Topic: Dovecot using the wrong LDAP search filters
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I am setting up a mail server using iRedMail with RoundCube client and I'm running into some issues authenticating against my Windows Active Directory.
I have followed both the iRedMail install guide, and the Active Directory guide (found here:https://docs.iredmail.org/active.directory.html).
My /etc/dovecot/dovecot.conf file is pointing to dovecot-ldap.conf like the guide says, and the filter defined in this file runs correctly. However, when I try to login with the telnet command my dovecot.log says another filter is being used and is failing.
I have run recursive grep commands trying to find this filter in some unknown file, but nothing is returning. No instances of this filter in my files. I don't understand where it is coming from.
//output from dovecot -n
//
# Pigeonhole version 0.4.21 (92477967)
doveconf: Warning: SSLv2 not supported by OpenSSL. Please consider removing it from ssl_protocols.
doveconf: Warning: SSLv2 not supported by OpenSSL. Please consider removing it from ssl_protocols.
doveconf: Warning: service auth { client_limit=1000 } is lower than required under max. load (1400)
doveconf: Warning: service anvil { client_limit=1000 } is lower than required under max. load (1203)
# OS: Linux 5.0.0-1023-azure x86_64 Ubuntu 18.04.3 LTS
auth_debug = yes
auth_debug_passwords = yes
auth_default_realm = team39.domain
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
auth_verbose = yes
auth_verbose_passwords = yes
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, %$
dict {
acl = mysql:/etc/dovecot/dovecot-share-folder.conf
quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
disable_plaintext_auth = no
first_valid_uid = 2000
last_valid_uid = 2000
listen = * [::]
mail_debug = yes
mail_gid = 2000
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_plugins = quota mailbox_alias acl mail_log notify stats
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace {
inbox = yes
location =
mailbox Archive {
auto = no
special_use = \Archive
}
mailbox Archives {
auto = no
special_use = \Archive
}
mailbox "Deleted Messages" {
auto = no
special_use = \Trash
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox "Junk E-mail" {
auto = no
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Items" {
auto = no
special_use = \Sent
}
mailbox "Sent Messages" {
auto = no
special_use = \Sent
}
mailbox Spam {
auto = no
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
type = private
}
namespace {
list = children
location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
prefix = Shared/%%u/
separator = /
subscriptions = yes
type = shared
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
master = yes
}
plugin {
acl = vfile
acl_shared_dict = proxy::acl
mail_log_events = delete undelete expunge mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size from subject
mailbox_alias_new = Sent Messages
mailbox_alias_new2 = Sent Items
mailbox_alias_old = Sent
mailbox_alias_old2 = Sent
quota = dict:user::proxy::quotadict
quota_grace = 10%%
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
sieve = ~/sieve/dovecot.sieve
sieve_before = /var/vmail/sieve/dovecot.sieve
sieve_dir = ~/sieve
sieve_global_dir = /var/vmail/sieve
sieve_max_redirects = 30
sieve_vacation_send_from_recipient = yes
stats_refresh = 30 secs
stats_track_cmds = yes
}
protocols = pop3 imap sieve lmtp
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0666
user = vmail
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service dict {
unix_listener dict {
group = vmail
mode = 0660
user = vmail
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
process_limit = 500
service_count = 1
}
service lmtp {
executable = lmtp -L
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
process_min_avail = 5
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
user = vmail
}
service managesieve-login {
inet_listener sieve {
address = 127.0.0.1
port = 4190
}
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
process_limit = 500
service_count = 1
}
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
unix_listener quota-warning {
group = vmail
mode = 0660
user = vmail
}
}
service stats {
fifo_listener stats-mail {
mode = 0644
user = vmail
}
inet_listener {
address = 127.0.0.1
port = 24242
}
}
ssl = required
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
syslog_facility = local5
userdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
}
protocol lda {
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_plugins = quota mailbox_alias acl mail_log notify stats sieve
}
protocol lmtp {
lmtp_save_to_detail_mailbox = yes
mail_plugins = quota sieve
recipient_delimiter = +
}
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
mail_max_userip_connections = 30
mail_plugins = quota mailbox_alias acl mail_log notify stats imap_quota imap_acl imap_stats
}
protocol pop3 {
mail_max_userip_connections = 30
mail_plugins = quota mailbox_alias acl mail_log notify stats
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
}//contents of dovecot-ldap.conf
//
hosts = 10.0.39.13:389
ldap_version = 3
auth_bind = yes
dn = vmail
dnpass = Password1!
base = cn=users,dc=team39,dc=domain
scope = subtree
deref = never
pass_filter = (&(sAMAccountName=%n)(userPrincipalName=%u))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT//output of dovecot.log
Nov 13 19:50:38 mail dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=Ev/PrT+XGth/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=55322#011resp=AHZtYWlsQHRlYW0zOS5kb21haW4AUGFzc3dvcmQxIQ== (previous base64 data may contain sensitive data)
Nov 13 19:50:38 mail dovecot: auth: Debug: ldap(vmail@team39.domain,127.0.0.1,<Ev/PrT+XGth/AAAB>): bind search: base=cn=users,dc=team39,dc=domain filter=(&(sAMAccountName=vmail)(userPrincipalName=vmail@team39.domain))
Nov 13 19:50:38 mail dovecot: auth: Debug: ldap(vmail@team39.domain,127.0.0.1,<Ev/PrT+XGth/AAAB>): result: objectClass=top,top,top,top cn=vmail givenName=vmail distinguishedName=CN=vmail,CN=Users,DC=team39,DC=domain instanceType=4 whenCreated=20191106152533.0Z whenChanged=20191113005726.0Z displayName=vmail uSNCreated=16497 memberOf=CN=testgroup,CN=Users,DC=team39,DC=domain,CN=testgroup,CN=Users,DC=team39,DC=domain,CN=testgroup,CN=Users,DC=team39,DC=domain uSNChanged=24714 name=vmail objectGUID=Kɺe#030-#013G▒▒q▒b▒%▒ userAccountControl=66048 badPwdCount=0 codePage=0 countryCode=0 badPasswordTime=132179917627080197 lastLogoff=0 lastLogon=132179917757446688 pwdLastSet=132175275337284414 primaryGroupID=513 objectSid=<no values> adminCount=1 accountExpires=9223372036854775807 logonCount=0 sAMAccountName=vmail sAMAccountType=805306368 userPrincipalName=vmail@team39.domain objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=team39,DC=domain dSCorePropagationData=20191113005726.0Z,20191113005726.0Z lastLogonTimestamp=132175676397109619; objectGUID,uSNCreated,objectCategory,objectClass,primaryGroupID,cn,givenName,objectSid,sAMAccountType,dSCorePropagationData,userAccountControl,name,codePage,lastLogon,logonCount,countryCode,lastLogoff,uSNChanged,pwdLastSet,distinguishedName,sAMAccountName,memberOf,whenChanged,userPrincipalName,instanceType,badPwdCount,accountExpires,adminCount,whenCreated,displayName,badPasswordTime,lastLogonTimestamp unused
Nov 13 19:50:38 mail dovecot: auth: Debug: ldap(vmail@team39.domain,127.0.0.1,<Ev/PrT+XGth/AAAB>): result: objectClass=top,top,top,top cn=vmail givenName=vmail distinguishedName=CN=vmail,CN=Users,DC=team39,DC=domain instanceType=4 whenCreated=20191106152533.0Z whenChanged=20191113005726.0Z displayName=vmail uSNCreated=16497 memberOf=CN=testgroup,CN=Users,DC=team39,DC=domain,CN=testgroup,CN=Users,DC=team39,DC=domain,CN=testgroup,CN=Users,DC=team39,DC=domain uSNChanged=24714 name=vmail objectGUID=Kɺe#030-#013G▒▒q▒b▒%▒ userAccountControl=66048 badPwdCount=0 codePage=0 countryCode=0 badPasswordTime=132179917627080197 lastLogoff=0 lastLogon=132179917757446688 pwdLastSet=132175275337284414 primaryGroupID=513 objectSid=<no values> adminCount=1 accountExpires=9223372036854775807 logonCount=0 sAMAccountName=vmail sAMAccountType=805306368 userPrincipalName=vmail@team39.domain objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=team39,DC=domain dSCorePropagationData=20191113005726.0Z,20191113005726.0Z lastLogonTimestamp=132175676397109619; objectGUID,uSNCreated,objectCategory,objectClass,primaryGroupID,cn,givenName,objectSid,sAMAccountType,dSCorePropagationData,userAccountControl,name,codePage,lastLogon,logonCount,countryCode,lastLogoff,uSNChanged,pwdLastSet,distinguishedName,sAMAccountName,memberOf,whenChanged,userPrincipalName,instanceType,badPwdCount,accountExpires,adminCount,whenCreated,displayName,badPasswordTime,lastLogonTimestamp unused
Nov 13 19:50:38 mail dovecot: auth: Debug: client passdb out: OK#0111#011user=vmail@team39.domain
Nov 13 19:50:38 mail dovecot: auth: Debug: master in: REQUEST#0114113956865#01110353#0111#0110d4411e25b8539792116eea2963c2b30#011session_pid=10417#011request_auth_token
Nov 13 19:50:38 mail dovecot: auth: Debug: ldap(vmail@team39.domain,127.0.0.1,<Ev/PrT+XGth/AAAB>): user search: base=cn=users,dc=team39,dc=domain scope=subtree filter=(&(objectClass=posixAccount)(uid=vmail@team39.domain)) fields=homeDirectory,uidNumber,gidNumber
Nov 13 19:50:38 mail dovecot: auth: Debug: ldap(vmail@team39.domain,127.0.0.1,<Ev/PrT+XGth/AAAB>): no fields returned by the server
Nov 13 19:50:38 mail dovecot: auth: ldap(vmail@team39.domain,127.0.0.1,<Ev/PrT+XGth/AAAB>): unknown user (given password: Password1!)
Nov 13 19:50:38 mail dovecot: auth: Error: ldap(vmail@team39.domain,127.0.0.1,<Ev/PrT+XGth/AAAB>): user not found from userdb
Nov 13 19:50:38 mail dovecot: auth: Debug: master userdb out: NOTFOUND#0114113956865
Nov 13 19:50:38 mail dovecot: imap: Error: Authenticated user not found from userdb, auth lookup id=4113956865 (client-pid=10353 client-id=1)Any help would be greatly appreciated, I'm at a loss.
----
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.