Dimitri KOPRIWA
2017-Jun-29 10:39 UTC
Why does Dovecot authentication against Openldap fail when using TLS encryption?
Dear Mailing list,

I have a Dovecot v2.2.9 server that authenticates against an Openldap server. I want to configure Dovecot to use TLS for LDAP authentication.

I have tried to fetch/send emails using Thunderbird:
- IMAP succeeded to fetch mail
- SMTP failed to send mail

The Dovecot server produces the following log:

```
Jun 29 08:44:00 mail postfix/submission/smtpd[634]: connect from virtual.domain.com[172.16.0.1]
Jun 29 08:44:01 mail dovecot: auth: Debug: auth client connected (pid=0)
Jun 29 08:44:02 mail dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=172.17.0.15#011rip=172.16.0.1#011secured#011resp=<hidden>
Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me at domain.com,172.16.0.1): bind search: base=dc=mail,dc=domain,dc=com filter=(&(objectClass=CourierMailAccount)(mail=me at domain.com))
Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me at domain.com,172.16.0.1): no fields returned by the server
Jun 29 08:44:02 mail dovecot: auth: Debug: ldap(me at domain.com,172.16.0.1): result: uid missing
Jun 29 08:44:02 mail dovecot: auth: Debug: client passdb out: OK#0111#011user=me at domain.com
Jun 29 08:44:04 mail postfix/submission/smtpd[661]: connect from mail.node.domain-ovh.consul[172.16.0.2]
Jun 29 08:44:04 mail postfix/submission/smtpd[661]: lost connection after CONNECT from mail.node.domain-ovh.consul[172.16.0.2]
Jun 29 08:44:04 mail postfix/submission/smtpd[661]: disconnect from mail.node.domain-ovh.consul[172.16.0.2]
Jun 29 08:44:07 mail dovecot: auth: Debug: auth client connected (pid=662)
Jun 29 08:44:07 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.16.0.2, lip=172.17.0.15, TLS handshaking: Disconnected, session=<MGK6TRVTRACsEAAC>
```

**Note that before I switched to using TLS**, the server was doing a clear connection to Openldap and the **binding was working fine**.
I have verified the ldap query using `ldapsearch` and it confirmed my binding must have worked:

```
me at dev-01:[~]: ldapsearch -x -D "cn=readonly,dc=domain,dc=com" -W -H ldap://ldap.domain.com:389 -b "dc=mail,dc=domain,dc=com" -LLL "(&(objectClass=CourierMailAccount)(mail=me at domain.com))" -ZZ homeDirectory
Enter LDAP Password:
dn: mail=me at domain.com,dc=mailAccount,dc=domain.com ,dc=mail,dc=domain,dc=com
homeDirectory: /var/mail
```

I have the following `dovecot.cf`:

```
login_greeting = server ready
mail_uid = 5000
mail_gid = 5000
auth_mechanisms = plain login
disable_plaintext_auth = yes
ssl_ca = </etc/postfix/ssl/cacert.pem
auth_debug_passwords = no
auth_debug = yes
auth_verbose = yes
userdb {
  driver = ldap
  args = /etc/dovecot/conf.d/auth-ldap.conf.ext
}
passdb {
  driver = ldap
  args = /etc/dovecot/conf.d/auth-ldap.conf.ext
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

And this is the included `/etc/dovecot/conf.d/auth-ldap.conf.ext` file:

```
# SSL/TLS
uris = ldap://virtual.domain.com
auth_bind = yes
ldap_version = 3
dn = cn=readonly,dc=domain,dc=com
dnpass = abc
base = dc=mail,dc=domain,dc=com
user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
user_attrs = uidNumber=5000,gidNumber=5000,homeDirectory=home,mailbox=mail=maildir:%$/Maildir:LAYOUT=fs
default_pass_scheme = SSHA
tls = yes
tls_ca_cert_dir = /etc/postfix/ssl
```

Why does Dovecot authentication against Openldap fail when I switch to TLS encryption?

Hoping this mail will be read by somebody,

Regards,
Dimitri
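One thing the `ldapsearch -ZZ` test above does not exercise is Dovecot's own `tls_ca_cert_dir`: the command-line client normally takes its CA settings from ldap.conf, while OpenLDAP hands `tls_ca_cert_dir` to OpenSSL as a hashed directory that needs one `<subject_hash>.N` entry per CA (the layout `c_rehash` produces), so a directory holding only `cacert.pem` will not verify the server certificate. The following check is an added example, not part of the original post; it assumes openssl(1) is installed and that CA files end in `.pem` or `.crt`.

```shell
#!/bin/sh
# Verify that a CA directory used as Dovecot's tls_ca_cert_dir (and thus as
# OpenLDAP's TLS_CACERTDIR) is laid out the way OpenSSL expects: every CA
# certificate must be reachable through a <subject_hash>.N file or symlink.
# Assumption: openssl(1) is on PATH; the sample CA in the test is constructed.

# Print the OpenSSL subject hash of a PEM certificate file (what c_rehash uses).
ca_subject_hash() {
    openssl x509 -in "$1" -noout -subject_hash
}

# Return 0 when every *.pem / *.crt in the directory has a <hash>.N entry,
# 1 when at least one CA file is unreadable or has no hashed entry.
check_ca_dir() {
    dir=$1
    status=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue          # unmatched glob stays literal; skip it
        if ! hash=$(ca_subject_hash "$cert" 2>/dev/null); then
            echo "unreadable certificate: $cert"
            status=1
            continue
        fi
        if ls "$dir"/"$hash".[0-9]* >/dev/null 2>&1; then
            echo "ok: $cert is reachable as $hash.N"
        else
            echo "MISSING: $cert has no $hash.N entry (run: c_rehash $dir)"
            status=1
        fi
    done
    return $status
}
```

Run as `check_ca_dir /etc/postfix/ssl` on the Dovecot host; a non-zero exit means the directory is not usable as `tls_ca_cert_dir` as-is, even though `ssl_ca = </etc/postfix/ssl/cacert.pem` reads the same file without trouble.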