Hi

I have been asked to configure a dedicated rhel6 server for a customer.
I did not realise when I took this on how complicated it was going to be!
The purpose of the server is to host a group of websites for small businesses.
It came with postfix-2.6.6-2.2 dovecot-2.0.9 and mysql-2.1.67-1
I have installed virtualmin 3.98, usermin1.540-1 and horde 5
About a dozen currently inactive websites have been set up, mail is in /home/<domain>/Maildir
My problem is that I can telnet to postfix to send and receive emails and can see these within postfix in webmin
I have been having many problems getting dovecot to connect successfully to postfix.
I have also installed horde 5 which requires to authenticate to an imap server - that is dovecot.
This one server is intended to provide all services, so plain authentication is fine.
But I can't use /etc/passwd as the users are in virtualmin
I tried configuring ssl, with self-certification so the browser interface is https:

At the moment I've restored dovecot.conf and conf.d/10-master.conf, 10-auth.conf and 10-mail.conf to their original settings.
So an attempt to login through usermin gives me this

Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Feb 28 19:44:19 scotz1 dovecot: auth: Fatal: sql: Configuration file path not given
Feb 28 19:44:19 scotz1 dovecot: master: Error: service(auth): command startup failed, throttling

Previous to restoring the conf files I was getting this from horde

Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: auth client connected (pid=25627)
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=43954#011resp=dGVzdHNjb3R6LmNvLnVrAHRlc3RzY290ei5jby51awBwYXNzd29yZA=
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Feb 28 17:55:02 scotz1 dovecot: auth: Debug: passwd(testscotz.co.uk,127.0.0.1): lookup
Feb 28 17:55:02 scotz1 dovecot: auth: passwd(testscotz.co.uk,127.0.0.1): unknown user

Horde is using mysql for its database, but I don't particularly care what dovecot uses, although it seems sensible to do the same
I have created and removed several mysql databases during my attempts to get this to work.

I would greatly appreciate some assistance with this as every 'howto' I have found by googling describes different setups and just gets me deeper in the mire!

I want an authentication mechanism on this one server that virtualmin users and horde users (same people!) can use for imap mail.

I thought I knew what I was doing before I took this one on (I have configured and manage a dozen centos servers), but this one is making my head spin.

Yours in hope!
Peter Lawrie

On 28 Feb 2013 21:51, "peter lawrie" <peter.lawrie at glendiscovery.co.uk> wrote:
>
> Hi
> I have been asked to configure a dedicated rhel6 server for a customer.
> I did not realise when I took this on how complicated it was going to be!
> The purpose of the server is to host a group of websites for small
> businesses.
> It came with postfix-2.6.6-2.2 dovecot-2.0.9 and mysql-2.1.67-1
> I have installed virtualmin 3.98, usermin1.540-1 and horde 5
> About a dozen currently inactive websites have been set up, mail is in
> /home/<domain>/Maildir
> My problem is that I can telnet to postfix to send and receive emails and
> can see these within postfix in webmin
> I have been having many problems getting dovecot to connect successfully to
> postfix.
> I have also installed horde 5 which requires to authenticate to an imap
> server - that is dovecot.
> This one server is intended to provide all services, so plain
> authentication is fine.
> But I can't use /etc/passwd as the users are in virtualmin
> I tried configuring ssl, with self-certification so the browser interface
> is https:
>
> At the moment I've restored dovecot.conf and conf.d/10-master.conf,
> 10-auth.conf and 10-mail.conf to their original settings.
> So an attempt to login through usermin gives me this
> Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
> Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Feb 28 19:44:19 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
> Feb 28 19:44:19 scotz1 dovecot: auth: Fatal: sql: Configuration file path not given
> Feb 28 19:44:19 scotz1 dovecot: master: Error: service(auth): command startup failed, throttling
>
> Previous to restoring the conf files I was getting this from horde
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: auth client connected (pid=25627)
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=43954#011resp=dGVzdHNjb3R6LmNvLnVrAHRlc3RzY290ei5jby51awBwYXNzd29yZA=
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
> Feb 28 17:55:02 scotz1 dovecot: auth: Debug: passwd(testscotz.co.uk,127.0.0.1): lookup
> Feb 28 17:55:02 scotz1 dovecot: auth: passwd(testscotz.co.uk,127.0.0.1): unknown user
>
> Horde is using mysql for its database, but I don't particularly care what
> dovecot uses, although it seems sensible to do the same
> I have created and removed several mysql databases during my attempts to
> get this to work.
>
> I would greatly appreciate some assistance with this as every 'howto' I
> have found by googling describes different setups and just gets me deeper
> in the mire!
>
> I want an authentication mechanism on this one server that virtualmin users
> and horde users (same people!) can use for imap mail.
>
> I thought I knew what I was doing before I took this one on (I have
> configured and manage a dozen centos servers), but this one is making my
> head spin.
> Yours in hope!
> Peter Lawrie

Peter

Dovecot/postfix will need their own db, different from horde. (Although I suppose it's possible to add tables to it, but I'd hold it for you risky).
Several how-to's will give you sample db structures.
However check out automx.org

Simon

On 2/28/2013 12:50 PM, peter lawrie wrote:
> Hi
> I have been asked to configure a dedicated rhel6 server for a customer.
> I did not realise when I took this on how complicated it was going to be!
> The purpose of the server is to host a group of websites for small
> businesses.
> It came with postfix-2.6.6-2.2 dovecot-2.0.9 and mysql-2.1.67-1
> I have installed virtualmin 3.98, usermin1.540-1 and horde 5
> About a dozen currently inactive websites have been set up, mail is in
> /home/<domain>/Maildir
> My problem is that I can telnet to postfix to send and receive emails and
> can see these within postfix in webmin
> I have been having many problems getting dovecot to connect successfully to
> postfix.
> I have also installed horde 5 which requires to authenticate to an imap
> server - that is dovecot.
> This one server is intended to provide all services, so plain
> authentication is fine.

Do consider that since you have been tasked with setting up the server, you are responsible for doing it correctly. I see this configuration all the time and it is why so many servers get hacked. Only necessary services should be run in a single environment. The problem is that the more services that are run together, the more likely one will be found with a flaw, which then can be exploited to take down the whole server. It does no good to run Dovecot in a chroot jail when Apache has access to the whole filesystem.

Best: separate hardware - one web server, one DNS server (if you need to run DNS), one mail server, one SQL server, etc.
Good: some virtualizer, like Xen and run virtual instances of each of the above.
OK: run all server daemons carefully chroot jailed, with no common filesystem sharing. Interprocess communication can easily be accomplished via sockets.
Bad: Run everything in a big soup.

The trap is that for a small company, the belief is that no one wants to target them. That may be true sort of, but opportunistic hackers will take any third party machine because it gives them anonymity when attacking other more valuable targets. Put a sniffer on your Internet connection and you will see an average of three attacks / scans / probes per minute.

As Simon and Reindl have already covered some of your configuration questions, I will not repeat their answers.

Best of luck.

Dem

On Thu, 28 Feb 2013, peter lawrie wrote:

> My problem is that I can telnet to postfix to send and receive emails and
> can see these within postfix in webmin
> I have been having many problems getting dovecot to connect successfully to
> postfix.

Er, #1: Dovecot connects to postfix?

> I have also installed horde 5 which requires to authenticate to an imap
> server - that is dovecot.

#2: You use imp-authentication then?

> This one server is intended to provide all services, so plain
> authentication is fine.

> But I can't use /etc/passwd as the users are in virtualmin

#3: Where are the users in virtualmin?

> I would greatly appreciate some assistance with this as every 'howto' I
> have found by googling describes different setups and just gets me deeper
> in the mire!
>
> I want an authentication mechanism on this one server that virtualmin users
> and horde users (same people!) can use for imap mail.

Dovecot to use passwords from SQL, e.g. mysql:
http://wiki2.dovecot.org/AuthDatabase/SQL

Dovecot to fetch user information from SQL, e.g. mysql:
http://wiki2.dovecot.org/UserDatabase

Postfix is using Dovecot for AUTH:
http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

Postfix delivers message to Dovecot via LMTP:
http://wiki2.dovecot.org/HowTo/Virtual%2BPostfix%2BDspam%2BDovecot
(just skip the Dspam part)

Use imp-Auth in Horde.

Left: virtualmin

You will find information about password_query, user_query, & iterate_query in the first two links. Give Dovecot the correct SQL SELECT statements, be sure the password scheme virtualmin uses is supported by Dovecot, ensure that the configuration (either from SQL or conf files) tells Dovecot where the home and the mail base directories are, then it should work.

You will find plenty of HOWTOs about Postfix and Dovecot setup in the net.

--
Steffen Kaiser
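
The SQL passdb/userdb setup that the reply above points to, written out as an added example; it is not part of the original thread and not the Dovecot project's shipped configuration. The database, table, column and account names are hypothetical, and default_pass_scheme is an assumption that has to match the hashes actually stored. It uses a database separate from Horde's, as suggested earlier in the thread.

```conf
# --- /etc/dovecot/conf.d/10-auth.conf (fragment) ---
# Switch from system users to the SQL include.
#!include auth-system.conf.ext
!include auth-sql.conf.ext

# --- /etc/dovecot/conf.d/auth-sql.conf.ext ---
# The "Fatal: sql: Configuration file path not given" line in the log
# above is what the auth process reports when a passdb/userdb with
# driver = sql has no args pointing at the SQL settings file.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# --- /etc/dovecot/dovecot-sql.conf.ext ---
# Holds a database password: keep it owned by root with mode 0600.
driver = mysql

# Hypothetical database "mailauth" and account "dovecot_ro"; grant that
# account SELECT on the one table only, nothing on Horde's database.
connect = host=localhost dbname=mailauth user=dovecot_ro password=CHANGE_ME

# Assumption: hashes are stored as SHA512-CRYPT. Set this to the scheme
# the stored passwords really use, or prefix each hash with {SCHEME}.
default_pass_scheme = SHA512-CRYPT

# Hypothetical table mail_users(username, password, home, uid, gid, active).
# %u is the full login name as the client sent it.
password_query = SELECT username AS user, password FROM mail_users WHERE username = '%u' AND active = 1

# home must resolve to the directory that contains Maildir,
# e.g. /home/<domain> for the layout described in the first message.
user_query = SELECT home, uid, gid FROM mail_users WHERE username = '%u' AND active = 1

# Lets doveadm enumerate all users.
iterate_query = SELECT username AS user FROM mail_users
```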