On Mon, 22 Jun 2015, lejeczek wrote:

> On 22/06/15 09:43, Steffen Kaiser wrote:
>> On Mon, 22 Jun 2015, lejeczek wrote:
>>> On 22/06/15 09:16, lejeczek wrote:
>>>>
>>>> to=<me at my.domain>,orig_to=<root at localhost>, relay=dovecot, delay=39296,
>>>> delays=39294/2.2/0/0.27, dsn=4.3.0, status=deferred (temporary failure)
>>>>
>>>> and dovecot logs no error, despite having debug set to yes in a couple of
>>>> places; it shows:
>>>>
>>>> auth: Debug: master in: USER 1 me at my.domain service=lda
>>>> auth-worker(25343): Debug: passwd(me at my.domain): lookup
>>>> auth-worker(25343): passwd(me at my.domain): unknown user
>>>> auth: Debug: ldap(me at my.domain): user search:
>>>> base=ou=People,dc=my,dc=domain scope=subtree
>>>> filter=(&(objectClass=person)(uid=me)) fields
>>>> auth: Debug: ldap(me at my.domain): result: objectClass=top,top,top,top,
>>>>
>>>> ... here goes the whole lot of ldap attribs, and at the end:
>>>>
>>>> unused.
>>>>
>>>> For passdb & userdb in the configs I only configure an ldap backend, nothing
>>>> else. Ldap works, I can query it without failing.
>>>> I believe it's a very simple set up but I must be wrong somewhere.
>>>>
>>>> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>>>> pass_attrs = uid=user=%n,userPassword=password
>>
>> Use either uid=user or =user=%n but not uid=user=%n. I would use
>> uid=user, so the user cannot specify the case of the username.
>>
>>>> user_attrs =
>>>> =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>>> user_filter = (&(objectClass=person)(uid=%n))
>>>>
>>> even stranger, if I use (along with ldap in the configs):
>>
>> Please post:
>>
>> complete doveconf -n
>> and the complete LDAP config being referenced by the config.
>>
>>> userdb {
>>>   driver = static
>>>   args = uid=vmail gid=mail home=/var/spool/mail/%d/%n
>>> mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
>>> sieve_storage=/var/spool/mail/%d/%n/SIEVE
>>> sieve=/var/spool/mail/%d/%n/dovecot.sieve
>>> }
>>>
>>> dovecot starts to core dump:
>>>
>>> auth: Fatal: master: service(auth): child 9188 killed with signal 11 (core dumped)
>
> auth_debug = yes

The first lines should be something like this:

# 2.2.18 (8906101589f9): /usr/local/dovecot-2.2.18/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.8 (3df7e50f986d)
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.10

What version are you using?

> auth_mechanisms = login
> auth_verbose = yes
> first_valid_uid = 999
> mail_debug = yes
> mail_location = maildir:/var/spool/mail/my.domain/%u/Maildir
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix
> }
> passdb {
>   driver = pam
> }

Did you remove or comment out the line

10-auth.conf:#!include auth-system.conf.ext

?

> passdb {
>   args = /etc/dovecot/ldap-passdb-my.domain.conf
>   driver = ldap
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
>   sieve_storage = SIEVE
> }
> protocols = imap sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = mail
>     mode = 0660
>     user = vmail
>   }
>   unix_listener auth-userdb {
>     group = mail
>     mode = 0660
>     user = vmail
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> ssl_key = </etc/pki/dovecot/private/dovecot.pem
> userdb {
>   driver = passwd
> }
> userdb {
>   args = /etc/dovecot/ldap-userdb-my.domain.conf
>   driver = ldap
> }
> protocol lmtp {
>   mail_plugins = " sieve"
> }
> protocol lda {
>   mail_plugins = " sieve"
> }
>
> #ldap-passdb
> hosts = localhost
> uris = ldap://localhost:389/
> ldap_version = 3
> base = ou=People,dc=my,dc=domain
> dn = cn=Manager,dc=my,dc=domain
> dnpass = my.pass
> auth_bind = no
> pass_attrs = uid=%n,userPassword=password

uid=%n makes no sense. Please use just:

pass_attrs = userPassword=password

> pass_filter = (&(objectClass=posixAccount)(uid=%n))
>
>
> #ldap-userdb
> hosts = localhost
> uris = ldap://localhost:389/
> ldap_version = 3
> base = ou=People,dc=my,dc=domain
> dn = cn=Manager,dc=my,dc=domain
> dnpass = my.pass
> auth_bind = no
> user_attrs =
> =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
> user_filter = (&(objectClass=person)(uid=%n))
> default_pass_scheme = SSHA
>
> It cannot be postfix if it relays and dovecot gets these relays. Can it be?

I have tried your config with the above-mentioned version, with LDAP as the only passdb and userdb and these LDAP settings:

hosts = localhost
auth_bind = yes
base = <baseDN>
deref = searching
user_attrs = =home=/var/spool/mail/%d/%n,=mail=maildir:/var/spool/mail/%d/%n/Maildir:INDEX=/var/spool/mail/%d/%n:CONTROL=/var/spool/mail/%d/%n
user_filter = (&(objectClass=fhMailAlias)(uid=%n))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=fhMailAlias)(uid=%Ln)(!(deniedService=%Ls)))
iterate_filter = (objectClass=fhMailAlias)

Note the pass_attrs. Then I submitted a new message with:

socat stdin UNIX:/var/run/dovecot2.2/lmtp
LHLO loc
mail from:<me at example.com>
rcpt to:<other at example.com>
data
Subject: 1

1
.

successfully. Maildir was created and message spooled to /var/spool/mail/example.com/other/Maildir. Then I logged in via IMAP successfully as well.

I also tried the other order: reload Dovecot to flush any caches, log in via IMAP and submit via LMTP.

You should however note the following:

Both filters treat users "me at example.com" and "me at localhost.localdomain" as the same user, because they match the same LDAP item (uid=%n); however the directories of the users _should_ differ, but they won't as long as the user's information is cached in the auth cache.

That means:

doveadm auth cache flush
doveadm user me at example.net
doveadm user me at example.com

returns the data for me at example.net in both cases and

doveadm auth cache flush
doveadm user me at example.com
doveadm user me at example.net

returns the data for me at example.com in both cases.

-- 
Steffen Kaiser
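The uid=%n collision Steffen describes above, as an added example that is not part of this thread nor of Dovecot's own code: a small Python model of Dovecot-style filter variable expansion (%u, %n, %d, %s with the L lowercasing modifier) with RFC 4515 escaping, a parser for the (&...), (|...), (!...) and (attr=value) filter subset, and a constructed two-entry directory run through both a uid-only filter and a filter on the full address. The directory entries, the lookup helper and the objectClass person in the filters are assumptions made for illustration; the %-variable syntax follows Dovecot's documented variables, but the expansion and matching code here is mine, not Dovecot's.

```python
import re

# RFC 4515 escaping for values interpolated into a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_unescape(value: str) -> str:
    """Reverse ldap_escape: turn \\xx hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template: str, user: str, service: str = "lmtp") -> str:
    """Expand %u (full user), %n (local part), %d (domain) and %s (service);
    an L modifier (%Ln, %Ls) lowercases first. Every value is escaped."""
    local, _, domain = user.partition("@")
    variables = {"u": user, "n": local, "d": domain, "s": service}

    def repl(m: re.Match) -> str:
        value = variables[m.group(2)]
        if m.group(1) == "L":
            value = value.lower()
        return ldap_escape(value)

    return re.sub(r"%(L?)([unds])", repl, template)


def parse_filter(text: str, pos: int = 0):
    """Parse the (&...), (|...), (!...) and (attr=value) subset of RFC 4515.
    Returns (node, position just after the closing parenthesis)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = parse_filter(text, pos + 1)
        node = ("!", child)
    else:
        end = text.index(")", pos)  # escaped values never contain a raw ')'
        attr, _, value = text[pos:end].partition("=")
        node, pos = ("=", attr.lower(), ldap_unescape(value)), end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute -> list of values).
    Names and values are compared case-insensitively, as most LDAP schemas do."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, wanted = node
    return any(v.lower() == wanted.lower() for v in entry.get(attr, []))


# Constructed sample directory (attribute names stored lowercase).
DIRECTORY = [
    {"objectclass": ["top", "person", "posixAccount"], "uid": ["me"],
     "mail": ["me@example.com"], "deniedservice": []},
    {"objectclass": ["top", "person", "posixAccount"], "uid": ["other"],
     "mail": ["other@example.com"], "deniedservice": ["imap"]},
]


def lookup(template: str, user: str, service: str = "lmtp") -> list:
    """Expand the template for this user, evaluate it over DIRECTORY and
    return the mail addresses of the matching entries."""
    node, _ = parse_filter(expand_filter(template, user, service))
    return [entry["mail"][0] for entry in DIRECTORY if matches(node, entry)]


if __name__ == "__main__":
    uid_only = "(&(objectClass=person)(uid=%n))"
    by_mail = "(&(objectClass=person)(mail=%Lu))"
    for user in ("me@example.com", "me@localhost.localdomain"):
        print(f"{user:26} uid-only -> {lookup(uid_only, user)}  by-mail -> {lookup(by_mail, user)}")
```

With the uid-only filter both me at example.com and me at localhost.localdomain resolve to the same entry, which is why a cached answer for one of them can be served for the other; matching on the full address (mail=%Lu) keeps the two apart, the L modifier stops the client from choosing the case of the looked-up name, and the escaping makes a "*" or ")" in a username match only itself.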
On 23/06/15 09:32, Steffen Kaiser wrote:
> [...]
>
> You should however note the following:
>
> Both filters treat users "me at example.com" and "me at localhost.localdomain" as the same user, because they match the same LDAP item (uid=%n); however the directories of the users _should_ differ, but they won't as long as the user's information is cached in the auth cache.
>
> That means:
>
> doveadm auth cache flush
> doveadm user me at example.net
> doveadm user me at example.com
>
> returns the data for me at example.net in both cases and
>
> doveadm auth cache flush
> doveadm user me at example.com
> doveadm user me at example.net
>
> returns the data for me at example.com in both cases.

it's weird I know, I do:

# doveadm auth test -x service=smtp -x rip=172.25.12.214 me at my.domain
Password:
passdb: me at my.domain auth succeeded
extra fields:
  user=me at my.domain

and in the logs:

auth-worker(32531): Debug: pam(me at my.domain,172.25.12.214): lookup service=dovecot
auth-worker(32531): Debug: pam(me at my.domain,172.25.12.214): #1/1 style=1 msg=Password:
pam_unix(dovecot:auth): check pass; user unknown
pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=me at my.domain rhost=172.25.12.214
auth-worker(32531): pam(me at my.domain,172.25.12.214): unknown user
auth: Debug: ldap(me at my.domain,172.25.12.214): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me at my.domain))) fields=uid,userPassword
auth: Debug: ldap(me at my.domain,172.25.12.214): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me at my.domain,172.25.12.214): result: uid=info userPassword=<hidden>
auth: Debug: client passdb out: OK 1 user=me at my.domain

so it seems fine, right?

only I do a simple test on that dovecot locally

echo repli_test | mail -s "repl test" my at my.domain

to get:

auth-worker(365): Debug: passwd(me at my.domain): lookup
auth-worker(365): passwd(me at my.domain): unknown user
auth: Debug: password(me at my.domain): passdb doesn't support credential lookups
auth: Debug: ldap(me at my.domain): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me at my.domain))) fields=uid,userPassword
auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>; uid,userPassword unused
auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>
auth: Fatal: master: service(auth): child 364 killed with signal 11 (core dumped)

the same error with:
doveadm user me at my.domain

so it must be userdb, right? maybe it's postfix twisting something?
On Tue, 23 Jun 2015, lejeczek wrote:

> [...]
> only I do a simple test on that dovecot locally
>
> echo repli_test | mail -s "repl test" my at my.domain
>
> to get:
>
> auth-worker(365): Debug: passwd(me at my.domain): lookup
> auth-worker(365): passwd(me at my.domain): unknown user
> auth: Debug: password(me at my.domain): passdb doesn't support credential lookups
> auth: Debug: ldap(me at my.domain): pass search: base=ou=spotdepression.org,ou=mail,dc=virtual,dc=hosting scope=subtree filter=(&(objectclass=person)(|(uid=info)(mail=me at my.domain))) fields=uid,userPassword
> auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>; uid,userPassword unused
> auth: Debug: ldap(me at my.domain): result: uid=info userPassword=<hidden>
> auth: Fatal: master: service(auth): child 364 killed with signal 11 (core dumped)
>
> the same error with:
> doveadm user me at my.domain
>
> so it must be userdb, right?

No, you've authenticated before and some data are now in the auth cache, which is used by the userdb, too.

1) You do not have any system users, right? Then remove the passwd userdb and pam passdb.

2) Did you remove the "uid=user=%n" from pass_attrs?

There might be fixes since 2.2.10:

changeset:   18538:d3332ee1d26a
user:        Timo Sirainen <tss at iki.fi>
date:        Thu May 07 17:18:44 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Added assert to make sure previous change is correct.

changeset:   18537:8a3da4ef590f
user:        Timo Sirainen <tss at iki.fi>
date:        Thu May 07 11:27:55 2015 +0300
files:       src/auth/auth-worker-client.c
description:
auth: Fixed credentials lookups via auth-workers when no actual password was returned.
For example LDAP lookup with auth_bind=yes should still return any extra fields.

changeset:   18536:5dc00179dd60
user:        Timo Sirainen <tss at iki.fi>
date:        Thu May 07 11:21:33 2015 +0300
files:       src/auth/passdb-ldap.c
description:
ldap auth: If password is already verified (e.g. master user login), skip LDAP auth binding.
This happens only if auth_bind_userdn isn't set, i.e. it only makes sense if the LDAP DN lookup also returns some extra fields.

changeset:   18402:635f9c7d5991
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Apr 13 20:38:10 2015 +0300
files:       src/auth/auth-request.c
description:
auth: If passdb/userdb changes the username, add the changed username also to the cache.

changeset:   18401:08b2f79e8212
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Apr 13 20:37:48 2015 +0300
files:       src/auth/auth-request.c
description:
auth: Setting userdb fields from cache didn't handle any special fields.
The special fields were relatively rarely used though.

changeset:   18364:3546457ae3fb
user:        Timo Sirainen <tss at iki.fi>
date:        Tue Mar 17 17:30:33 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Crashfixes for earlier changes. Hopefully works correctly now

changeset:   18363:a4acf88b0c91
user:        Timo Sirainen <tss at iki.fi>
date:        Tue Mar 17 10:49:20 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Fixed crash when handling invalid SSL option.

changeset:   18362:870cb73e5960
user:        Timo Sirainen <tss at iki.fi>
date:        Tue Mar 17 09:58:03 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h
description:
auth ldap: Fixed assert-crash when both passdb ldap and userdb ldap were used

changeset:   18361:0a17875f0ece
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Mar 16 23:25:34 2015 +0200
files:       src/auth/db-ldap.c src/auth/db-ldap.h src/auth/passdb-ldap.c src/auth/userdb-ldap.c
description:
auth ldap: Start LDAP connection only after auth process initialization is finished.
This way even if connecting to LDAP takes a while it won't cause the master process to kill the auth process due to it not sending the startup "I'm ok" notification early enough.

changeset:   18360:d9a0d4f4f4b6
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Mar 16 23:21:05 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: Make sure config file path is included in all fatal error messages.

changeset:   18359:ec2e7ae958c5
user:        Timo Sirainen <tss at iki.fi>
date:        Mon Mar 16 23:17:39 2015 +0200
files:       src/auth/db-ldap.c
description:
auth ldap: If any tls_* settings are given when they're not supported, fail with fatal instead of just warning.
These may be important for intended security, especially tls_cipher_suite. We shouldn't allow setting them and then somewhat silently just ignore them.

....

-- 
Steffen Kaiser