Hello everyone,

I have set up postfix to deliver mails to dovecot (2.0.16) using LMTP. On the
other hand, I've successfully configured the IMAP proxy setting in dovecot
in order to be able to distribute mailboxes among different servers. I wanted to
do the same proxy at LMTP level, but it's not working. If I put lmtp_proxy =
no, then everything works ok (assuming the mailbox is local), but when I set
lmtp_proxy = yes then the user is not found when delivering the message via
LMTP, so the mail remains in the postfix queue.

Users are validated through Active Directory. However, this AD doesn't have
SFU installed, thus its LDAP schema doesn't provide me with the required
uid, gid, etc. To solve this, I have winbind configured in the system, so
I'm doing this:

- To validate users *and* be able to set the proxy extra fields, I use ldap as
"passdb" (I believe it's not possible to use proxies with PAM).
I'm using some LDAP field to store the host that has the user's mailbox.
- In order to get the user account data that is not available in the AD, I use
passwd as "userdb".

I know that when using LMTP with proxy, a passdb needs to be configured. I
assume this is needed for the service to look up the appropriate host to send
the message. So, initially I set ldap as the passdb for LMTP, but just because
it didn't work I put both ldap and passwd, and even a userdb (passwd), but
the problems remain the same. Anyway, ldap should be the right one, as that is
where I have the host information for each user.

I think I'm missing something but I can't find what it is. To summarize:
with lmtp_proxy = no it does work, with lmtp_proxy = yes it doesn't. Thank
you for your help!

This is my current config:
************* dovecot -n **************
# 2.0.16: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.37-gentoo-edicom-1104 x86_64 Gentoo Base System release 1.12.14
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_username_format = %n
auth_verbose = yes
base_dir = /var/run/dovecot/
listen = *
lmtp_proxy = yes
login_trusted_networks = 127.0.0.1
mail_debug = yes
mail_location = maildir:~/maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster at domain.com
protocols = imap pop3 sieve lmtp
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = root
    mode = 0600
    user = root
  }
}
service imap {
  vsz_limit = 512 M
}
service lmtp {
  inet_listener lmtp {
    address = 192.168.0.90
    port = 24
  }
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/ssl/dovecot/server.pem
ssl_key = </etc/ssl/dovecot/server.key
submission_host = 192.168.0.22
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lmtp {
  passdb {
    args driver = passwd
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap.conf.ext
    driver = ldap
  }
  userdb {
    args driver = passwd
  }
}
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = delay-newmail
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
****************************************************
************** cat dovecot-ldap.conf.ext **************
hosts = dcserver:389
dn = cn=binduser,cn=Users,dc=edicom,dc=es
dnpass = bindpassword
tls = no
debug_level = -1
auth_bind = yes
ldap_version = 3
base = CN=Users,DC=domain,DC=com
deref = never
scope = subtree
user_filter = (&(memberOf=CN=correo,OU=Alfresco,DC=edicom,DC=es)(sAMAccountName=%u))
pass_attrs = userPassword=password,=proxy_maybe=Y,physicalDeliveryOfficeName=host
pass_filter = (&(memberOf=CN=correo,OU=Alfresco,DC=edicom,DC=es)(sAMAccountName=%u))
****************************************************
The results I get in the log:
****************************************************
dovecot [2011-11-24 15:53:39] [warning] master: Warning: Killed with signal 15
(by pid=10437 uid=0 code=kill)
dovecot [2011-11-24 15:53:40] [info] master: Dovecot v2.0.16 starting up (core
dumps disabled)
dovecot [2011-11-24 15:53:50] [debug] lmtp(10506): Debug: none: root=, index=,
control=, inbox=, alt
dovecot [2011-11-24 15:53:50] [info] lmtp(10506): Connect
from local
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_bind
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_simple_bind
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_sasl_bind
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_send_initial_request
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_new_connection 1 1 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_int_open_connection
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_connect_to_host: TCP
dcserver:389
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_new_socket: 17
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_prepare_socket: 17
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_connect_to_host: Trying
192.168.0.67:389
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_pvt_connect: fd: 17 tm: -1
async: 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_open_defconn: successful
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_send_server_request
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: master in: PASS 1
myuser at domain.com service=lmtp
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: password(myuser): passdb
doesn't support credential lookups
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: password(myuser): passdb
doesn't support credential lookups
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: password(myuser): passdb
doesn't support credential lookups
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: master out: FAIL 1
dovecot [2011-11-24 15:53:50] [err] lmtp(10506): Error: user myuser at
domain.com: Auth PASS lookup failed
dovecot [2011-11-24 15:53:50] [debug] lmtp(10506): Debug: auth input:
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_result ld 0x16518d0 msgid
-1
dovecot [2011-11-24 15:53:50] [err] auth: Error: wait4msg ld 0x16518d0 msgid -1
(timeout 0 usec)
dovecot [2011-11-24 15:53:50] [err] auth: Error: wait4msg continue ld 0x16518d0
msgid -1 all 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ** ld 0x16518d0 Connections:
dovecot [2011-11-24 15:53:50] [err] auth: Error: * host: domain.com port: 389
(default)
dovecot [2011-11-24 15:53:50] [err] auth: Error: refcnt: 2 status: Connected
dovecot [2011-11-24 15:53:50] [err] auth: Error: last used: Thu Nov 24
15:53:50 2011
dovecot [2011-11-24 15:53:50] [err] auth: Error:
dovecot [2011-11-24 15:53:50] [err] auth: Error:
dovecot [2011-11-24 15:53:50] [err] auth: Error: ** ld 0x16518d0 Outstanding
Requests:
dovecot [2011-11-24 15:53:50] [err] auth: Error: * msgid 1, origid 1, status
InProgress
dovecot [2011-11-24 15:53:50] [err] auth: Error: outstanding referrals 0,
parent count 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ld 0x16518d0 request count 1
(abandoned 0)
dovecot [2011-11-24 15:53:50] [err] auth: Error: ** ld 0x16518d0 Response Queue:
dovecot [2011-11-24 15:53:50] [err] auth: Error: Empty
dovecot [2011-11-24 15:53:50] [err] auth: Error: ld 0x16518d0 response count 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_chkResponseList ld
0x16518d0 msgid -1 all 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_chkResponseList returns ld
0x16518d0 NULL
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_int_select
dovecot [2011-11-24 15:53:50] [err] auth: Error: read1msg: ld 0x16518d0 msgid -1
all 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: read1msg: ld 0x16518d0 msgid 1
message type bind
dovecot [2011-11-24 15:53:50] [err] auth: Error: read1msg: ld 0x16518d0 0 new
referrals
dovecot [2011-11-24 15:53:50] [err] auth: Error: read1msg: mark request
completed, ld 0x16518d0 msgid 1
dovecot [2011-11-24 15:53:50] [err] auth: Error: request done: ld 0x16518d0
msgid 1
dovecot [2011-11-24 15:53:50] [err] auth: Error: res_errno: 0, res_error:
<>, res_matched: <>
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_free_request (origid 1,
msgid 1)
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_parse_result
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_msgfree
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_result ld 0x16518d0 msgid
-1
dovecot [2011-11-24 15:53:50] [err] auth: Error: wait4msg ld 0x16518d0 msgid -1
(timeout 0 usec)
dovecot [2011-11-24 15:53:50] [err] auth: Error: wait4msg continue ld 0x16518d0
msgid -1 all 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ** ld 0x16518d0 Connections:
dovecot [2011-11-24 15:53:50] [err] auth: Error: * host: domain.com port: 389
(default)
dovecot [2011-11-24 15:53:50] [err] auth: Error: refcnt: 1 status: Connected
dovecot [2011-11-24 15:53:50] [err] auth: Error: last used: Thu Nov 24
15:53:50 2011
dovecot [2011-11-24 15:53:50] [err] auth: Error:
dovecot [2011-11-24 15:53:50] [err] auth: Error:
dovecot [2011-11-24 15:53:50] [err] auth: Error: ** ld 0x16518d0 Outstanding
Requests:
dovecot [2011-11-24 15:53:50] [err] auth: Error: Empty
dovecot [2011-11-24 15:53:50] [err] auth: Error: ld 0x16518d0 request count 0
(abandoned 0)
dovecot [2011-11-24 15:53:50] [err] auth: Error: ** ld 0x16518d0 Response Queue:
dovecot [2011-11-24 15:53:50] [err] auth: Error: Empty
dovecot [2011-11-24 15:53:50] [err] auth: Error: ld 0x16518d0 response count 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_chkResponseList ld
0x16518d0 msgid -1 all 0
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_chkResponseList returns ld
0x16518d0 NULL
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_int_select
dovecot [2011-11-24 15:53:50] [info] lmtp(10506): Disconnect from local: Client
quit (in reset)
****************************************************
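
A triage helper for a log like the one above, added here as an example and not part of the original post: it re-joins mail-wrapped records and pulls the auth master PASS lookup, its result and the passdb debug note out from between the LDAP library trace lines. The regular expressions and the output field names are assumptions fitted to the lines quoted in this post.

```python
import re

# Records taken from the post's log, hard-wrapped and with two records run together.
SAMPLE_LOG = """\
dovecot [2011-11-24 15:53:50] [debug] lmtp(10506): Debug: none: root=, index=,
control=, inbox=, altdovecot [2011-11-24 15:53:50] [info] lmtp(10506): Connect
from local
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: master in: PASS 1
myuser at domain.com service=lmtp
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: password(myuser): passdb
doesn't support credential lookups
dovecot [2011-11-24 15:53:50] [debug] auth: Debug: master out: FAIL 1
dovecot [2011-11-24 15:53:50] [err] lmtp(10506): Error: user myuser at
domain.com: Auth PASS lookup failed
dovecot [2011-11-24 15:53:50] [err] auth: Error: ldap_int_select
"""

REC = re.compile(r"dovecot \[\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\] \[\w+\] ")
PASS_IN = re.compile(r"master in: PASS (?P<id>\d+)\s+(?P<user>.+?)\s+service=(?P<service>\S+)")
MASTER_OUT = re.compile(r"master out: (\w+) (\d+)")
NOTE = re.compile(r"auth: Debug: \w+\([^)]*\): (.+)")
LMTP_ERR = re.compile(r"lmtp\(\d+\): Error: (.+)")

def split_records(text):
    """Undo wrapping and fused records by cutting at every record prefix."""
    flat = " ".join(text.split())
    starts = [m.start() for m in REC.finditer(flat)] + [len(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, starts[1:])]

def triage(text):
    """Group auth-master PASS lookups with their result and passdb notes."""
    out = {"lookups": {}, "lmtp_errors": [], "other": 0}
    current = None  # assumption: a note belongs to the most recent open lookup
    for rec in split_records(text):
        m_in, m_out = PASS_IN.search(rec), MASTER_OUT.search(rec)
        m_note, m_err = NOTE.search(rec), LMTP_ERR.search(rec)
        if m_in:
            current = m_in.group("id")
            out["lookups"][current] = {**m_in.groupdict(), "result": None, "notes": []}
        elif m_out and m_out.group(2) in out["lookups"]:
            out["lookups"][m_out.group(2)]["result"] = m_out.group(1)
            current = None
        elif m_note and current:
            out["lookups"][current]["notes"].append(m_note.group(1))
        elif m_err:
            out["lmtp_errors"].append(m_err.group(1))
        else:
            out["other"] += 1
    return out
```

Calling triage() on the full log text returns one entry per PASS lookup id, so the failed lookup and its passdb note can be read without scrolling through the trace.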