similar to: dovecot 1.2rc5 fails to authenticate user via GSSAPI

Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a

Hi All. I have a problem with authorization users AD via kerberos in Dovecot&Postfix. Windows SRV 2008 Standart - AD mail server: Gentoo + cyrus-sasl + postfix + dovecot with support ldap&kerberos. I am created a 4 keytabs on Windows box. C:\Users\Admin>ktpass -princ host/srv-mail.cn.energy at CN.ENERGY -mapuser ldapmail at CN.ENERGY -pass "superpasswd" -crypto RC4-HMAC-NT

Hello, I'm trying to authenticate using GSSAPI, but getting this in dovecot.log "authn_name and authz_name differ: not supported". What is actually trying to say me? I've remeber once encounter this problem but it get away silently. I'm using Mozilla Thunderbird 3 beta 3 and Dovecot 1.0.15

I've been trying to track down some problems with Dovecot in a Kerberos 5 cross-realm environment, and there seem to be a few issues. LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to handle. On line 436 of src/auth/mech-gssapi.c, the authn_name and the authz_name are compared using gss_compare_name. This dates back to the message at:

On 4/12/19 12:48 AM, Stephan Bosch wrote: > > > On 29/03/2019 10:23, Michal Hlavinka via dovecot wrote: >> On 3/28/19 6:41 PM, Aki Tuomi via dovecot wrote: >>> >>>> On 28 March 2019 19:40 Michal Hlavinka via dovecot >>>> <dovecot at dovecot.org> wrote: >>>> >>>> ? Hi, >>>> >>>> when trying to

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Attached is a patch against current CVS that adds support for the GSSAPI SASL mechanism. It was written from scratch, after reading the patch from Colin Walters against a much older version of dovecot. Other then support for the 'GSSAPI' mechanism, it contains the following changes: - - Added 'auth_krb5_keytab' option for

Hi, thanks for the answer. I think your environment was not set up correctly to reproduce this bug. I've retested with 2.3.5 and I can still reproduce it. I've attached a script that will configure everything for testing and if you have a virtual machine available, you can use it directly (it expects linux with systemd for dovecot restart). relevant section from config: namespace {

On 3/28/19 6:41 PM, Aki Tuomi via dovecot wrote: > >> On 28 March 2019 19:40 Michal Hlavinka via dovecot <dovecot at dovecot.org> wrote: >> >> >> Hi, >> >> when trying to build dovecot 2.3.5.1 pigeonhole testsuite crashes in >> > > Which version of pigeonhole are you using? latest available - 0.5.5

Sorry, we have not yet been able to look into this.. It's now in our internal system as DOP-966 Aki > On 7 March 2019 17:31 Michal Hlavinka via dovecot <dovecot at dovecot.org> wrote: > > > Hi, > any progress with this issue? Do you need more information to debug and > fix this? > > Cheers > Michal Hlavinka > > On 9/18/18 4:10 PM, Michal Hlavinka

Hi, we were modifying old SELinux rules for dovecot 2.0. Everything seems ok, only one report seems odd: "SELinux is preventing /usr/sbin/dovecot "write" access on dovecot.conf." Looking at strace output, dovecot tries to use socket on /etc/dovecot/dovecot.conf which is regular file and no socket: ... geteuid() = 0 getegid()

Hi, when trying to build dovecot 2.3.5.1 pigeonhole testsuite crashes in Test case: ./tests/extensions/editheader/deleteheader.svtest: 1: Test 'Deleteheader - nonexistent' SUCCEEDED 2: Test 'Deleteheader - nonexistent (match)' SUCCEEDED 3: Test 'Deleteheader - one' SUCCEEDED 4: Test 'Deleteheader - two (first)' SUCCEEDED 5: Test 'Deleteheader - two

Hi all, We have 2 mail servers sitting behind linux-HA machines.The mail servers are currently running dovecot 1.0rc2. Looking to enable GSSAPI authentication, I exported krb keytabs for imap/node01.domain at REALM and imap/node02.domain at REALM for both mail servers. However, clients are connecting to mail.domain.com, which results in a mismatch as far as the keytab is concerned (and rightly

Hi, /sbin/upsdrvctl is used as the near final step in /etc/init.d/halt to command the UPS to shut down power to the computer. On Fedora / Red Hat Enterprise Linux system, /usr can reside on its own partition. Drivers are linked to several libraries, but some of them lives in /usr/lib and this can be umounted when drivers are used. There are 16 libraries used on Fedora 11 system. This

Hi, I've got report about issue when dovecot fails to start and there is no error logged (error goes only to stderr) situation: 1) dovecot is running 2) dovecot is automatically updated to new version (by yum update daemon), after update, dovecot is restarted (it's part of update script) 3) new dovecot fails to start (for whatever reason) result: dovecot not running and no error

Hi, one Fedora user complains about not some troubles after update to dovecot 1.2. He suspects wrong capability information given by dovecot 1.2 In dovecot.conf he uses imap_capability= option. While response to 'A CAPABILITY' respects imap_capability value, the capability info in hello message does not. for imap_capability=IMAP4 IMAP4rev1 ACL NAMESPACE CHILDREN SORT QUOTA

Hi, we found a bug in ssl-params. It calls openssl DH generator for 512 and 1024 bits, but in FIPS mode, openssl won't generate anything for less than 1024, so it fails with: error:0506A06E:Diffie-Hellman routines:DH_BUILTIN_GENPARAMS:key size too small but when DH generator fails, ssl-params hangs forever in io_loop_run: __epoll_wait_nocancel() io_loop_handler_run(..) at

Hi, there are few documents on the wiki ( http://wiki.dovecot.org/Upgrading ) about migration between old versions. Is there any document for 1.2->2.0 or list of configuration changes (especially the missing ones) in 2.0? Regards, Michal Hlavinka

Hi, I'm forwarding feature request from one Fedora user: <snip> Shortly before suicide after migration to dbmail/postfix from Eudora Mailserver because we use % in Usernames as fallback and Apple-Mail does no Plaintext- Auth if CRAM-MD% was used before i installed dovecot as proxy BUT it allows no % in Username Please could be the following patch included? ---

Hi, is it expected that dovecot 2.0.beta4 pass all of it's self-tests or some failures are normal? I've tried make check and everything passed up to this test: ... message_date_parse(7) ................................................ : ok 0 / 8 tests failed test-message-decoder.c:67: Assert failed: message_decoder_decode_next_block(ctx, &input, &output)

Hi, we've seen SELinux reports from our users that dovecot tried to use something that needs CAP_NET_ADMIN capability. Before enabling it, we would like to know where it originated from. I've checked the sources, but was not able to find anything that would require this capability. Do you know for what it is used? CAP_NET_ADMIN Perform various network-related operations: * interface