1

Topic: iRedMail with SAML2

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 2019090601
- Deployed with iRedMail Easy or the downloadable installer? iRedMail Easy
- Linux/BSD distribution name and version:  CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi everyone,

I have tried to configure my iRedMail instance to connect through SAML2 (with Keycloak).
I think that the SOGo configuration is OK.
I have a problem with the Dovecot configuration.

I used pam_script --> https://github.com/ck-ws/pam-script-saml
But without success, I always have these errors:

auth failed, 1 attempts in 9 secs): user=<***@domain.net>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS: Disconnected, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<DvMj73eenoN/AAAB>

I also tried other PAM methods.

Has anyone already configured Dovecot with SAML?

Thank you!

----


2

Re: iRedMail with SAML2

- I didn't try SAML before, I'm afraid that you're on your own.
- You may want to turn on debug mode in Dovecot to figure out why Dovecot auth failed. FYI: https://docs.iredmail.org/debug.dovecot.html

3 (edited by rgt 2020-03-04 00:16:44)

Re: iRedMail with SAML2

Hi,

Here is an extract of the debug logs:

Mar  3 17:11:21 srv-mbx-01p dovecot: auth: Debug: client in: CONT#0111#011[base64 removed] (previous base64 data may contain sensitive data)
Mar  3 17:11:21 srv-mbx-01p dovecot: auth: Debug: ldap(user@domain.net,127.0.0.1,<0FbAjfWf/Lp/AAAB>): bind search: base=ou=Bordeaux,dc=c000109,dc=intra filter=(&(mail=user@domain.net)(objectClass=inetOrgPerson))
Mar  3 17:11:21 srv-mbx-01p dovecot: auth: Debug: ldap(user@domain.net,127.0.0.1,<0FbAjfWf/Lp/AAAB>): result: objectClass=posixAccount,posixAccount,posixAccount givenName=user sn=TEST displayName=user TEST homeDirectory=/home/rTEST uidNumber=33408 gidNumber=24066 uid=r.TEST userPassword={SSHA}n+3lAlYYESxWpg0nVZyvl6DXcYd09KjH mail=user@domain.net cn=user@domain.net jpegPhoto=<no values>; homeDirectory,uidNumber,objectClass,cn,givenName,uid,mail,jpegPhoto,gidNumber,displayName,userPassword,sn unused
Mar  3 17:11:21 srv-mbx-01p dovecot: auth: Debug: ldap(user@domain.net,127.0.0.1,<0FbAjfWf/Lp/AAAB>): result: objectClass=posixAccount,posixAccount,posixAccount givenName=user sn=TEST displayName=user TEST homeDirectory=/home/rTEST uidNumber=33408 gidNumber=24066 uid=r.TEST userPassword={SSHA}n+3lAlYYESxWpg0nVZyvl6DXcYd09KjH mail=user@domain.net cn=user@domain.net jpegPhoto=<no values>; homeDirectory,uidNumber,objectClass,cn,givenName,uid,mail,jpegPhoto,gidNumber,displayName,userPassword,sn unused
Mar  3 17:11:21 srv-mbx-01p dovecot: auth: ldap(user@domain.net,127.0.0.1,<0FbAjfWf/Lp/AAAB>): invalid credentials (given password: [base64 removed])
Mar  3 17:11:23 srv-mbx-01p dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user@domain.net

Maybe it's using LDAP because before, I was using LDAP authentication. Maybe I have to change dovecot-ldap.conf.

Here is my /etc/pam.d/dovecot conf:

#%PAM-1.0
auth     required  pam_script_saml.so grace=900 dir=/etc userid=mail idp=/etc/sogo/idp-metadata.xml trusted_sp=https://webmail.*****/SOGo/saml2-metadata
account  required  pam_permit.so
session  required  pam_permit.so
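To check which passdb Dovecot really consulted for a failing login, here is an added example (not from this thread or the iRedMail project) that parses auth debug lines in the format quoted above and reports, per user, the passdbs that handled the request, the non-debug failure reason and the final verdict. The session ids, the second user and its pam line are constructed sample data, and the regexes assume the `name(user,ip,<session>): message` and `client passdb out:` line shapes shown in the post.

```python
import re

# Constructed sample log, modelled on the debug lines quoted in the post above
# (session ids, IPs and the second "pam" user are made up for the demonstration).
SAMPLE_LOG = """\
Mar  3 17:11:21 srv-mbx-01p dovecot: auth: Debug: client in: CONT#0111#011... (previous base64 data may contain sensitive data)
Mar  3 17:11:21 srv-mbx-01p dovecot: auth: Debug: ldap(user@domain.net,127.0.0.1,<0FbAjfWf/Lp/AAAB>): bind search: base=dc=example filter=(&(mail=user@domain.net)(objectClass=inetOrgPerson))
Mar  3 17:11:21 srv-mbx-01p dovecot: auth: ldap(user@domain.net,127.0.0.1,<0FbAjfWf/Lp/AAAB>): invalid credentials (given password: ...)
Mar  3 17:11:23 srv-mbx-01p dovecot: auth: Debug: client passdb out: FAIL#0111#011user=user@domain.net
Mar  3 17:12:05 srv-mbx-01p dovecot: auth: Debug: pam(other@domain.net,10.0.0.5,<AAAAAAAAAAAAAAAB>): lookup service=dovecot
Mar  3 17:12:05 srv-mbx-01p dovecot: auth: Debug: client passdb out: OK#0112#011user=other@domain.net
"""

# "<passdb>(<user>,<remote ip>,<session>): <message>" lines, with or without "Debug:".
PASSDB_RE = re.compile(
    r"dovecot: auth: (?P<dbg>Debug: )?(?P<passdb>[a-z-]+)"
    r"\((?P<user>[^,]+),(?P<ip>[^,]+),<(?P<sess>[^>]+)>\): (?P<msg>.*)")
# Final verdict handed back to the login process; "#011" is a tab and the
# digits between the tabs are Dovecot's auth request id.
OUT_RE = re.compile(
    r"client passdb out: (?P<result>OK|FAIL)#011\d+#011user=(?P<user>\S+)")


def summarize_auth(log_text):
    """Per user: passdbs consulted, non-debug failure reasons, final verdicts."""
    summary = {}
    for line in log_text.splitlines():
        m = PASSDB_RE.search(line)
        if m:
            entry = summary.setdefault(m["user"], {"passdbs": [], "reasons": [], "results": []})
            if m["passdb"] not in entry["passdbs"]:
                entry["passdbs"].append(m["passdb"])
            if m["dbg"] is None:  # only non-Debug passdb lines carry the failure reason
                entry["reasons"].append(m["msg"].split(" (")[0])
            continue
        m = OUT_RE.search(line)
        if m:
            entry = summary.setdefault(m["user"], {"passdbs": [], "reasons": [], "results": []})
            entry["results"].append(m["result"])
    return summary


def users_missing_passdb(summary, expected="pam"):
    """Users whose login failed without the expected passdb ever being consulted."""
    return sorted(u for u, e in summary.items()
                  if "FAIL" in e["results"] and expected not in e["passdbs"])
```

On the quoted log this reports `user@domain.net` as failing in `ldap` with "invalid credentials" and never reaching a `pam` passdb, which is the configuration question to settle before touching the PAM stack.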

4

Re: iRedMail with SAML2

rgt wrote:

Mar  3 17:11:21 srv-mbx-01p dovecot: auth: ldap(user@domain.net,127.0.0.1,<0FbAjfWf/Lp/AAAB>): invalid credentials (given password: eF7VVk1v2zgQ/SuC7...

It says "invalid credentials", which means incorrect username or password.

5

Re: iRedMail with SAML2

Yes, because Dovecot tries to authenticate against LDAP and the password is encrypted.
I know that I'm using correct credentials, because I can connect to SOGo with SAML credentials, but afterwards Dovecot cannot connect.

Has anyone succeeded with iRedMail and SAML?

6

Re: iRedMail with SAML2

Hi,

Can anybody help me?