Chris Hoogendyk
2022-May-01 00:00 UTC
running alternate dovecot instances on the same server
Aki,
Thank you for your advice. I finally got around to this. I'm retired, working part time, and have more to do than fits the time. Anyway . . .

I did the configuration in /etc/dovecot/local.conf, which is included in the /etc/dovecot/dovecot.conf. However, the dovecot.conf includes the /etc/dovecot/conf.d/* before the local.conf. I believe that means that the entries in the conf.d come first and have precedence. I was getting authorization failures. The section of my local.conf is as follows:
#
# master passwd added 4/30/2022 based on email from Aki Tuomi on Dovecot support list 3/21/2022,
# modified based on example from https://doc.dovecot.org/configuration_manual/authentication/master_users/
# also added userdb at bottom of this and removed lines from conf.d/auth-system.conf.ext to resolve precedence.
#      CGH
#
auth_master_user_separator = *
passdb {
  driver = passwd-file
  args = /etc/dovecot/passwd.masterusers
  master = yes
  result_success = continue
}
passdb {
  driver = pam
  args = session=yes %Ls
}
userdb {
  driver = passwd
}
I had found entries in the /etc/dovecot/conf.d/auth-system.conf.ext that set drivers to pam for passdb and passwd for userdb. I commented those two lines out since I had them covered in my local.conf. That failed with the control process exiting with an error code. I quickly uncommented those two lines in auth-system.conf.ext and it started just fine (I have a lot of users dependent on this, although it is Saturday afternoon and a bit slow). Dovecot starts up alright with the above local.conf, but master user doesn't seem to work.

I'm testing with the following (master username and password replaced):
chrisho at marlin:/etc/dovecot$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
1 login chrisho*masteruser masterpassword
1 NO [AUTHORIZATIONFAILED] Authorization failed
2 exit
Connection closed by foreign host.
What I'm seeing in the logs is:
Apr 30 19:32:29 marlin auth[20859]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:29 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
Apr 30 19:32:31 marlin auth[20859]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chrisho rhost=127.0.0.1
Apr 30 19:32:31 marlin auth[20859]: pam_ldap: error trying to bind as user "uid=chrisho,ou=People,dc=bio,dc=nsm" (Invalid credentials)
The output of doveconf -n is as follows:
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
auth_master_user_separator = *
default_process_limit = 200
first_valid_gid = 98
first_valid_uid = 1000
login_access_sockets = tcpwrap
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_max_userip_connections = 8
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = session=yes %Ls
  driver = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_reuse_xuidl = yes
pop3_uidl_format = %08Xv%08Xu
protocols = " imap pop3"
service imap-login {
  inet_listener imap {
    address = localhost
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
ssl = required
ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
ssl_cert = </etc/mail/tls/marlin/sendmail.pem
ssl_key = </etc/mail/tls/marlin/sendmail.pem
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local2
userdb {
  driver = passwd
}
userdb {
  driver = passwd
}
And, yes, Ubuntu 16.04 is EOL; however, we do have an Ubuntu Advantage account for this server. So we do get security patches and the hope is that we can do a release upgrade this summer.

Any further guidance would be much appreciated. If any further information is needed, I can provide it.
On 3/21/22 1:57 AM, Aki Tuomi wrote:
>> On 20/03/2022 22:36 Chris Hoogendyk <hoogendyk at bio.umass.edu> wrote:
>>
>>
>> I'm posting to the list, but not on the list. I presume that means a reply-all to get to me as well as the list?
>>
>> We have two servers (dovecot --version: 2.2.22 (fe789d2)) that handle email for two different departments.
>>
>> We are transitioning mail service to the University central IT. They need to move accounts in an automated fashion and therefore need a master password to our dovecot servers. However, we are running with LDAP authentication, and I understand that a master password is not possible in that configuration.
>>
> Hi!
>
> It is totally possible to use LDAP with master password, using configuration like this:
>
> # this must be first
> passdb {
>   driver = static
>   args = password=masterpass
> }
>
> # current passdb config
>
> # you probably already have this
> userdb {
>   driver = ldap
>   args = /path/to/ldap/userdb
> }
>
> If this does not work, please send your `doveconf -n` as well.
>
> Aki
--
---------------
Chris Hoogendyk
-
O__ ---- Systems Administrator, Retired
c/ /'_ --- Biology & Geosciences Departments
(*) \(*) -- 315 Morrill Science Center III
~~~~~~~~~~ - University of Massachusetts, Amherst
<hoogendyk at bio.umass.edu>
---------------
Erdős 4
Chris Hoogendyk
2022-May-01 20:59 UTC
running alternate dovecot instances on the same server
Progress???
I realized that the error might indicate I had an empty conf paragraph or whatever you call it when dovecot failed to start. That is, I commented out the driver = pam, but left the enclosing passdb { } with no contents. That was the error. So I commented out everything in /etc/dovecot/conf.d/auth-system.conf.ext. That worked and doveconf -n gave me the right precedence for masteruser and regular logins.
Then my login from telnet still failed. So I had two terminal windows, one with `sudo journalctl -u dovecot.service -f` to follow the journal entries from dovecot, and another to do my telnet localhost 143. Now, when I tried to log in with the masteruser, I got an error in the journal that said:
May 01 16:15:50 marlin dovecot[31944]: auth-worker(32577): Error: pam(chrisho,127.0.0.1): pam_authenticate() failed: Authentication failure (/etc/pam.d/imap missing?)
Hmm. No idea what to put there. /etc/pam.d/ contains a bunch of entries, including dovecot. Then there are some entries that start with common and include common-auth, common-session, common-password, etc. The dovecot entry simply includes those. So, I tried just setting up a symlink from imap pointing at the dovecot file. Then I tried logging in again via telnet. Now I simply get:
May 01 16:26:40 marlin dovecot[31944]: imap-login: Aborted login (auth failed, 2 attempts in 112 secs): user=<chrisho>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<2BspEfndKMN/AAAB>
The entry of that line in the journal seemed to be slightly delayed. It showed up when I entered `2 logout`.

At this point, my dovecot -n output is as follows:
chrisho at marlin:/etc/dovecot$ sudo doveconf -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-223-generic x86_64 Ubuntu 16.04.7 LTS
auth_master_user_separator = *
default_process_limit = 200
first_valid_gid = 98
first_valid_uid = 1000
login_access_sockets = tcpwrap
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_max_userip_connections = 8
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = session=yes %Ls
  driver = pam
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_reuse_xuidl = yes
pop3_uidl_format = %08Xv%08Xu
protocols = " imap pop3"
service imap-login {
  inet_listener imap {
    address = localhost
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
ssl = required
ssl_ca = </etc/mail/tls/marlin/InCommonBundle.crt
ssl_cert = </etc/mail/tls/marlin/sendmail.pem
ssl_key = </etc/mail/tls/marlin/sendmail.pem
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local2
userdb {
  driver = passwd
}
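As an added illustration, not code from the thread or from Dovecot itself: a small Python check that parses doveconf -n style passdb/userdb blocks and flags the precedence problems discussed above (a plain passdb from conf.d landing ahead of the master passdb, which Aki's reply says must be first; a master passdb without result_success = continue; and duplicate pam passdb or userdb blocks from conf.d and local.conf both being included). The sample configuration is constructed from the first doveconf -n output in the thread.

```python
import re

# Constructed sample modelled on the first doveconf -n in the thread: the plain pam
# passdb from conf.d/auth-system.conf.ext sits ahead of the master passdb in local.conf.
SAMPLE = """\
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/passwd.masterusers
  driver = passwd-file
  master = yes
  result_success = continue
}
passdb {
  args = session=yes %Ls
  driver = pam
}
userdb {
  driver = passwd
}
"""

def parse_blocks(text):
    """Return [(kind, {key: value}), ...] for top-level passdb/userdb blocks, in file order."""
    blocks, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := re.fullmatch(r"(passdb|userdb)\s*\{", line)):
            cur = (m.group(1), {})
        elif line == "}" and cur:
            blocks.append(cur)
            cur = None
        elif cur and "=" in line:  # settings inside the block, e.g. "driver = pam"
            key, val = line.split("=", 1)
            cur[1][key.strip()] = val.strip()
    return blocks

def check_auth_order(text):
    """Flag the precedence and duplication problems the thread ran into."""
    passdbs = [b for kind, b in parse_blocks(text) if kind == "passdb"]
    userdbs = [b for kind, b in parse_blocks(text) if kind == "userdb"]
    masters = [i for i, b in enumerate(passdbs) if b.get("master") == "yes"]
    problems = []
    if masters[:1] != [0]:  # Aki's advice: the master passdb must come first
        problems.append("master passdb missing or not first: a plain passdb precedes it")
    if any(passdbs[i].get("result_success") != "continue" for i in masters):
        problems.append("master passdb lacks result_success = continue")
    if sum(b.get("driver") == "pam" for b in passdbs) > 1 or len(userdbs) > 1:
        problems.append("duplicate pam passdb or userdb: conf.d and local.conf both define it")
    return problems
```

Feeding it the output of `sudo doveconf -n` instead of the constructed sample checks the live configuration the same way.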