" link and downloaded
dovecot-2.2-pigeonhole-0.4.21.tar.gz (I have Dovecot version 2.2.15). I 
untarred, ran
./configure (which appeared to run OK), then `make` and got the following error:

make[4]: Entering directory 
'/user/util/src/dovecot/dovecot-2.2-pigeonhole-0.4.21/src/lib-sieve/util'
/bin/sh ../../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. 
-I../../..  -I/usr/local/include/dovecot   
-DMODULEDIR=\""/usr/local/lib/dovecot"\"   -std=gnu99 -g -O2 -Wall -W 
-Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts 
-Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2  
-I../../.. -MT edit-mail.lo -MD -MP -MF .deps/edit-mail.Tpo -c -o edit-mail.lo 
edit-mail.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../../.. 
-I/usr/local/include/dovecot -DMODULEDIR=\"/usr/local/lib/dovecot\" -std=gnu99 
-g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith 
-Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime 
-Wstrict-aliasing=2 -I../../.. -MT edit-mail.lo -MD -MP -MF .deps/edit-mail.Tpo 
-c edit-mail.c  -fPIC -DPIC -o .libs/edit-mail.o
edit-mail.c: In function 'edit_mail_get_special':
edit-mail.c:1592:8: error: 'MAIL_FETCH_STORAGE_ID' undeclared (first use in 
this function)
   case MAIL_FETCH_STORAGE_ID:
^
edit-mail.c:1592:8: note: each undeclared identifier is reported only once for 
each function it appears in

This was followed by several more errors and the make failed.

What did I do wrong?

--Mark


Re: Mark message as read when moved to Trash

2017-11-25 Thread Mark Foley
See: https://forum.kde.org/viewtopic.php?f=215=55940

--Mark

Felix Rubio Dalmau  wrote:

> Hi all,
>
>   When I send a message to trash, without previously reading it (just 
> with the subject is enough to say I do not want to read it), it remains as 
> "unread". Then, clients (I am using Kmail) report there are unread message, 
> when all of them are in Trash. The question, then is: Is there any way to 
> automatically mark a message as read, when that message is moved to Trash?
>
>   Thank you!
>   Felix


Re: Upgrade to 2.2.32 from 2.2.15 failed

2017-11-24 Thread Mark Foley
No, is that something that would make a difference between 2.2.15 and 2.2.32?

--Mark

On Fri, 24 Nov 2017 21:37:47 -0800 Gary  wrote:

> Out of curiosity, do you do a !SSLv3 in the conf file? 
>
>
>   Original Message  
>> From: mfo...@ohprs.org
>> Sent: November 24, 2017 9:04 PM
>> To: dovecot@dovecot.org
>> Subject: Upgrade to 2.2.32 from 2.2.15 failed
>>
>> I have a problem. I have been running Dovecot 2.2.15 and I'd like to 
>> upgrade. My distro
>> (Slackware) has dovecot 2.2.32 available. I downloaded and installed that, 
>> but it didn't work.
>> No one was able to get messages from the dovecot server on their 
>> workstations. The following is
>> the entire dovecot log file from startup to the last message generated. No 
>> more messages went
>> into the logfile after line 76, even with clients trying to connect. The 
>> 174.233.134.88 IP is
>> from an external user connecting from his iPhone. The normal successful 
>> message from this user
>> are shown at bottom.
>>
>> I'm suspecting something to do with line 18 where it says "Auth process 
>> broken." If anyone has
>> any insight I'd deeply appreciate it as I'd love to upgrade.
>>
>> THX -- Mark
>>
>> 1  Nov 24 19:22:24 master: Info: Dovecot v2.2.32 (dfbe293d4) starting up for 
>> imap (core dumps disabled)
>> 2  Nov 24 19:22:24 ssl-params: Info: Generating SSL parameters
>> 3  Nov 24 19:22:26 ssl-params: Info: SSL parameters regeneration completed
>> 4  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
>> initialization [174.233.134.88]
>> 5  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: 
>> before/accept initialization [174.233.134.88]
>> 6  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
>> client hello A [174.233.134.88]
>> 7  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> server hello A [174.233.134.88]
>> 8  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> certificate A [174.233.134.88]
>> 9  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> key exchange A [174.233.134.88]
>> 10  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> server done A [174.233.134.88]
>> 11  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush 
>> data [174.233.134.88]
>> 12  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
>> client certificate A [174.233.134.88]
>> 13  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
>> client key exchange A [174.233.134.88]
>> 14  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
>> client key exchange A [174.233.134.88]
>> 15  Nov 24 19:23:02 auth: Debug: Loading modules from directory: 
>> /usr/lib64/dovecot/auth
>> 16  Nov 24 19:23:02 auth: Debug: Module loaded: 
>> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
>> 17  Nov 24 19:23:02 auth: Debug: Loading modules from directory: 
>> /usr/lib64/dovecot/auth
>> 18  Nov 24 19:23:02 imap-login: Info: Disconnected: Auth process broken 
>> (disconnected before auth was ready, waited 0 secs): user=<>, 
>> rip=174.233.134.88, lip=98.102.63.107, TLS handshaking, 
>> session=
>> 19  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
>> initialization [174.233.134.88]
>> 20  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: 
>> before/accept initialization [174.233.134.88]
>> 21  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
>> client hello A [174.233.134.88]
>> 22  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> server hello A [174.233.134.88]
>> 23  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> certificate A [174.233.134.88]
>> 24  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> key exchange A [174.233.134.88]
>> 25  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
>> server done A [174.233.134.88]
>> 26  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush 
>> data [174.233.134.88]
>> 27  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
>> client certificate A [174.233.134.88]
>> 28  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
>> client key exchange A [174.233.134.88]
>> 29  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
>> client key exchange A [174.233.134.88]
>> 30  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
>> client key exchange A [174.233.134.88]
>> 31  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
>> certificate verify A [174.233.134.88]
>> 32  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
>> finished A [174.233.134.88]
>> 33  Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
>> finished A 

Upgrade to 2.2.32 from 2.2.15 failed

2017-11-24 Thread Mark Foley
I have a problem. I have been running Dovecot 2.2.15 and I'd like to upgrade. 
My distro
(Slackware) has dovecot 2.2.32 available. I downloaded and installed that, but 
it didn't work.
No one was able to get messages from the dovecot server on their workstations. 
The following is
the entire dovecot log file from startup to the last message generated. No more 
messages went
into the logfile after line 76, even with clients trying to connect. The 
174.233.134.88 IP is
from an external user connecting from his iPhone. The normal successful message 
from this user
are shown at bottom.

I'm suspecting something to do with line 18 where it says "Auth process 
broken." If anyone has
any insight I'd deeply appreciate it as I'd love to upgrade.

THX -- Mark

 1  Nov 24 19:22:24 master: Info: Dovecot v2.2.32 (dfbe293d4) starting up for 
imap (core dumps disabled)
 2  Nov 24 19:22:24 ssl-params: Info: Generating SSL parameters
 3  Nov 24 19:22:26 ssl-params: Info: SSL parameters regeneration completed
 4  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [174.233.134.88]
 5  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [174.233.134.88]
 6  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
client hello A [174.233.134.88]
 7  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
server hello A [174.233.134.88]
 8  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
certificate A [174.233.134.88]
 9  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
key exchange A [174.233.134.88]
10  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
server done A [174.233.134.88]
11  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush 
data [174.233.134.88]
12  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
client certificate A [174.233.134.88]
13  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
client key exchange A [174.233.134.88]
14  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
client key exchange A [174.233.134.88]
15  Nov 24 19:23:02 auth: Debug: Loading modules from directory: 
/usr/lib64/dovecot/auth
16  Nov 24 19:23:02 auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
17  Nov 24 19:23:02 auth: Debug: Loading modules from directory: 
/usr/lib64/dovecot/auth
18  Nov 24 19:23:02 imap-login: Info: Disconnected: Auth process broken 
(disconnected before auth was ready, waited 0 secs): user=<>, 
rip=174.233.134.88, lip=98.102.63.107, TLS handshaking, 
session=
19  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [174.233.134.88]
20  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [174.233.134.88]
21  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
client hello A [174.233.134.88]
22  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
server hello A [174.233.134.88]
23  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
certificate A [174.233.134.88]
24  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
key exchange A [174.233.134.88]
25  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
server done A [174.233.134.88]
26  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush 
data [174.233.134.88]
27  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
client certificate A [174.233.134.88]
28  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
client key exchange A [174.233.134.88]
29  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
client key exchange A [174.233.134.88]
30  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
client key exchange A [174.233.134.88]
31  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
certificate verify A [174.233.134.88]
32  Nov 24 19:23:02 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read 
finished A [174.233.134.88]
33  Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
finished A [174.233.134.88]
34  Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
change cipher spec A [174.233.134.88]
35  Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
finished A [174.233.134.88]
36  Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush 
data [174.233.134.88]
37  Nov 24 19:23:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
finished successfully [174.233.134.88]
38  Nov 24 19:23:03 imap-login: Debug: SSL: where=0x2002, ret=1: SSL 
negotiation finished successfully [174.233.134.88]
39  Nov 24 19:23:04 auth: Debug: Loading modules from directory: 

stopped being able to kerberos/GSSAPI authenticate with new email accounts

2017-07-12 Thread Mark Foley
I've been running with Dovecot 2.2.15 on my mail server and Thunderbird on 
workstations with
Kerberos/GSSAPI authentication. This has been working for over a year for 10 
users.

The other day, I replaced a user's workstation and set up this user with a 
Thunderbird client.
Unfortunately, I got the error:

 "The Kerberos/GSSAPI ticket was not accepted by the IMAP server ...  please 
check that you are
 logged into the Kerberos/GSSAPI realm."

Doing more experimentation I've found that I cannot set up *any* existing user 
with a new
account without getting that same message.  Interestingly, all existing users 
can still connect
just fine from their Tbird clients on their current workstations which were set 
up over a year
ago, I just can't create an account for them on a different workstation. 

I'm at a loss as to where to start on this. My config is:

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 4.4.38 x86_64 Slackware 14.2
auth_debug = yes
auth_debug_passwords = yes
auth_gssapi_hostname = $ALL
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi
auth_use_winbind = yes
auth_username_format = %n
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = ): 
Credentials:
Jul 11 17:28:31 auth: Debug: client passdb out: OK 1 user=mark original_user=mark@HPRS.LOCAL
Jul 11 17:28:31 auth: Debug: master in: REQUEST 3872522241 64211 46614c53fd96efa48a94b889ad2405d3 session_pid=6429 request_auth_token
Jul 11 17:28:31 auth-worker(5858): Debug: shadow(mark,192.168.0.99): lookup
Jul 11 17:28:31 auth-worker(5858): Debug: shadow(mark,192.168.0.99): username changed mark -> HPRS\mark
Jul 11 17:28:31 auth: Debug: master userdb out: USER 3872522241 mark system_groups_user=HPRS\mark uid=10001 gid=1 home=/home/HPRS/mark auth_token=4959011413324b3d5d2d6f77c0adf2629551d91d auth_user=mark@HPRS.LOCAL
Jul 11 17:28:31 imap-login: Info: Login: user=, method=GSSAPI, rip=192.168.0.99, lip=192.168.0.2, mpid=6429, TLS, session=


Here is that same user set up on a new client computer, with all the same 
settings (as far as I can tell). This one apparently doesn't even try Kerberos.

Jul 11 18:08:25 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jul 11 18:08:25 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jul 11 18:08:25 auth: Debug: auth client connected (pid=1055)
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
client hello A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
hello A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
hello A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
certificate A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key 
exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
done A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
certificate A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
key exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
key exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
key exchange A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
certificate verify A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
finished A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
session ticket A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change 
cipher spec A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
finished A [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
finished successfully [192.168.0.57]
Jul 11 18:08:25 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation 
finished successfully [192.168.0.57]
Jul 11 18:08:25 auth: Debug: client in: AUTH 1 GSSAPI service=imap secured 

Unable to Kerberos/GSSAPI an existing user on new workstation

2017-07-12 Thread Mark Foley
My last message probably contained too much information. This one is more 
succinct.

I have a user, 'mark', who has been running a Thunderbird client on Windows to 
Dovecot server
with Kerberos/GSSAPI authentication for over a year.  I created a new Tbird 
account on a new
Linux workstation for 'mark', also with Kerberos/GSSAPI and that worked just 
fine. 

I have another user, 'dsmith', who has been running a Thunderbird client on 
Windows to Dovecot
server with Kerberos/GSSAPI authentication for over a year as well, no 
problems. I created a
new Tbird account on the same new Linux workstation as above for 'dsmith', also 
with
Kerberos/GSSAPI and that DID NOT WORK! I get the message in Thunderbird:

  "The Kerberos/GSSAPI ticket was not accepted by the IMAP server ...  please 
check that you
  are logged into the Kerberos/GSSAPI realm."

I created/recreated the smith account numerous times with slightly different 
settings hoping
something will work, but I always get the same message.

Why? I need to figure this out ASAP.

Here is the dovecot log when user dsmith attempts to connect to dovecot from 
the Tbird client:

Jul 11 19:29:43 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jul 11 19:29:43 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jul 11 19:29:43 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Jul 11 19:29:43 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Jul 11 19:29:43 auth: Debug: auth client connected (pid=1578)
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
client hello A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
hello A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
hello A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
certificate A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key 
exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
done A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
certificate A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
key exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client 
key exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
key exchange A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
certificate verify A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read 
finished A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
session ticket A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change 
cipher spec A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
finished A [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 
[192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation 
finished successfully [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation 
finished successfully [192.168.0.57]
Jul 11 19:29:46 imap-login: Debug: SSL alert: close notify [192.168.0.57]
Jul 11 19:29:46 imap-login: Info: Disconnected (no auth attempts in 3 secs): 
user=<>, rip=192.168.0.57, lip=192.168.0.2, TLS, session=
Jul 11 19:30:17 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jul 11 19:30:17 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jul 11 19:30:17 auth: Debug: auth client connected (pid=3148)
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x10, ret=1: before/accept 
initialization [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept 
initialization [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read 
client hello A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client 
hello A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server 
hello A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write 
certificate A [192.168.0.57]
Jul 11 19:30:17 imap-login: Debug: SSL: 

Re: Apparent Maildir permission issue

2017-01-25 Thread Mark Foley
On Wed, 25 Jan 2017 08:01:00 +0100 (CET) Steffen Kaiser 
<skdove...@smail.inf.fh-brs.de> wrote:

> 1) Why do both UIDs 326 and 10001 translate back to HPRS\mark? 
> What HPRS\mark translates to?
>
> > Permissions on that folder are:
> >
> > $ ls -ld /home/HPRS/mark/Maildir
> > drwx------ 17 HPRS\mark domusers 4096 Dec  7 23:07 /home/HPRS/mark/Maildir/
>
> 2) I guess this HPRS\mark is 10001 ? (And not 326)
>
> > Permissions are unchanged since before the backup.
>
> "backup"? You've restored the Maildir's from somewhere else? What was the 
> _numerical_ UID within the backup and what is it now?

"backup" meaning I looked at the permissions on an older, routine backup. No, 
I did not restore anything. 

BUT ... I found the problem.  I upgraded Samba4 10 days ago from version 4.2.12 
to 4.4.8 and,
in the course of researching this problem, I found that the A/D authentication 
was broken:

with 4.2.12 on AD/DC:
$ getent passwd mark
HPRS\mark:*:10001:1:Mark Foley:/home/HPRS/mark:/bin/false

With 4.4.8 on AD/DC:
$ getent passwd mark
HPRS\mark:*:326:100:Mark Foley:/home/HPRS/mark:/bin/bash

The new version of Samba is giving me this bogus UID:GID. I've no idea why. I 
have posted
messages on the Samba List asking for help on this.

Email clients authenticate with Dovecot via Kerberos/GSSAPI and Dovecot was 
therefore trying to
use 326:100 to access Maildir files/directories created with owner 
10001:1.

I've done a workaround by adding the correct UID, GID for this user to 
/etc/passwd, although one is not supposed to have AD users in /etc/passwd. 
However, that is working for the time being.

If anyone on this list has had this experience and knows what needs to be 
fixed, please let me know!

Thanks -- Mark
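
The `euid=326(HPRS\mark) ... conflicting dir uid=10001(HPRS\mark)` errors quoted in this thread carry the whole diagnosis in one line: the same account name now resolves to a different uid than the one that owns the mailbox, which is exactly the Samba idmap change the post found with `getent passwd`. As an added example (not code from the thread or from Dovecot), the Python below extracts those fields from constructed sample lines, separates a same-name uid change from a directory that simply belongs to another account, and checks a `getent passwd` line against the mailbox owner so the fix can be verified before users reconnect.

```python
import re

# Added example, not from the thread or from Dovecot. Constructed sample log in
# the shape of the errors quoted in the thread (raw string so the backslash in
# HPRS\mark stays literal); the "bob" line is invented to show the other case.
SAMPLE_LOG = r"""Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied (euid=326(HPRS\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:10:02 mail dovecot: imap(shay): Info: Logged out in=44 out=1234
Jan 16 13:11:15 mail dovecot: imap(bob): Error: opendir(/srv/mail/bob/Maildir) failed: Permission denied (euid=10007(bob) egid=1(domusers) missing +r perm: /srv/mail/bob/Maildir, conflicting dir uid=0(root))
"""

# Dovecot's "conflicting dir uid" diagnostic: the identity the imap process
# runs as, the permission it lacked, the directory, and who owns it.
CONFLICT_RE = re.compile(
    r"imap\((?P<user>[^)]+)\): Error: .*?Permission denied "
    r"\(euid=(?P<euid>\d+)\((?P<euid_name>[^)]*)\) "
    r"egid=(?P<egid>\d+)\((?P<egid_name>[^)]*)\) "
    r"missing \+\w+ perm: (?P<path>[^,]+), "
    r"conflicting dir uid=(?P<dir_uid>\d+)\((?P<dir_name>[^)]*)\)\)"
)


def find_uid_conflicts(text):
    """Map each user with a 'conflicting dir uid' error to the identity Dovecot
    ran as (euid/egid) and the owner of the directory it could not open."""
    out = {}
    for line in text.splitlines():
        m = CONFLICT_RE.search(line)
        if not m:
            continue
        out[m.group("user")] = {
            "euid": int(m.group("euid")), "euid_name": m.group("euid_name"),
            "egid": int(m.group("egid")), "egid_name": m.group("egid_name"),
            "dir_uid": int(m.group("dir_uid")), "dir_name": m.group("dir_name"),
            "path": m.group("path"),
        }
    return out


def classify(conflict):
    """'idmap-drift' when the same account name now resolves to a different
    uid than the one that created the mailbox (the Samba idmap case in this
    thread); 'foreign-owner' when the directory belongs to another account."""
    if conflict["euid"] == conflict["dir_uid"]:
        return "consistent"
    if conflict["euid_name"].lower() == conflict["dir_name"].lower():
        return "idmap-drift"
    return "foreign-owner"


def passwd_ids(getent_line):
    """(name, uid, gid) from one `getent passwd` line, e.g. the two lines the
    post shows for Samba 4.2.12 and 4.4.8."""
    fields = getent_line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not a passwd entry")
    return fields[0], int(fields[2]), int(fields[3])


def expected_owner_matches(getent_line, conflict):
    """True when the uid the name service currently returns equals the owner of
    the mailbox that produced the error, i.e. the drift has been fixed."""
    _name, uid, _gid = passwd_ids(getent_line)
    return uid == conflict["dir_uid"]
```

Feed it the mail log and the current `getent passwd <user>` line; an 'idmap-drift' result with expected_owner_matches() false means the name service, not the Maildir permissions, is what needs fixing. Chowning the Maildir to the new uid would hide the drift and break again the next time the idmap changes.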


Re: Apparent Maildir permission issue

2017-01-24 Thread Mark Foley
On Tue, 17 Jan 2017 12:25:27 +0200 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
> Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
> (euid=326(HPRS\mark) egid=100(users) missing +r perm: 
> /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
>
>
> Just wanted to point out that you have at different UID for the folder
> than your EUID (gotten from userdb/passdb).
>
> Aki
>

Yes, very puzzling. I'm restoring some older dovecot logs now to see if that 
was true e.g. in 2016.
Perhaps an upgrade of some other software caused a problem. On the other hand, 
the other user I
mentioned in my Jan 24 17:15 message, shay, also shows this UID/EUID 
discrepancy, but that does
not prevent her from getting mail and there is no permission denied error on 
her messages.

More when I know more

--Mark

> On 16.01.2017 23:09, Mark Foley wrote:
> > More info ...
> >
> > This is the only user having this permission problem. All other 
> > Thunderbird/dovecot users are
> > getting mail fine. They all have the same permissions set on their Maildir 
> > folder.
> >
> > --Mark
> >
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Mon, 16 Jan 2017 13:21:31 -0500
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Apparent Maildir permission issue
> >
> > I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with 
> > dovecot -- it's the
> > same version that was running before the upgrade. However, now I'm getting 
> > a permission error:
> >
> > /var/log/maillog:
> >
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +r perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail last message repeated 4 times
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +x perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +x perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +r perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:45 mail last message repeated 11 times
> >
> > Permissions on that folder are:
> >
> > $ ls -ld /home/HPRS/mark/Maildir
> > drwx------ 17 HPRS\mark domusers 4096 Dec  7 23:07 /home/HPRS/mark/Maildir/
> >
> > Permissions are unchanged since before the backup.
> >
> > What do I do to fix this?
> >
> > THX --Mark
>


Re: Apparent Maildir permission issue

2017-01-24 Thread Mark Foley
On Mon, 16 Jan 2017 17:51:48 -0500 Bill Shirley <b...@knoxvillechristian.org> 
wrote:
>
> I've gotten errors like this when it was actually a selinux denial. If you're 
> running
> selinux, check those logs too.
>

OK, this is getting serious -- mail not getting delivered.

No, I am not running selinux. Here is the error I get in the maillog:

Jan 24 16:42:49 mail dovecot: imap(mark): Error: 
stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +x perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))

Permissions are:

$ ls -l /home/HPRS/mark/Maildir/
total 200
drwx------ 2 HPRS\mark domusers 45056 Dec 19 08:13 cur/
-rw------- 1 HPRS\mark domusers   131 Jul  1  2016 dovecot-keywords
-rw------- 1 HPRS\mark domusers  5249 Dec  7 23:06 dovecot-uidlist
-rw------- 1 HPRS\mark domusers     8 Jul  7  2016 dovecot-uidvalidity
-r--r--r-- 1 HPRS\mark domusers     0 Jan 16  2015 dovecot-uidvalidity.54b9def3
-rw------- 1 HPRS\mark domusers  4080 Nov 27 23:28 dovecot.index
-rw------- 1 HPRS\mark domusers 88612 Dec  7 23:07 dovecot.index.cache
-rw------- 1 HPRS\mark domusers  8748 Dec  7 23:07 dovecot.index.log
-rw------- 1 HPRS\mark domusers  2016 Jul  7  2016 dovecot.mailbox.log
drwx------ 2 HPRS\mark domusers 12288 Jan 13 12:10 new/
-rw------- 1 HPRS\mark domusers   137 Jul  7  2016 subscriptions
drwx------ 2 HPRS\mark domusers 12288 Jan 13 12:10 tmp/

Permissions on the Maildir folder for another user who is NOT having this 
problem:

$ ls -l /home/HPRS/shay/Maildir/
total 88
drwx------ 2 HPRS\shay domusers 12288 Jan 24 15:50 cur/
-rw------- 1 HPRS\shay domusers    41 Sep 13 11:59 dovecot-keywords
-rw------- 1 HPRS\shay users     1442 Jan 24 15:48 dovecot-uidlist
-rw------- 1 HPRS\shay domusers     8 Jan 18 15:13 dovecot-uidvalidity
-r--r--r-- 1 HPRS\shay domusers     0 Jul 15  2016 dovecot-uidvalidity.5789a8ca
-rw------- 1 HPRS\shay users     1408 Jan 20 08:18 dovecot.index
-rw------- 1 HPRS\shay users    12928 Jan 24 15:50 dovecot.index.cache
-rw------- 1 HPRS\shay users    20844 Jan 24 15:51 dovecot.index.log
-rw------- 1 HPRS\shay domusers  2856 Jan 18 15:13 dovecot.mailbox.log
drwx------ 2 HPRS\shay domusers  4096 Jan 24 15:48 new/
-rw------- 1 HPRS\shay users     2906 Jan 18 15:13 subscriptions
drwx------ 2 HPRS\shay domusers  4096 Jan 24 15:48 tmp/

You can see that the tmp/ folders for both users are set exactly the same, yet 
user 'mark' is
getting the permission error. mark's mail is not getting delivered; shay's mail 
is.

Why?

> On 1/16/2017 4:09 PM, Mark Foley wrote:
> > More info ...
> >
> > This is the only user having this permission problem. All other 
> > Thunderbird/dovecot users are
> > getting mail fine. They all have the same permissions set on their Maildir 
> > folder.
> >
> > --Mark
> >
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Mon, 16 Jan 2017 13:21:31 -0500
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Apparent Maildir permission issue
> >
> > I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with 
> > dovecot -- it's the
> > same version that was running before the upgrade. However, now I'm getting 
> > a permission error:
> >
> > /var/log/maillog:
> >
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +r perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail last message repeated 4 times
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +x perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +x perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
> > opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
> > (euid=326(HPRS\mark) egid=100(users) missing +r perm: 
> > /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
> > Jan 16 13:09:45 mail last message repeated 11 times
> >
> > Permission on that folder are:
> >
> > $ ls -ld /home/HPRS/mark/Maildir
> > drwx-- 17 HPRS\mark domusers 4096 Dec  7 23:07 /home/HPRS/mark/Maildir/
> >
> > Permissions are unchanged since before the backup.
> >
> > What do I do to fix this?
> >
> > THX --Mark
>


Re: Apparent Maildir permission issue

2017-01-16 Thread Mark Foley
More info ...

This is the only user having this permission problem. All other 
Thunderbird/dovecot users are
getting mail file. They all have the same permissions set on their Maildir 
folder.

--Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 16 Jan 2017 13:21:31 -0500
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Apparent Maildir permission issue

I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with 
dovecot -- it's the
same version that was running before the upgrade. However, now I'm getting a 
permission error:

/var/log/maillog:

Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +r perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail last message repeated 4 times
Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +x perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +x perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +r perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:45 mail last message repeated 11 times

Permission on that folder are:

$ ls -ld /home/HPRS/mark/Maildir
drwx-- 17 HPRS\mark domusers 4096 Dec  7 23:07 /home/HPRS/mark/Maildir/

Permissions are unchanged since before the backup.

What do I do to fix this?

THX --Mark


Apparent Maildir permission issue

2017-01-16 Thread Mark Foley
I've just upgraded from Slackware 14.1 to 14.2. I've not done anything with 
dovecot -- it's the
same version that was running before the upgrade. However, now I'm getting a 
permission error:

/var/log/maillog:

Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +r perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail last message repeated 4 times
Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +x perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
stat(/home/HPRS/mark/Maildir/tmp) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +x perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:44 mail dovecot: imap(mark): Error: 
opendir(/home/HPRS/mark/Maildir) failed: Permission denied 
(euid=326(HPRS\mark) egid=100(users) missing +r perm: 
/home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\mark))
Jan 16 13:09:45 mail last message repeated 11 times

Permission on that folder are:

$ ls -ld /home/HPRS/mark/Maildir
drwx-- 17 HPRS\mark domusers 4096 Dec  7 23:07 /home/HPRS/mark/Maildir/

Permissions are unchanged since before the backup.

What do I do to fix this?

THX --Mark
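The parenthesised detail in the log lines above is the whole diagnosis: the imap process runs as euid=326 while /home/HPRS/mark/Maildir is owned by uid=10001, and both uids resolve to the same name HPRS\mark. The following is an added example, not code from this thread, that pulls that euid-versus-owner mismatch out of such Dovecot log lines and offers a live check of an account's uid against its Maildir owner. Treating a same-name, different-uid pair as a changed name-to-uid mapping (winbind/NSS for the AD domain user after the OS upgrade) rather than a mode problem is this example's reading of the log, not a statement made in the thread; the sample lines are the ones quoted in the post.

```python
import os
import pwd
import re
from dataclasses import dataclass

# Log lines as quoted in the post above (not constructed); the
# "last message repeated" line is kept to show non-matching lines are skipped.
SAMPLE_LOG = """\
Jan 16 13:09:44 mail dovecot: imap(mark): Error: opendir(/home/HPRS/mark/Maildir) failed: Permission denied (euid=326(HPRS\\mark) egid=100(users) missing +r perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\\mark))
Jan 16 13:09:44 mail last message repeated 4 times
Jan 16 13:09:44 mail dovecot: imap(mark): Error: stat(/home/HPRS/mark/Maildir/.Trash) failed: Permission denied (euid=326(HPRS\\mark) egid=100(users) missing +x perm: /home/HPRS/mark/Maildir, conflicting dir uid=10001(HPRS\\mark))
"""

# Matches Dovecot's "Permission denied (euid=... conflicting dir uid=...)" detail.
PERM_RE = re.compile(
    r"dovecot: (?P<service>\w+)\((?P<user>[^)]+)\): Error: .*?"
    r"Permission denied \(euid=(?P<euid>\d+)\((?P<euid_name>[^)]*)\) "
    r"egid=(?P<egid>\d+)\((?P<egid_name>[^)]*)\) missing (?P<perm>\+\w) perm: "
    r"(?P<path>[^,]+), conflicting dir uid=(?P<dir_uid>\d+)\((?P<dir_uid_name>[^)]*)\)"
)


@dataclass(frozen=True)
class UidMismatch:
    user: str          # Dovecot login user from "imap(user)"
    path: str          # directory Dovecot could not use
    euid: int          # uid the imap process is running as
    euid_name: str     # name NSS returned for that uid
    dir_uid: int       # uid that owns the directory
    dir_uid_name: str  # name NSS returned for the owner uid


def find_uid_mismatches(log_text):
    """One UidMismatch per (user, path) where process uid and owner uid differ.
    Lines where they are equal are ordinary mode problems (a chmod job), not
    identity problems, so they are left out."""
    seen, found = set(), []
    for line in log_text.splitlines():
        m = PERM_RE.search(line)
        if not m:
            continue
        euid, dir_uid = int(m["euid"]), int(m["dir_uid"])
        if euid == dir_uid:
            continue
        key = (m["user"], m["path"])
        if key in seen:
            continue
        seen.add(key)
        found.append(UidMismatch(m["user"], m["path"], euid, m["euid_name"],
                                 dir_uid, m["dir_uid_name"]))
    return found


def describe(mm):
    """One-line diagnosis. The telling case is one account name mapped to two
    different uids: the name->uid mapping changed, not the directory modes."""
    if mm.euid_name == mm.dir_uid_name:
        return (f"{mm.user}: '{mm.euid_name}' resolves to uid {mm.euid} now but "
                f"{mm.path} is owned by uid {mm.dir_uid}; the uid mapping changed")
    return (f"{mm.user}: process runs as {mm.euid}({mm.euid_name}) but "
            f"{mm.path} is owned by {mm.dir_uid}({mm.dir_uid_name})")


def check_maildir_owner(login_name, maildir):
    """Live check on the server: does the uid NSS returns for the account match
    the owner of its Maildir? Returns (ok, uid_from_nss, uid_owning_maildir)."""
    pw_uid = pwd.getpwnam(login_name).pw_uid
    st_uid = os.stat(maildir).st_uid
    return pw_uid == st_uid, pw_uid, st_uid


if __name__ == "__main__":
    for mm in find_uid_mismatches(SAMPLE_LOG):
        print(describe(mm))
```

Running it against the quoted lines reports a single mismatch for mark at /home/HPRS/mark/Maildir; check_maildir_owner("HPRS\\mark", "/home/HPRS/mark/Maildir") on the server itself tells you which of the two uids the box currently believes in.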


Re: IMAP flags and dovecot-keywords not working as expected

2016-07-31 Thread Mark Foley
will need some revising based on my recent experimentation, but should be a 
rather simple bash
exercise in any case. 

Note that the Outlook messages are also the same MAPI files, only the client 
used (Outlook
versus Thunderbird) are different. Outlook does not set IMAP flags to designate 
categories.
Categories are apparently stored in the user's .pst file.

CUT--
Public Sub ListOutlookFolders()

    Dim olApp As Outlook.Application
    Dim olNamespace As Outlook.Namespace
    Dim olFolder As Outlook.MAPIFolder

    Set olApp = New Outlook.Application
    Set olNamespace = olApp.GetNamespace("MAPI")

    ' Walk every top-level store (mailbox or .pst) and recurse into its folders
    For Each olFolder In olNamespace.Folders
        Debug.Print olFolder.Name; ":", olFolder.Description
        ListFolders olFolder, 1
    Next

    Set olFolder = Nothing
    Set olNamespace = Nothing
    Set olApp = Nothing

End Sub

Sub ListFolders(myFolder As Outlook.MAPIFolder, Level As Integer)
    Dim olFolder As Outlook.MAPIFolder
    ' go through each email in this folder
    scanFolder myFolder

    ' Now recurse into the subfolders. Each subfolder is scanned once, at the
    ' top of its own ListFolders call (scanning it here as well would print
    ' every categorised message in a folder that has subfolders twice).
    For Each olFolder In myFolder.Folders
        'Debug.Print ":"; String(Level * 2, "-"); olFolder.Name
        ListFolders olFolder, Level + 1
    Next
End Sub

Sub scanFolder(sFolder As Outlook.MAPIFolder)
    Dim src As Folder
    Dim oItem As Object
    Dim propertyAccessor As Outlook.PropertyAccessor
    Dim header As String
    Dim headerLines() As String
    Dim thisHeader As Variant
    Set src = sFolder

    For Each oItem In src.Items
        ' VBA "And" does not short-circuit, so test the type before touching
        ' the item's properties
        If TypeOf oItem Is Outlook.MailItem Then
            If oItem.Categories <> "" Then
                'Debug.Print "Cat: " + oItem.Categories
                Set propertyAccessor = oItem.PropertyAccessor
                ' PR_TRANSPORT_MESSAGE_HEADERS (0x007D001E): the message's raw
                ' Internet headers as received
                header = propertyAccessor.GetProperty("http://schemas.microsoft.com/mapi/proptag/0x007D001E")
                headerLines() = Split(header, vbCrLf)

                ' Print "<Message-ID header>~<categories>" for the message
                For Each thisHeader In headerLines
                    If InStr(thisHeader, "Message-ID:") > 0 Then
                        Debug.Print thisHeader + "~" + oItem.Categories
                        Exit For
                    End If
                Next
            End If
        End If
    Next
End Sub
--CUT-

Example of resulting output:

Message-ID: <201109011105.p81b5666028...@webserver.ohprs.org>~Red Category

Hopefully someone finds this useful.

THX --Mark

-Original Message-
> Subject: Re: IMAP flags and dovecot-keywords not working as expected
> To: dovecot@dovecot.org
> From: Peter Chiochetti <p...@myzel.net>
> Date: Sat, 30 Jul 2016 11:26:09 +0200
>
> Am 2016-07-30 um 08:00 schrieb Mark Foley:
> ?
> >
> > However, none of the tags show up correctly in Thunderbird.  If I manually 
> > set a message to
> > have a tag of 0, the corresponding IMAP file gets a flag of 'm', not 'a' 
> > and the following is
> > added to the dovecot-keywords files:
> >
> > 12 $label1
> >
> > How can I fix this? Where is "$label1" text defined? Why did Thunderbird 
> > not snag the text for
> > '0' from the dovecot-keywords file and give the IMAP file a tag of 'a'?
>
> Thunderbird flags are stored in the user's prefs.js, eg:
> - user_pref("mailnews.tags.$label1.tag", "Important");
> - user_pref("mailnews.tags.$label1.color", "#FF");
>
> A kind of key->value assignment. The "$label[1-9]" keys are special, 
> where the number magically corresponds to the keyboard shortcut to tag 
> messages, 0 meaning clear all tags.
>
> There can be more than nine tags, but they won't have a shortcut then:
> - user_pref("mailnews.tags.ten.tag", "ten");
>
> 1) The server will only ever see the key. The user will only ever see 
> the value.
>
> 2) If you rename a label in TB, then only the value will change and the 
> server will still see the same key as before.
>
> 3) If you rename a key in dovecot, TB will not create a label for it and 
> the affected messages will no longer appear tagged, if TB does not know 
> about the key.
>
> 4) Dovecot adds to the keywords as it receives requests from clients: 
> Very likely there is a limit of 26 (letters of the alphabet) per 
> account; a-d=0-3 are already taken for internal use, so 22 remain.
>
>
> > My current theory is that the "Default" Thunderbird Tags corresponding to 
> > IMAP flags are not
> > changeable and if new tags are created in Tbird, they get new flag letters.  
> > That would, of
> > course, mean that if a user changes a Thunderbird tag name, they would lose 
> > all tag settings on
> > existing messages.  That doesn't seem right and I hope my theory is wrong.
>
> I think you are mostly wrong: as long as you only use TB to work and as 
> long as you do not exceed the limit you should be safe.
>
> Notice that tags are a scarce resource: any key you ever created counts 
> toward the limit - reusing old tags requires you to text-edit both 
> dovecot-keywords and TB prefs.js.
>
> -- 
> peter
>


IMAP flags and dovecot-keywords not working as expected

2016-07-30 Thread Mark Foley
I've converted most of our users from Outlook to Thunderbird.  One important 
feature of
Thunderbird is that it pays attention to the IMAP non-standard message flags 
via the 'tags'
feature (see http://wiki2.dovecot.org/MailboxFormat/Maildir).  This is 
important because 2
users make extensive use of Outlook categories (Tags, in Thunderbird).  I found 
that when I set
a message to the 1st Tbird tag 0 (Important), the corresponding IMAP file got 
an 'a' suffix. 
Likewise, if I manually added an 'a' suffix to an IMAP file the corresponding 
tag was set and
displayed in Thunderbird.  This made it easy for me to export Outlook 
Categories and set IMAP
messages flags accordingly.  This worked perfectly on the user I was 
experimenting with (me). 

Recently, I converted one of these Outlook 'categories' users to Thunderbird.  
I added the
appropriate flag letters to their IMAP messages, changed their tag names in 
Thunderbird, and
created the following dovecot-keywords file as:

0 Board_and_Committee
1 Completed
2 Health_Care_meetings
3 Notifications
4 OSHP-DAS
5 personal_or_To_Do
6 Retirement_exits
7 $label5
8 Junk
9 $Forwarded
10 $MDNSent
11 $label2

However, none of the tags show up correctly in Thunderbird.  If I manually set 
a message to
have a tag of 0, the corresponding IMAP file gets a flag of 'm', not 'a' and 
the following is
added to the dovecot-keywords files:

12 $label1

How can I fix this? Where is "$label1" text defined? Why did Thunderbird not 
snag the text for
'0' from the dovecot-keywords file and give the IMAP file a tag of 'a'?

My current theory is that the "Default" Thunderbird Tags corresponding to IMAP 
flags are not
changeable and if new tags are created in Tbird, they get new flag letters.  
That would, of
course, mean that if a user changes a Thunderbird tag name, they would lose all 
tag settings on
existing messages.  That doesn't seem right and I hope my theory is wrong. 

Any insight would be appreciated.

--Mark
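Peter's reply above explains the mechanics (the server only ever sees the key such as $label1, keyword index N is stored in the Maildir filename as the N-th lowercase letter, and there are at most 26 of them), and this post shows the symptom: a dovecot-keywords file with twelve entries, so the next key Thunderbird sent, $label1, landed at index 12 and the file got the letter 'm'. The following is an added example, not from either post, that parses a dovecot-keywords file, maps indexes to filename letters, decodes a Maildir filename's flag suffix, and reports how many of the 26 slots remain. The keyword file is the one listed in the post plus the "12 $label1" line Dovecot appended; the Maildir filenames are constructed.

```python
import re

# dovecot-keywords exactly as listed in the post, plus the "12 $label1" line
# that Dovecot appended when the tag was set from Thunderbird.
SAMPLE_KEYWORDS = """\
0 Board_and_Committee
1 Completed
2 Health_Care_meetings
3 Notifications
4 OSHP-DAS
5 personal_or_To_Do
6 Retirement_exits
7 $label5
8 Junk
9 $Forwarded
10 $MDNSent
11 $label2
12 $label1
"""

MAX_KEYWORDS = 26  # one lowercase letter a-z per keyword in the filename

# Maildir filename: <unique>:2,<flags>; uppercase = standard IMAP flags
# (D/F/P/R/S/T), lowercase = per-mailbox keywords from dovecot-keywords.
_FILENAME_RE = re.compile(r"^[^:]+:2,(?P<flags>[A-Za-z]*)$")


def parse_keywords(text):
    """Parse dovecot-keywords ("<index> <name>" per line) into {index: name}.
    Rejects duplicate indexes and anything beyond the 26-letter limit."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        idx_s, _, name = line.partition(" ")
        if not idx_s.isdigit() or not name:
            raise ValueError(f"line {lineno}: expected '<index> <name>', got {raw!r}")
        idx = int(idx_s)
        if idx >= MAX_KEYWORDS:
            raise ValueError(f"line {lineno}: index {idx} exceeds the "
                             f"{MAX_KEYWORDS} letters available")
        if idx in table:
            raise ValueError(f"line {lineno}: index {idx} already used by {table[idx]!r}")
        table[idx] = name
    return table


def keyword_letter(index):
    """Keyword index N is written into the filename as the N-th letter: 0->a, 12->m."""
    if not 0 <= index < MAX_KEYWORDS:
        raise ValueError(f"keyword index out of range: {index}")
    return chr(ord("a") + index)


def letter_for_name(table, name):
    """Letter a message file must carry for a keyword name, or None if unknown."""
    for idx, kw in table.items():
        if kw == name:
            return keyword_letter(idx)
    return None


def decode_flags(filename, table):
    """Split a filename's flag suffix into (standard_flags, keyword_names).
    A lowercase letter with no entry in the table is reported as '?<letter>'."""
    m = _FILENAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a flagged Maildir filename: {filename!r}")
    std, keywords = set(), []
    for ch in m["flags"]:
        if ch.isupper():
            std.add(ch)
        else:
            keywords.append(table.get(ord(ch) - ord("a"), f"?{ch}"))
    return std, keywords


def free_slots(table):
    """Keyword slots still unused in this mailbox (every key ever seen counts)."""
    return MAX_KEYWORDS - len(table)


if __name__ == "__main__":
    kw = parse_keywords(SAMPLE_KEYWORDS)
    print(letter_for_name(kw, "$label1"))                      # m
    print(decode_flags("1469000000.M1P2.mail:2,Sm", kw))        # ({'S'}, ['$label1'])
    print(free_slots(kw))                                        # 13
```

Note that the key/value split is the point: to make the renamed Thunderbird tag land on the letter 'a', the entry at index 0 of this file would have to be the key Thunderbird sends ($label1), with "Board_and_Committee" set as that key's display value in prefs.js, not as the keyword name on the server.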


Re: Moving Maildir folders

2016-07-17 Thread Mark Foley
On Date: Sun, 17 Jul 2016 12:24:04 +0200 Luigi Rosa  wrote:
>
> Peter Chiochetti wrote on 17/07/2016 11:01:
>
> > With Maildir and path separator "." one can have incomplete paths: eg.
> > bpatterson.INBOX.2011 will say that there is 2011 within INBOX within 
> > bpatterson
> > -- while it is possible, that both bpatterson and bpatterson.INBOX do not 
> > exist!
> > Thunderbird will render the missing folders gray in the UI, you probably 
> > cannot
> > subscribe to those, even from the subscribe dialogue. You should be able to
> > create them though.
>
> That is correct.
>
> If you want to create the "path" Somename/Foo/Bar/Baz (as seen by the IMAP 
> client), even if only Somename and Baz contains messages, you must have the 
> entire "path", that is your mailbox directory must contain the directories:
>
> .Somename
> .Somename.Foo
> .Somename.Foo.Bar
> .Somename.Foo.Bar.Baz
>
> Of course each of the directories will contain cur, tmp, new and Dovecot files
>
> Ciao,
> luigi

That was probably my problem. While I moved the entire Maildir structure from 
the old user's
Maildir hierarchy, I just created

.bpatterson.Foo.Bar/
.bpatterson.Foo.raB/
etc

I never did create

.bpatterson/
.bpatterson.Foo/

etc.

Good to know. I'll sort that out better next time. Meanwhile, before reading 
this message, I
created a new folder in Tbird, then dragged the folders out of the .bpatterson 
hierarchy to the
new folder. That worked, but was a bit time consuming. 

I suppose I was thrown off because the destination user's Maildir has no 
.INBOX/ directory, only:

.INBOX.this/
.INBOX.that/

but, I suppose INBOX is a special case since the rest of the top-level folders 
(Drafts,
Templates, Sent Items, ...) do have directories. Next time!

Thanks --Mark


Re: Moving Maildir folders

2016-07-16 Thread Mark Foley
On Sun, 17 Jul 2016 03:44:05 +0200 Achim Gottinger <ac...@ag-web.biz> wrote:

Am 17.07.2016 um 02:36 schrieb Mark Foley:
> Not quite there yet. The folders show up, but I cannot see the mail inside 
> the folders unless
> (in the Thunderbird client) I uncheck the setting "Show only subscribed 
> folders". Still, the
> top-level folder is shown as grayed-out/italics as well as the sub-folder 
> INBOX. All other
> sub-folder at the same level as INBOX are not grayed-out, nor are folders 
> subordinate to INBOX:
>
> u...@mydom.org <-- topmost "real" account folder
>+Inbox
>Drafts
>Templates
>send Items
>Junk E-mail
>Deleted Items
>+bpatterson   <-- added Maildir folders from former user, grayed-out, 
> italics
>  +INBOX  <-- grayed out, italic
>Payabled  <-- not grayed
>Health Care  <-- not grayed
>:
>:
>  Sent   <-- not grayed
>  Sent Items <-- not grayed
>  Templates  <-- not grayed
>  Trash  <-- not grayed
>
> Mozilla has a reference to this phenomenon 
> http://kb.mozillazine.org/Grey_italic_folders, but
> this seems to have to do with GMAIL accounts. Mine is a local IMAP server and 
> the link has no
> apparent remedy.
>
> Furthermore, if I attempt to delete e.g. "Trash" I get an error, presumably 
> from Dovecot: "The
> current command did not succeed. The mail server for account u...@mydom.org 
> responded:
> [ALREADYEXISTS] Target mailbox already exists." Seems like an odd error when 
> trying to delete.
>
> My theory is that if I can designate these folders as 'subscribed' everything 
> would work
> normally. I don't know if that's true. I've tried adding these folders to the 
> 'subscriptions'
> file in the user's Maildir folder, an excerpt of which:
>
> INBOX.Directed Brokerage
> INBOX.Directed Brokerage.Abel Noser
> INBOX.Investments-Active.Kayne
> INBOX.Pending - Open Projects
> Deleted Items.Oath
> INBOX.Board Info.New Trustee-Oath of Office
> INBOX.Rule Filing-Rule Changes
> bpatterson.INBOX.2011 Investment Confirmation Responses
> bpatterson.INBOX.2011 and 2012 KCR Audit
> bpatterson.INBOX.2012 Investment Confirmation Responses
> bpatterson.INBOX.2013 Health Care Changes - Information
> bpatterson.INBOX.2013 Investment Confirmation Responses
>
> where the 1st 7 listed are part of the user's existing list and the next ones 
> are what I added
> for the former user's mail folders. This did not work.
>
> Ideas?
>
> --Mark
Hi Mark,

Try to subscribe in thunderbird via your account's right click context menu.
The greyed out folders may not contain mails (missing .cur etc. 
subfolders).
Sometimes it is necessary to clean the ImapMail folder in the 
thunderbird user profile (as a last resort).

achim~

> From dovecot-boun...@dovecot.org  Sat Jul 16 21:44:27 2016
> X-Virus-Status: Clean
> X-Virus-Scanned: clamav-milter 0.98.6 at mail
> X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.20__ (2011-06-06) on
>   mail.hprs.local
> X-Spam-Level: 
> X-Spam-Status: No, score=-102.7 required=3.0 tests=LOCAL_FROM_WORDS5,
>   USER_IN_WHITELIST,USER_IN_WHITELIST_TO autolearn=no
>   version=3.3.2-_revision__1.20__
> X-Original-To: dovecot@dovecot.org
> Delivered-To: dovecot@dovecot.org
> Subject: Re: Moving Maildir folders
> To: dovecot@dovecot.org
> From: Achim Gottinger <ac...@ag-web.biz>
> Date: Sun, 17 Jul 2016 03:44:05 +0200
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
>   Icedove/45.1.0
> Content-Type: text/plain; charset=windows-1252; format=flowed
> X-Authenticated-Sender: ac...@ag-web.biz
> X-Virus-Scanned: Clear (ClamAV 0.99.2/21916/Sun Jul 17 00:49:18 2016)
> X-BeenThere: dovecot@dovecot.org
> X-Mailman-Version: 2.1.17
> Precedence: list
> Reply-To: Dovecot Mailing List <dovecot@dovecot.org>
> List-Id: Dovecot Mailing List 
> List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>,
>   <mailto:dovecot-requ...@dovecot.org?subject=unsubscribe>
> List-Archive: <http://dovecot.org/pipermail/dovecot/>
> List-Post: <mailto:dovecot@dovecot.org>
> List-Help: <mailto:dovecot-requ...@dovecot.org?subject=help>
> List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>,
>   <mailto:dovecot-requ...@dovecot.org?subject=subscribe>
> Errors-To: dovecot-boun...@dovecot.org
> Sender: "dovecot" <dovecot-boun...@dovecot.org>
> X-Spam-Report: 
>   * -100 USER_IN_WHITELIST From: address is in the user's white-list
>   *  3.3 LOCAL_FROM_WORDS5 From contains words in reject list

Re: an e-mail client for dovecot ?

2016-07-16 Thread Mark Foley
Hmmm, one thing to perhaps try first is upgrading your software. You mentioned 
that your
dovecot is version 1.2.17. I'm running 2.2.15 (which is also older. Current 
version is 2.2.25).
I know there were major changes between version 1.x and 2.x.

Your Ubuntu is 14.04 which is 2 releases old, now at 16.04 (I'm running 15.10). 
I do have 16.04
booting with x86, but I haven't yet installed it.

You didn't mention your Thunderbird version, but I'm guessing they are 
similarly dated. My
Ubuntu Tbird is 38.8.0 and my Win7 is 45.2.0.

It could be your older versions of things don't support what you want.

My dovecot server is Slackware64 14.1. One of the users has over 1400 mail 
folders and 7.2G of
IMAP space. She has had no problems with Thunderbird.

All of our WIN7 workstations are x64, so perhaps there are issues with x86 
version of
dovecot/Thunderbird.

--Mark

-Original Message-
> Subject: Re: an e-mail client for dovecot ?
> To: dovecot@dovecot.org
> From: Kenneth Porter <sh...@sewingwitch.com>
> Date: Sat, 16 Jul 2016 16:52:08 -0700

> On 7/16/2016 10:22 AM, Mark Foley wrote:
> > I concur with Charles Marcus' query: can you elaborate on how Thunderbird 
> > is failing for you?
>
> I run Thunderbird and Mulberry side-by-side, as there are features in 
> Mulberry I don't want to give up, even though it's old and buggy. I've 
> noticed that Mulberry finds folders in my huge hierarchy (100's of 
> folders) that Tbird misses. Notably my SpamAssassin folder, and it's 
> consistent across several accounts I monitor. Both programs are set to 
> scan all IMAP folders. It's not just because the SA folder is flagged as 
> an additional Junk folder. I've got other folders that Tbird misses. 
> Most receive automated server mail from Linux services (such as 
> logwatch). I haven't been able to find a pattern.
>


Re: Moving Maildir folders

2016-07-16 Thread Mark Foley
Not quite there yet. The folders show up, but I cannot see the mail inside the 
folders unless
(in the Thunderbird client) I uncheck the setting "Show only subscribed 
folders". Still, the
top-level folder is shown as grayed-out/italics as well as the sub-folder 
INBOX. All other
sub-folder at the same level as INBOX are not grayed-out, nor are folders 
subordinate to INBOX:

u...@mydom.org <-- topmost "real" account folder
  +Inbox
  Drafts
  Templates
  send Items
  Junk E-mail
  Deleted Items
  +bpatterson   <-- added Maildir folders from former user, grayed-out, italics
+INBOX  <-- grayed out, italic
  Payabled  <-- not grayed
  Health Care  <-- not grayed
  :
  :
Sent   <-- not grayed
Sent Items <-- not grayed
Templates  <-- not grayed  
Trash  <-- not grayed

Mozilla has a reference to this phenomenon 
http://kb.mozillazine.org/Grey_italic_folders, but
this seems to have to do with GMAIL accounts. Mine is a local IMAP server and 
the link has no
apparent remedy.

Furthermore, if I attempt to delete e.g. "Trash" I get an error, presumably 
from Dovecot: "The
current command did not succeed. The mail server for account u...@mydom.org 
responded:
[ALREADYEXISTS] Target mailbox already exists." Seems like an odd error when 
trying to delete.

My theory is that if I can designate these folders as 'subscribed' everything 
would work
normally. I don't know if that's true. I've tried adding these folders to the 
'subscriptions'
file in the user's Maildir folder, an excerpt of which:

INBOX.Directed Brokerage
INBOX.Directed Brokerage.Abel Noser
INBOX.Investments-Active.Kayne
INBOX.Pending - Open Projects
Deleted Items.Oath
INBOX.Board Info.New Trustee-Oath of Office
INBOX.Rule Filing-Rule Changes
bpatterson.INBOX.2011 Investment Confirmation Responses
bpatterson.INBOX.2011 and 2012 KCR Audit
bpatterson.INBOX.2012 Investment Confirmation Responses
bpatterson.INBOX.2013 Health Care Changes - Information
bpatterson.INBOX.2013 Investment Confirmation Responses

where the 1st 7 listed are part of the user's existing list and the next ones 
are what I added
for the former user's mail folders. This did not work.

Ideas?

--Mark
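Luigi's reply in the 2016-07-17 message above gives the rule that explains both the grey folders here and the subscriptions that did nothing: with Maildir++ and the "." separator, every ancestor in a name like bpatterson.INBOX.2011 ... must exist as its own directory (.bpatterson and .bpatterson.INBOX), and a subscription line only helps once its directory exists. The following is an added example, not from either post, that computes the missing ancestors from a directory listing, lists subscription entries with no directory behind them, and can create the missing ancestors (with cur/new/tmp) under a real Maildir. The directory names are those from the listing earlier in this thread (a partial listing, so entries that exist on the real server may be absent here); the subscriptions list is constructed, with one deliberately dangling entry; treating INBOX as the Maildir root itself (no .INBOX directory) follows the thread's own observation.

```python
import os

SEP = "."  # Maildir++ folder separator, as used throughout the thread

# Directory names from the listing earlier in this thread (partial listing).
SAMPLE_DIRS = [
    ".INBOX.Travel", ".INBOX.UPS", ".INBOX.US Bank",
    ".INBOX.United Health Care-Employee", ".INBOX.VRC", ".INBOX.Website",
    ".INBOX.Website.Mouse Pad Insert", ".INBOX.iLink",
    ".Junk E-mail", ".Sent Items", ".Templates",
    ".bpatterson.Deleted Items", ".bpatterson.Drafts",
    ".bpatterson.INBOX.2011 Investment Confirmation Responses",
    ".bpatterson.INBOX.2011 and 2012 KCR Audit",
    ".bpatterson.INBOX.2012 Investment Confirmation Responses",
    ".bpatterson.INBOX.2013 Health Care Changes - Information",
    ".bpatterson.INBOX.2013 Investment Confirmation Responses",
]

# Constructed subscriptions file; the last entry has no directory on purpose.
SAMPLE_SUBSCRIPTIONS = [
    "INBOX",
    "Sent Items",
    "bpatterson.Drafts",
    "bpatterson.INBOX.2011 Investment Confirmation Responses",
    "bpatterson.INBOX.2014 Audit",
]


def is_folder_dir(name):
    """Maildir++ folder directories are the dot-prefixed entries of the Maildir root."""
    return name.startswith(SEP) and name not in (SEP, SEP + SEP)


def parents_of(dirname):
    """Ancestor directories implied by a folder name:
    '.bpatterson.INBOX.2011 x' -> ['.bpatterson', '.bpatterson.INBOX'].
    Top-level INBOX is the Maildir root, so '.INBOX' itself is never required."""
    parts = dirname[1:].split(SEP)
    needed = []
    for i in range(1, len(parts)):
        ancestor = SEP + SEP.join(parts[:i])
        if ancestor != SEP + "INBOX":
            needed.append(ancestor)
    return needed


def missing_parents(dirnames):
    """Ancestor directories referenced by the listing but not present in it."""
    present = {d for d in dirnames if is_folder_dir(d)}
    missing = set()
    for d in present:
        for ancestor in parents_of(d):
            if ancestor not in present:
                missing.add(ancestor)
    return sorted(missing)


def subscription_dir(entry):
    """Directory a 'subscriptions' line refers to; None for the INBOX root."""
    return None if entry == "INBOX" else SEP + entry


def dangling_subscriptions(subscriptions, dirnames):
    """Subscription entries whose directory does not exist (the client shows nothing)."""
    present = set(dirnames)
    return [s for s in subscriptions
            if subscription_dir(s) is not None and subscription_dir(s) not in present]


def ensure_parents(maildir_root, mode=0o700):
    """Filesystem version: create each missing ancestor folder with cur/new/tmp,
    owner-only permissions as in the thread. Returns the names created."""
    created = []
    for ancestor in missing_parents(os.listdir(maildir_root)):
        path = os.path.join(maildir_root, ancestor)
        for sub in ("cur", "new", "tmp"):
            os.makedirs(os.path.join(path, sub), mode=mode, exist_ok=True)
        os.chmod(path, mode)
        created.append(ancestor)
    return created


if __name__ == "__main__":
    print(missing_parents(SAMPLE_DIRS))                            # ['.bpatterson', '.bpatterson.INBOX']
    print(dangling_subscriptions(SAMPLE_SUBSCRIPTIONS, SAMPLE_DIRS))  # ['bpatterson.INBOX.2014 Audit']
```

Run ensure_parents as the mailbox owner (or chown the result to that user afterwards), since the earlier "Apparent Maildir permission issue" thread shows what Dovecot does when the owner uid of a Maildir directory does not match the login.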

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Sat, 16 Jul 2016 15:05:33 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Moving Maildir folders

Hey!! It is now showing the former users' folders at the top level of the 
current user.  Great!
Perhaps dovecot just needed time to "index" the new messages? Anyway, Luigi's 
suggestion on
moving and renaming the folders apparently worked. 

Thanks --Mark

-Original Message-
> Subject: Re: Moving Maildir folders
> From: Frank-Ulrich Sommer <f-...@gmx.net>
> Date: Sat, 16 Jul 2016 20:41:10 +0200
> To: dovecot@dovecot.org

> How did you verify that dovecot doesn't show these folders? Couldn't this be 
> a client problem? In Thunderbird e.g. it might be necessary to update the 
> list of displayed folders.
>
> Am 16. Juli 2016 19:07:39 MESZ, schrieb Mark Foley <mfo...@ohprs.org>:
> >On Sat, 16 Jul 2016 08:53:27 +0200 Luigi Rosa <li...@luigirosa.com>
> >wrote:
> >>
> >> Mark Foley wrote on 16/07/2016 07:43:
> >> > Our office had a user leave.  Another user is taking over her
> >duties and needs reference to the
> >> > departing user's email.  I've copied that entire departed user's
> >Maildir structure to the current
> >> > user:
> >> >
> >> > mv olduser/Maildir/.* curuser/Maildir/.olduser
> >> >
> >> > I did change permission and ownership on curuser/Maildir/.olduser
> >to be the target user. I did
> >> > not bring over the olduser/Maildir/dovecot* files (indexes,
> >subscriptions, etc.) as I thought
> >> > that would be bad.
> >>
> >> Maildir has no nested folders.
> >>
> >> If you want a subtree structure in maildir you must create each
> >folder at the 
> >> first level
> >>
> >> in the new user you must have something like:
> >>
> >> .olduser.INBOX
> >> .olduser.Sent
> >> .olduser.Trash
> >> .olduser.Drafts
> >> .olduser.whatever
> >>
> >> Each directory with tmp, new, cur subdirs only (and dovecot files, of
> >course)
> >>
> >>
> >>
> >> -- 
> >>
> >>
> >> Ciao,
> >> luigi
> >>
> >> /
> >> +--[Luigi Rosa]--
> >> \
> >>
> >> Understanding is a three-edged sword.
> >>  --Kosh, "Deathwalker"
> >
> >OK, I believe I'v

Re: Moving Maildir folders

2016-07-16 Thread Mark Foley
Hey!! It is now showing the former users' folders at the top level of the 
current user.  Great!
Perhaps dovecot just needed time to "index" the new messages? Anyway, Luigi's 
suggestion on
moving and renaming the folders apparently worked. 

Thanks --Mark

-Original Message-
> Subject: Re: Moving Maildir folders
> From: Frank-Ulrich Sommer <f-...@gmx.net>
> Date: Sat, 16 Jul 2016 20:41:10 +0200
> To: dovecot@dovecot.org

> How did you verify that dovecot doesn't show these folders? Couldn't this be 
> a client problem? In Thunderbird e.g. it might be necessary to update the 
> list of displayed folders.
>
> Am 16. Juli 2016 19:07:39 MESZ, schrieb Mark Foley <mfo...@ohprs.org>:
> >On Sat, 16 Jul 2016 08:53:27 +0200 Luigi Rosa <li...@luigirosa.com>
> >wrote:
> >>
> >> Mark Foley wrote on 16/07/2016 07:43:
> >> > Our office had a user leave.  Another user is taking over her
> >duties and needs reference to the
> >> > departing user's email.  I've copied that entire departed user's
> >Maildir structure to the current
> >> > user:
> >> >
> >> > mv olduser/Maildir/.* curuser/Maildir/.olduser
> >> >
> >> > I did change permission and ownership on curuser/Maildir/.olduser
> >to be the target user. I did
> >> > not bring over the olduser/Maildir/dovecot* files (indexes,
> >subscriptions, etc.) as I thought
> >> > that would be bad.
> >>
> >> Maildir has no nested folders.
> >>
> >> If you want a subtree structure in maildir you must create each
> >folder at the 
> >> first level
> >>
> >> in the new user you must have something like:
> >>
> >> .olduser.INBOX
> >> .olduser.Sent
> >> .olduser.Trash
> >> .olduser.Drafts
> >> .olduser.whatever
> >>
> >> Each directory with tmp, new, cur subdirs only (and dovecot files, of
> >course)
> >>
> >>
> >>
> >> -- 
> >>
> >>
> >> Ciao,
> >> luigi
> >>
> >> /
> >> +--[Luigi Rosa]--
> >> \
> >>
> >> Understanding is a three-edged sword.
> >>  --Kosh, "Deathwalker"
> >
> >OK, I believe I've done as you suggested, but still nothing showing on
> >the target users mail
> >client. Here's what part of the Maildir looks like with the 1st set of
> >folders belonging to the
> >target user and those beginning with .bpatterson from the old user.
> >Does this look right as
> >you've advised? Perhaps I need to do something else?
> >
> >.INBOX.Travel/
> >.INBOX.UPS/
> >.INBOX.US\ Bank/
> >.INBOX.United\ Health\ Care-Employee/
> >.INBOX.VRC/
> >.INBOX.Website/
> >.INBOX.Website.Mouse\ Pad\ Insert/
> >.INBOX.iLink/
> >.Junk\ E-mail/
> >.Sent\ Items/
> >.Templates/
> >.bpatterson.Deleted\ Items/
> >.bpatterson.Drafts/
> >.bpatterson.INBOX.2011\ Investment\ Confirmation\ Responses/
> >.bpatterson.INBOX.2011\ and\ 2012\ KCR\ Audit/
> >.bpatterson.INBOX.2012\ Investment\ Confirmation\ Responses/
> >.bpatterson.INBOX.2013\ Health\ Care\ Changes\ -\ Information/
> >.bpatterson.INBOX.2013\ Investment\ Confirmation\ Responses/
> >
> >At the top level, the target user has (in email client):
> >
> >Inbox
> >Drafts
> >Templates
> >Sent Items
> >Junk E-mail
> >Deleted Items
> >
> >I'm expecting to see "bpatterson" appear in that list.
> >
> >Thanks --Mark
>
> -- 
> Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
>


Re: an e-mail client for dovecot ?

2016-07-16 Thread Mark Foley
Wow! That's interesting.  Our office of 10+ Windows 7 *and* Ubuntu workstations 
has been
moving from Outlook to Thunderbird over the past year. Our users find it WAY 
BETTER than
Outlook. Have you actually tried Outlook 2013 and later? The suckiness of 2013 
was what drove
us to look elsewhere in the first place. We tried a number of clients including 
Evolution and
emClient and Tbird proved the best in my testing.

Thunderbird runs on both Windows and Ubuntu, can do AD authentication and 
basically has all the
features of Outlook including color categories which our director could not 
live without; and
can be configured to have a very similar look-and-feel as Outlook.  In over a 
year of running
Thunderbird (currently at 38.8.0 Ubuntu, 45.2.0 Windows) it has performed 
flawlessly. 

I concur with Charles Marcus' query: can you elaborate on how Thunderbird is 
failing for you?

--Mark

-Original Message-
> Date: Sat, 16 Jul 2016 08:02:33 + (UTC)
> From: Spyros Tsiolis 
> To: Dovecot 
> Subject: an e-mail client for dovecot ?
>
> Hello all,
>
> For some years now, I've been using Thunderbird for dovecot.
> I am not very satisfied with t/b so I thought of using m/s outlook 
> but then I thought that I want to distance my clients from office
> products.
>
> I have a newly created dovecot installation on a very small site.
> Three nodes, all x86 Windows 7 professional with an ubuntu v14.04
> server (x86 again) running dovecot 1.2.17.
>
> The clients there use dovecot as an imap server, so they have a 
> real-world e-mail account each and whatever they want to keep , they
> store by dragging-and-dropping to the imap (local / archive) account.
>
> Since I have quite some experience with thunderbird, I know most of
> its shortcomings; So I thought if there's an alternative (better?)
> imap mail client for x86 windows 7 systems than t/b.
>
> Even better if there's an alternative client that is also supported under
> linux .
>
> Any ideas are welcome,
>
> TIA,
>
> s.t.
>


Re: Moving Maildir folders

2016-07-16 Thread Mark Foley
On Sat, 16 Jul 2016 08:53:27 +0200 Luigi Rosa <li...@luigirosa.com> wrote:
>
> Mark Foley wrote on 16/07/2016 07:43:
> > Our office had a user leave.  Another user is taking over her duties and 
> > needs reference to the
> > departing user's email.  I've copied that entire departed user's Maildir 
> > structure to the current
> > user:
> >
> > mv olduser/Maildir/.* curuser/Maildir/.olduser
> >
> > I did change permission and ownership on curuser/Maildir/.olduser to be the 
> > target user. I did
> > not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, 
> > etc.) as I thought
> > that would be bad.
>
> Maildir has no nested folders.
>
> If you want a subtree structure in maildir you must create each folder at the 
> first level
>
> in the new user you must have something like:
>
> .olduser.INBOX
> .olduser.Sent
> .olduser.Trash
> .olduser.Drafts
> .olduser.whatever
>
> Each directory with tmp, new, cur subdirs only (and dovecot files, of course)
>
>
>
> -- 
>
>
> Ciao,
> luigi
>
> /
> +--[Luigi Rosa]--
> \
>
> Understanding is a three-edged sword.
>  --Kosh, "Deathwalker"

OK, I believe I've done as you suggested, but still nothing showing on the 
target users mail
client. Here's what part of the Maildir looks like with the 1st set of folders 
belonging to the
target user and those beginning with .bpatterson from the old user. Does this 
look right as
you've advised? Perhaps I need to do something else?

.INBOX.Travel/
.INBOX.UPS/
.INBOX.US\ Bank/
.INBOX.United\ Health\ Care-Employee/
.INBOX.VRC/
.INBOX.Website/
.INBOX.Website.Mouse\ Pad\ Insert/
.INBOX.iLink/
.Junk\ E-mail/
.Sent\ Items/
.Templates/
.bpatterson.Deleted\ Items/
.bpatterson.Drafts/
.bpatterson.INBOX.2011\ Investment\ Confirmation\ Responses/
.bpatterson.INBOX.2011\ and\ 2012\ KCR\ Audit/
.bpatterson.INBOX.2012\ Investment\ Confirmation\ Responses/
.bpatterson.INBOX.2013\ Health\ Care\ Changes\ -\ Information/
.bpatterson.INBOX.2013\ Investment\ Confirmation\ Responses/

At the top level, the target user has (in email client):

Inbox
Drafts
Templates
Sent Items
Junk E-mail
Deleted Items

I'm expecting to see "bpatterson" appear in that list.

Thanks --Mark


Moving Maildir folders

2016-07-15 Thread Mark Foley
Our office had a user leave.  Another user is taking over her duties and needs 
reference to the
departing user's email.  I've copied that entire departed user's Maildir 
structure to the current
user:

mv olduser/Maildir/.* curuser/Maildir/.olduser

I did change permission and ownership on curuser/Maildir/.olduser to be the 
target user. I did
not bring over the olduser/Maildir/dovecot* files (indexes, subscriptions, 
etc.) as I thought
that would be bad.

Nevertheless, the curuser cannot see this new olduser folder (which should be 
at the same level
as Inbox, Junk Mail, etc.).  I did manually add olduser to the 
curuser/Maildir/subscriptions
file, but still nothing. 

So, what did I do wrong and how do I fix it?

THX -- Mark


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Mark Foley
Brendan - yes, go ahead and send that doc directly to my email address. I've got Maildir folders going, but not nfs; and I'm curious about your load balance.

THX --Mark

-Original Message-
> Date: Mon, 04 Jul 2016 10:40:06 -0400
> From: Brendan Kearney <bpk...@gmail.com>
> To: dovecot@dovecot.org
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI 
> config]
>
> On 07/04/2016 03:30 AM, Mark Foley wrote:
> > Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.
> >
> > Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":
> >
> > $ klist -Kek /etc/dovecot/dovecot.keytab
> > Keytab name: FILE:/etc/dovecot/dovecot.keytab
> > KVNO Principal
> >  
> > --
> > 1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
> > 1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
> > 1 imap/host.domain.name@MYREALM (arcfour-hmac)  
> > (0x9dae89a221dc374a39f560833
> >
> > --Mark
> >
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Mon, 04 Jul 2016 03:23:30 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI 
> > config]
> >
> > On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> >>> http://wiki2.dovecot.org/Authentication/Kerberos
> >> It has been now updated.
> > Excellent! That was quick!
> >
> > Although, you used my actual local domain in your example: mail.hprs.local.  Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wikis when we don't fully understand.  Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.
> >
> >> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> >> I have to set up some kind of test environment to find out why it bugs.
> > I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll check back with the list to see if you've come up with anything.
> >
> >> Aki
> > Again, thanks for all your help.
> >
> > --Mark
> >
> > -Original Message-
> >> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI 
> >> config]
> >> To: dovecot@dovecot.org
> >> From: Aki Tuomi <aki.tu...@dovecot.fi>
> >> Organization: Dovecot Oy
> >> Date: Mon, 4 Jul 2016 08:54:27 +0300
> >> On 04.07.2016 07:44, Mark Foley wrote:
> >>> After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey and especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me.  Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side.  I hope a variation of these instructions can eventually make it into:
> >>>
> >>> http://wiki2.dovecot.org/Authentication/Kerberos
> >>>
> >>>
> >> It has been now updated.
> >>
> >> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> >> I have to set up some kind of test environment to find out why it bugs.
> >>
> >> Aki
> >>
> I have a document that I had written, recording each of the changes needed to each of the files to be modified, in order to have dovecot authenticate against kerberos and authorize against ldap.  In addition, the use of nfs for maildir mailboxes and load balanced nuances are covered.  The doc is in odt format (libre office writer), and I have attempted to post it to this mailing list, but it was quarantined.
>
> If there is any interest in the doc, reach out to me.  I welcome input and feedback on it.
>
> brendan
>


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Mark Foley
Actually, I see that you used host.domain.name further down. That's a good substitute for mail.hprs.local.

Also, not to be a literary critic, but it might not hurt to show an example keytab beneath your "Make sure your keytab has entry for ...". Just in case people don't exactly know how to "make sure":

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/host.domain.name@MYREALM (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/host.domain.name@MYREALM (arcfour-hmac)  (0x9dae89a221dc374a39f560833

--Mark

-Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 04 Jul 2016 03:23:30 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:

> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> It has been now updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: mail.hprs.local.  Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wikis when we don't fully understand.  Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.

> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll check back with the list to see if you've come up with anything.

> Aki

Again, thanks for all your help.

--Mark

-Original Message-
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI 
> config]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 4 Jul 2016 08:54:27 +0300

>
> On 04.07.2016 07:44, Mark Foley wrote:
> > After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey and especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me.  Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side.  I hope a variation of these instructions can eventually make it into:
> >
> > http://wiki2.dovecot.org/Authentication/Kerberos
> >
> >
>
> It has been now updated.
>
> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.
>
> Aki
>


Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-04 Thread Mark Foley
On Mon, 4 Jul 2016 08:54:27 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:

> > http://wiki2.dovecot.org/Authentication/Kerberos
>
> It has been now updated.

Excellent! That was quick!

Although, you used my actual local domain in your example: mail.hprs.local.  Not that I care, no one can get to that, but it might be clearer to those of us who uncomprehendingly monkey-type things from wikis when we don't fully understand.  Perhaps something more generic would be clearer: myhost.myrealm, or myhost.mydom.local, or myLocalFQDN -- something like that. Not sure what is best; just don't want to imply that they HAVE TO use mail.hprs.local.

> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.

I'm going to give my brain a rest for a bit before I resume tilting at the NTLM windmill! I'll check back with the list to see if you've come up with anything.

> Aki

Again, thanks for all your help.

--Mark

-Original Message-
> Subject: Re: Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI 
> config]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 4 Jul 2016 08:54:27 +0300

>
> On 04.07.2016 07:44, Mark Foley wrote:
> > After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey and especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me.  Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side.  I hope a variation of these instructions can eventually make it into:
> >
> > http://wiki2.dovecot.org/Authentication/Kerberos
> >
> >
>
> It has been now updated.
>
> I had a look at the NTLM mechanism, it *should* support SSP and NTLMv2.
> I have to set up some kind of test environment to find out why it bugs.
>
> Aki
>


Configure Dovecot for GSSAPI [formerly: Looking for GSSAPI config]

2016-07-03 Thread Mark Foley
After over a year and a half struggling to get Dovecot to do either NTLM or GSSAPI authentication with Samba4 AD/DC, I believe I've finally got it! Thanks to all those in this list who helped: Jan Jurkus, Edgar Pettijohn, Gregory Sloop, Tom Talpey and especially Aki Tuomi; and infinite thanks to Achim Gottinger on the SambaList for his patience in working this through with me.  Although my purpose was for Dovecot to authenticate mail clients, the configuration settings needed were on the Samba side.  I hope a variation of these instructions can eventually make it into:

http://wiki2.dovecot.org/Authentication/Kerberos

What is essentially missing from the wiki is how to set up the proper Service Principal Names and the subsequent creation of a dovecot-usable kerberos keytab file.  The wiki comment on "k5principals passdb" was not helpful and largely unintelligible to me.

Perhaps like many of you, I have switched from Microsoft SBS and Exchange to Samba4 and Dovecot/IMAP. The transition was completely transparent to my users, except they needed a separate password for email authentication in the absence of NTLM or GSSAPI working with Dovecot. A mild inconvenience, but I have been on a "quest" to fill that gap. This solution finally takes care of that last piece.

The following describes how to create the SPNs and krb5 keytab files using Samba4, which has its own built-in (Heimdal) kerberos. The procedures are probably similar for other facilities such as setspn for Windows, but I've not used those so I won't attempt to discuss those mechanisms here.

You do need kerberos, as the Samba built-in kerberos does not have needed commands like `klist`.

My distro (Slackware 14.1) does not come with kerberos (nor, I think, does Ubuntu), but it is easily found at:

https://slackbuilds.org/repository/14.1/network/krb5/

Ubuntu/Debian: apt-get install krb5-config libpam-krb5 krb5-user ssh-krb5 (perhaps more)

After provisioning Samba4, copy the krb5.conf template to /etc/krb5.conf.

(Note: the actual docs advise symlinking:

  ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf

but I prefer making a copy in case I need to modify things.)

I've set the /etc/krb5.conf file to world-readable.  Its default contents are (and these do not need to be changed):

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

where HPRS.LOCAL is my realm, of course use your own.

Now, we need a samba user in order to create the necessary SPNs (Server Principal Names):

$ samba-tool user create dovecot
New Password:
Retype Password:
User 'dovecot' created successfully

Next, add the SPN(s), and create the keytab:

$ samba-tool spn add imap/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal imap/mail.hprs.local /etc/dovecot/dovecot.keytab

Dovecot does not do my (outgoing) SMTP serving, only (incoming) IMAP, but if it did I'd have to create another SPN for smtp:

$ samba-tool spn add smtp/mail.hprs.local dovecot
$ samba-tool domain exportkeytab --principal smtp/mail.hprs.local /etc/dovecot/dovecot.keytab

Dovecot needs to be able to read the keytab file:

$ chgrp dovecot /etc/dovecot/dovecot.keytab
$ chmod g+r /etc/dovecot/dovecot.keytab

my new keytab:

$ klist -Kek /etc/dovecot/dovecot.keytab
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 imap/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)
(and if I also created the spn for smtp I would also have these:)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-crc)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (des-cbc-md5)  (0x232616c2a4fd08f7)
   1 smtp/mail.hprs.local@HPRS.LOCAL (arcfour-hmac)  (0x9dae89a221dc374a39f560833352f60f)

DOVECOT SETTINGS:

My version: 2.2.15

Of crucial importance is to build dovecot with GSSAPI! That is NOT one of the default settings.  In the dovecot build directory:

./configure --with-gssapi=yes

Other than that serious build gotcha, settings are pretty simple.  Add the following 3 settings to 10-auth.conf:

auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = plain login gssapi

The auth_gssapi_hostname is supposedly not required according to some of the above-listed commenters, but my 10-auth.conf template implies differently, so it can't hurt.

gssapi does not require a passdb. Use whatever userdb you want. The dovecot wiki doc has some suggestions, none of which I've tried. I use the 'driver = passwd' for my userdb for unrelated reasons.

I couldn't get any of this working until I rebooted the Samba AD/DC-Dovecot server, but that just may have been me not stopping/starting Samba and Dovecot in the right sequence (or,
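The "make sure your keytab has the right entry" step from the keytab posts above, as an added example that is not from the thread nor from Dovecot or Samba: the script parses the MIT v2 keytab file format (what `samba-tool domain exportkeytab` and `ktutil` write), lists the entries the way `klist -Kek` prints them, and then reports for one service principal whether the exact, case-sensitive imap/<fqdn>@REALM entry is present, under which KVNOs, and whether its key types are the deprecated single-DES and RC4 ones shown in the klist output above or AES ones. The sample keytab is constructed inside the script; the hostname and realm are the post's, the key bytes are placeholders.

```python
"""Keytab check: added example, not code from the thread, Dovecot or Samba.
Parses an MIT v2 keytab and reports on one service principal the way you would
read `klist -Kek` by eye.  The sample keytab bytes are constructed below."""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
# Single DES (RFC 6649) and RC4/arcfour (RFC 8429) are deprecated; a keytab
# holding only these, as in the thread's klist output, is worth re-exporting.
WEAK_ENCTYPES = {1, 3, 23, 24}


def _cstr(raw):
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal, realm, enctype, key, kvno, timestamp=0, name_type=1):
    """Encode one keytab entry (used here only to construct the sample file)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for c in comps:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)            # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return a list of dicts, one per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cstr(data, pos)
        kvno = vno8
        if end - pos >= 4:                      # a non-zero trailer overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        out.append({"principal": "/".join(comps), "realm": realm.decode(),
                    "enctype": enctype, "kvno": kvno, "key": key})
    return out


def check_service_keys(entries, service, fqdn, realm):
    """Is service/fqdn@REALM in the keytab (case-sensitive), and how strong are its keys?"""
    name = f"{service}/{fqdn}"                  # Kerberos compares this byte-for-byte
    mine = [e for e in entries if e["principal"] == name and e["realm"] == realm]
    weak = [ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            for e in mine if e["enctype"] in WEAK_ENCTYPES]
    strong = [ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
              for e in mine if e["enctype"] not in WEAK_ENCTYPES]
    return {"principal": f"{name}@{realm}", "present": bool(mine),
            "kvnos": sorted({e["kvno"] for e in mine}),
            "weak": weak, "strong": strong, "only_weak": bool(mine) and not strong}


# Constructed sample mirroring the thread's keytab: three keys, all weak types.
SAMPLE_KEYTAB = build_keytab([
    ("imap/mail.hprs.local", "HPRS.LOCAL", 1, bytes(range(8)), 1),
    ("imap/mail.hprs.local", "HPRS.LOCAL", 3, bytes(range(8)), 1),
    ("imap/mail.hprs.local", "HPRS.LOCAL", 23, bytes(range(16)), 1),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):                # same shape as `klist -ek`
        print(f"{e['kvno']:4d} {e['principal']}@{e['realm']} "
              f"({ENCTYPE_NAMES.get(e['enctype'], e['enctype'])})")
    print(check_service_keys(parse_keytab(data), "imap", "mail.hprs.local", "HPRS.LOCAL"))
```

Pointed at a real file (`python3 keytab_check.py /etc/dovecot/dovecot.keytab`) it prints the same principal and enctype lines `klist -ek` does and then the check result. Two things the klist output above invites: the principal match is byte-for-byte, so IMAP/... and imap/... are different entries, which is why the case question in the later posts matters; and a keytab whose only keys are des-cbc-crc, des-cbc-md5 and arcfour-hmac stops working the day the KDC is configured to refuse those types, so it is worth re-exporting once the service account has AES keys.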

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-07-01 Thread Mark Foley
Aki - comments interspersed below ...

--Mark

-Original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Fri, 1 Jul 2016 10:10:43 +0300
>
> The distinction is that kerberos principals are in form
>
> /@
>
> the hostname bit *must* match to the host you are connecting to, exactly
> and verbatim. It can differ in case, I guess.
>
> The service is what service you are connecting to. These have special
> meanings and can be case sensitive (like http won't always work, it has
> to be HTTP).

The current IMAP "Principal" in my keytab is:

imap/mail.hprs.local@HPRS.LOCAL

Explicitly, are you saying it needs to look like:

IMAP/mail@HPRS.LOCAL

Meaning, capitalized "IMAP" and just hostname, no FQDN?

> host/ is always needed in at least system keytab. Not sure if it's
> needed now in the service tab. But I suspect that you need to have IMAP
> and not imap. Also make sure and double-check that the hostname is correct.

Confused.  What do you mean by "host/"? Can you give an example using my host and domain names? I don't know where "host/" goes.  I assume this is not a synonym for "/"?

This is the first I've heard of a system keytab versus a service tab. What are they? Do I need both?

> Once you've done the keytab you'll want to grab a cup of coffee and
> local newspaper or something and read it thru before trying, because it
> might take some time for it to work.

Really? I can reboot this evening.

> Also, your client *and* host needs to be able to access KDC (all of
> them) on 88/tcp.

There should be no problem with the intra-LAN firewall. Everything is permitted, but I'll double-check on the WIN7 workstation I'm testing from.

Is there a way to know for sure my dovecot is enabled for gssapi?

> Aki
>
> On 01.07.2016 09:42, Mark Foley wrote:
> > My keytab now has:
> >
> > ktutil:  read_kt /etc/dovecot/dovecot.keytab
> > ktutil:  list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    1  smtp/mail.hprs.local@HPRS.LOCAL
> >    2    1  imap/mail.hprs.local@HPRS.LOCAL
> >
> > I added these in ktutil with:
> >
> > addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > Aki wrote:
> >
> >> I think the problem still is that your keytab file has no entry
> >> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> >> you also have no host/hostname@DOMAIN
> > Not sure how to interpret your template. Are you suggesting I should ...
> >
> > addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> > addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
> >
> > (one IMAP uppercase and one lowercase?)
> >
> > I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN
> >
> > Meanwhile ...
> >
> > Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi is enabled in my dovecot.  I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only enable gssapi authentication, I get "No authenticators available" (mail client).  How can I verify gssapi is really available? dovecot --build-options shows:
> >
> > Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
> > Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
> > SQL drivers:
> > Passdb: checkpassword passwd passwd-file shadow
> > Userdb: checkpassword nss passwd prefetch passwd-file
> >
> > should I see authentication methods there?
> >
> > --Mark
> >
> > -Original Message-
> > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
> > example]
> > To: dovecot@dovecot.org
> > From: Aki Tuomi <aki.tu...@dovecot.fi>
> > Organization: Dovecot Oy
> > Date: Thu, 30 Jun 2016 09:58:14 +0300
> >
> > I think the problem still is that your keytab file has no entry
> > imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> >
> > you also have no host/hostname@DOMAIN
> >
> > Aki
> >
> > On 29.06.2016 18:40, Mark Foley wrote:
> >> Yes, I think that's exactly correct. I just made a similar reply to Edgar 
> >> Pettijohn about that.
> >> The Thunderbird message is:
> >>
> >> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
> >> m

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-07-01 Thread Mark Foley
My keytab now has:

ktutil:  read_kt /etc/dovecot/dovecot.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1  smtp/mail.hprs.local@HPRS.LOCAL
   2    1  imap/mail.hprs.local@HPRS.LOCAL

I added these in ktutil with:

addent -password -p smtp/mail.hprs.local@HPRS.LOCAL -k 1 -e arcfour-hmac

Aki wrote:

> I think the problem still is that your keytab file has no entry
> imap/hostname@DOMAIN and IMAP/hostname@DOMAIN
> you also have no host/hostname@DOMAIN

Not sure how to interpret your template. Are you suggesting I should ...

addent -password -p IMAP/mail@HPRS.LOCAL -k 1 -e arcfour-hmac
addent -password -p imap/mail@HPRS.LOCAL -k 1 -e arcfour-hmac

(one IMAP uppercase and one lowercase?)

I don't get your distinction between host and hostname in your 3rd example: host/hostname@DOMAIN

Meanwhile ...

Tried a bunch of things.  No go so far.  In fact, I'm questioning if gssapi is enabled in my dovecot.  I did rebuild and reinstall using `./configure --with-gssapi=yes`, but if I only enable gssapi authentication, I get "No authenticators available" (mail client).  How can I verify gssapi is really available? dovecot --build-options shows:

Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc pop3c raw fail
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file

should I see authentication methods there?

--Mark

-Original Message-
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
To: dovecot@dovecot.org
From: Aki Tuomi <aki.tu...@dovecot.fi>
Organization: Dovecot Oy
Date: Thu, 30 Jun 2016 09:58:14 +0300

I think the problem still is that your keytab file has no entry
imap/hostname@DOMAIN and IMAP/hostname@DOMAIN

you also have no host/hostname@DOMAIN

Aki

On 29.06.2016 18:40, Mark Foley wrote:
> Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is:
>
> "The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."
>
> I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong.
>
> Thanks for your help! I'm sure this is solvable!
>
> --Mark
>
> -Original Message-
>> Date: Wed, 29 Jun 2016 08:03:14 -0400
>> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>> From: brendan kearney <bpk...@gmail.com>
>> To: Mark Foley <mfo...@ohprs.org>
>> Cc: dovecot@dovecot.org
>>
>> The last log line shows "user=<>".  This indicates no credentials were
>> presented.  If the rip field matches the client ip you tested from, I would
>> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
>> pulled for the authentication.
>> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:
> [deleted]


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-29 Thread Mark Foley
Yes, I think that's exactly correct. I just made a similar reply to Edgar Pettijohn about that. The Thunderbird message is:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

I made further comments in that message that I won't clutter the list by repeating here. Check out that message and see what you think could be wrong.

Thanks for your help! I'm sure this is solvable!

--Mark

-Original Message-
> Date: Wed, 29 Jun 2016 08:03:14 -0400
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> From: brendan kearney <bpk...@gmail.com>
> To: Mark Foley <mfo...@ohprs.org>
> Cc: dovecot@dovecot.org
>
> The last log line shows "user=<>".  This indicates no credentials were
> presented.  If the rip field matches the client ip you tested from, I would
> bet the appropriate kerberos ticket (imap/host.domain.tld@REALM) was not
> pulled for the authentication.
> On Jun 28, 2016 11:33 PM, "Mark Foley" <mfo...@ohprs.org> wrote:

[deleted]


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-29 Thread Mark Foley
On Tue, 28 Jun 2016 22:52:25 -0500 Edgar Pettijohn <ed...@pettijohn-web.com> 
wrote:

> What does thunderbird tell you?

Good question.  I saw Tbird's message after sending my last email.  When Tbird starts I get a message box in the lower right saying:

"The Kerberos/GSSAPI ticket was not accepted by the IMAP server m...@ohprs.org. Please check that you are logged in to the Kerberos/GSSAPI realm."

The interesting bit, to me, is that the IMAP server's hostname is not m...@ohprs.org. It should be mail.ohprs.org, or I would rather expect it to be mail.hprs.local using the actual local domain/realm name, not the public FQDN. I'm suspecting there is something wrong with the kerberos config.

To further confuse.  There *is* a WIN7 workstation 'mark' in the domain, though not the workstation from which this testing is being done (this workstation is named 'common') and host 'mark' is not reachable as m...@ohprs.org.  Furthermore, the Thunderbird account/user for this testing is also 'mark', not to be confused with the host 'mark' (though I think that's exactly what's being confused).

Where is this m...@ohprs.org coming from? The Thunderbird Account Name is m...@ohprs.org, which is this user's email address.

Perhaps Thunderbird simply has a badly worded error message and didn't really mean "IMAP server m...@ohprs.org", or perhaps kerberos is not configured correctly.  My /etc/krb5.conf is shown below.  Any ideas on what might be wrong?

> >>> [libdefaults]
> >>>  default_realm = HPRS.LOCAL
> >>>  dns_lookup_realm = false
> >>>  dns_lookup_kdc = true
> >>> 
> >>> [libdefaults]
> >>>  default_realm = HPRS.LOCAL
> >>>  dns_lookup_kdc = true
> >>>  kdc_timesync = 1
> >>>  ccache_type = 4
> >>>  forwardable = true
> >>>  proxiable = true
> >>>  fcc-mit-ticketflags = true
> >>> 
> >>> [realms]
> >>>  HPRS.LOCAL = {
> >>>default_domain = hprs.local
> >>>auth_to_local_names = {
> >>>Administrator = root
> >>>  }
> >>> }
> >>> 
> >>> [domain_realm]
> >>>hprs.local = HPRS.LOCAL
> >>> # this is not a mistake
> >>>.hprs.local = HPRS.LOCAL

Thanks, --Mark

-Original Message-
> From: Edgar Pettijohn <ed...@pettijohn-web.com>
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> Date: Tue, 28 Jun 2016 22:52:25 -0500
> To: Mark Foley <mfo...@ohprs.org>
>
>
>
> > On Jun 28, 2016, at 10:32 PM, Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled.
> >
> > HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host:
> > 
> What does thunderbird tell you?
>
>
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
> > Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
> > Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
>

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki - partial success! I rebuilt my dovecot with ./config --with-gssapi, and restarted. Now I don't get that "Unknown authentication mechanism 'gssapi'" message in maillog, and mail is delivered successfully to the other domain users having PLAIN authentication. That's a big step. In examining my original config.log output I apparently did not have --with-gssapi enabled.

HOWEVER - the Thunderbird client configured for 'Kerberos / GSSAPI' still cannot correctly authenticate and retrieve mail. Here is the dovecot log for that host:

Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 28 22:44:05 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jun 28 22:44:05 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Jun 28 22:44:05 auth: Debug: auth client connected (pid=24076)
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:06 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Debug: SSL alert: close notify [192.168.0.58]
Jun 28 22:44:11 imap-login: Info: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.168.0.58, lip=98.102.63.107, TLS, session=

Does this tell you anything? `doveconf -n` and krb5.conf are configured as shown in previous messages below.

Closer! --Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Tue, 28 Jun 2016 22:04:42 -0400
To: dovecot@dovecot.org
Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]

Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send this.  I am on version 2.2.15 and I see that the current downloadable version is 2.2.24.  Should I upgrade? Do you think that would help? (a perusal of the changes since 2.2.15 shows nothing obvious related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > --SNIP
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki, you wrote:

> Doh. Seems your dovecot isn't compiled with gssapi support? Can you compile 
> it yourself?
>
> I'll try to check status of NTLM this week.

I'm OK with continuing to try gssapi, esp. if NTLM is restricted to v1.

I do have the Dovecot sources and will peruse the possible options after I send
this.  I am on version 2.2.15 and I see that the current downloadable version is
2.2.24.  Should I upgrade? Do you think that would help? (a perusal of the
changes since 2.2.15 shows nothing obvious related to gssapi)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 18:06:10 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 5:17 PM Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > 
> > Aki - made your suggested changes, but no joy :(
> > 
> > My /etc/krb5.conf:
> > 
> > --SNIP
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = true
> > 
> > [libdefaults]
> >   default_realm = HPRS.LOCAL
> >   dns_lookup_kdc = true
> >   kdc_timesync = 1
> >   ccache_type = 4
> >   forwardable = true
> >   proxiable = true
> >   fcc-mit-ticketflags = true
> > 
> > [realms]
> >   HPRS.LOCAL = {
> > default_domain = hprs.local
> > auth_to_local_names = {
> > Administrator = root
> >   }
> > }
> > 
> > [domain_realm]
> > hprs.local = HPRS.LOCAL
> > # this is not a mistake
> > .hprs.local = HPRS.LOCAL
> > --PINS---
> > 
> > you wrote:
> > > You can remove the krb4_ stuff
> > 
> > I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
> > section altogether.
> > Question on [realms]Administrator: should that really be root or should it 
> > be my AD Administrator?
> > 
> > my doveconf -n is exactly the same as posted below, but in particular:
> > 
> > auth_krb5_keytab = /etc/krb5.keytab
> > auth_mechanisms = plain login gssapi
> > 
> > When I reloaded dovecot no mail was delivered to anyone (even though 
> > everyone was still using
> > plain/ssl, no one yet configured for gssapi).
> > 
> > In /var/log/maillog I got (repeatedly):
> > 
> > Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not 
> > responding, delayed sending initial response (greeting): user=<>, 
> > rip=192.168.0.54, lip=192.168.0.2, session=
> > Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
> > 'gssapi'
> > Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
> > failed, throttling for 60 secs
> > Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not 
> > responding, delayed sending initial response (greeting): user=<>, 
> > rip=166.170.27.161, lip=98.102.63.107, TLS, session=
> > 
> > This looks pretty bad right off. Why "Unknown authentication mechanism 
> > 'gssapi'"?
> > 
> > Do you have any idea from the configs I've posted? I'm rather depressed 
> > about this. I thought I'd
> > finally be able to get AD authentication going for Dovecot. Not ready to give 
> > up though!
> > 
> > Suggestions?
> > 
> > THX -- Mark
> > 
> > -original Message-
> > > Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config 
> > > example]
> > > To: dovecot@dovecot.org
> > > From: Aki Tuomi <aki.tu...@dovecot.fi>
> > > Date: Tue, 28 Jun 2016 15:13:11 +0300
> > >
> > > On 28.06.2016 09:27, Mark Foley wrote:
> > > > Aki,
> > > >
> > > > To review your 5 points:
> > > >
> > > > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> 
> > > > wrote:
> > > >
> > > >> 1. Functional AD or Kerberos environment
> > > >> 2. Time synced against your KDC (which is your Domain Controller on 
> > > >> Windows)
> > > >> 3. /etc/krb5.conf configured
> > > >> 4. Both forward / reverse DNS names correct for clients and servers.
> > > >> Reverse is only mandatory for servers, but having them right will work
> > > >> wonders. Most kerberos problems are about DNS problems.
> > > >> 5. You need a keytab. This keytab needs to hold entries like
> > > >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki - made your suggested changes, but no joy :(

My /etc/krb5.conf:

--SNIP
[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[libdefaults]
  default_realm = HPRS.LOCAL
  dns_lookup_kdc = true
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  fcc-mit-ticketflags = true

[realms]
  HPRS.LOCAL = {
default_domain = hprs.local
auth_to_local_names = {
Administrator = root
  }
}

[domain_realm]
hprs.local = HPRS.LOCAL
# this is not a mistake
.hprs.local = HPRS.LOCAL
--PINS---

you wrote:
> You can remove the krb4_ stuff

I've removed the krb4_ stuff from the [libdefaults] and eliminated the [login] 
section altogether.
Question on [realms]Administrator: should that really be root or should it be 
my AD Administrator?

my doveconf -n is exactly the same as posted below, but in particular:

auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi

When I reloaded dovecot no mail was delivered to anyone (even though everyone 
was still using
plain/ssl, no one yet configured for gssapi).

In /var/log/maillog I got (repeatedly):

Jun 28 09:43:36 mail dovecot: imap-login: Warning: Auth process not responding, 
delayed sending initial response (greeting): user=<>, rip=192.168.0.54, 
lip=192.168.0.2, session=
Jun 28 09:43:37 mail dovecot: auth: Fatal: Unknown authentication mechanism 
'gssapi'
Jun 28 09:43:37 mail dovecot: master: Error: service(auth): command startup 
failed, throttling for 60 secs
Jun 28 09:43:37 mail dovecot: imap-login: Warning: Auth process not responding, 
delayed sending initial response (greeting): user=<>, rip=166.170.27.161, 
lip=98.102.63.107, TLS, session=

This looks pretty bad right off. Why "Unknown authentication mechanism 
'gssapi'"?

Do you have any idea from the configs I've posted? I'm rather depressed about 
this. I thought I'd
finally be able to get AD authentication going for Dovecot. Not ready to give up 
though!

Suggestions?

THX -- Mark

-original Message-
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Date: Tue, 28 Jun 2016 15:13:11 +0300
>
> On 28.06.2016 09:27, Mark Foley wrote:
> > Aki,
> >
> > To review your 5 points:
> >
> > On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
> >
> >> 1. Functional AD or Kerberos environment
> >> 2. Time synced against your KDC (which is your Domain Controller on 
> >> Windows)
> >> 3. /etc/krb5.conf configured
> >> 4. Both forward / reverse DNS names correct for clients and servers.
> >> Reverse is only mandatory for servers, but having them right will work
> >> wonders. Most kerberos problems are about DNS problems.
> >> 5. You need a keytab. This keytab needs to hold entries like
> >> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> >> these on any Windows DC server (at least).
> > I believe I am good on 1, 2 and 4.  I downloaded and installed kerberos and
> > tested it with kinit and klist according to the instructions at
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos
> >
> > As to the keytab (#5) I did the following:
> >
> > $ samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > which created the file.  I made this owned and readable by group dovecot,
> > per instructions at http://wiki2.dovecot.org/Authentication/Kerberos.
> > Running `klist -k /etc/krb5.keytab` shows me a configuration listing all
> > the users and computers in the domain, mostly in triplicate.  A partial
> > list:
> >
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> >  
> > --
> >18 COMMON$@HPRS.LOCAL
> >18 COMMON$@HPRS.LOCAL
> >18 COMMON$@HPRS.LOCAL
> > 1 MAIL$@HPRS.LOCAL
> > 1 MAIL$@HPRS.LOCAL
> > 1 MAIL$@HPRS.LOCAL
> > 1 charmaine@HPRS.LOCAL
> > 1 charmaine@HPRS.LOCAL
> > 1 charmaine@HPRS.LOCAL
> >
> > where COMMON and MAIL are hosts and charmaine is a user. I don't really 
> > understand the listing,
> > but am assuming it is OK.
>
> Strange that you do not have any host/ entries. Maybe it works without.
>
> >> setspn -q is helpful here, also setspn command in general.
> > I have no such command in my system. Is that a Windows thing?
> >
>
> Yes, but you can do those kind of things in Samba too.
>
> > As to the /etc/krb5.conf, the default one generated by s

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-28 Thread Mark Foley
Aki,

To review your 5 points:

On Mon, 27 Jun 2016 09:18:54 +0300 Aki Tuomi  wrote:

> 1. Functional AD or Kerberos environment
> 2. Time synced against your KDC (which is your Domain Controller on Windows)
> 3. /etc/krb5.conf configured
> 4. Both forward / reverse DNS names correct for clients and servers.
> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.
> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

I believe I am good on 1, 2 and 4.  I downloaded and installed kerberos and
tested it with kinit and klist according to the instructions at
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

As to the keytab (#5) I did the following:

$ samba-tool domain exportkeytab /etc/krb5.keytab

which created the file.  I made this owned and readable by group dovecot, per
instructions at http://wiki2.dovecot.org/Authentication/Kerberos.  Running
`klist -k /etc/krb5.keytab` shows me a configuration listing all the users and
computers in the domain, mostly in triplicate.  A partial list:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL

where COMMON and MAIL are hosts and charmaine is a user. I don't really 
understand the listing,
but am assuming it is OK.

> setspn -q is helpful here, also setspn command in general.

I have no such command in my system. Is that a Windows thing?


As to the /etc/krb5.conf, the default one generated by samba is:

[libdefaults]
default_realm = HPRS.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I'd like to modify that to your suggestions, but I need more help. You have 
(with my questions):

> Here is a *SAMPLE* configuration:
>
> [libdefaults]
> default_realm = YOUR.REALM
> dns_lookup_kdc = true
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms

Here, you have krb4_*. Do you mean that? My config file is krb5.conf. Should I 
rather have:

krb5_config = /etc/krb5.conf

Also, I have no /etc/krb*.realms file. Do I need this? If so, what should be in 
there?

> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> fcc-mit-ticketflags = true
>
> [realms]
> YOUR.REALM = {
> default_domain = your.domain.name
> auth_to_local_names = {
> Administrator = root
> }
> }

I suppose my "YOUR.REALM" is HPRS.LOCAL, right? Is my "your.domain.name" my 
FQDN for my AD
server: mail.hprs.local, or is it just hprs.local? (or something else!)

> [domain_realm]
>   your.domain.name = YOUR.REALM
> # this is not a mistake
>   .your.domain.name = YOUR.REALM
> [login]
> krb4_convert = true
> krb4_get_tickets = false

Likewise here a question on the whole krb4 versus krb5 thing.

Your closing comment:

> Also, note that kerberos can only act as AUTHENTICATION system. It
> cannot act as USER DATABASE. For that you need to configure LDAP or
> something else. With Active Directory LDAP is probably a damn good idea.

I have the following doveconf -n:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = 
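
Item 5 of Aki's checklist is the one this message stalls on: `samba-tool domain exportkeytab` produced a keytab of machine and user principals with no imap/ service entry for the mail host, and the first attempt had gssapi listed with no keytab configured at all. The script below is an added example, not code from this thread or from Dovecot; it takes the captured text of `klist -k` and `doveconf -n` and checks for the service principal and for the gssapi mechanism and keytab settings. The function names, the sample listings and the lowercase `imap/` spelling are assumptions.

```shell
#!/bin/sh
# gssapi_preflight.sh: an added example, not code from this thread or from
# Dovecot. It checks two of Aki's prerequisites against captured command
# output so it runs offline: (5) the keytab holds a service principal for
# the mail host, and the Dovecot side has gssapi enabled and a keytab path.
# All function names and the sample inputs below are hypothetical.

# keytab_has_principal KLIST_OUTPUT SERVICE HOST REALM
# KLIST_OUTPUT is the text of `klist -k <keytab>`. Succeeds if a KVNO line
# carries SERVICE/HOST@REALM. The comparison ignores case because the thread
# shows both "IMAP/" and "imap/" spellings.
keytab_has_principal() {
    klist_out=$1; service=$2; host=$3; realm=$4
    want=$(printf '%s/%s@%s' "$service" "$host" "$realm" | tr 'A-Z' 'a-z')
    printf '%s\n' "$klist_out" | awk -v want="$want" '
        NF >= 2 && $1 ~ /^[0-9]+$/ && tolower($2) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# doveconf_gssapi_ready DOVECONF_OUTPUT
# DOVECONF_OUTPUT is the text of `doveconf -n`. Succeeds, and prints the
# keytab path, only if auth_mechanisms lists gssapi and auth_krb5_keytab
# is set; the thread's first attempt had gssapi listed but no keytab.
doveconf_gssapi_ready() {
    conf=$1
    mechs=$(printf '%s\n' "$conf" | sed -n 's/^auth_mechanisms *= *//p')
    keytab=$(printf '%s\n' "$conf" | sed -n 's/^auth_krb5_keytab *= *//p')
    case " $mechs " in
        *" gssapi "*) ;;
        *) return 1 ;;
    esac
    [ -n "$keytab" ] || return 1
    printf '%s\n' "$keytab"
}

# gssapi_preflight KLIST_OUTPUT DOVECONF_OUTPUT HOST REALM
# Runs both checks, prints one line per check, and fails if either fails.
gssapi_preflight() {
    klist_out=$1; conf=$2; host=$3; realm=$4
    status=0
    if keytab=$(doveconf_gssapi_ready "$conf"); then
        echo "ok: gssapi enabled, auth_krb5_keytab = $keytab"
    else
        echo "FAIL: auth_mechanisms lacks gssapi or auth_krb5_keytab is unset"
        status=1
    fi
    if keytab_has_principal "$klist_out" imap "$host" "$realm"; then
        echo "ok: keytab holds imap/$host@$realm"
    else
        echo "FAIL: keytab has no imap/$host@$realm entry" \
             "(machine and user principals alone are not enough)"
        status=1
    fi
    return $status
}

# Constructed sample inputs, modelled on the listings quoted in the thread.
# Exported keytab with machine and user principals only, no imap/ entry:
SAMPLE_KLIST_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  18 COMMON$@HPRS.LOCAL
   1 MAIL$@HPRS.LOCAL
   1 charmaine@HPRS.LOCAL'

# The same keytab once a service principal for the mail host has been added:
SAMPLE_KLIST_AFTER="$SAMPLE_KLIST_BEFORE
   2 imap/mail.hprs.local@HPRS.LOCAL"

SAMPLE_DOVECONF='auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = plain login gssapi
passdb {
  driver = shadow
}'

# Demonstration: the first run is expected to fail on the keytab check,
# the second to pass both checks.
gssapi_preflight "$SAMPLE_KLIST_BEFORE" "$SAMPLE_DOVECONF" mail.hprs.local HPRS.LOCAL || true
gssapi_preflight "$SAMPLE_KLIST_AFTER" "$SAMPLE_DOVECONF" mail.hprs.local HPRS.LOCAL
```

The script cannot tell whether the Dovecot binary itself was built with GSSAPI support, which is what the later "Unknown authentication mechanism 'gssapi'" error in this thread points to; that has to be checked against the build, not the configuration.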

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Mark Foley
aki.tu...@dovecot.fi wrote:

> As mentioned before, you can use ldap as userdb instead of static userdb. 
> Username matching in AD environment should be done against userPrincipalName 
> attribute.

Do you see any problem with my continuing to use:

userdb {
driver = passwd
}

... with gssapi? (providing I get other configs correct)

--Mark

-Original Message-
> Date: Tue, 28 Jun 2016 00:19:45 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
>
> > On June 28, 2016 at 12:02 AM Jan Jurkus  wrote:
> > 
> > 
> > Hi,
> > 
> > I'm not entirely happy with the static userdb, because of the 
> > limitations with kerberos/pam, but this can of course be changed rather 
> > easily. The hardest part is to get the SSO working.
> > One of the limitations is stated here: 
> > http://wiki.dovecot.org/UserDatabase/Static
> > 
> > Postfix SMTP auth is using LMTP, reading from my notes.
> > 
> > I hope you can get a clearer picture with this rather long and chaotic 
> > reply.
> > 
>
> As mentioned before, you can use ldap as userdb instead of static userdb. 
> Username matching in AD environment should be done against userPrincipalName 
> attribute.
>
> This should let you get rid of pam as well.
>
> ---
> Aki Tuomi 
> Dovecot oy 
>
> > -- 
> > Jan Jurkus | ICT Beheerder | GCE cad-service B.V.
> > Postbus 12, 3220 AA Hellevoetsluis
> > Daltonweg 9, 3225 LR Hellevoetsluis
> > tel: 0181-336955 | fax: 0181-311899
> > j.jur...@gcecad-service.nl | www.gcecad-service.nl


Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Mark Foley
Jan, thanks for your helpful reply. You wrote:

> With Dovecot I got the SSO working with Kerberos, and this part is 
> working great. Other parts (shared mailboxes, that sort of stuff) aren't 
> working for me yet. ...

I'm the opposite. My mailbox setup has been working great for a year and a 
half, though I've
not bothered with shared mailboxes yet.

I've attempted to follow your instructions, but am still having problems.
First, my errors:

Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 01:04:49 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 28 01:04:49 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Jun 28 01:04:49 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Jun 28 01:04:49 imap-login: Info: Disconnected: Auth process broken 
(disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, 
lip=98.102.63.107, session=

Now, your instructions:

> One of the tricky bits is you need a kerberos keytab with two services. 
> I used ktutil:
> # ktutil
>ktutil: read_kt mail-imap.keytab
>ktutil: read_kt mail-smtp.keytab
>ktutil: write_kt mail.keytab
>ktutil: quit
>
> I'm using a windows 2003 r2 server as domain controller, to create a 
> keytab file you need the windows 2003 support tools.
>
> ktpass.exe -princ imap/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL 
> -mapuser GCECAD-SERVICE\mail-imap -crypto RC4-HMAC-NT -pass koeltje234 
> -ptype KRB5_NT_PRINCIPAL -out mail-imap.keytab
>
> ktpass.exe -princ smtp/mailserver.gcecad-service.nl@GCECAD-SERVICE.LOCAL 
> -mapuser GCECAD-SERVICE\mail-smtp -crypto RC4-HMAC-NT -pass koeltje234 
> -ptype KRB5_NT_PRINCIPAL -out mail-smtp.keytab

I ran ktutil, but the commands "read_kt mail-imap.keytab" and "read_kt 
mail-smtp.keytab" 
returned: No such file or directory while reading keytab "mail-imap.keytab"

Perhaps your subsequent ktpass commands are meant to create those. I do not
have a ktpass command. I therefore do not have these files. I suppose that could
be part of my problem. Can you share the actual contents of these files? I could
create them by hand. Do Dovecot and/or kerberos know where to look for these?

> On the dovecot server I had to install a kerberos package:

Likewise, I installed kerberos for slackware. It tested OK. I was able to do a 
kinit and klist
per the instruction at 
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

> My kerberos configuration:
> # vi /etc/krb5.conf
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log

I added the [logging] section.  Of note, these log files do not exist after
multiple attempts with my gssapi connection.  Probably a bad sign.

> [libdefaults]
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   forwardable = true
>   rdns = false
>   default_realm = GCECAD-SERVICE.LOCAL
>   default_keytab_file = /etc/krb5.keytab
>   default_ccache_name = KEYRING:persistent:%{uid}
>   allow_weak_crypto = true
>   default_tkt_enctypes = arcfour-hmac-md5
>   default_tgs_enctypes = arcfour-hmac-md5
>   permitted_enctypes = arcfour-hmac-md5
 
I added all these as well, changing your GCECAD-SERVICE.LOCAL to my HPRS.LOCAL

> [appdefaults]
>   pam = {
>debug = false
>ticket_lifetime = 24h
>renew_lifetime = 7d
>forwardable = true
>krb4_convert = false
>   }

I also added this [appdefaults] section.

>
> [realms]
>   GCECAD-SERVICE.LOCAL = {
>kdc = this.is.the.dns.name.of.your.kdc
>admin_server = this.is.the.dns.name.of.your.kdc
>   }

I tried with and without this section. Not sure what
this.is.the.dns.name.of.your.kdc is supposed to be. I changed mine to the
domain FQDN of the server:

[realms]
  HPRS.LOCAL = {
kdc = mail.hprs.local
admin_server = mail.hprs.local
  }

>
> [domain_realm]
>   .gcecad-service.local = GCECAD-SERVICE.LOCAL
>   gcecad-service.local = GCECAD-SERVICE.LOCAL
>   .gcecad-service.nl = GCECAD-SERVICE.LOCAL
>   gcecad-service.nl = GCECAD-SERVICE.LOCAL
>

I also tried with and without this section. Again, not sure what should go 
there. I tried:

[domain_realm]
  .hprs.local = HPRS.LOCAL
  hprs.local = HPRS.LOCAL
  .hprs.nl = HPRS.LOCAL
  hprs.nl = HPRS.LOCAL

I'm a bit skeptical on the above as .nl is your public top level domain.

In fact, after adding these sections I got no error logged in dovecot_log, but 
did get a
message pop up on Thunderbird saying, "Could not connect to mail server 
m...@ohprs.org; the
connection was refused."

> Dovecot config, the needed parts:
> In /etc/dovecot/conf.d/10-auth.conf :
> auth_krb5_keytab = /etc/dovecot/mail.keytab
> auth_mechanisms = plain gssapi

I added those.

> In /etc/dovecot/conf.d/auth-system.conf.ext :
> passdb {
>driver = 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-27 Thread Mark Foley
Aki, again, thanks A LOT for your reply. Concerning your checklist:

> 1. Functional AD or Kerberos environment

Check!

> 2. Time synced against your KDC (which is your Domain Controller on Windows)

Check! (needed for AD/DC anyway)

> 3. /etc/krb5.conf configured

NO

> 4. Both forward / reverse DNS names correct for clients and servers.

> Reverse is only mandatory for servers, but having them right will work
> wonders. Most kerberos problems are about DNS problems.

Check!

> 5. You need a keytab. This keytab needs to hold entries like
> IMAP/your.host.name@REALM  and IMAP/$HOSTNAME@REALM. You can generate
> these on any Windows DC server (at least).

NO

So, I'm apparently lacking in the kerberos stuff. Here's the problem -- Samba4 
uses Heimdal
Kerberos and when I provisioned my domain apparently none of these needed 
kerberos files were
set up. I can, however, kerberos authenticate from domain workstations both 
WIN7 and Linux.

I will (and have already) contacted the Samba list to see what needs to be done.

I'll post back what I find.

Maybe I can finally get to the bottom of this problem.

Thanks again -- Mark

-Original Message
> Subject: Re: Looking for GSSAPI config [was: Looking for NTLM config example]
> To: dovecot@dovecot.org
> From: Aki Tuomi <aki.tu...@dovecot.fi>
> Organization: Dovecot Oy
> Date: Mon, 27 Jun 2016 09:18:54 +0300
>
> On 27.06.2016 07:31, Mark Foley wrote:
> > Thanks for the reply.  When you say it [NTLM] "should" work, I understand 
> > you to be implying
> > you've not actually tried NTLM yourself, right? I've never gotten a 
> > response from someone
> > saying they have or are actually using it. Your subsequent messages about 
> > NTLM v[1|2] may be
> > the problem, but email clients I've tried (Outlook, Thunderbird) don't 
> > really give a choice.
> >
> > That's OK, I'd be glad to try something different that would work!!! I am 
> > trying your advice
> > for gssapi.  I've followed the instructions at
> > http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I 
> > changed the
> > auth_mechanism line to:
> >
> > auth_mechanisms = plain login gssapi
> >
> > Which is only different from before with the addition of "gssapi".  That's 
> > all I've done.  I'm
> > using the same userdb as before which is /etc/passwd.  My doveconf -n is:
> >
> > --SNIP
> >> doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login gssapi
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> >   driver = shadow
> > }
> > protocols = imap
> > ssl_cert = 
> >  > ssl_key =  > userdb {
> >   driver = passwd
> > }
> > verbose_ssl = yes
> > PINS-
> >
> > I attempted to connect from Thunderbird on Ubuntu 15.10 to Dovecot on a 
> > Slackware 14.1 AD/DC. I
> > selected "Kerberos/GSSAPI" as the authentication method on Tbird. When 
> > trying the connection I
> > got the following in my Dovecot log:
> >
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
> > used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 imap-login: Debug: SSL: elliptic curve secp384r1 will be 
> > used for ECDH and ECDHE key exchanges
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: 
> > /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 auth: Debug: Loading modules from directory: 
> > /usr/local/lib/dovecot/auth
> > Jun 27 00:04:54 imap-login: Info: Disconnected: Auth process broken 
> > (disconnected before auth was ready, waited 0 secs): user=<>, 
> > rip=192.168.0.99, lip=98.102.63.107, session=
> >
> > So, any idea why this is not working? I'll say up-front that I do not have 
> > the auth_krb5_keytab
> > configured in 10-auth.conf. I could find no such file on the host running 
> > Dovecot. Is that file
> > needed? If so, I've got a message in to the Samba4 folks asking where it is 
> > located.
> >
> > I'm also using Dovecot 2.2.15. Too old?
> >
> > Do you think auth_krb5_keytab is my problem or something deeper?
> >
> > THX --Mark
> >
>
> You need to set up keytab. I'll assume you know nothing about kerberos,
> so please if you already knew all this, sorry.
>
> For kerberos to work PROPERLY you nee

Re: Looking for NTLM config example

2016-06-27 Thread Mark Foley
While continuing to test gssapi, I thought I'd check out your suggestion on
NTLM v1. I did set Thunderbird to NTLM v1 and modified the Dovecot config:

auth_debug_passwords = yes
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , 
rip=192.168.0.54, lip=192.168.0.2, session=
Jun 27 02:34:58 imap-login: Info: Disconnected: Auth process broken 
(disconnected before auth was ready, waited 8 secs): user=<>, rip=192.168.0.58, 
lip=98.102.63.107, session=
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Jun 27 02:34:58 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges

This looks quite similar to the output I got with the gssapi test. It seems 
there is nothing I
can do to get AD authentication working with Dovecot. Do you (or anyone) have 
any ideas?

What does "disconnected before auth was ready" mean?

Has anyone on Planet Earth actually used either NTLM or GSSAPI successfully 
with Dovecot?
Please speak up! Let me know you exist!

--Mark

-Original Message-
> Date: Sun, 26 Jun 2016 15:08:03 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org, Mark Foley <mfo...@ohprs.org>
> Subject: Re: Looking for NTLM config example
>
> Also it seems we lack support for NTLMv2. If you want to use NTLM you need to 
> permit use of NTLM(v1), which is usually not enabled by default.
>
> Aki
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > 
> > I've asked this several times over the past year with essentially zero 
> > responses. I'll keep it simple:
> > 
> > Does NTLM authentication work in Dovecot?
> > 
> > I'll post this one last time. If I still have no responses I'll have to 
> > conclude that no one
> > has actually tried this authentication method and it therefore does not 
> > work.
> > 
> > Thanks, --Mark
> > 
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> > 
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, 
> > > I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my 
> > > Samba4 AD/DC. 
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM 
> > > authentication for domain
> > > user login.  I should be able to do the same for email!
> > >
> > > But, I need help. I went to 
> > > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authentication submethods" synonymous with 
> > > "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and 
> > > NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what 
> > > the 4 NTLM
> > > authentication submethods are, tells you what password schemes are, tells 
> > > you what the NTLM
> > > client/server handshake is, but doesn't actually tell you how to 
> > > configure dovecot config
> > > files.  I'm much more interested in the "how to" than in: "NTLMv2: server 
> > > and client nonce,
> > > MITM can't force downgrade" ...  whatever that means. 
> > >
> > > Anyway, probably it's my lack of understanding terminology.  I don't even 
> > > know what a "nonce"
> > > is.  But, I learn well from examples! Can someone please give me a sample 
> > > 10-auth.conf for NTLM
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly 
> > > for well over a year
> > > now, are:
> > >
> > > $ dovecot -n
> > > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > > auth_debug_passwords = yes
> > > auth_mechanisms = plain login
> > > auth_verbose = yes
> > > auth_verbose_passwords = plain
> > > 

Re: Looking for GSSAPI config [was: Looking for NTLM config example]

2016-06-26 Thread Mark Foley
Thanks for the reply.  When you say it [NTLM] "should" work, I understand you 
to be implying
you've not actually tried NTLM yourself, right? I've never gotten a response 
from someone
saying they have or are actually using it. Your subsequent messages about NTLM 
v[1|2] may be
the problem, but email clients I've tried (Outlook, Thunderbird) don't really 
give a choice.

That's OK, I'd be glad to try something different that would work!!! I am 
trying your advice
for gssapi.  I've followed the instructions at
http://wiki2.dovecot.org/Authentication/Kerberos.  In my 10-auth.conf I changed 
the
auth_mechanism line to:

auth_mechanisms = plain login gssapi

Which is only different from before with the addition of "gssapi".  That's all 
I've done.  I'm
using the same userdb as before which is /etc/passwd.  My doveconf -n is:

--SNIP
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login gssapi
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = , rip=192.168.0.99, 
lip=98.102.63.107, session=

So, any idea why this is not working? I'll say up-front that I do not have the 
auth_krb5_keytab
configured in 10-auth.conf. I could find no such file on the host running 
Dovecot. Is that file
needed? If so, I've got a message in to the Samba4 folks asking where it is 
located.

I'm also using Dovecot 2.2.15. Too old?

Do you think auth_krb5_keytab is my problem or something deeper?

THX --Mark

-Original Message-
> Date: Sun, 26 Jun 2016 14:00:49 +0300 (EEST)
> From: aki.tu...@dovecot.fi
> To: dovecot@dovecot.org
> Subject: Re: Looking for NTLM config example
>
> It should work. Although if you are using linux server you might want to use 
> gssapi instead. 
>
> > On June 25, 2016 at 7:43 PM Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > 
> > I've asked this several times over the past year with essentially zero 
> > responses. I'll keep it simple:
> > 
> > Does NTLM authentication work in Dovecot?
> > 
> > I'll post this one last time. If I still have no responses I'll have to 
> > conclude that no one
> > has actually tried this authentication method and it therefore does not 
> > work.
> > 
> > Thanks, --Mark
> > 
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Fri, 22 Apr 2016 02:07:24 -0400
> > Organization: Ohio Highway Patrol Retirement System
> > To: dovecot@dovecot.org
> > Subject: Looking for NTLM config example
> > 
> > > Now that I am running Thunderbird on Linux and away from Windows/Outlook, 
> > > I'd like to take
> > > another run at setting up NTLM authentication from Thunderbird to my 
> > > Samba4 AD/DC. 
> > >
> > > With the help of the samba maillist folks I was able to set up NTLM 
> > > authentication for domain
> > > user login.  I should be able to do the same for email!
> > >
> > > But, I need help. I went to 
> > > http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> > > lost immediately. Are "authentication submethods" synonymous with 
> > > "password schemes"? The 7th
> > > line down says, "NTLM password scheme is required for NTLM, NTLM2 and 
> > > NTLMv2.", but in the
> > > referenced link I found no reference to "NTLM password scheme".
> > >
> > > The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> > > http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what 
> > > the 4 NTLM
> > > authentication submethods are, tell you what password schemes are, tell 
> > > you what the NTLM
> > > client/server handshake is, but don't actually tell you how to 
> > > configure dovecot config
> > > files.  I'm much more interested in the "how to" than in: "NTLMv2: server 
> > > and client nonce,
> > > MITM can't force downgrade" ...  whatever that means. 
> > >
> > > Anyway, probably it's my lack of understanding terminology.  I don't even 
> > > know what a "nonce"
> > > is.  But, I learn well from examples! Can someone please give me a sample 
> > > 10-auth.conf for NTLM
> > > and any other supporting settings or configs I need?
> > >
> > > My current/working dovecot settings, which have been running perfectly 
> > > for well over a year
> > > now

Re: Looking for NTLM config example

2016-06-25 Thread Mark Foley
I've asked this several times over the past year with essentially zero 
responses. I'll keep it simple:

Does NTLM authentication work in Dovecot?

I'll post this one last time. If I still have no responses I'll have to 
conclude that no one
has actually tried this authentication method and it therefore does not work.

Thanks, --Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Fri, 22 Apr 2016 02:07:24 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Looking for NTLM config example

> Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd 
> like to take
> another run at setting up NTLM authentication from Thunderbird to my Samba4 
> AD/DC. 
>
> With the help of the samba maillist folks I was able to set up NTLM 
> authentication for domain
> user login.  I should be able to do the same for email!
>
> But, I need help. I went to 
> http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
> lost immediately. Are "authentication submethods" synonymous with "password 
> schemes"? The 7th
> line down says, "NTLM password scheme is required for NTLM, NTLM2 and 
> NTLMv2.", but in the
> referenced link I found no reference to "NTLM password scheme".
>
> The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
> http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 
> NTLM
> authentication submethods are, tell you what password schemes are, tell you 
> what the NTLM
> client/server handshake is, but don't actually tell you how to configure 
> dovecot config
> files.  I'm much more interested in the "how to" than in: "NTLMv2: server and 
> client nonce,
> MITM can't force downgrade" ...  whatever that means. 
>
> Anyway, probably it's my lack of understanding terminology.  I don't even 
> know what a "nonce"
> is.  But, I learn well from examples! Can someone please give me a sample 
> 10-auth.conf for NTLM
> and any other supporting settings or configs I need?
>
> My current/working dovecot settings, which have been running perfectly for 
> well over a year
> now, are:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert = 
>  ssl_key =  userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
>
> Here's what I've tried so far as 10-auth.conf:
>
> disable_plaintext_auth = no
> auth_use_winbind = yes
> info_log_path = /var/log/dovecot_info
> auth_verbose = yes
> auth_debug_passwords = yes
> auth_verbose_passwords= plain
> auth_winbind_helper_path = /usr/bin/ntlm_auth
>
> auth_mechanisms = ntlm plain login
>
> userdb {
>   driver = passwd
>   args = username_format=%n allow_all_users=yes
>
> }
>
>
> Which gives me a dovecot -n of:
>
> $ dovecot -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = ntlm plain login
> auth_use_winbind = yes
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> protocols = imap
> ssl_cert = 
>  ssl_key =  userdb {
>   args = username_format=%n allow_all_users=yes
>   driver = passwd
> }
> verbose_ssl = yes
>
>
> I configured Thunderbird for NTLM authentication, then tried sending a 
> message, I got the
> following in /var/log/dovecot_info:
>
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
> for ECDH and ECDHE key exchanges
> Apr 22 01:37:57 auth: Debug: Loading modules from directory: 
> /usr/local/lib/dovecot/auth
> Apr 22 01:37:57 imap-login: Info: Disconnected: Auth process broken 
> (disconnected before auth was ready, waited 0 secs): user=<>, 
> rip=192.168.0.58, lip=98.102.63.107, session=
>
>
> On Thunderbird I got the error, "Sending of the message failed.  The 
> Outgoing server (SMTP)
> my.server.name does not support the selected authentication method.  Please 
> change the
> 'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."
>
> Clearly, something is configured wrong, but I've no clue what.

Looking for NTLM config example

2016-04-22 Thread Mark Foley
Now that I am running Thunderbird on Linux and away from Windows/Outlook, I'd 
like to take
another run at setting up NTLM authentication from Thunderbird to my Samba4 
AD/DC. 

With the help of the samba maillist folks I was able to set up NTLM 
authentication for domain
user login.  I should be able to do the same for email!

But, I need help. I went to 
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and got
lost immediately. Are "authentication submethods" synonymous with "password 
schemes"? The 7th
line down says, "NTLM password scheme is required for NTLM, NTLM2 and NTLMv2.", 
but in the
referenced link I found no reference to "NTLM password scheme".

The links http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM and
http://wiki2.dovecot.org/Authentication/PasswordSchemes, tell you what the 4 
NTLM
authentication submethods are, tell you what password schemes are, tell you 
what the NTLM
client/server handshake is, but don't actually tell you how to configure 
dovecot config
files.  I'm much more interested in the "how to" than in: "NTLMv2: server and 
client nonce,
MITM can't force downgrade" ...  whatever that means. 

Anyway, probably it's my lack of understanding terminology.  I don't even know 
what a "nonce"
is.  But, I learn well from examples! Can someone please give me a sample 
10-auth.conf for NTLM
and any other supporting settings or configs I need?

My current/working dovecot settings, which have been running perfectly for well 
over a year
now, are:

$ dovecot -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = , rip=192.168.0.58, 
lip=98.102.63.107, session=


On Thunderbird I got the error, "Sending of the message failed.  The Outgoing 
server (SMTP)
my.server.name does not support the selected authentication method.  Please 
change the
'Authentication method' in 'Account Settings | Outgoing Server (SMTP)'."

Clearly, something is configured wrong, but I've no clue what.

Can I get some advice?

THX --Mark


Interpreting keywords

2015-12-02 Thread Mark Foley
I've marked several messages in Thunderbird using tags. Tags used are:

0 Important
1 Work
2 To Do
3 Personal
4 Later

The messages so tagged appear to have the flag fields set in the IMAP Maildir:

cur/1449002162.8993_0.mail:2,Sb
cur/1449001929.28087_0.mail:2,Sad

I've looked in dovecot-keywords and find:

$ more dovecot-keywords 
 0 $label1
 1 $label2
 2 $label3
 3 $label4
 
I assume these "$label" values are macros that possibly refer to "Important", 
"Work", etc., but
where are these $label's defined? Are they defined in the dovecot configs 
somewhere or does the
mail client just "know" what these correspond to?

--Mark
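
The letters after ":2," in a Maildir file name are decoded as follows: uppercase
letters are the standard Maildir flags (S is Seen, F is Flagged, and so on) and
lowercase letters index dovecot-keywords, with "a" meaning index 0, "b" index 1,
etc. So ":2,Sb" is Seen plus keyword 1 ($label2) and ":2,Sad" is Seen plus
keywords 0 and 3 ($label1 and $label4). The $labelN names are not defined
anywhere in Dovecot; the client maps them to its own tag names. The script
below is an added example, not code from the post or from Dovecot; the
dovecot-keywords contents and file names are constructed from the post, and the
CLIENT_TAG_NAMES table is an assumption (Thunderbird's default tag names as held
in its mailnews.tags.* preferences), so substitute your own client's tag list.

```python
import os
import string

# Standard Maildir flags: uppercase letters after ":2," in the file name.
STANDARD_FLAGS = {"D": "Draft", "F": "Flagged", "P": "Passed",
                  "R": "Replied", "S": "Seen", "T": "Trashed"}

# Constructed copy of the dovecot-keywords file shown in the post.
DOVECOT_KEYWORDS = """\
0 $label1
1 $label2
2 $label3
3 $label4
"""

# Assumed client-side names behind $labelN (Thunderbird's defaults). The real
# mapping lives in the mail client's tag preferences, not in Dovecot.
CLIENT_TAG_NAMES = {"$label1": "Important", "$label2": "Work", "$label3": "Personal",
                    "$label4": "To Do", "$label5": "Later"}


def parse_keyword_file(text):
    """dovecot-keywords maps a numeric index to a keyword name; index i appears
    in file names as the lowercase letter chr(ord('a') + i), so 'a' is index 0."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        index, name = line.split(None, 1)
        index = int(index)
        if 0 <= index < len(string.ascii_lowercase):
            table[string.ascii_lowercase[index]] = name
    return table


def parse_maildir_name(path, keyword_table):
    """Split 'unique:2,INFO' into (unique, flags, keywords, unknown_letters)."""
    name = os.path.basename(path)
    unique, sep, info = name.partition(":")
    flags, keywords, unknown = [], [], []
    if sep and info.startswith("2,"):
        for ch in info[2:]:
            if ch in STANDARD_FLAGS:
                flags.append(STANDARD_FLAGS[ch])
            elif ch in keyword_table:
                keywords.append(keyword_table[ch])
            else:
                unknown.append(ch)   # letter with no entry in dovecot-keywords
    return unique, flags, keywords, unknown


def describe(path, keyword_table, tag_names=CLIENT_TAG_NAMES):
    """Human-readable summary, resolving $labelN through the client's tag names."""
    unique, flags, keywords, unknown = parse_maildir_name(path, keyword_table)
    tags = [tag_names.get(k, k) for k in keywords]
    parts = flags + tags + ["?" + ch for ch in unknown]
    return "%s: %s" % (unique, ", ".join(parts) if parts else "(no flags)")


if __name__ == "__main__":
    table = parse_keyword_file(DOVECOT_KEYWORDS)
    for f in ("cur/1449002162.8993_0.mail:2,Sb", "cur/1449001929.28087_0.mail:2,Sad"):
        print(describe(f, table))
```

Run it from the mailbox directory after editing DOVECOT_KEYWORDS to match the
real file (or read the file instead of the constant); unknown letters are
reported with a leading "?" rather than ignored, which is how you notice a
keyword that was removed from dovecot-keywords while files still carry it.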


Re: How to Restore emails

2015-11-13 Thread Mark Foley
On Fri, 13 Nov 2015 09:08:55 CET Steffen Kaiser wrote:
> a problem will arise, if Dovecot indexes the directory when the file is 
> not fully restored, hence, changes later.
>
> Therefore, either prevent any access in Dovecot (deliver and retrieval) or 
> use Heiko's approach, because mv is atomic on the same filesystem (rename 
> instead of copy).

I did shut down Dovecot before restoring the files.

> The next problem comes with duplicates, because Maildir saves flags, 
> keywords and status in the filename.

Good point.  I was only restoring the ".Deleted Items" mail folder and 
sub-folder, so I wasn't
too concerned with the flags since they shouldn't really be changing much for 
deleted messages.
Still, you are right, it is possible that the user could have altered the flags 
on some of his
deleted messages (since he's keeping these around for months essentially as 
another email
archive). 

I did a tar restore of that mail folder with the end-of-October full backup, 
and again with the
incremental backup from the previous day. The user reported all message were 
restored OK. If he
had changed flags he'd certainly end up with duplicates.

Next time I will restore to a temp directory and check the flags and not 
restore files with the
same name but different flags.

--Mark

-Original Message-
> Date: Fri, 13 Nov 2015 09:08:55 +0100 (CET)
> From: Steffen Kaiser <skdove...@smail.inf.fh-brs.de>
> To: Mark Foley <mfo...@ohprs.org>
> Subject: Re: How to Restore emails
> Cc: dovecot@dovecot.org
>
> On Thu, 12 Nov 2015, Mark Foley wrote:
>
> >> About the 'cur' I'd not be too sure.
> >
> > Well, I'm just restoring to .Deleted Items, so it shouldn't be a problem. 
> > The tar restore
> > should preserve names, permission, etc. I'll backup the current Maildir, 
> > then try the restore
> > and see what happens. I'll report back.
>
> a problem will arise, if Dovecot indexes the directory when the file is 
> not fully restored, hence, changes later.
>
> Therefore, either prevent any access in Dovecot (deliver and retrieval) or 
> use Heiko's approach, because mv is atomic on the same filesystem (rename 
> instead of copy).
>
> The next problem comes with duplicates, because Maildir saves flags, 
> keywords and status in the filename.
>
> I, therefore, copy a backup to another subdir, say "tmp2", then run fdupes 
> (or similar program) over cur, new and tmp2 to find duplicates, delete 
> them in tmp2, and finally "mv -i " (you never know ;-) ) the remaining 
> files from tmp2 to cur or new.
>
> > -Original Message-
> >> Date: Thu, 12 Nov 2015 23:36:52 +0100
> >> From: Heiko Schlittermann <h...@schlittermann.de>
> >> To: dovecot@dovecot.org
> >> Subject: Re: How to Restore emails
> >>
> >> Hi,
> >>
> >> Mark Foley <mfo...@ohprs.org> (Do 12 Nov 2015 23:31:39 CET):
> >>> According to a message to this list from Oli Schacher,
> >>> http://www.dovecot.org/list/dovecot/2011-June/059493.html, all I need to 
> >>> do is copy the deleted
> >>> emails to their original folder and dovecot will take care of it:
> >>>
> >> ???
> >>>> exactly, just copy the mail from your backup back into the users
> >>>> maildir (usually into 'cur'). Make sure the permissions of the restored
> >>>> file are correct. No need to synchronize anything, dovecot automatically
> >>>> detects the added message.
> >>
> >> About the 'cur' I'd not be too sure. If you *mv* the files there from a
> >> directory on the same filesystem, you should be fine, but if copy the
> >> files, I'd be careful. Probably you want to mimic the maildir behaviour:
> >>
> >> copy the files to tmp/
> >> mv the files to cur/ (not sure, if new/ would be fine too,
> >>   because new/ is the natural place after
> >>   tmp/. I'm not sure, what this does to the
> >>   message state the client sees.)
> >>
> >> Best regards from Dresden/Germany
> >> Viele Grüße aus Dresden
> >> Heiko Schlittermann
> >> --
> >>  SCHLITTERMANN.de  internet & unix support -
> >>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> >>  gnupg encrypted messages are welcome --- key ID: F69376CE -
> >>  ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -
> >
>
> - -- 
> Steffen Kaiser
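
The two points raised in this thread, staging through tmp/ so Dovecot never
indexes a half-copied file and treating a backup copy that differs only in its
":2,FLAGS" suffix as a duplicate, can be combined in one restore script. The
following is an added example, not code from the thread or from Dovecot. It
assumes Dovecot is stopped (or the mailbox otherwise not in use) while it runs,
that it is run as the mailbox owner so restored files get the right ownership,
and that backup_dir holds the raw Maildir files; demo_restore() builds a
constructed fixture in a temporary directory so the script can be run offline.

```python
import os
import shutil
import tempfile


def unique_name(filename):
    """The Maildir unique part, i.e. the name without ':2,FLAGS'. Flags and
    keywords live in the file name, so a backup copy with different flags is
    still the same message."""
    return filename.split(":", 1)[0]


def existing_messages(maildir):
    """Unique names already present in cur/ and new/."""
    present = set()
    for sub in ("cur", "new"):
        subdir = os.path.join(maildir, sub)
        if os.path.isdir(subdir):
            present.update(unique_name(n) for n in os.listdir(subdir))
    return present


def restore_messages(backup_dir, maildir, dry_run=False):
    """Restore files from backup_dir into maildir: copy into tmp/ first, then
    rename() into cur/, which is atomic on one filesystem, so Dovecot never sees
    a half-written file. Messages already in cur/ or new/ are skipped whatever
    their flags. Returns (restored, skipped) lists of file names."""
    present = existing_messages(maildir)
    tmp_dir = os.path.join(maildir, "tmp")
    cur_dir = os.path.join(maildir, "cur")
    for d in (tmp_dir, cur_dir):
        os.makedirs(d, exist_ok=True)
    restored, skipped = [], []
    for name in sorted(os.listdir(backup_dir)):
        src = os.path.join(backup_dir, name)
        if not os.path.isfile(src):
            continue
        if unique_name(name) in present:
            skipped.append(name)
            continue
        if not dry_run:
            staged = os.path.join(tmp_dir, name)
            shutil.copy2(src, staged)        # mode and mtime kept; invisible in tmp/
            os.rename(staged, os.path.join(cur_dir, name))  # appears in cur/ in one step
            present.add(unique_name(name))
        restored.append(name)
    return restored, skipped


def demo_restore():
    """Constructed fixture: one message already in cur/ (the backup copy of it
    carries an extra flag) and one message present only in the backup.
    Returns (restored, skipped, cur_listing, tmp_listing)."""
    root = tempfile.mkdtemp(prefix="maildir-restore-")
    maildir = os.path.join(root, "Maildir", ".Deleted Items")
    backup = os.path.join(root, "backup")
    for d in (os.path.join(maildir, "cur"), os.path.join(maildir, "new"),
              os.path.join(maildir, "tmp"), backup):
        os.makedirs(d)
    with open(os.path.join(maildir, "cur", "1447365600.100_1.host:2,S"), "w") as f:
        f.write("Subject: kept\n\nbody\n")
    with open(os.path.join(backup, "1447365600.100_1.host:2,FS"), "w") as f:
        f.write("Subject: kept\n\nbody\n")            # same message, flagged later
    with open(os.path.join(backup, "1447365601.101_2.host:2,S"), "w") as f:
        f.write("Subject: deleted by mistake\n\nbody\n")
    restored, skipped = restore_messages(backup, maildir)
    result = (restored, skipped,
              sorted(os.listdir(os.path.join(maildir, "cur"))),
              os.listdir(os.path.join(maildir, "tmp")))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo_restore())
```

Use dry_run=True first to see which backup files would be skipped as
duplicates; those are the ones whose flags you may want to reconcile by hand
(for example re-applying a Flagged marker the user set after the backup).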


How to Restore emails

2015-11-12 Thread Mark Foley
I have a user who accidentally deleted a large number of emails prior to a 
certain date.  He
wants them back.  I do have a tarfile backup of these messages.  Is there a 
good way to restore
them? Can I simply restore them to the appropriate Maildir directory and 
dovecot will just
"figure it out"?

Thanks, --Mark


Re: How to Restore emails

2015-11-12 Thread Mark Foley
According to a message to this list from Oli Schacher, 
http://www.dovecot.org/list/dovecot/2011-June/059493.html, all I need to do is 
copy the deleted
emails to their original folder and dovecot will take care of it:

On Tue Jun 7 08:43:54 EEST 2011 Oli Schacher wrote:
>> OK, but if I want to restore a particular mail from backups, what're
>> the steps involved? What I mean is do I just copy and paste that mail
>> file from backups to the user account maildir folder and what program
>> should I run to synchronize it.
> 
>
> exactly, just copy the mail from your backup back into the users
> maildir (usually into 'cur'). Make sure the permissions of the restored
> file are correct. No need to synchronize anything, dovecot automatically
> detects the added message. 

Unless someone out there advises me against doing this, I'm going to try it.

I've also seen `doveadm import` as a possible suggestion, though if a simple 
copy works I don't
see why anyone would use `doveadm import`.

--Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 12 Nov 2015 17:13:50 -0500
To: dovecot@dovecot.org
Subject: How to Restore emails

I have a user who accidentally deleted a large number of emails prior to a 
certain date.  He
wants them back.  I do have a tarfile backup of these messages.  Is there a 
good way to restore
them? Can I simply restore them to the appropriate Maildir directory and 
dovecot will just
"figure it out"?

Thanks, --Mark


Re: How to Restore emails

2015-11-12 Thread Mark Foley
Thanks for the reply Heiko

> About the 'cur' I'd not be too sure.

Well, I'm just restoring to .Deleted Items, so it shouldn't be a problem. The 
tar restore
should preserve names, permission, etc. I'll backup the current Maildir, then 
try the restore
and see what happens. I'll report back.

--Mark

-Original Message-
> Date: Thu, 12 Nov 2015 23:36:52 +0100
> From: Heiko Schlittermann <h...@schlittermann.de>
> To: dovecot@dovecot.org
> Subject: Re: How to Restore emails
>
> Hi,
>
> Mark Foley <mfo...@ohprs.org> (Do 12 Nov 2015 23:31:39 CET):
> > According to a message to this list from Oli Schacher, 
> > http://www.dovecot.org/list/dovecot/2011-June/059493.html, all I need to do 
> > is copy the deleted
> > emails to their original folder and dovecot will take care of it:
> > 
> ???
> > > exactly, just copy the mail from your backup back into the users
> > > maildir (usually into 'cur'). Make sure the permissions of the restored
> > > file are correct. No need to synchronize anything, dovecot automatically
> > > detects the added message. 
>
> About the 'cur' I'd not be too sure. If you *mv* the files there from a
> directory on the same filesystem, you should be fine, but if copy the
> files, I'd be careful. Probably you want to mimic the maildir behaviour:
>
> copy the files to tmp/
> mv the files to cur/ (not sure, if new/ would be fine too,
>   because new/ is the natural place after
>   tmp/. I'm not sure, what this does to the
>   message state the client sees.)
>  
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> -- 
>  SCHLITTERMANN.de  internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --- key ID: F69376CE -
>  ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -


MAPI Properties?

2015-10-25 Thread Mark Foley
I'm using Dovecot/IMAP on Linux and Outlook clients on WIN7 workstations.  Mail
on Linux is stored in Maildir format. 

I'm searching for where Outlook keeps its information on color categories in
IMAP. According to Diane Poremsky at slipstick.com, "Outlook stores it in the
mapi properties of each message. If you use MFCMAPI to view the messages, you'll
see the properties." MAPI is a Windows thing and the recommended MFCMAPI is for
viewing these properties in Exchange. Not what I can use.

Outlook must be storing these properties somewhere in the Dovecot/IMAP system as
color categories can be set from Outlook. Can someone tell me where to look for
these properties?

THX - Mark


Re: How to "Windows Authenticate"

2015-09-16 Thread Mark Foley
Love your "ASCII Ribbon Campaign" signature! I still use mailx myself.

I'll have to check out that "access denied" message for the email to
mfo...@ohprs.org. I haven't seen that before. FreeBSD.org is not blocked in my
access.db. Hmmm ...

Anyway, yes, I've been through those instructions over and over and they
certainly do "suggest" it should work, but I haven't yet found anyone that has
actually got it working. I assume you have not either, right?

The platform these instructions are targeted to are not quite my setup as the
Dovecot host is also the AD/DC using Samba4, so the DC/join instructions don't
apply, nor does the Kerberos: "Please note that you do not need to install or
configure any other Kerberos KDC for Samba to work.  Samba includes a
AD-compatible KDC, currently based on an included copy of the Heimdal project."

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Testing_Kerberos

Also, the instruction in the link you reference must be a bit out of date
because the suggested userdb:

userdb static {
   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
   allow_all_users=yes
}

gives an error with my dovecot 2.2.15. The word "static" has to go inside the
curly-braces as "driver static" and the "allow_all_users" has to be added to the
'args' string. Otherwise, Dovecot won't run the config as shown in the link.

Otherwise and with the above changes to the userdb, I believe I've followed all
applicable instructions in that link.  The error I get with my config in the
Dovecot log is:

Sep 13 00:53:12 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Sep 13 00:53:12 imap-login: Info: Disconnected: Auth process broken 
(disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.0.58, 
lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Any idea what would generate this message?

--Mark

-Original Message-
> Subject: Re: How to "Windows Authenticate"
> From: Remko Lodder <re...@freebsd.org>
> Date: Wed, 16 Sep 2015 19:38:08 +0200
> To: Mark Foley <mfo...@ohprs.org>
> Cc: dovecot@dovecot.org
>
> > On 16 Sep 2015, at 19:10, Mark Foley <mfo...@ohprs.org> wrote:
> > 
> > Does the Dovecot NTLM mechanism work with MS Outlook?
> > 
> > [ ] YES
> > [ ] NO
> > 
> > Please check one ... anybody.
> > 
> > ???Mark
>
>
>
> The URL on the wiki, which had probably been shared before with you;
>
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> suggests it does.
>
> The URL quotes:
>
> Step 5. Passwordless authentication
>
> If you have logged on from Windows to the AD domain, try leaving the password 
> field, on the account, on the MUA, blank. The username / password, from the 
> initial logon to the Windows machine, are seamlessly picked up and supplied 
> to the challenge-response process between the MUA, Dovecot and AD. Employing 
> this way of authentication  we achieve single sign-on and we don't need to 
> maintain MUA local passwords.
>
> Did you follow the suggestions that are on that page? (all of them).
>
> Thank you,
> Remko
>
> --
> /"\   Best regards,  | re...@freebsd.org
> \ /   Remko Lodder   | remko@EFnet
>  Xhttp://www.evilcoder.org/  |
> / \   ASCII Ribbon Campaign  | Against HTML Mail and News
>


Re: How to "Windows Authenticate"

2015-09-16 Thread Mark Foley
Does the Dovecot NTLM mechanism work with MS Outlook?

[ ] YES
[ ] NO

Please check one ... anybody.

--Mark

-Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Sun, 13 Sep 2015 01:10:57 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the
Active Directory/Domain Controller on the same host as Dovecot.
Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the
client MTU used to connect with Dovecot to read mail on the Users' WIN7
workstations.

I believe I have confirmed that MS Outlook will either ...

1) send the userid and password configured in the Outlook settings to Dovecot
for authorizing. This mechanism has been working fine for months.

or ...

2) Use NTLM authorization if "Require login using Secure Password Authentication
(SPA)" is checked: https://en.wikipedia.org/wiki/Secure_Password_Authentication

Those, I believe, are the only two choices with Outlook (other than Exchange). 
Therefore, in order not to configure a Domain-distinct password in Outlook, I
need to use the NTLM auth_mechanism for AD "Windows Authentication" with
Dovecot.  I've tried the settings below (just trying one user at the moment):

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , rip=192.168.0.58, 
lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Can someone tell me what this means and how to fix it?

Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over 
and
over, so simply referring me to that link will not help.

Thanks, Mark


Re: How to "Windows Authenticate"

2015-09-12 Thread Mark Foley
I am running Dovecot 2.2.15 on Linux Slackware 14.1 and Samba 4.1.17 as the
Active Directory/Domain Controller on the same host as Dovecot.
Sendmail/procmail delivers mail to users' $HOME/Maildir. MS Outlook/IMAP is the
client MTU used to connect with Dovecot to read mail on the Users' WIN7
workstations.

I believe I have confirmed that MS Outlook will either ...

1) send the userid and password configured in the Outlook settings to Dovecot
for authorizing. This mechanism has been working fine for months.

or ...

2) Use NTLM authorization if "Require login using Secure Password Authentication
(SPA)" is checked: https://en.wikipedia.org/wiki/Secure_Password_Authentication

Those, I believe, are the only two choices with Outlook (other than Exchange). 
Therefore, in order not to configure a Domain-distinct password in Outlook, I
need to use the NTLM auth_mechanism for AD "Windows Authentication" with
Dovecot.  I've tried the settings below (just trying one user at the moment):

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
protocols = imap
ssl_cert = , rip=192.168.0.58, 
lip=98.102.63.107, session=<2PnkuZkfqADAqAA6>

Can someone tell me what this means and how to fix it?

Note that I have read http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm over 
and
over, so simply referring me to that link will not help.

Thanks, Mark


Re: Need help on checkpassword userdb/passdb

2015-09-12 Thread Mark Foley
I figured out how to make checkpassword work. There is a problem with the
documentation. http://wiki2.dovecot.org/AuthDatabase/CheckPassword, under
'Security' says, "a. If possible, change the checkpassword to return userdb_uid
and userdb_gid extra fields instead of using setuid() and setgid(). This also
improves the performance." And, under 'Checkpassword Interface' it says,
"Return the user's UNIX UID and GID using userdb_uid and userdb_gid
environments and add them to the EXTRA environment ..."

I did all of this and it didn't work. However, when I added the userdb_home
environment variable and added that to the EXTRA environment variable, it
worked. I tried this because I happened upon
http://wiki2.dovecot.org/UserDatabase/Prefetch which mentioned userdb_home. The
http://wiki2.dovecot.org/AuthDatabase/CheckPassword needs to have this bit of
information added in the appropriate place(s) or the developer/hackster will
waste days trying to get checkpassword working until he/she stumbles across the
userdb_home comment elsewhere.

Nevertheless, checkpassword turns out not to be the solution to my original
problem, so I will keep on keepin' on ... 

--Mark

-Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Fri, 11 Sep 2015 21:57:40 -0400
To: dovecot@dovecot.org
Subject: Re: Need help on checkpassword userdb/passdb

[grumpy bit deleted]

To follow up on my previous posting in this thread, I'm trying to get
checkpassword to work. I have confirmed that it is setting the environment
variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword).
My debug output of env variables sent to checkpassword-reply:

$USER=mark
userdb_uid=326
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid

I have confirmed that my checkpassword program returns 0 authenticating the user
with the AD:

fork pid = 4239, ntlm_auth status: 0

The pid listed above is the pid of the forked 
/usr/local/libexec/dovecot/checkpassword-reply 
program. For testing purposes, I've replaced that with a stub of my own that
shows the set environment variables so I know checkpassword-reply is getting
them (listed above).

Notice in the log messages below that everything looks correct. It has the
correct username, UID, GID, client passdb out: OK. No error in the log that I
can see.

I believe I've done everything exactly as documented in the wiki, but it doesn't
work. I get the Outlook message "Your IMAP server closed the connection ... 
Error Code: 0x800CCCDD".  Finally, I tried setting:

chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply

As the wiki suggested and setting the env variable INSECURE_SETUID=1. Same
error. 

Googling the 0x800CCCDD code simply says to turn off scheduled send/receive, but
that makes no difference. Same error.

I believe I've done everything exactly according to the documentation.  Does
checkpassword actually work with Dovecot version 2.2.15? If not, could someone
please tell me so I can stop wasting my time.  If it does work, can someone
please help me figure out why it does not for me?

Thanks -- Mark

My dovecot log:

Sep 11 21:18:22 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH1   PLAIN   service=imap
session=tHPCm4IftgDAqAA6  lip=192.168.0.2  rip=192.168.0.58
lport=143   rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data 
may contain sensitive data)
Sep 11 21:18:22 auth: Debug: 
checkpassword(mark,192.168.0.58,): execute: 
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug: 
checkpassword(mark,192.168.0.58,): exit_status=0
Sep 11 21:18:22 auth: Debug: 
checkpassword(mark,192.168.0.58,): Received input: 
userdb_uid=326   userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK  1   user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681  42341   
c2551b70ccf5e2f8e022869663bf6a70   session_pid=4240
request_auth_token
Sep 11 21:18:22 auth: Debug: prefetch(mark,192.168.0.58,): 
success
Sep 11 21:18:22 auth: Debug: master userdb out: USER1794375681  mark
uid=326 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=, method=PLAIN, 
rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=


-----Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot@dovecot.org
Subject: Need help on checkpassword userdb/passdb

I'm experimenting with checkpassword as an auth method for userdb and passdb 
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-12 Thread Mark Foley
Fran - thanks for your reply. I'm cc'ing you directly on this as well as posting
to the list as I'm not sure how often you check the list and I'm down to hanging
by my last fingernail on this project.

I have some preliminary questions interspersed below.

Thanks, --Mark

-Original Message-
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>   against AD2008
> To: dovecot@dovecot.org
> From: Fran <cumc-436...@chguadalquivir.es>
> Date: Thu, 10 Sep 2015 13:26:21 +0200
>
> Hi Mark,
>
> when I say AD 2003/8 I mean Active Directory 2003/8.

Hmmm, I've not heard of "Active Directory 2003" or 2008.  The year numbers
indicated to me you might be talking about Windows Small Business Server 2003 or
2008.  Is your AD Server Windows? Linux? Something else? I'm using Samba4 AD/DC
on Linux. 

>
> My configuration is attached.

Thank you very much for that. If I make some headway, I'll likely have more
questions on specifics.

>
> I based my installation (dovecot+postfix) in the guides of this site:
> http://www.linuxmail.info
>
> The LDAP part is this:
> http://www.linuxmail.info/postfix-dovecot-ldap-centos-5/

If you were able to make sense out of these sites' tiny screen-shots and 
one-line
descriptions my hat's off to you. "You're a better man than I am, Gunga Din!" If
there was more detailed narrative somewhere I couldn't find it. Also, I don't
have jXplorer on my system, so probably I couldn't get too far anyway.

BIG QUESTIONS:

1. Are you using MS Outlook IMAP clients in your environment? If so, how are you
making them connect with LDAP? By checking the SPA checkbox?

2.  The mail_gid/mail_uid as vmail confuses me.  I see that setting a lot,
including in your config.  http://wiki2.dovecot.org/VirtualUsers says, "You can
create, for example, one vmail user which owns all the mails, or you can assign
a separate UID for each user." I have assigned a separate UID for each based on
the UID returned by `wbinfo -u `.  Does assigning separate UIDs mess
up my ability to adapt your configuration?

little questions:

3. I'm not planning on using quotas. Can I safely omit your mail_plugins = " 
quota"
setting and all your plugin { quota_...} settings? I want to be as simple as
possible to start.

4. Likewise, dovecot seems to be able to find users' mailboxes just fine. Can I
omit the namespace inbox {} setting?

These may seem like amateurish questions, but little details have foiled me a lot
on this Dovecot project. 

If I feel confident with the answers you provide here, I'll move on to trying
some things.

Thanks a lot for your help!!!

--Mark

>
> You can also use PAM to connect to AD
> (http://www.linuxmail.info/active-directory-dovecot-pam-authentication/)
> but that way doesn't allow to retrieve custom fields from the AD (ex. a
> field to set quota per user), so I'm using the standard LDAP method.
>
> Regards
>
> El 10/09/2015 a las 4:51, Mark Foley escribió:
> > Fran and/or Matthias,
> >
> > Could you publish your doveconf -n? I can't get dovecot to authenticate 
> > with my
> > AD. Maybe you have a solution I could try.
> >
> > What mail client(s) are you using? I assume by "AD 2003/8" You mean 
> > SBS2003/8
> > and are therefore using Outlook?
> >
> > --Mark
> >
> > -Original Message-
[deleted]


Re: Need help on checkpassword userdb/passdb

2015-09-11 Thread Mark Foley
Not to be grumpy, but I've posted a dozen or more messages to this list in the
past week about what I think might be relatively common/easy issues and have had
zero response except from Rick Romero who is trying, but hasn't actually done
what I need himself.  I'm sure someone has.  Perhaps these problems are too mundane
compared to CalDAV, sieve filtering and IPA to excite List interest? Come on
Dovecotters! Let's step up to the plate!

To follow up on my previous posting in this thread, I'm trying to get
checkpassword to work. I have confirmed that it is setting the environment
variables as described in (http://wiki2.dovecot.org/AuthDatabase/CheckPassword).
My debug output of env variables sent to checkpassword-reply:

$USER=mark
userdb_uid=326
userdb_gid=100
INSECURE_SETUID=1
EXTRA=userdb_uid userdb_gid

I have confirmed that my checkpassword program returns 0 authenticating the user
with the AD:

fork pid = 4239, ntlm_auth status: 0

The pid listed above is the pid of the forked 
/usr/local/libexec/dovecot/checkpassword-reply 
program. For testing purposes, I've replaced that with a stub of my own that
shows the set environment variables so I know checkpassword-reply is getting
them (listed above).

Notice in the log messages below that everything looks correct. It has the
correct username, UID, GID, client passdb out: OK. No error in the log that I
can see.

I believe I've done everything exactly as documented in the wiki, but it doesn't
work. I get the Outlook message "Your IMAP server closed the connection ...
Error Code: 0x800CCCDD".  Finally, I tried setting:

chgrp dovecot /usr/local/libexec/dovecot/checkpassword-reply
chmod g+s /usr/local/libexec/dovecot/checkpassword-reply

as the wiki suggested, and setting the env variable INSECURE_SETUID=1. Same
error.

Googling the 0x800CCCDD code simply says to turn off scheduled send/receive, but
that makes no difference. Same error.

I believe I've done everything exactly according to the documentation.  Does
checkpassword actually work with Dovecot version 2.2.15? If not, could someone
please tell me so I can stop wasting my time.  If it does work, can someone
please help me figure out why it does not for me?

Thanks -- Mark

My dovecot log:

Sep 11 21:18:22 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Sep 11 21:18:22 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)
Sep 11 21:18:22 auth: Debug: client in: AUTH1   PLAIN   service=imap
session=tHPCm4IftgDAqAA6  lip=192.168.0.2  rip=192.168.0.58
lport=143   rport=50614 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data 
may contain sensitive data)
Sep 11 21:18:22 auth: Debug: 
checkpassword(mark,192.168.0.58,): execute: 
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 11 21:18:22 auth: Debug: 
checkpassword(mark,192.168.0.58,): exit_status=0
Sep 11 21:18:22 auth: Debug: 
checkpassword(mark,192.168.0.58,): Received input: 
userdb_uid=326   userdb_gid=100
Sep 11 21:18:22 auth: Debug: client passdb out: OK  1   user=mark
Sep 11 21:18:22 auth: Debug: master in: REQUEST 1794375681  42341   
c2551b70ccf5e2f8e022869663bf6a70   session_pid=4240
request_auth_token
Sep 11 21:18:22 auth: Debug: prefetch(mark,192.168.0.58,): 
success
Sep 11 21:18:22 auth: Debug: master userdb out: USER1794375681  mark
uid=326 gid=100 auth_token=008ebf0ebd9c1654085de247f10cdf0a746555d4
Sep 11 21:18:22 imap-login: Info: Login: user=, method=PLAIN, 
rip=192.168.0.58, lip=192.168.0.2, mpid=4240, session=


-Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Thu, 10 Sep 2015 23:05:18 -0400
To: dovecot@dovecot.org
Subject: Need help on checkpassword userdb/passdb

I'm experimenting with checkpassword as an auth method for userdb and passdb
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb
and passdb *exactly* as the wiki suggests as the "standard way":

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

I've created a checkpassword program that does receive the correct user and
password from dovecot.  And I am successfully authenticating with ntlm_auth and
exiting with status 0.  My debug output:

AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0

Now, the wiki says 2 things that have me stumped:

1.  It says that, "Dovecot calls the script with AUTHORIZED=1 environment set
when performing a userdb lookup.  The script must acknowledge this by changing
the environment to AUTHORIZED=2, otherwise the lookup fails."

As you can see from my program log, "AUTHORIZED" is not set.  Why? N

Need help on checkpassword userdb/passdb

2015-09-10 Thread Mark Foley
I'm experimenting with checkpassword as an auth method for userdb and passdb
(http://wiki2.dovecot.org/AuthDatabase/CheckPassword). I've set up the userdb
and passdb *exactly* as the wiki suggests as the "standard way":

passdb {
  driver = checkpassword
  args = /user/util/bin/checkpassword
}
userdb {
  driver = prefetch
}

I've created a checkpassword program that does receive the correct user and
password from dovecot.  And I am successfully authenticating with ntlm_auth and
exiting with status 0.  My debug output:

AUTHORIZED: (null)
USER: (null)
userdb_uid: (null)
userdb_gid: (null)
arg1=/usr/local/libexec/dovecot/checkpassword-reply
CMD: /usr/bin/ntlm_auth --username="mark" --password='mypass'
ntlm_auth status: 0

Now, the wiki says 2 things that have me stumped:

1.  It says that, "Dovecot calls the script with AUTHORIZED=1 environment set
when performing a userdb lookup.  The script must acknowledge this by changing
the environment to AUTHORIZED=2, otherwise the lookup fails."

As you can see from my program log, "AUTHORIZED" is not set.  Why? Nor are any 
of the
other environment variables mentioned in the wiki. I've listed all the
environment variables that *are* passed to the program at the bottom of this 
message.

2. The wiki says, "Your program received a path to checkpassword-reply binary 
as the first
parameter. Execute it."

I did so as a fork() and then 
execve("/usr/local/libexec/dovecot/checkpassword-reply")
How do I know it worked ... or failed?

What am I doing wrong?

Dovecot log entries:

Sep 10 22:54:04 auth: Debug: auth client connected (pid=14748)
Sep 10 22:54:04 auth: Debug: client in: AUTH1   PLAIN   service=imap
session=AkYg1G8f8QDAqAA6  lip=192.168.0.2  rip=192.168.0.58
lport=143   rport=49649 resp=AG1hcmsAZ2xhY29uXzk= (previous base64 data 
may contain sensitive data)
Sep 10 22:54:04 auth: Debug: 
checkpassword(mark,192.168.0.58,): execute: 
/user/util/bin/checkpassword /usr/local/libexec/dovecot/checkpassword-reply
Sep 10 22:54:04 auth: Debug: 
checkpassword(mark,192.168.0.58,): exit_status=0
Sep 10 22:54:04 auth: Debug: 
checkpassword(mark,192.168.0.58,): Received input:
Sep 10 22:54:06 auth: Debug: client passdb out: FAIL1   user=mark   
temp

ENV variables passed to the checkpassword program:

DOVECOT_PRESERVE_ENVS=TZ CORE_OUTOFMEM CORE_ERROR
DOVECOT_CHILD_PROCESS=1
CONFIG_FILE=/usr/local/var/run/dovecot/config
CLIENT_LIMIT=1000
PROCESS_LIMIT=1
PROCESS_MIN_AVAIL=0
IDLE_KILL=60
GENERATION=2991
DOVECOT_HOSTNAME=mail
DOVECOT_HOSTDOMAIN=mail.hprs.local
DOVECOT_VERSION=2.2.15
LOG_SERVICE=1
SOCKET_COUNT=6
SSL_SOCKET_COUNT=0
SOCKET_NAMES=login  tokenlogin  auth-login  auth-client 
auth-userdb auth-master
PROTO=TCP
ORIG_UID=151
SERVICE=imap
TCPLOCALIP=192.168.0.2
LOCAL_IP=192.168.0.2
TCPREMOTEIP=192.168.0.58
REMOTE_IP=192.168.0.58
TCPLOCALPORT=143
TCPREMOTEPORT=49649
AUTH_USER=mark
AUTH_USERNAME=mark
AUTH_SERVICE=imap
AUTH_LIP=192.168.0.2
AUTH_RIP=192.168.0.58
AUTH_PID=14748
AUTH_MECH=PLAIN
AUTH_SECURED=
AUTH_LPORT=143
AUTH_RPORT=49649
AUTH_CERT=
AUTH_SESSION=AkYg1G8f8QDAqAA6
AUTH_REAL_LIP=192.168.0.2
AUTH_REAL_RIP=192.168.0.58
AUTH_REAL_LPORT=143
AUTH_REAL_RPORT=49649
AUTH_ORIG_USER=mark
AUTH_ORIG_USERNAME=mark

--Mark
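
The two checkpassword posts above (10 and 11 September) between them describe the protocol Dovecot speaks to a checkpassword program: username and password arrive NUL-separated on fd 3, argv[1] is the path to checkpassword-reply, a userdb lookup arrives with AUTHORIZED=1 and has to be answered with AUTHORIZED=2, userdb fields go back through the environment with their names listed in EXTRA, and the exit status is 0 for success and 1 for failure. What follows is an added example of such a program, written for this thread; it is not Mark's program and not Dovecot's own code. It verifies against a constructed in-memory table rather than calling ntlm_auth, the /home/<user> home directory layout is assumed, and exit status 111 for misuse is an assumption taken from the djb checkpassword convention rather than from anything in the posts.

```python
"""Added example: a minimal Dovecot checkpassword passdb/userdb program.

Protocol as described in the thread (and the wiki page it cites):
  * Dovecot writes "username\\0password\\0\\0" to fd 3; the third, empty
    field is the optional extra data.
  * argv[1] is the path to Dovecot's checkpassword-reply binary.
  * On success the program puts userdb fields into the environment,
    lists their names in EXTRA, and execs checkpassword-reply, which
    hands them back to Dovecot.
  * A pure userdb lookup arrives with AUTHORIZED=1 and no password;
    the program must answer with AUTHORIZED=2.
  * Exit status 0 = success, 1 = authentication failed / user unknown.
"""
import hashlib
import hmac
import os
import sys

# Constructed demo user table: username -> (pbkdf2 hash, uid, gid).
# A real deployment would verify against AD (ntlm_auth, LDAP, Kerberos).
_SALT = b"demo-salt"


def _h(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10000)


DEMO_USERS = {
    "mark": (_h("example-password"), 326, 100),   # uid/gid as in the post's log
    "charmaine": (_h("another-example"), 327, 100),
}


def parse_checkpassword_input(data: bytes):
    """Split the fd-3 payload into (username, password, extra).

    Fields are NUL-terminated; anything after the third NUL is ignored and
    missing fields come back as empty strings, so "charmaine\\0\\0\\0" gives
    ("charmaine", "", "") exactly as in the dump at the top of the thread.
    """
    parts = data.split(b"\0")
    fields = [p.decode("utf-8", "replace") for p in parts[:3]]
    fields += [""] * (3 - len(fields))
    return tuple(fields)


def lookup_user(username):
    return DEMO_USERS.get(username)


def verify_password(username, password) -> bool:
    rec = lookup_user(username)
    if rec is None:
        # Do the same hashing work for unknown users so response time does
        # not reveal which accounts exist.
        hmac.compare_digest(_h(password), _h("x"))
        return False
    return hmac.compare_digest(_h(password), rec[0])


def build_reply_env(env, username, uid, gid, home):
    """Environment handed to checkpassword-reply on success."""
    reply = dict(env)
    reply["USER"] = username
    reply["userdb_uid"] = str(uid)
    reply["userdb_gid"] = str(gid)
    reply["userdb_home"] = home
    reply["EXTRA"] = "userdb_uid userdb_gid userdb_home"
    if env.get("AUTHORIZED") == "1":
        reply["AUTHORIZED"] = "2"   # acknowledge the userdb lookup
    return reply


def handle_request(data: bytes, env: dict):
    """Core decision: returns (exit_status, reply_env_or_None)."""
    username, password, _extra = parse_checkpassword_input(data)
    userdb_only = env.get("AUTHORIZED") == "1"
    rec = lookup_user(username)
    if rec is None:
        return 1, None
    if not userdb_only and not verify_password(username, password):
        return 1, None
    _, uid, gid = rec
    return 0, build_reply_env(env, username, uid, gid, "/home/" + username)


def read_fd3(fd: int = 3) -> bytes:
    """Read the whole payload rather than assuming one 512-byte read."""
    chunks = []
    while True:
        buf = os.read(fd, 512)
        if not buf:
            break
        chunks.append(buf)
    return b"".join(chunks)


def main():
    if len(sys.argv) < 2:
        sys.exit(111)  # misuse; 111 = temporary failure in the djb convention (assumed)
    status, reply = handle_request(read_fd3(), dict(os.environ))
    if status != 0:
        sys.exit(status)
    os.execve(sys.argv[1], [sys.argv[1]], reply)


if __name__ == "__main__":
    main()
```

Wire it in with the passdb/userdb stanza shown in the post (driver = checkpassword plus driver = prefetch) and point args at this script. Two points a practitioner would want to keep from the thread: the post's debug line shows the password being handed to ntlm_auth on its command line, where any local user can read it from the process list, so a real verifier should receive the secret some other way; and the program never logs what it read from fd 3, which is what the AUTH_DEBUG-style dumps in the thread do.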


Re: How to "Windows Authenticate"

2015-09-10 Thread Mark Foley
As to your suggested links,

Samba4 uses Heimdal Kerberos which is part of the Samba4 installation:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Installation, so I don't know
if the krb5 configs discussed in your link will apply. I'll revisit this if other
things I'm trying don't work out.

If that http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm link were on paper
I'd have worn out the pages by now.  I did see your original message to me on
that, tried what I could and posted my results to the list dated Sat, 05 Sep
2015 17:12:50 -0400.  Didn't work, probably because I don't know what I'm doing,
although I don't think I've spent longer on any other software package without
mastering it! The userdb syntax shown on that site had errors with my dovecot
2.2.15.  Instructions for an older version (dates on wikis would be nice)? Check
out my Sep 5 posting if you missed it and see if I'm doing something stupidly
obviously wrong. 

I'll have to also say the wiki docs are pretty, but very difficult to
comprehend. There's an awful lot of assumed knowledge and terminology in there
and even though I have decades of Unix sysadmin experience, I get lost very
quickly.

A lot of things seem overcomplicated. For example, I'm now trying the
checkpassword auth method. Seems pretty simple at first: it gets the username
and password and returns 0 if OK or 1 if not. Simple right? But no, the Dovecot
implementation wants you to also set environment variables (which don't appear to
be there) and execute programs from within programs, and of course, it doesn't
"just work". Why the complexity? Why not return a simple 0 or 1 and go with
that? Oh well, I'm going to have to abandon this soon. Workplace indulgence is
wearing thin.

--Mark

-Original Message-
> Date: Thu, 10 Sep 2015 08:27:15 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Cc: mfo...@ohprs.org
> Subject: Re: How to "Windows Authenticate"
>
>   Quoting Mark Foley <mfo...@ohprs.org>:
>
> > Rick,
> >
> > Samba4 AD/DC and Dovecot work perfectly for everything including access
> > from
> > SmartPhones.  I've got roaming domain logins, redirected folders,
> > calendars and
> > contacts work just fine with Outlook and WebDav for sharing calendars;
> > don't
> > need them in Dovecot. 
> >  
>
> Do you have that documented somewhere?  I would love to see how that's
> done.
>
> > For the most part, Outlook users can't tell they are not
> > still on Exchange ...  except they have to maintain their Outlook
> password
> > distinct from their Windows password.  Which is their one HUGE issue.
> >
> > My absolutely LAST issue with totally duplicating SBS/Exchange
> > functionality on
> > Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients
> > using
> > Windows Authentication which, as I understand things, can supposedly be
> > done
> > with NTLM.  I just can't get it to work.  I think a heck of a lot of
> > Windows
> > [SB]Server shops would convert to Samba4/Dovecot if someone figured out
> > how to
> > do this.
> >
> > My Dovecot log messages make it look close to working:
> >
> > Sep 05 16:45:19 auth-worker(5498): Debug:
> > shadow(mark@hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58):
> > unknown user
> >
> > Dovecot gets the user as "mark@hprs" instead of "mark" and therefore
> > can't find
> > it in the userdb.
> >
> > I can find no Dovecot wiki on this. If Dovecot just can't authenticate
> > this way
> > can someone (Timo?) tell me so and I'll cease my 8 month quest.
>
> These are two
>
> http://wiki2.dovecot.org/Authentication/Kerberos
> http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
>
> As I understand it, NTLM is a layer above Kerberos.  I don't see either
> referenced similarly to either wiki pages in the pasted config...
>
> > Otherwise, what should I have for a userdb? What should I have for a
> > passdb? Can
> > I parse the "@hprs" bit off the userId received by Dovecot? These seem
> > to be my
> > hang-ups.  At this point, I'm open to guesses.
> >
> > Just for the heck of it, here's one of the doveconf's I tested with,
> > reproduced
> > here because it's buried in the messages below:
> >
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain ntlm login
> > auth_use_winbind = yes
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth =

Re: How to "Windows Authenticate"

2015-09-09 Thread Mark Foley
Rick,

I extremely dislike Exchange as well.  I have a long list of problems: near
impossibility to monitor logs for trouble, poor configurable spam checking, no
good way to archive and review emails ...  I could go on for paragraphs, but the
main reason we recently migrated away from SBS/Exchange is that Microsoft no
longer sells Small Business Server and its replacement, Server Essentials, does
not support Exchange! Exchange has to run on Server 2012, but MS would prefer
you to use Server Essentials with your email in the cloud.  We're not gonna do
that. 

Samba4 AD/DC and Dovecot work perfectly for everything including access from
SmartPhones.  I've got roaming domain logins, redirected folders, calendars and
contacts work just fine with Outlook and WebDav for sharing calendars; don't
need them in Dovecot.  For the most part, Outlook users can't tell they are not
still on Exchange ...  except they have to maintain their Outlook password
distinct from their Windows password.  Which is their one HUGE issue. 

My absolutely LAST issue with totally duplicating SBS/Exchange functionality on
Samba4/Dovecot is getting Dovecot to authenticate with Outlook clients using
Windows Authentication which, as I understand things, can supposedly be done
with NTLM.  I just can't get it to work.  I think a heck of a lot of Windows
[SB]Server shops would convert to Samba4/Dovecot if someone figured out how to
do this. 

My Dovecot log messages make it look close to working:

Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): 
unknown user

Dovecot gets the user as "mark@hprs" instead of "mark" and therefore can't find
it in the userdb. 

I can find no Dovecot wiki on this. If Dovecot just can't authenticate this way
can someone (Timo?) tell me so and I'll cease my 8 month quest.

Otherwise, what should I have for a userdb? What should I have for a passdb? Can
I parse the "@hprs" bit off the userId received by Dovecot? These seem to be my
hang-ups.  At this point, I'm open to guesses. 

Just for the heck of it, here's one of the doveconf's I tested with, reproduced
here because it's buried in the messages below:

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert =

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping.  Your AD users shouldn't be in there when all is said and
> done.

If not there, where?

Humor me. Give me ONE suggestion to try!

--Mark

-Original Message-
> Date: Tue, 08 Sep 2015 21:21:13 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
>   If I had time I would be all over this - but IMHO the main problem is that
> Dovecot != Exchange.  Even in small environments - unless I'm out of date,
> there's no calendar, tasks or contact lists within Dovecot.
>
> Your next best best is to use something like Horde that would allow you to
> auth via ActiveSync (on Outlook 2013 clients) and manage everything else
> that the users will want, with Dovecot as the mail backend.
> Though I believe there could be licensing issues if you're looking to do it
> for free.  I think, by license, you still need CALs for each ActiveSync
> client (if you're in the US).
>
> Auth-Wise it'd be a whole different animal.  I'm not sure if there's
> anything pre-packaged NTLM + Horde - though Apache/PHP/Linux with Samba
> would accept the username via GSSAPI and I suppose you could pass that to
> HordeAuth.
>
> I hate Exchange - I have a nagging 45 second delay on OWA logins ever since
> I had to setup multiple NICs to get Outlook to stop complaining about
> certs, and today while trying to fix that issue, AD decided to stop
> replicating one of my trusted domains (and began rejecting auths for linked
> mailboxes from that domain) and in short I really just hate that
> environment with every fiber of my being and would love to see a decent
> free Exchange replacement on *nix.
>
> Rick
>
> Quoting Mark Foley <mfo...@ohprs.org>:
>
> > More experimentation ...
> >
> > I tried removing userdb and passdb from the dovecot NTLM config. That
> > didn't
> > work. I then tried adding a static userdb as follows:
> >
> > userdb {
> > driver = static
> > #  allow_all_users = yes
> > args = gid=100 home=/home/HPRS/%n
> > }
> >
> > (Interestingly, when I uncommented "allow_all_users&q
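
The doveconf above runs with auth_debug_passwords = yes and auth_verbose_passwords = plain, and the checkpassword posts earlier in the thread show what that produces: "client in: AUTH 1 PLAIN ... resp=<base64>" lines that Dovecot itself tags as possibly containing sensitive data. For SASL PLAIN the blob is just base64 of "[authzid] NUL authcid NUL password" (RFC 4616), so whoever can read the log can read the password. The following is an added example written for this thread, not code from Dovecot or from any poster: it scans such lines, identifies the ones carrying a decodable PLAIN credential, and redacts the resp= field before the log is shared. The log lines and the credential in them are constructed, not the ones from the posts.

```python
"""Added example: flag and redact SASL credential blobs in Dovecot auth debug logs.

With auth_debug_passwords = yes the auth process logs the client's initial
SASL response as "resp=<base64>". For the PLAIN mechanism that response is
"[authzid] NUL authcid NUL password" (RFC 4616): the password in the clear
once the base64 is undone. This script classifies such lines and redacts them.
"""
import base64
import binascii
import re

# "resp=" followed by a base64 run, as printed by the auth process.
RESP_RE = re.compile(r"(resp=)([A-Za-z0-9+/=]+)")
# Mechanism name from "client in: AUTH <id> <MECH> ..." (fields are tab-separated).
MECH_RE = re.compile(r"client in: AUTH\s+\d+\s+(\S+)")


def parse_sasl_plain(blob: bytes):
    """Split an RFC 4616 PLAIN message into (authzid, authcid, password).

    Returns None unless the blob has exactly three NUL-separated fields with
    a non-empty authcid, i.e. unless it really is a PLAIN message.
    """
    parts = blob.split(b"\0")
    if len(parts) != 3 or not parts[1]:
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts)


def decode_resp(b64: str):
    """Base64-decode a resp= value; None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_line(line: str):
    """'plain-credential' for a decodable PLAIN login, 'mech-blob' for any other
    resp= payload (NTLM/GSSAPI tokens are not plaintext but still sensitive),
    None when the line carries no resp= field at all."""
    m = RESP_RE.search(line)
    if not m:
        return None
    mech = MECH_RE.search(line)
    mech = mech.group(1).upper() if mech else ""
    raw = decode_resp(m.group(2))
    if mech == "PLAIN" and raw is not None and parse_sasl_plain(raw) is not None:
        return "plain-credential"
    return "mech-blob"


def redact_line(line: str) -> str:
    """Replace the base64 blob so the line can be pasted into a list post safely."""
    return RESP_RE.sub(r"\1<redacted>", line)


def scan(lines):
    """Return [(lineno, kind, redacted_line)] for every line carrying a resp= blob."""
    hits = []
    for n, line in enumerate(lines, 1):
        kind = classify_line(line)
        if kind is not None:
            hits.append((n, kind, redact_line(line)))
    return hits


# Constructed sample log: same shape as the thread's debug lines, made-up credential.
SAMPLE_PLAIN_RESP = base64.b64encode(b"\0mark\0example-password").decode()
SAMPLE_NTLM_RESP = base64.b64encode(b"NTLMSSP\0\x01\x00\x00\x00\x07\x82\x08\x00").decode()
SAMPLE_LOG = [
    "Sep 11 21:18:22 auth: Debug: auth client connected (pid=4234)",
    "Sep 11 21:18:22 auth: Debug: client in: AUTH\t1\tPLAIN\tservice=imap\t"
    "lip=192.168.0.2\trip=192.168.0.58\tresp=" + SAMPLE_PLAIN_RESP,
    "Sep 08 18:38:16 auth: Debug: client in: AUTH\t1\tNTLM\tservice=imap\t"
    "lip=192.168.0.2\trip=192.168.0.58\tresp=" + SAMPLE_NTLM_RESP,
    "Sep 11 21:18:22 auth: Debug: client passdb out: OK\t1\tuser=mark",
]

if __name__ == "__main__":
    for lineno, kind, redacted in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {redacted}")
```

The redaction is a stop-gap for logs that already exist; the fix is to turn auth_debug_passwords and auth_verbose_passwords back off once the authentication problem is solved, since every PLAIN login in the meantime lands in the log in recoverable form.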

Re: My dovecot works fine against Active Directory 2003, but not against AD2008

2015-09-09 Thread Mark Foley
Fran and/or Matthias,

Could you publish your doveconf -n? I can't get dovecot to authenticate with my
AD. Maybe you have a solution I could try.

What mail client(s) are you using? I assume by "AD 2003/8" You mean SBS2003/8
and are therefore using Outlook?

--Mark

-Original Message-
> Date: Wed, 9 Sep 2015 17:22:34 +0200
> From: Matthias Lay 
> To: Dovecot Mailing List 
> Subject: Re: My dovecot works fine against Active Directory 2003, but not
>   against AD2008
>
>
> hi,
>
> check your 
>
> /etc/openldap/ldap.conf
>
> for
>
> REFERRALS off
>
> I had these errors with "referrals on" in misconfigured dns environments.
>
>
> you can debug the dns packets by strace-ing the auth process
>
>
>
>
> On Tue, 8 Sep 2015 11:00:37 +0200
> Fran  wrote:
>
> > Hello,
> > 
> > my dovecot installation has been working fine against AD until we
> > upgraded from AD 2003 to AD 2008. As
> > http://wiki2.dovecot.org/AuthDatabase/LDAP said, now I'm not able to
> > connect AD through 389 port. The port 3268 works fine though.
> > 
> > (...)
> > Sep  7 19:02:05  dovecot: imap-login: Error:
> > master(imap): Auth request timed out (received 0/12 bytes)
> > Sep  7 19:02:05  dovecot: imap-login: Internal login
> > failure (pid=4846 id=1) (internal failure, 1 successful auths):
> > user=<>, method=PLAIN, rip=,
> > lip=, TLS, session=
> > (...)
> > Sep  7 19:02:06  dovecot: auth: Error:
> > ldap(,,): Connection appears
> > to be hanging, reconnecting
> > Sep  7 19:02:06  dovecot: auth: Error:
> > ldap(,,): LDAP search
> > returned multiple entries
> > (...)
> > 
> > Is there a technical reason for this problem? Is there any
> > workaround?
> > 
> > The use of Global Catalog (port 3268) is not a solution for me, since
> > it misses many attributes. (ex. I use the field "initials" to set the
> > quota and this field is not available through port 3268).
> > 
> > I also noticed that, now, it uses any DC available in the domain, it
> > doesn't care what I configured in "hosts = " parameter.
> > 
> > This is using "hosts = dc03.domain:389":
> > ---
> > 
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp   22  0 :55217 
> > :389  ESTABLISHED 4872/dovecot/auth
> > tcp   22  0 :57645 
> > :389ESTABLISHED 4872/dovecot/auth
> > tcp0  0 :55216 
> > :389  ESTABLISHED 4872/dovecot/auth
> > 
> > It looks like it does a lookup for other domain controllers (I don't
> > know how or why) and it connects randomly to any DC in my domain (in
> > this case dc06.domain, but it changes every time), in addition to the
> > configured one (dc03.domain).
> > 
> > This is using "hosts = dc03.domain:3268":
> > 
> > [root@ ~]# netstat -anp | grep dovecot | grep auth
> > tcp0  0 :58485 
> > :3268 ESTABLISHED 4982/dovecot/auth
> > 
> > In this case, only the server configured in the hosts parameter is used (I
> > think this is the right behaviour).
> > 
> > 
> > Additional info:
> > ---
> > CentOS Linux release 7.0.1406 (Core)
> > 
> > dovecot 2.2.10
> > 
> > Build options: ioloop=epoll notify=inotify ipv6 openssl
> > io_block_size=8192 Mail storages: shared mdbox sdbox maildir mbox
> > cydir imapc pop3c raw fail SQL driver plugins: mysql postgresql sqlite
> > Passdb: checkpassword ldap pam passwd passwd-file shadow sql
> > Userdb: checkpassword ldap(plugin) nss passwd prefetch passwd-file sql
> > 
> > 
> > My /etc/dovecot/dovecot-ldap.conf.ext
> > --
> > #hosts = dc03.domain:3268
> > hosts = dc03.domain:389
> > #uris = ldap://dc03.domain
> > base = DC=domain
> > #tls = yes
> > tls = no
> > ldap_version = 3
> > auth_bind = yes
> > auth_bind_userdn = %u@domain
> > #auth_bind_userdn = DOMAIN\%u
> > dn = cn=,cn=Users,dc=domain
> > dnpass = 
> > 
> > #scope   = subtree
> > #deref   = never
> > 
> > user_filter =
> > (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> > pass_filter =
> > (&(userPrincipalName=%u@domain)(objectClass=person)(|(mail=%u@)(othermailbox=%u@)))
> > pass_attrs  = userPassword=password
> > user_attrs  = Initials=quota_rule=*:storage=%$MB
> > ---
> > 
> > 
> > --
> > Log trace using PORT 389:
> > --
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > where=0x10, ret=1: before/accept initialization []
> > Sep  7 19:00:35  dovecot: imap-login: Debug: SSL:
> > where=0x2001, ret=1: before/accept initialization 

Re: How to "Windows Authenticate"

2015-09-08 Thread Mark Foley
More experimentation ...

I tried removing userdb and passdb from the dovecot NTLM config. That didn't
work. I then tried adding a static userdb as follows:

userdb {
  driver = static
#  allow_all_users = yes
  args = gid=100 home=/home/HPRS/%n
}

(Interestingly, when I uncommented "allow_all_users" I got an "unsupported
setting" [or something like that], even though that was in there from the
beginning and is shown in the example wiki 
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm)

Anyway, in both tests my error messages were the same:

Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Sep 08 18:38:16 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Sep 08 18:38:16 auth: Debug: auth client connected (pid=8758)
Sep 08 18:38:16 auth: Debug: client in: AUTH1   NTLMservice=imap
session=vPWqBUQfeADAqAA6  lip=192.168.0.2  rip=192.168.0.58
lport=143   rport=56184
Sep 08 18:38:16 auth: Debug: client passdb out: CONT1
Sep 08 18:38:16 auth: Info: ntlm(?,192.168.0.58,): user not 
authenticated: NT_STATUS_LOGON_FAILURE
Sep 08 18:38:18 auth: Debug: client passdb out: FAIL1

Notice that my userid (mark or mark@ohprs) is nowhere to be found.  Whereas when
I specified the userdb passwd at least it had a user id in the error log.  From
my previous test with userdb passwd and passdb shadow:

Sep 05 16:45:19 auth: Debug: client passdb out: OK      1      user=mark@hprs  
original_user=mark@HPRS
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): 
unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND       998899713

The "Info: ntlm" log entry has ntlm(?,192.168.0.58,), whereas
the previous test "Info shadow" log entry has Info:
shadow(mark@hprs,192.168.0.58).

Of course I have no passdb specified which is right for NTLM ... or is it?

I feel like this should be obvious to someone familiar with Dovecot. Once again,
it's difficult for me to believe no one on planet Earth (who also happens to
subscribe to this list) has ever done Dovecot/ntlm from Outlook before.

Help!!! If I can't get this last bit sorted out I'll be forced back to Server
2012 and Exchange.

Thanks, --Mark

-----Original Message-
From: Mark Foley <mfo...@ohprs.org>
Date: Mon, 07 Sep 2015 21:28:23 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Comments interspersed with yours ...

--Mark

-Original Message-
> Date: Sun, 06 Sep 2015 20:00:11 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
>   Hmm.  I would expect to see 'm...@hprs.com'.  Whatever your full domain
> name is.

Full user@domain would be mark@hprs.local

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping.  Your AD users shouldn't be in there when all is said and done. 

I was thinking this too.  I don't know why NTLM would need a userdb at all.  It
should just use something like ntlm_auth (which is configured in
auth_winbind_helper).

What if I simply removed the userdb?  What would you recommend for userdb, 
passdb?

> Well, when I did a Samba4 install as a DC it still behaved like a Samba3
> member, and there were no AD users in the local unix passwd files.
>
> What does wbinfo -u provide?  It should list all your users - especially
> because it's a DC.  Whatever wbinfo -u shows, you may need to adjust
> another config file to match what Dovecot is receiving.

$ wbinfo -u

Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh

These are all the AD users (most obfuscated for a bit of security). I am testing
with user mark.

>
> I assume /etc/nsswitch.conf has been modified to use Samba?
>

Unless the Samba provision did something to nsswitch, I've done nothing; nor
have I seen anything in the Samba or dovecot wikis suggesting changes.  Remember
also that the Samba4 AD/DC works perfectly with redirected folders and users
logging on to any Windows workstations, and works perfectly with things wanting
"Windows Authentication" like SQLserver, so the "Windows Authentication" does
work at some level.  My /etc/nsswitch.conf is:

passwd: compat
group:  compat

hosts:  files dns
networks:   files

services:   files
protocols:  files
rpc:files
ethers: files
netmasks:   files
netgroup:   files
bootparams: files

automount:  files
aliases:files

> Sorry I haven't done this, but it doesn't seem like anyone else has either
> - so I'm just shooting in the

Re: How to "Windows Authenticate"

2015-09-07 Thread Mark Foley
Comments interspersed with yours ...

--Mark

-Original Message-
> Date: Sun, 06 Sep 2015 20:00:11 -0500
> From: Rick Romero <r...@havokmon.com>
> To: dovecot@dovecot.org
> Subject: Re: How to "Windows Authenticate"
>
>   Hmm.  I would expect to see 'm...@hprs.com'.  Whatever your full domain
> name is.

Full user@domain would be mark@hprs.local

> It also won't look up /etc/shadow - Samba is doing the AD->Unix UID
> mapping.  Your AD users shouldn't be in there when all is said and done. 

I was thinking this too.  I don't know why NTLM would need a userdb at all.  It
should just use something like ntlm_auth (which is configured in
auth_winbind_helper).

What if I simply removed the userdb?  What would you recommend for userdb, 
passdb?

> Well, when I did a Samba4 install as a DC it still behaved like a Samba3
> member, and there were no AD users in the local unix passwd files.
>
> What does wbinfo -u provide?  It should list all your users - especially
> because it's a DC.  Whatever wbinfo -u shows, you may need to adjust
> another config file to match what Dovecot is receiving.

$ wbinfo -u

Administrator
Guest
krbtgt
dns-mail
mark
sogo
**arr
**ress
**mith
**nee
**ris
**atterson
**armaine
**tkeson
**mmitoh

These are all the AD users (most obfuscated for a bit of security). I am testing
with user mark.

>
> I assume /etc/nsswitch.conf has been modified to use Samba?
>

Unless the Samba provision did something to nsswitch, I've done nothing; nor
have I seen anything in the Samba or dovecot wikis suggesting changes.  Remember
also that the Samba4 AD/DC works perfectly with redirected folders and users
logging on to any Windows workstations, and works perfectly with things wanting
"Windows Authentication" like SQLserver, so the "Windows Authentication" does
work at some level.  My /etc/nsswitch.conf is:

passwd: compat
group:  compat

hosts:  files dns
networks:   files

services:   files
protocols:  files
rpc:files
ethers: files
netmasks:   files
netgroup:   files
bootparams: files

automount:  files
aliases:files

> Sorry I haven't done this, but it doesn't seem like anyone else has either
> - so I'm just shooting in the dark here trying to get you steered in the
> right direction...
>
> Rick

Yeah, I can't seem to find a soul on the planet who has actually done this. If I
get it figured out I'll post with a suggestion to Timo to wiki-ize it.

I'm a bit puzzled that no one appears to have done this. I would think that a
Samba4 AD/DC in an office environment with lots of Windows workstations running
Outlook would be about the most common environment there is; especially now that
Small Business Server is no longer sold and Server Essentials does not support
Exchange. What are all the SBS/Exchange/Outlook small businesses doing? Limping
along with SBS2008/11, or putting their email in Outlook.com? Seems like the
Samba4/dovecot/Outlook combo would be an ideal migration.

I appreciate your help.

>
> Quoting Mark Foley <mfo...@ohprs.org>:
>
> > More info ...
> >
> > My dovecot error log shows:
> >
> > Sep 05 16:45:19 auth: Debug: client in: AUTH    1       NTLM   
> > service=imap
> > Sep 05 16:45:19 auth: Debug: client passdb out: OK      1     
> >  user=mark@hprs  original_user=mark@HPRS
> > Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713   10219   1
> > f56352c207cb8f6dea4d264b2c0f8dc1   session_pid=10220   request_auth_token
> > Sep 05 16:45:19 auth-worker(5498): Debug:
> > shadow(mark@hprs,192.168.0.58): lookup
> > Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58):
> > unknown user
> > Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND   998899713
> >
> > whereas the successful 'plain login' config'ed mechanism (before adding
> > NTLM
> > config) have:
> >
> > Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210):
> > lookup
> >
> > The failed ntlm look-up is looking up user mark@hprs in shadow, which it
> > doesn't
> > find. Is there a way to strip the "@hprs" bit from the user so it can
> > find the
> > correct entry in /etc/shadow? That might fix the problem.
> >
> > --Mark
> >
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Sat, 05 Sep 2015 17:12:50 -0400
> > To: dovecot@dovecot.org
> > Subject: Re: How to "Windows Authenticate"
> >
> > Rick et al,
> >
> > The link you gave was a start, but is targeted for Samba3 and is
> > assuming a
> > probably Windows [SBS]Server AD/

Re: How to "Windows Authenticate"

2015-09-06 Thread Mark Foley
More info ...

My dovecot error log shows:

Sep 05 16:45:19 auth: Debug: client in: AUTH 1 NTLM service=imap
Sep 05 16:45:19 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:45:19 auth: Debug: master in: REQUEST 998899713 10219 1 f56352c207cb8f6dea4d264b2c0f8dc1 session_pid=10220 request_auth_token
Sep 05 16:45:19 auth-worker(5498): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:45:19 auth-worker(5498): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:45:19 auth: Debug: master userdb out: NOTFOUND 998899713

whereas the successful 'plain login' config'ed mechanism (before adding NTLM
config) have:

Sep 06 20:27:38 auth-worker(18616): Debug: shadow(mark,104.6.249.210): lookup

The failed ntlm look-up is looking up user mark@hprs in shadow, which it doesn't
find. Is there a way to strip the "@hprs" bit from the user so it can find the
correct entry in /etc/shadow? That might fix the problem.

--Mark

-Original Message-----
From: Mark Foley <mfo...@ohprs.org>
Date: Sat, 05 Sep 2015 17:12:50 -0400
To: dovecot@dovecot.org
Subject: Re: How to "Windows Authenticate"

Rick et al,

The link you gave was a start, but is targeted for Samba3 and is assuming a
probably Windows [SBS]Server AD/DC separate from the DC hosting dovecot, and
includes setting up kerberos. 

I'm using a Samba4 AD/DC with integrated kerberos (so I don't think there is any
setup I can do there).  Nevertheless I've followed the instructions otherwise;
specifically adding to 10-auth.conf the following recommended lines:

auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth
mechanisms = plain ntlm login

(Before, my 'mechanisms' were only plain and login). /usr/bin/ntlm_auth has
global r/w privilege.

I did not specify the static userdb since these users are configured in
/etc/passwd and I thought that would work; example given in link (could that be
an issue?):

userdb static {
   args= uid=501 gid=501 home=/home/vmail/%1Ln/%Ln
   mail=maildir:/home/vmail/%d/%1Ln/%Ln:INBOX=/home/vmail/%d/%1Ln/%Ln
   allow_all_users=yes
}

This didn't work. Also, existing, working Outlook connections using 'logon'
(i.e. the userID and PW are configured in Outlook) stopped working.

I changed a test Outlook client to check the 'Request login using Secure
Password Authentication (SPA)' and also checked: More Settings > Outgoing Server
> My outgoing server (SMTP) requires authentication' and 'Use same settings as
my incoming mail server'.  Note that on the "Change Account" dialog (where the
SPA checkbox is) the 'User Name' and 'Password' retained their values and were
not grayed out as I would have expected if using AD authentication. 

After doing the above and clicking 'Test Account Settings' I was re-prompted to
enter a password - also not expected. At bottom are the Dovecot log message I
received after doing the 'Test Account Settings'.

Surely, connecting from an Outlook client to Dovecot on a Samba4 AD/DC should be
a very common implementation. Has someone done this successfully?

Immediately below is my doveconf -n and below that the dovecot log messages.

> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = , method=NTLM, 
rip=192.168.0.58, lip=192.168.0.2, mpid=10220, session=
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Sep 05 16:46:22 imap-login: Debug: SSL: elliptic curve secp384r1 will be used 
for ECDH and ECDHE key exchanges
Sep 05 16:46:22 auth: Debug: Loading modules from directory: 
/usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth: Debug: Read auth token secret from 
/usr/local/var/run/dovecot/auth-token-secret.dat
Sep 05 16:46:22 auth: Debug: auth client connected (pid=13487)
Sep 05 16:46:22 auth: Debug: client in: AUTH 1 NTLM service=imap session=IlvqGwYf0wDAqAA6 lip=192.168.0.2 rip=192.168.0.58 lport=143 rport=52947
Sep 05 16:46:22 auth: Debug: client passdb out: OK 1 user=mark@hprs original_user=mark@HPRS
Sep 05 16:46:22 auth: Debug: master in: REQUEST 3030384641 13487 1 bac5f6531f9d4c3316f93bd4c4a63ddd session_pid=13491 request_auth_token
Sep 05 16:46:22 auth-worker(13492): Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 05 16:46:22 auth-worker(13492): Debug: shadow(mark@hprs,192.168.0.58): lookup
Sep 05 16:46:22 auth-worker(13492): Info: shadow(mark@hprs,192.168.0.58): unknown user
Sep 05 16:46:22 auth: Debug: master userdb out: NOTFOUND 3030384641
Sep
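
What the thread never reaches is a config in which the NTLM path finds the account once ntlm_auth has accepted it. The log above shows the mechanism succeeding ("client passdb out: OK") and only the later lookup failing, because winbind reports the user as mark@HPRS while /etc/passwd and /etc/shadow know "mark". The fragment below is an added example, not a config posted in this thread or shipped by Dovecot or Samba; it starts from the doveconf -n output above and assumes the mail server is the Samba4 AD/DC itself (so ntlm_auth reaches winbindd locally) and that each domain user still has an /etc/passwd entry for the userdb.

```conf
# Added example for Dovecot 2.2 on a Samba4 AD/DC. Not from the thread.
# Assumptions: local /etc/passwd + /etc/shadow entries remain for the userdb,
# and ntlm_auth talks to a winbindd running on this host.

auth_mechanisms = plain login ntlm
auth_use_winbind = yes
auth_winbind_helper_path = /usr/bin/ntlm_auth

# NTLM hands Dovecot the name as mark@HPRS. The default auth_username_format
# (%Lu) only lowercases it; %Ln keeps just the part before the '@', so the
# shadow and passwd lookups see "mark" exactly as they do for PLAIN/LOGIN.
auth_username_format = %Ln

# The posted config writes every password in clear text to info_log_path
# (auth_debug_passwords = yes, auth_verbose_passwords = plain). Leave these
# off outside a short debugging session; auth_verbose alone logs failures.
auth_debug_passwords = no
auth_verbose_passwords = no
auth_verbose = yes

passdb {
  driver = shadow
}
userdb {
  driver = passwd
}
```

Two checks before blaming Dovecot. First, ntlm_auth's NTLMSSP helper mode uses winbindd's privileged pipe, so the user the auth process runs as (dovecot by default) must be able to open it; on most packages that means membership in the group that owns the winbindd_privileged directory, which is the permission problem Rick alludes to. Second, running `ntlm_auth --username=mark --password=...` as that same user should print NT_STATUS_OK before Dovecot is involved at all; if it does not, the problem is on the Samba side.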

Re: How to "Windows Authenticate"

2015-09-05 Thread Mark Foley
i, you may need to
> recompile with the right features.
>
> Also - check the permissions of the ntlm_auth program. That's caused many
> issues with Radius installs, IIRC.
>
> Hope that helps!
>
> Rick
>
> Quoting Mark Foley <mfo...@ohprs.org>:
>
> > This can't be that hard. I think I've enabled LDAP in Dovecot just by
> > including
> > dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I
> > now have
> > the configuration shown below. Two questions:
> >
> > 1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
> > accounts still have the ID and password set in "Logon Information".
> > Checking
> > "Require logon using Secure Password Authentication (SPA)" doesn't work.
> > All I
> > can seem to find on the Internet is how to configure address books using
> > LDAP.
> >
> > 2. Should I remove "passdb { driver = shadow }" from the dovecot
> > configuration?
> >
> > Anybody?
> >
> > $ doveconf -n
> > # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> > # OS: Linux 3.10.17 x86_64 Slackware 14.1
> > auth_debug_passwords = yes
> > auth_mechanisms = plain login
> > auth_verbose = yes
> > auth_verbose_passwords = plain
> > disable_plaintext_auth = no
> > info_log_path = /var/log/dovecot_info
> > mail_location = maildir:~/Maildir
> > passdb {
> > driver = shadow
> > }
> > passdb {
> > args = /etc/dovecot/dovecot-ldap.conf.ext
> > driver = ldap
> > }
> > protocols = imap
> > ssl_cert =  > ssl_key =  > userdb {
> > driver = passwd
> > }
> > userdb {
> > args = /etc/dovecot/dovecot-ldap.conf.ext
> > driver = ldap
> > }
> > verbose_ssl = yes
> >
> > -Original Message-
> > From: Mark Foley <mfo...@ohprs.org>
> > Date: Wed, 02 Sep 2015 13:31:35 -0400
> > To: dovecot@dovecot.org
> > Subject: How to "Windows Authenticate"
> >
> >> I've been using Dovecot 2.2.15 as the IMAP server for Outlook
> >> (2010/2013) on
> >> Windows workstations for over 6 months with no problems.  Dovecot is
> >> hosted on
> >> the office Samba4 AD/DC server.
> >>
> >> I have been using auth_mechanisms plain login, and passdb driver =
> >> shadow.
> >>
> >> What I'd like to do now is use the "Windows Authenticated" login so I
> >> don't have
> >> to have separate passwords for users logging into the Windows AD
> >> workstations
> >> and their Outlook clients.
> >>
> >> If anyone has actually done this I'd appreciate some tips. My various
> >> attempts
> >> have not been successful.
> >>
> >> Here is my current config:
> >>
> >> $ doveconf -n
> >> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> >> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> >> auth_debug_passwords = yes
> >> auth_mechanisms = plain login
> >> auth_verbose = yes
> >> auth_verbose_passwords = plain
> >> disable_plaintext_auth = no
> >> info_log_path = /var/log/dovecot_info
> >> mail_location = maildir:~/Maildir
> >> passdb {
> >>   driver = shadow
> >> }
> >> protocols = imap
> >> ssl_cert =  >> ssl_key =  >> userdb {
> >>   driver = passwd
> >> }
> >> verbose_ssl = yes
> >>
> >> Thanks, Mark Foley
> >

Re: How to "Windows Authenticate"

2015-09-03 Thread Mark Foley
This can't be that hard. I think I've enabled LDAP in Dovecot just by including
dovecot-ldap.conf.ext in 10-auth.conf and using the default settings. I now have
the configuration shown below. Two questions:

1. How do I set Outlook to authenticate with LDAP? Currently the Outlook
accounts still have the ID and password set in "Logon Information". Checking
"Require logon using Secure Password Authentication (SPA)" doesn't work. All I
can seem to find on the Internet is how to configure address books using LDAP.

2. Should I remove "passdb { driver = shadow }" from the dovecot configuration?

Anybody?

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = imap
ssl_cert = 
Date: Wed, 02 Sep 2015 13:31:35 -0400
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"

> I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
> Windows workstations for over 6 months with no problems.  Dovecot is hosted on
> the office Samba4 AD/DC server. 
>
> I have been using auth_mechanisms plain login, and passdb driver = shadow.
>
> What I'd like to do now is use the "Windows Authenticated" login so I don't 
> have
> to have separate passwords for users logging into the Windows AD workstations
> and their Outlook clients.
>
> If anyone has actually done this I'd appreciate some tips. My various attempts
> have not been successful.
>
> Here is my current config:
>
> $ doveconf -n
> # 2.2.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.10.17 x86_64 Slackware 14.1
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot_info
> mail_location = maildir:~/Maildir
> passdb {
>   driver = shadow
> }
> protocols = imap
> ssl_cert =  ssl_key =  userdb {
>   driver = passwd
> }
> verbose_ssl = yes
>
> Thanks, Mark Foley
>From dovecot-boun...@dovecot.org  Wed Sep  2 13:32:13 2015
Return-Path: <dovecot-boun...@dovecot.org>
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98.6 at mail
X-Spam-Checker-Version: SpamAssassin 3.3.2-_revision__1.14__ (2011-06-06) on
mail.hprs.local
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=3.0 tests=none autolearn=unavailable
version=3.3.2-_revision__1.14__
X-Original-To: dovecot@dovecot.org
Delivered-To: dovecot@dovecot.org
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98.6 at mail
From: Mark Foley <mfo...@ohprs.org>
Date: Wed, 02 Sep 2015 13:31:35 -0400
Organization: Ohio Highway Patrol Retirement System
To: dovecot@dovecot.org
Subject: How to "Windows Authenticate"
User-Agent: Heirloom mailx 12.5 7/5/10
Content-Type: text/plain; charset=us-ascii
X-BeenThere: dovecot@dovecot.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Dovecot Mailing List 
List-Unsubscribe: <http://dovecot.org/cgi-bin/mailman/options/dovecot>,
<mailto:dovecot-requ...@dovecot.org?subject=unsubscribe>
List-Archive: <http://dovecot.org/pipermail/dovecot/>
List-Post: <mailto:dovecot@dovecot.org>
List-Help: <mailto:dovecot-requ...@dovecot.org?subject=help>
List-Subscribe: <http://dovecot.org/cgi-bin/mailman/listinfo/dovecot>,
<mailto:dovecot-requ...@dovecot.org?subject=subscribe>
Errors-To: dovecot-boun...@dovecot.org
Sender: "dovecot" <dovecot-boun...@dovecot.org>
Status: R

I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
Windows workstations for over 6 months with no problems.  Dovecot is hosted on
the office Samba4 AD/DC server. 

I have been using auth_mechanisms plain login, and passdb driver = shadow.

What I'd like to do now is use the "Windows Authenticated" login so I don't have
to have separate passwords for users logging into the Windows AD workstations
and their Outlook clients.

If anyone has actually done this I'd appreciate some tips. My various attempts
have not been successful.

Here is my current config:

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = 
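
Outlook never talks LDAP for mail login; it sends a PLAIN or LOGIN password to Dovecot, and it is Dovecot's passdb that decides where that password is checked. An LDAP passdb that binds to the AD/DC as the user therefore gives the "one AD password" result the thread is after for clients that cannot do Kerberos or NTLM, without a copy of the password in /etc/shadow. The two files below are an added example, not posted in this thread and not taken from the Dovecot or Samba documentation. The domain hprs.local, the DC host name dc.hprs.local, the CA file path and the read-only service account "dovecot" are assumptions; adjust them to the real domain.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext   (added example, not from the thread)
# Assumptions: domain hprs.local, LDAPS enabled on the DC, a CA file for the
# DC certificate, and a read-only AD account used only to find the user's DN.

uris = ldaps://dc.hprs.local
ldap_version = 3
# Samba AD rejects simple binds that are not TLS-protected by default
# (ldap server require strong auth), and the bind carries the user's
# clear-text password, so verify the DC certificate rather than skip it.
tls_ca_cert_file = /etc/ssl/certs/hprs-ca.pem
tls_require_cert = demand

# Service account for the DN search. Keep this file mode 0600, root-owned.
dn = cn=dovecot,cn=Users,dc=hprs,dc=local
dnpass = REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD

# Bind as the found DN with the password the client supplied. AD does the
# check, so no hash is stored or compared on the mail server.
auth_bind = yes

base = dc=hprs,dc=local
scope = subtree

# %n is the part before any '@', so "mark" and "mark@hprs" both resolve to
# sAMAccountName "mark". The bitwise rule on userAccountControl (bit 0x2)
# refuses accounts that are disabled in AD even if the password is right.
pass_filter = (&(objectClass=user)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# --- dovecot.conf side (the mailbox layout from the posted config is kept) ---
# auth_mechanisms = plain login
# auth_username_format = %Ln
# disable_plaintext_auth = yes        # PLAIN/LOGIN only after TLS
# passdb {
#   driver = ldap
#   args = /etc/dovecot/dovecot-ldap.conf.ext
# }
# userdb {
#   driver = passwd                   # uid/gid/home still from /etc/passwd
# }
```

On the question of keeping the shadow passdb: Dovecot tries passdbs in the order listed and, by default, falls through to the next one when a lookup fails, so leaving shadow first only means the local copy of the password is tried before AD. Listing the ldap passdb alone is what removes the duplicate-password maintenance the first post describes, and disable_plaintext_auth = yes stops Outlook from sending that AD password over an unencrypted port 143 session.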

How to "Windows Authenticate"

2015-09-02 Thread Mark Foley
I've been using Dovecot 2.2.15 as the IMAP server for Outlook (2010/2013) on
Windows workstations for over 6 months with no problems.  Dovecot is hosted on
the office Samba4 AD/DC server. 

I have been using auth_mechanisms plain login, and passdb driver = shadow.

What I'd like to do now is use the "Windows Authenticated" login so I don't have
to have separate passwords for users logging into the Windows AD workstations
and their Outlook clients.

If anyone has actually done this I'd appreciate some tips. My various attempts
have not been successful.

Here is my current config:

$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = 

Howto NTLM

2015-02-12 Thread Mark Foley
Has anyone gotten NTLM working with Dovecot and Outlook? 

I have a Samba4 domain controller / active directory running just fine on Linux
Slackware64 14.1.  PLAIN authentication works just fine if I create /etc/passwd
accounts for the domain users. 

I've tried for over two weeks to get NTLM working from Outlook 2007 on a domain
workstation without success.  I end up with various permission errors and
ultimately procmail won't deliver if I adjust mailbox folder permissions too
liberally.  Also it seems I have to log in each time in Outlook. 

If someone has made this work, I'd be very interested in seeing the doveconf -n
output, the permissions on the mailbox directories, the nsswitch.conf, and
anything else you had to tweak to get this working.

I'd really love to have AD authentication working on this setup!

--Mark