dago at quantentunnel.de
2013-Aug-15 17:23 UTC
[Dovecot] IMAP Proxying and SSL Certificates on OpenBSD
Hi list,

I am currently trying to configure dovecot to act as an IMAP proxy in front of a
Groupwise server. Because of a policy, no services of the gw server may be
directly served to the web. So currently this is only a security measure.
Dovecot was previously used for providing sasl-auth capabilities to postfix.
IMAP proxy features should be added now. Authentication backend is LDAP. OS is
OpenBSD 5.2. Dovecot version is 2.1.8.

Currently I am fighting with the following error in the logs:

dovecot: master: Dovecot v2.1.8 starting up
dovecot: auth: Warning: userdb passwd: Move templates args to override_fields
setting
dovecot: auth: Error: passwd(username,78.104.X.X,<e9YE/gDkOQBOaKfg>):
getpwnam() failed: Operation not permitted
dovecot: imap-login: Login: user=<username>, method=PLAIN, rip=78.104.X.X,
lip=5.9.X.X, mpid=1765, session=<e9YE/gDkOQBOaKfg>
dovecot: imap(username): Error: user username: Initialization failed:
Initializing mail storage from mail_location setting failed: imapc: missing
imapc_password
dovecot: imap(username): Error: Invalid user settings. Refer to server log for
more information.

I hope to also see therein the cause for not providing STARTTLS:

# openssl s_client -connect mail.example.com:143 -starttls imap
CONNECTED(00000003)
didn't found STARTTLS in server response, try anyway...
15096:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_clnt.c:607:

As postfix is already using the certificates, they should be okay?

# dovecot -n
# 2.1.8: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.2 i386
disable_plaintext_auth = no
imapc_host = 10.0.0.2
mail_gid = vmail
mail_home = /home/vmail/%u
mail_location = imapc:~/imapc
mail_uid = vmail
passdb {
  args = scheme=plain-md5 username_format=%n /etc/dovecot/passwd
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
  driver = ldap
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = _postfix
    mode = 0660
    user = _postfix
  }
  user = root
}
service imap-login {
  chroot = login
}
service pop3-login {
  chroot = login
}
ssl = no
ssl_ca = </etc/ssl/ca.crt
ssl_cert = </etc/ssl/pf/mail.example.com.crt
ssl_key = </etc/ssl/pf/mail.example.comkey
userdb {
  args = username_format=%n /etc/dovecot/passwd
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}

# dovecot-ldap.conf
hosts = 10.0.0.2:389
dn = cn=ldapaccess,o=servercontext
dnpass = secretpass
auth_bind = yes
ldap_version = 3
base = o=usercontext
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter =
(&(&(objectClass=Person)(cn=%u))(groupMembership=cn=SMTPsender,o=permissiongroups))
pass_attrs = cn=user,userPassword=password
pass_filter =
(&(&(objectClass=Person)(cn=%u))(groupMembership=cn=SMTPsender,o=permissiongroups))

Thanks in advance!

Best regards
Timo Sirainen
2013-Aug-15 20:05 UTC
[Dovecot] IMAP Proxying and SSL Certificates on OpenBSD
On 15.8.2013, at 20.23, dago at quantentunnel.de wrote:

> dovecot: imap(username): Error: user username: Initialization failed: Initializing mail storage from mail_location setting failed: imapc: missing imapc_password
..
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
>   driver = ldap
> }

Here you are setting the userdb_* fields, which work only with userdb prefetch.

> userdb {
>   args = username_format=%n /etc/dovecot/passwd
>   driver = passwd
> }
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   driver = ldap
> }

But you're not using userdb prefetch.
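For readers following the reply above, this is an added example of the relevant part of dovecot.conf wired the way Timo describes (passdb returning userdb_* fields, consumed by a prefetch userdb placed before the LDAP userdb); it is not a configuration posted in the thread. The ssl_key filename and the ssl = yes line are assumptions for illustration, since the posted config has ssl = no, which disables STARTTLS entirely.

```conf
# Added example, not from the thread: imapc proxy settings with userdb prefetch.

# ssl = no in the posted config is why s_client saw no STARTTLS capability.
ssl = yes
ssl_cert = </etc/ssl/pf/mail.example.com.crt
ssl_key = </etc/ssl/pf/mail.example.com.key   # assumed filename for this example

mail_location = imapc:~/imapc
imapc_host = 10.0.0.2
mail_home = /home/vmail/%u
mail_uid = vmail
mail_gid = vmail

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
  # userdb_* fields set here are only consumed by a prefetch userdb;
  # a passwd or ldap userdb ignores them, hence "missing imapc_password".
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
}

# Must come before any other userdb: it turns the userdb_* fields returned
# by the passdb lookup into the user's settings (imapc_user, imapc_password).
userdb {
  driver = prefetch
}

# Fallback for lookups that did not pass through passdb (e.g. doveadm, LMTP),
# where prefetch has no fields to work with and returns "user unknown".
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
}
```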