Hi, I'm new to the list but have been trying to get dovecot configured for the past week and a bit. I've gone through the list archives and solved a few of my problems, but most don't seem to be addressed.

First off I want to say thanks for starting this project, I've been hoping that someone would start an IMAP/POP server with some flexibility in the way it's configured and provides both packages in one. I've tried setting up Courier once and found it onerous, UW was easier but forces a bunch of assumptions that don't suit the way I wanted to configure virtual mail. I'd love to run dovecot, eventually with LDAP and Jamm, and Exim to handle my virtual domains, however I'm running into a fair number of problems and haven't had any luck getting past them.

I'm running a RedHat 7.3 SMP server, with iptables for a firewall, so I've got several cards and thus IPs. I started out with dovecot 99.4 but noted that it was missing the LDAP, tried 99.8-test5 and am now working with 99.8-test7, both seem to have the same problems.

I'm currently trying to setup an IMAP server on the inside of the firewall, 192.168.2.X. If I use just imap, turn off SSL/TLS I'm fine, and can do plaintext authentication via shadow, but I can't get PAM authentication working.

If I turn on SSL (ssl_disable = no), neither the imap nor the imaps respond and a netstat -tp shows that no process owns the socket PID/process = '-', often with characters in the Recv-Q.

I've tried turning on all the debugging flags for configure on, --with-rawlog --enable-debug --enable-asserts --with-ssl=openssl as well as verbose_proctitle = yes, and auth_verbose = yes, setup logfiles /var/log/dovecot/messages, yet all I get are authorization messages. And I've noted that a number of them only show up after I've killed the dovecot process, so I'm wondering if there needs to be a bit of flushing somewhere?

As well I've also tried to run "dovecot -F", with the log files commented out in the .conf file, but get nothing via stderr.

I note that when I try the log_timestamp option, the dates sent from imap-login are completely incorrect and don't change, so I don't think the date is being read correctly. Is log_timestamp operational?

One thing I'm not clear on is what process to run it under, I've setup a user/group 'dovecot', but does dovecot have to be a member of wheel?

I've also noted in earlier versions you had things running via imapd-master, but that now seems to have been replaced by "dovecot", is that correct?

Is anyone else running dovecot on a SMP system? Any comments or suggestions? I do have development experience, but my Linux/UNIX programming is a bit rusty. I'd love to help make this a rocking product, but need some help getting dovecot up and running.

Any help is appreciated.

Thanks,
TJ
timsn at thtree.com
http://www.thtree.com/People/TJ/Resume.html

On Fri, 2003-02-21 at 02:37, Tim Snider wrote:
> I'm running a RedHat 7.3 SMP server, with iptables for a firewall, so
> I've got several cards and thus IPs. I started out with dovecot 99.4 but
> noted that it was missing the LDAP, tried 99.8-test5 and am now working
> with 99.8-test7, both seem to have the same problems.

Well, I'll put out -test8 now. There's a bit more fixes, although not for any of yours.

> I'm currently trying to setup an IMAP server on the inside of the
> firewall, 192.168.2.X. If I use just imap, turn off SSL/TLS I'm fine,
> and can do plaintext authentication via shadow, but I can't get PAM
> authentication working.

What error messages does PAM give if auth_verbose = yes? Or is that just a PAM configuration problem (pam_ldap?), nothing to do with Dovecot?

> If I turn on SSL (ssl_disable = no), neither the imap nor the imaps
> respond and a netstat -tp shows that no process owns the socket
> PID/process = '-', often with characters in the Recv-Q.

But the dovecot processes exist? And the imap-login processes? Your certificates are ok? Maybe the processes are stuck at something.. Check if they call poll() every few seconds with strace -p? And what do you mean by doesn't respond - "connection refused" or does it just hang there?

> I've tried turning on all the debugging flags for configure on,
> --with-rawlog --enable-debug --enable-asserts --with-ssl=openssl
> as well as verbose_proctitle = yes, and auth_verbose = yes, setup
> logfiles /var/log/dovecot/messages, yet all I get are authorization
> messages. And I've noted that a number of them only show up after I've
> killed the dovecot process, so I'm wondering if there needs to be a bit
> of flushing somewhere?

I do call fflush() after each write to log. Killing with SIGTERM will do clean exit which may log more things, maybe it's just that? Also killing child processes makes master process log their exits.

> As well I've also tried to run "dovecot -F", with the log files
> commented out in the .conf file, but get nothing via stderr.

Default is to log with syslog. If you want stderr, set log path to /dev/stderr.

> I note that
> when I try the log_timestamp option, the dates sent from imap-login are
> completely incorrect and don't change, so I don't think the date is
> being read correctly. Is log_timestamp operational?

What messages do you even get from imap-login? Normally there should never be anything. I didn't anyway notice problems with log_timestamp, what format did you try? imap-logins are also chrooted by default. There used to be a bug that they couldn't get timezone right because of it, but that's the only time related problem I can think of.

> One thing I'm not clear on is what process to run it under, I've setup a
> user/group 'dovecot', but does dovecot have to be a member of wheel?

You should run dovecot as root. The dovecot user should be used only for login processes (defined in config file), and it shouldn't be in wheel group. Actually I think it even refuses to run if it's in wheel group (or gid 0).

> I've also noted in earlier versions you had things running via
> imapd-master, but that now seems to have been replaced by "dovecot", is that
> correct?

Yes.

Thanks Timo, turns out I'm more of a rookie at sysconfiguring than I thought, so perhaps this helps identify stuff that a rookie wouldn't already know...<G>

On Thu, 2003-02-20 at 19:46, Timo Sirainen wrote:
>
> > I've not configured up LDAP on my server yet, so it's just plain PAM for
> > now. I'm able to login fine with all my other apps, so I doubt it's a
> > problem with PAM, but not impossible. I haven't done anything with PAM
> > on this machine yet as it's live. I've been testing things out on
> > another machine(NON-SMP/RH8), which I'll try tomorrow if I get a
> > chance.)
>
> You have to have it configured in /etc/pam.d/imap. For example:
>
> auth required pam_unix.so nullok
> account required pam_unix.so

Thanks, this makes more sense than the options you provide in doc/auth.txt, so you may wish to change that. On both RH7.3 and a RH8.0 box here, I don't have pwdfile, it's apparently been replaced by other functionality.

>
> > each imap-login is waiting at a read(7,
>
> That's the problem then. It really shouldn't be blocking there. Could
> you get the backtrace to see where it's hanging? ie. run as root:
>
> gdb /usr/local/libexec/dovecot/imap-login <pid of the imap-login>
>
> and "bt" in it.

It's hung up in SSL_CTX_use_PrivateKey() in ssl-proxy-openssl.c, which as you correctly surmised below, is due to a password protected key. I've located and used mkcert.sh. As a note the only docs for doc/mkcert.sh are halfway through the NEWS file and rapidly receding as you add new releases, (congrats on the fast progress by the way!), however you might consider adding a short note about it to the doc/auth.txt or doc/configuration.txt file for those new to dovecot.

> > > I do call fflush() after each write to log. Killing with SIGTERM will do
> > > clean exit which may log more things, maybe it's just that? Also killing
> > > child processes makes master process log their exits.
> >
> > I usually note the messages log (watched by a tail -f) show up after I
> > kill the dovecot master process.(Kill -9)
>
> Depends on what the messages are I guess. But if you're kill -9ing the
> master process, it's quite likely that the child processes will complain
> about losing it.

After playing a bit, I think that those messages were due to the kill -9, SIGTERM is nicer. I still end up with little in the way of verbose debugging messages, by my standards. Usually all I see is login and logout messages. Otherwise, I get the occasional lockfile message, which is something that I need to sort out with Exim, and completely on my end.

> > dovecot: Feb 20 18:11:51 Info: Dovecot starting up
> > imap-login: Dec 31 16:00:00 Fatal: Can't load private key file
> > /usr/local/ssl/private/cedarintkey.pem: error:0906406D:PEM
> > routines:DEF_CALLBACK:problems getting password
>
> Err, isn't this the reason why your SSL doesn't work? :) Or was that
> just an example? If your private key is crypted with some password,
> Dovecot can't use it at least currently..

Correct! Doh! I have been able to use imaps, since I built a non-passworded private key. I was using passworded keys that I'd built for Apache, and would eventually like to have one set of keys that I can reference for each virtual domain. Were you planning on something like the Apache startssl option?

I can live with the constraint of one 'connection' key for now. Have you considered allowing each virtual domain to have its own keys? Kind of difficult as the secure pipe to the server is already in place by the time the login name is seen... Kinda makes it tough for a true virtual presence without explicit assigned IP's. Hmmm, any plans for at least a different keys/identity per IP? If I understand the configuration file for now, it seems to be designed for one cert per machine.

Thanks for the help, I've just got to sort out the lockfile differences between Exim and Dovecot and I should then be functional. After that I'll start using LDAP.

TJ
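
The failure diagnosed in this thread (imap-login blocking in SSL_CTX_use_PrivateKey() because the key file is passphrase-protected) can be caught before the server is started. The following is an added example, not part of the original messages or of Dovecot's code: a Python check that reads a PEM file's block labels and headers and reports whether each private key needs a passphrase. The function names and the sample PEM blocks are constructed for illustration.

```python
import re

# One PEM block: captures the label and everything up to the matching END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Header the traditional OpenSSL key format adds when the key is encrypted.
PROC_TYPE = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.M)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
              "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def classify_pem_keys(pem_text):
    """Return [(label, "encrypted" | "plain")] for each private key block."""
    results = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label not in KEY_LABELS:
            continue  # certificate or other non-key block
        # PKCS#8 marks encryption in the label; the traditional format
        # marks it with a Proc-Type header ahead of the base64 body.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or bool(PROC_TYPE.search(body))
        results.append((label, "encrypted" if encrypted else "plain"))
    return results


def usable_by_daemon(pem_text):
    """True only if the file holds at least one key and none needs a passphrase."""
    keys = classify_pem_keys(pem_text)
    return bool(keys) and all(state == "plain" for _, state in keys)


# Constructed samples: the base64 bodies are placeholders, not key material.
BODY = "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
SAMPLE_TRADITIONAL_ENC = ("-----BEGIN RSA PRIVATE KEY-----\n"
                          "Proc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                          + BODY + "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY
                    + "-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_CERT_AND_PLAIN_KEY = ("-----BEGIN CERTIFICATE-----\n" + BODY
                             + "-----END CERTIFICATE-----\n"
                             "-----BEGIN RSA PRIVATE KEY-----\n" + BODY
                             + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in [("traditional", SAMPLE_TRADITIONAL_ENC),
                      ("pkcs8", SAMPLE_PKCS8_ENC),
                      ("cert+key", SAMPLE_CERT_AND_PLAIN_KEY)]:
        print(name, classify_pem_keys(pem), usable_by_daemon(pem))
```

A key file that fails this check has to be decrypted to a separate copy before a server without a passphrase prompt can load it, and that unencrypted copy should be readable only by the account that loads it.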