Drew Calcott
2008-Nov-12 04:19 UTC
[Dovecot] Sieve authentication / directory issue after upgrade to 1.0.13.
Hi everyone,

I have come across a problem after upgrading from 1.0.rc17 to 1.0.13 (debian builds 1.0.13 is from etch-backports).

I initially upgraded as 1.0.rc17 isn't compiled with regex support, so vacation messages that were uploaded via horde were being rejected. (Everything else was working fine, just messages that required regex functions were failing).

Horde is uploading the filters via pysieved, which is then in turn placing them in the directory of:

---------

/shared/spool/active/%d/%0.1u/%1.1u/%n/sieve/ingo

---------

At least, it was previously. Since upgrading, dovecot has changed the way it passes authentication details to pysieved and the domain is no longer included in the username, so the domain cannot be parsed and pysieved fails as it is unable to strip a value for %d. (as a quick aside, this isn't an issue with single domain servers as there is a "defaultdomain" option that will force the value for %d, however, since we have 9 domains to deal with, this isn't going to cut it).

Prior to upgrade, authentication was passed as thus (= are a new line in case the formatting dies)

--------

======= > 'AUTH\t1\tPLAIN\tservice=pysieved\tresp=YWNhbD* restofstring *
====== < OK\t1\tuser=acal030 at sit.auckland.ac.nz\tuser=acal030\t\n'
===== Finished SASL authentication : {'username':'acal030 at sit.auckland.ac.nz', 'result': 'OK'}
===== Plugin returned home :'/shared/spool/active/sit.auckland.ac.nz/a/c/acal030/'
= Authenticated user acal030 at sit.auckland.ac.nz

--------

Both user and user at domain were being passed and it was a matter of simple nagging of the pysieved guys to update their code to strip the required information.

However, the new version is passing auth like this:

--------

======= > 'AUTH\t1\tPLAIN\tservice=pysieved\tresp=YWNhbD* restofstring *
======= < 'OK\t1\tuser=acal030\n'
===== Finished SASL authentication : {'username': 'acal030', 'result': 'OK'}
===== Plugin returned home : '/shared/spool/active//a/c/acal030/'

-------

The only change to the dovecot config I have made is to add "allow_all_users=yes" to userdb static as the new version was a lot stricter about the passdb pam lookup not containing the user data (and failing completely as a result).

In the dovecot logs themselves, the following lines were from the earlier build:

------

Info: auth(default): client out: OK 1 user=acal030 at sit.auckland.ac.nz user=acal030
Info: auth(default): master in: REQUEST 243 23994 1
Info: auth(default): master out: USER 243 acal030 at sit.auckland.ac.nz home=/blah, mail=/blah etc.

------

Compared to this from the new one:

------

Info: auth(default): auth(acal030 at sit.auckland.ac.nz,130.216.39.182): username changed acal030 at sit.auckland.ac.nz -> acal030
Info: auth(default): client out: OK 1 user=acal030
Info: auth(default): prefetch(acal030,130.216.39.182): success
Info: auth(default): master out: USER 2 acal030 home=/blah, mail=/blah etc.

------

I am rather at the end of my tether with this, unfortunately. :( I have browsed through many wiki pages looking for a possible solution or config variable I may have missed, but I really am coming up dry.

Cleaned up dovecot.conf is at: http://pastebin.com/m7f4303af

Should anyone want strace logs or whatever, I'm more than happy to make with them.

Thanks in advance for any assistance.

Regards,

---
Drew Calcott
Science IT
University of Auckland
(p) +64 9 373 7599 x84269
Drew Calcott
2008-Nov-12 20:39 UTC
[Dovecot] Sieve authentication / directory issue after upgrade to 1.0.13.
This has been resolved.

The rather helpful tss from #dovecot noticed that the username variable within the checkpassword script was being rewritten and passed back without the domain. Simple matter of changing the variable name that checkpassword was using. :)

Drew Calcott wrote:
> Hi everyone,
>
> I have come across a problem after upgrading from 1.0.rc17 to 1.0.13
> (debian builds 1.0.13 is from etch-backports).
>
> I initially upgraded as 1.0.rc17 isn't compiled with regex support, so
> vacation messages that were uploaded via horde were being rejected.
> (Everything else was working fine, just messages that required regex
> functions were failing).
>
> Horde is uploading the filters via pysieved, which is then in turn
> placing them in the directory of:
>
>
> ---------
>
> /shared/spool/active/%d/%0.1u/%1.1u/%n/sieve/ingo
>
> ---------
>
>
> At least, it was previously. Since upgrading, dovecot has changed the
> way it passes authentication details to pysieved and the domain is no
> longer included in the username, so the domain cannot be parsed and
> pysieved fails as it is unable to strip a value for %d. (as a quick
> aside, this isn't an issue with single domain servers as there is a
> "defaultdomain" option that will force the value for %d, however, since
> we have 9 domains to deal with, this isn't going to cut it).
>
> Prior to upgrade, authentication was passed as thus (= are a new line in case the formatting dies)
>
>
> --------
>
> ======= > 'AUTH\t1\tPLAIN\tservice=pysieved\tresp=YWNhbD* restofstring *
> ====== < OK\t1\tuser=acal030 at sit.auckland.ac.nz\tuser=acal030\t\n'
> ===== Finished SASL authentication : {'username':'acal030 at sit.auckland.ac.nz', 'result': 'OK'}
> ===== Plugin returned home :'/shared/spool/active/sit.auckland.ac.nz/a/c/acal030/'
> = Authenticated user acal030 at sit.auckland.ac.nz
>
> --------
>
>
> Both user and user at domain were being passed and it was a matter of
> simple nagging of the pysieved guys to update their code to strip the
> required information.
>
> However, the new version is passing auth like this:
>
>
> --------
>
> ======= > 'AUTH\t1\tPLAIN\tservice=pysieved\tresp=YWNhbD* restofstring *
> ======= < 'OK\t1\tuser=acal030\n'
> ===== Finished SASL authentication : {'username': 'acal030', 'result': 'OK'}
> ===== Plugin returned home : '/shared/spool/active//a/c/acal030/'
>
> -------
>
> The only change to the dovecot config I have made is to add
> "allow_all_users=yes" to userdb static as the new version was a lot
> stricter about the passdb pam lookup not containing the user data (and
> failing completely as a result).
>
> In the dovecot logs themselves, the following lines were from the earlier build:
>
>
> ------
>
> Info: auth(default): client out: OK 1 user=acal030 at sit.auckland.ac.nz user=acal030
> Info: auth(default): master in: REQUEST 243 23994 1
> Info: auth(default): master out: USER 243 acal030 at sit.auckland.ac.nz home=/blah, mail=/blah etc.
>
> ------
>
>
> Compared to this from the new one:
>
>
> ------
>
> Info: auth(default): auth(acal030 at sit.auckland.ac.nz,130.216.39.182): username changed acal030 at sit.auckland.ac.nz -> acal030
> Info: auth(default): client out: OK 1 user=acal030
> Info: auth(default): prefetch(acal030,130.216.39.182): success
> Info: auth(default): master out: USER 2 acal030 home=/blah, mail=/blah etc.
>
> ------
>
>
> I am rather at the end of my tether with this, unfortunately. :( I have browsed through many wiki pages looking for a possible solution
> or config variable I may have missed, but I really am coming up dry.
>
> Cleaned up dovecot.conf is at: http://pastebin.com/m7f4303af
>
> Should anyone want strace logs or whatever, I'm more than happy to make with them.
>
> Thanks in advance for any assistance.
>
>
> Regards,
>
>
>
> ---
> Drew Calcott
> Science IT
> University of Auckland
> (p) +64 9 373 7599 x84269
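
Added example, not code from pysieved, Dovecot or either poster: a fail-closed expansion of the path template from the thread that refuses an auth reply whose user= value has lost its domain, instead of building a path with an empty %d component like '/shared/spool/active//a/c/acal030/'. The usernames are constructed, the function names are hypothetical, and the offset.width substring form is assumed to follow Dovecot's variable syntax.

```python
import re

# Path template quoted in the post. %d = domain, %n = local part,
# %u = full username, %O.Wu = W chars of %u from offset O (assumed semantics).
TEMPLATE = "/shared/spool/active/%d/%0.1u/%1.1u/%n/sieve/ingo"

_VAR = re.compile(r"%(?:(\d+)\.(\d+))?([dnu])")
# One path component: no slash, cannot be empty, "." or "..".
_COMPONENT = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")


class MissingDomain(ValueError):
    """The authenticated name has no usable user@domain form."""


def parse_auth_reply(line):
    """Return the first user= value of an OK auth reply, or None."""
    fields = line.rstrip("\n").split("\t")
    if fields[0] != "OK":
        return None
    for field in fields[2:]:
        if field.startswith("user="):
            return field[len("user="):]
    return None


def expand_home(template, username):
    """Expand the template; refuse names that would leave %d empty."""
    local, sep, domain = username.partition("@")
    if not (sep and _COMPONENT.fullmatch(local) and _COMPONENT.fullmatch(domain)):
        raise MissingDomain(username)
    values = {"d": domain, "n": local, "u": username}

    def substitute(match):
        value = values[match.group(3)]
        if match.group(1) is not None:  # offset.width substring form
            start = int(match.group(1))
            value = value[start:start + int(match.group(2))]
        return value

    return _VAR.sub(substitute, template)


if __name__ == "__main__":
    # Constructed replies: the first keeps the domain, the second has lost it.
    for reply in ("OK\t1\tuser=alice@example.org\tuser=alice\t\n", "OK\t1\tuser=alice\n"):
        try:
            print(expand_home(TEMPLATE, parse_auth_reply(reply)))
        except MissingDomain as exc:
            print("refused, no domain in authenticated name:", exc)
```

On a multi-domain server, refusing the request here keeps mailboxes with the same local part in different domains from resolving to one shared directory.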