dovecot - May 2022 - running alternate dovecot instances on the same server

I'm posting to the list, but not on the list. I presume that means a
reply-all to get to me as well
as the list?

We have two servers (dovecot --version:? 2.2.22 (fe789d2)) that handle email for
two different
departments.

We are transitioning mail service to the University central IT. They need to
move accounts in an
automated fashion and therefore need a master password to our dovecot servers.
However, we are
running with LDAP authentication, and I understand that a master password is not
possible in that
configuration.

Would it be possible to run an alternate dovecot process that would use local
account
authentication, have a master password, and use an alternate port for
connecting? Ideally it would
only read accounts without changing anything, and would not interfere with the
operation of the
other dovecot process. I'm hoping that I could copy the configuration files,
make these changes, and
then launch it manually without any startup scripts in /etc/inetd.conf.

Oh, by the way, we are running Ubuntu 16.04 LTS and have contracts with Ubuntu
Advantage for ongoing
patch support. The dovecot version is from the distribution, installed with
aptitude.


-- 
---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator, Retired
   c/ /'_ --- Biology & Geosciences Departments
  (*) \(*) -- 315 Morrill Science Center III
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk at bio.umass.edu>

---------------

Erd?s 4

> On 20/03/2022 22:36 Chris Hoogendyk <hoogendyk at bio.umass.edu>
wrote:
> 
>  
> I'm posting to the list, but not on the list. I presume that means a
reply-all to get to me as well
> as the list?
> 
> We have two servers (dovecot --version:? 2.2.22 (fe789d2)) that handle
email for two different
> departments.
> 
> We are transitioning mail service to the University central IT. They need
to move accounts in an
> automated fashion and therefore need a master password to our dovecot
servers. However, we are
> running with LDAP authentication, and I understand that a master password
is not possible in that
> configuration.
> 
Hi!

It is totally possible to use LDAP with master password, using configuration
like this:

# this must be first
passdb {
  driver = static
  args = password=masterpass
}

# current passdb config

# you probably already have this
userdb {
  driver = ldap
  args = /path/to/ldap/userdb
}

If this does not work, please send your `doveconf -n` as well.

Aki

Hello Chris,

Did you find a solutions for this problem?
I also have to migrate some users to Office365 and was looking at 
exactly the same problem.
I don't have that many users, and it is totally possible to ask all 
users to enter their password in the migration tool, but it would be a 
lot easier if we could do the migration without this.

Jan Hugo Prins


On 3/20/22 21:36, Chris Hoogendyk wrote:
> I'm posting to the list, but not on the list. I presume that means a 
> reply-all to get to me as well as the list?
>
> We have two servers (dovecot --version:? 2.2.22 (fe789d2)) that handle 
> email for two different departments.
>
> We are transitioning mail service to the University central IT. They 
> need to move accounts in an automated fashion and therefore need a 
> master password to our dovecot servers. However, we are running with 
> LDAP authentication, and I understand that a master password is not 
> possible in that configuration.
>
> Would it be possible to run an alternate dovecot process that would 
> use local account authentication, have a master password, and use an 
> alternate port for connecting? Ideally it would only read accounts 
> without changing anything, and would not interfere with the operation 
> of the other dovecot process. I'm hoping that I could copy the 
> configuration files, make these changes, and then launch it manually 
> without any startup scripts in /etc/inetd.conf.
>
> Oh, by the way, we are running Ubuntu 16.04 LTS and have contracts 
> with Ubuntu Advantage for ongoing patch support. The dovecot version 
> is from the distribution, installed with aptitude.
>
>

Aki,

Thankyou for your advice. I finally got around to this. I'm retired, working
part time, and have
more to do than fits the time. Anyway . . .

I did the configuration in /etc/dovecot/local.conf, which is included in the 
/etc/dovecot/dovecot.conf. However, the dovecot.conf includes the
/etc/dovecot/conf.d/* before the
local.conf. I? believe that means that the entries in the conf.d come first and
have precedence. I
was getting authorization failures. The section of my local.conf is as follows:

    #
    # master passwd added 4/30/2022 based on email from Aki Tuomi on Dovecot
support list 3/21/2022,
    # modified based on example from
    https://doc.dovecot.org/configuration_manual/authentication/master_users/
    # also added userdb at bottom of this and removed lines from
conf.d/auth-system.conf.ext to
    resolve precedence.
    #????? CGH
    #
    auth_master_user_separator = *
    passdb {
     ? driver = passwd-file
     ? args = /etc/dovecot/passwd.masterusers
     ? master = yes
     ? result_success = continue
    }
    passdb {
     ? driver = pam
     ? args = session=yes %Ls
    }
    userdb {
     ? driver = passwd
    }

I had found entries in the /etc/dovecot/conf.d/auth-system.conf.ext that set
drivers to pam for
passdb and passwd for userdb. I commented those two lines out since I had them
covered in my
local.conf. That failed with the control process exiting with an error code. I
quickly uncommented
those two lines in auth-system.conf.ext and it started just fine (I have a lot
of users dependent on
this, although it is Saturday afternoon and a bit slow). Dovecot starts up
alright with the above
local.conf, but master user doesn't seem to work.

I'm testing with the following (master username and passwrd replaced):

    chrisho at marlin:/etc/dovecot$ telnet localhost 143
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
STARTTLS AUTH=PLAIN]
    Dovecot ready.
    1 login chrisho*masteruser masterpassword
    1 NO [AUTHORIZATIONFAILED] Authorization failed
    2 exit
    Connection closed by foreign host.

What I'm seeing in the logs is:

    Apr 30 19:32:29 marlin auth[20859]: pam_unix(dovecot:auth): authentication
failure; logname    uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
    Apr 30 19:32:29 marlin auth[20859]: pam_ldap: error trying to bind as user
    "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
    Apr 30 19:32:31 marlin auth[20859]: pam_unix(imap:auth): authentication
failure; logname= uid=0
    euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
    Apr 30 19:32:31 marlin auth[20859]: pam_ldap: error trying to bind as user
    "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)

The output of doveconf -n is as follows:

    # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
    # Pigeonhole version 0.4.13 (7b14904)
    # OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
    auth_master_user_separator = *
    default_process_limit = 200
    first_valid_gid = 98
    first_valid_uid = 1000
    login_access_sockets = tcpwrap
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    mail_max_userip_connections = 8
    mail_privileged_group = mail
    mbox_write_locks = dotlock fcntl
    namespace inbox {
     ? inbox = yes
     ? location      ? mailbox Drafts {
     ??? special_use = \Drafts
     ? }
     ? mailbox Junk {
     ??? special_use = \Junk
     ? }
     ? mailbox Sent {
     ??? special_use = \Sent
     ? }
     ? mailbox "Sent Messages" {
     ??? special_use = \Sent
     ? }
     ? mailbox Trash {
     ??? special_use = \Trash
     ? }
     ? prefix     }
    passdb {
     ? driver = pam
    }
    passdb {
     ? args = /etc/dovecot/passwd.masterusers
     ? driver = passwd-file
     ? master = yes
     ? result_success = continue
    }
    passdb {
     ? args = session=yes %Ls
     ? driver = pam
    }
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_reuse_xuidl = yes
    pop3_uidl_format = %08Xv%08Xu
    protocols = " imap pop3"
    service imap-login {
     ? inet_listener imap {
     ??? address = localhost
     ??? port = 143
     ? }
     ? inet_listener imaps {
     ??? port = 993
     ??? ssl = yes
     ? }
    }
    service pop3-login {
     ? inet_listener pop3 {
     ??? port = 0
     ? }
     ? inet_listener pop3s {
     ??? port = 995
     ??? ssl = yes
     ? }
    }
    service tcpwrap {
     ? unix_listener login/tcpwrap {
     ??? group = $default_login_user
     ??? mode = 0600
     ??? user = $default_login_user
     ? }
    }
    ssl = required
    ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
    ssl_cert = </etc/mail/tls/marlin/sendmail.pem
    ssl_key = </etc/mail/tls/marlin/sendmail.pem
    ssl_protocols = !SSLv2 !SSLv3
    syslog_facility = local2
    userdb {
     ? driver = passwd
    }
    userdb {
     ? driver = passwd
    }

And, yes, Ubuntu 16.04 is EOL; however, we do have an Ubuntu Advantage account
for this server. So
we do get security patches and the hope is that we can do a release upgrade this
summer.

Any further guidance would be much appreciated. If any further information is
needed, I can provide it.


On 3/21/22 1:57 AM, Aki Tuomi wrote:
>> On 20/03/2022 22:36 Chris Hoogendyk <hoogendyk at bio.umass.edu>
wrote:
>>
>>   
>> I'm posting to the list, but not on the list. I presume that means
a reply-all to get to me as well
>> as the list?
>>
>> We have two servers (dovecot --version:? 2.2.22 (fe789d2)) that handle
email for two different
>> departments.
>>
>> We are transitioning mail service to the University central IT. They
need to move accounts in an
>> automated fashion and therefore need a master password to our dovecot
servers. However, we are
>> running with LDAP authentication, and I understand that a master
password is not possible in that
>> configuration.
>>
> Hi!
>
> It is totally possible to use LDAP with master password, using
configuration like this:
>
> # this must be first
> passdb {
>    driver = static
>    args = password=masterpass
> }
>
> # current passdb config
>
> # you probably already have this
> userdb {
>    driver = ldap
>    args = /path/to/ldap/userdb
> }
>
> If this does not work, please send your `doveconf -n` as well.
>
> Aki
-- 
---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator, Retired
   c/ /'_ --- Biology & Geosciences Departments
  (*) \(*) -- 315 Morrill Science Center III
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk at bio.umass.edu>

---------------

Erd?s 4