Hi Everyone,

I'm currently using dovecot SASL in postfix and passwd-file in dovecot for authenticating my users. I want to switch to using IPA instead.

I have both the postfix (mailman01) and dovecot (mailman02) servers joined to the IPA domain. I have GSSAPI working in dovecot for IMAP. But, the SASL GSSAPI authentication in postfix fails with this error:

warning: unknown[10.200.5.100]: SASL GSSAPI authentication failed:

This is what dovecot logs:

Dec 12 22:31:54 mailman02 dovecot: auth: Debug: auth client connected (pid=0)
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=<hidden>
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for smtp at mailman02.theinside.rnr
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1

I've tried changing the "smtpd_sasl_local_domain" in postfix's main.cf file to "mailman02.theinside.rnr", but I get the same errors in dovecot and postfix. Right now the config in postfix looks like this:

import_environment="KRB5_KTNAME=/etc/postfix/smtp.keytab"
smtpd_sasl_local_domain = mailman01.theoutside.rnr

Does what I'm trying to do make sense? If so, how do I fix it? Do I have to stop using dovecot sasl in postfix and switch to cyrus sasl?

-- 
Ranbir
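The log lines above carry the useful detail: Dovecot's auth process acquires acceptor credentials for smtp at mailman02.theinside.rnr (its own hostname), while an SMTP client talking to Postfix on mailman01 obtains a ticket for smtp/mailman01.theoutside.rnr, and that is what "Wrong principal in request" means. The KRB5_KTNAME set in Postfix's import_environment never reaches Dovecot's auth process on the other host. The script below is an added diagnostic example, not code from this thread, Dovecot or Postfix: it parses the posted Dovecot lines for the principal Dovecot tried to use, compares it with the principal the client targets, and checks a constructed `klist -kt` listing for the expected key. The realm THEINSIDE.RNR and the keytab contents are assumptions; the Dovecot settings named in the hint (auth_gssapi_hostname, auth_krb5_keytab) are real settings.

```python
"""Diagnose a Dovecot 'Wrong principal in request' GSSAPI failure.

Added example (not from the thread, Dovecot or Postfix). Finds which
service principal Dovecot acquired credentials for and compares it with
the principal an SMTP client targets: smtp/<Postfix hostname>.
"""
import re

# Log lines as posted; the list archive rewrites '@' as ' at '.
DOVECOT_LOG = """\
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=<hidden>
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for smtp at mailman02.theinside.rnr
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
"""

# Constructed sample of 'klist -kt /etc/postfix/smtp.keytab' on the Postfix
# host. The realm THEINSIDE.RNR is an assumption; the thread never names it.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/postfix/smtp.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/10/2015 21:03:11 smtp/mailman01.theoutside.rnr@THEINSIDE.RNR
   2 12/10/2015 21:03:11 smtp/mailman01.theoutside.rnr@THEINSIDE.RNR
"""

_ACQUIRE_RE = re.compile(r"Obtaining credentials for (\w+)(?:@| at )(\S+)")
_KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+/\S+@\S+)\s*$", re.M)


def dovecot_acceptor_principal(log):
    """Return 'service/host' that Dovecot used as its own (acceptor) identity."""
    for line in log.splitlines():
        m = _ACQUIRE_RE.search(line)
        if m:
            return "%s/%s" % (m.group(1), m.group(2))
    return None


def keytab_principals(listing):
    """Principals in a klist -kt style listing, realm stripped, deduplicated."""
    return sorted({p.split("@", 1)[0] for p in _KEYTAB_RE.findall(listing)})


def diagnose(log, listing, postfix_host):
    """Compare what Dovecot acquires with what the client targets."""
    acceptor = dovecot_acceptor_principal(log)
    expected = "smtp/%s" % postfix_host
    report = {
        "dovecot_acquires": acceptor,
        "client_targets": expected,
        "expected_in_postfix_keytab": expected in keytab_principals(listing),
        "mismatch": acceptor is not None and acceptor != expected,
    }
    if report["mismatch"]:
        # Dovecot is the SASL server here, so it needs the key for the
        # Postfix host's principal and must be told to accept that name.
        report["hint"] = (
            "Dovecot's auth process needs a keytab holding %s "
            "(auth_krb5_keytab) and auth_gssapi_hostname = %s (or $ALL)"
            % (expected, postfix_host)
        )
    return report


if __name__ == "__main__":
    result = diagnose(DOVECOT_LOG, KEYTAB_LISTING, "mailman01.theoutside.rnr")
    for key, value in result.items():
        print("%-28s %s" % (key + ":", value))
```

Running it against the posted lines reports dovecot_acquires = smtp/mailman02.theinside.rnr against client_targets = smtp/mailman01.theoutside.rnr, which is exactly the mismatch the "Wrong principal in request" line describes. Changing smtpd_sasl_local_domain in Postfix does not change which keytab Dovecot's auth process reads, which is why that experiment produced the same error.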
Hi Ranbir

This is more a postfix question but I have done these configs before in a BETA-Lab and it's a real pain. I'll be glad to help if I can.

In my environment I had postfix directly authenticating SASL with the IPA server (FreeIPA) using Cyrus SASL libs. In IPA the service must be registered with principal smtp/HOSTNAME.

##
# /etc/postfix/sasl/smtpd.conf
##
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN

##
# /etc/default/saslauthd
##
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Regards,

Manuel Delgado
-----------------------------------------------------------
*Linux User* *#520940 <http://counter.li.org/>*
Mag. Computación e Informática
Universidad de Costa Rica
Centro de Informática

On Sun, Dec 13, 2015 at 11:21 AM, Ranbir <m3freak at thesandhufamily.ca> wrote:

> Hi Everyone,
>
> I'm currently using dovecot SASL in postfix and passwd-file in dovecot
> for authenticating my users. I want to switch to using IPA instead.
>
> I have both the postfix (mailman01) and dovecot (mailman02) servers
> joined to the IPA domain. I have GSSAPI working in dovecot for IMAP.
> But, the SASL GSSAPI authentication in postfix fails with this error:
>
> warning: unknown[10.200.5.100]: SASL GSSAPI authentication failed:
>
> This is what dovecot logs:
>
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: auth client connected
> (pid=0)
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1
> GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100
> secured resp=<hidden>
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100):
> Obtaining credentials for smtp at mailman02.theinside.rnr
> Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While
> processing incoming data: Unspecified GSS failure. Minor code may provide
> more information
> Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While
> processing incoming data: Wrong principal in request
> Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1
>
> I've tried changing the "smtpd_sasl_local_domain" in postfix's main.cf
> file to "mailman02.theinside.rnr", but I get the same errors in dovecot
> and postfix. Right now the config in postfix looks like this:
>
> import_environment="KRB5_KTNAME=/etc/postfix/smtp.keytab"
> smtpd_sasl_local_domain = mailman01.theoutside.rnr
>
> Does what I'm trying to do make sense? If so, how do I fix it? Do I
> have to stop using dovecot sasl in postfix and switch to cyrus sasl?
>
>
> --
> Ranbir
>
On Mon, 2015-12-14 at 09:10 -0600, Manuel Delgado wrote:
> This is more a postfix question but I have done these configs before
> in a BETA-Lab and it's a real pain. I'll be glad to help if I can.
>
> In my environment I had postfix directly authenticating SASL with the
> IPA server (FreeIPA) using Cyrus SASL libs. In IPA the service must be
> registered with principal smtp/HOSTNAME.

I managed to get past the SASL GSSAPI errors in postfix and now I'm seeing this in dovecot whenever postfix tries to deliver a message via lmtp:

Dec 14 17:24:49 mailman02 dovecot: auth: Debug: password( ranbir at theinside.rnr,DESKTOP): passdb doesn't support credential lookups
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: password( ranbir at theinside.rnr,DESKTOP): Credentials:
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: client passdb out: OK 1 user=ranbir at theinside.rnr
Dec 14 17:24:49 mailman02 dovecot: imap(ranbir at theinside.rnr): Debug: acl vfile: file /var/spool/mail/thesandhufamily.ca/ranbir/Maildir/.Sent/dovecot-acl not found
Dec 14 17:24:49 mailman02 dovecot: lmtp(15525): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt
Dec 14 17:24:49 mailman02 dovecot: lmtp(15525): Connect from POSTFIX
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: master in: USER 2 ranbir at thesandhufamily.ca service=lmtp lip=DOVECOT lport=24 rip=POSTFIX rport=56214
Dec 14 17:24:49 mailman02 dovecot: auth-worker(15521): Debug: passwd( ranbir at thesandhufamily.ca,POSTFIX): lookup
Dec 14 17:24:50 mailman02 dovecot: auth-worker(15521): passwd( ranbir at thesandhufamily.ca,POSTFIX): unknown user
Dec 14 17:24:50 mailman02 dovecot: auth: Debug: userdb out: NOTFOUND 2

Obviously postfix replies with a "user doesn't exist" message. I've tried creating a ldap_aliases file (and I added the config in main.cf) which should allow postfix to do a bind to my freeipa box, but postfix appears to never even try the ldap lookup. A manual test works OK, so I know the ldap_aliases file was done correctly.

Is it possible in Dovecot to translate the mail address lookup from postfix into just a "uid" search? If I could do that, Dovecot would find "ranbir" and report back to postfix the user exists.

-- 
Ranbir
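The userdb log lines show what is going on: LMTP asks the passwd userdb for the full address ranbir at thesandhufamily.ca, and a passwd lookup for a name containing a domain returns "unknown user". Dovecot's auth_username_format setting (a real setting: %u is the full user, %n the part before the @, %d the domain, and an L modifier lowercases; the default is %Lu, which keeps the domain) is the usual way to turn that into a plain uid lookup. The snippet below is an added model of that expansion written for this thread, not Dovecot's own code: it pulls the user out of the posted log line, applies a format string, and runs the result against a constructed passwd table to show the NOTFOUND versus OK outcome. One caveat the log itself supports: the IMAP session above authenticated as ranbir at theinside.rnr while LMTP looked up ranbir at thesandhufamily.ca, and a %n-based format collapses both (and any other domain Postfix accepts mail for) onto the same local account, so it should only be used where that one-namespace behaviour is intended.

```python
"""Model of Dovecot's auth_username_format expansion for userdb lookups.

Added example, not Dovecot's code and not from the thread. Supports the
%u / %n / %d variables with the optional L (lowercase) modifier and runs
the rewritten name against a constructed passwd table.
"""
import re

# Constructed stand-in for the local passwd userdb on mailman02.
PASSWD_USERS = {"ranbir": {"uid": 1001, "home": "/home/ranbir"}}

# The failing lookup as posted; the list archive writes '@' as ' at '.
LOG_LINE = ("Dec 14 17:24:50 mailman02 dovecot: auth-worker(15521): "
            "passwd( ranbir at thesandhufamily.ca,POSTFIX): unknown user")

_VAR_RE = re.compile(r"%(L?)([und])")
_LOG_RE = re.compile(r"passwd\(\s*(\S+?)(?:@| at )(\S+?),")


def expand_username_format(fmt, user):
    """Expand %u, %n, %d (with optional L modifier) the way Dovecot does."""
    local, _, domain = user.partition("@")
    values = {"u": user, "n": local, "d": domain}

    def repl(m):
        value = values[m.group(2)]
        return value.lower() if m.group(1) == "L" else value

    return _VAR_RE.sub(repl, fmt)


def userdb_lookup(user, username_format="%Lu"):
    """Simulate the userdb step: rewrite the name, then consult passwd."""
    key = expand_username_format(username_format, user)
    entry = PASSWD_USERS.get(key)
    return ("OK", key, entry) if entry else ("NOTFOUND", key, None)


def user_from_log(line):
    """Extract the looked-up user from a 'passwd( user,ip): ...' log line."""
    m = _LOG_RE.search(line)
    return "%s@%s" % (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    user = user_from_log(LOG_LINE)
    print("%-6s %s" % ("%Lu", userdb_lookup(user)))          # keeps the domain: NOTFOUND
    print("%-6s %s" % ("%Ln", userdb_lookup(user, "%Ln")))   # uid only: OK
```

With the default %Lu the lookup key is still ranbir@thesandhufamily.ca and the table misses, matching the NOTFOUND in the log; with %Ln the key becomes ranbir and the lookup succeeds. The same rewrite applies to passdb lookups too, so check that the IMAP side still resolves to the expected account after changing it.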