
Topic: AD + Dovecot + Postfix + RoundCube Temporary authentication fail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====


Hello,
I've installed a mail server with AD authentication:

I get this ERROR when testing with TELNET:


* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
. login user@domaine.com <userpwd>
* OK Waiting for authentication process to respond..
. NO [UNAVAILABLE] Temporary authentication failure.


But POSTMAP TEST is OK

#postmap -q user@domaine.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
domaine.com/user/Maildir/


#dovecot -n

auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = +
auth_mechanisms = plain login
auth_verbose = yes
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
log_path = /var/log/dovecot.log
log_timestamp = %Y-%m-%d %H:%M:%S
mail_debug = yes
mail_gid = 5000
mail_location = mbox:/var/mail/vhosts/%n/
mail_privileged_group = mail
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
postmaster_address = postmaster@example.com
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%u
  driver = static
}
userdb {
  args = uid=5000 gid=5000 home=/var/mail/vhosts/%Ld/%Lu
  driver = static
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
default_transport = smtp
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = localhost.$mydomain, localhost
myhostname = icrd-mail
myorigin = /etc/mailname
queue_directory = /var/spool/postfix
readme_directory = no
recipient_bcc_maps =
recipient_delimiter = +
relay_domains =
relay_recipient_maps =
relayhost =
sender_bcc_maps =
sender_dependent_relayhost_maps =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.domaine.com
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = example.domaine.com
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000


###
Please, anyone, help me; I've wasted my time trying to find the solution.

Help please.

Thanks



Re: AD + Dovecot + Postfix + RoundCube Temporary authentication fail

Enable debug mode in Dovecot, then check what LDAP filter it uses to query the user. Compare the filter with existing user LDAP attribute/value pairs, it should be easy to figure it out.


Re: AD + Dovecot + Postfix + RoundCube Temporary authentication fail

Hello ZhangHuangbin,


Thanks for your feedback:

Here are the Dovecot logs:

2021-04-08 13:24:33auth: Error: ldap_free_request (origid 2, msgid 6)
2021-04-08 13:24:33auth: Error: ldap_free_request (origid 2, msgid 8)
2021-04-08 13:24:33auth: Error: ldap_free_request (origid 2, msgid 2)
2021-04-08 13:24:33auth: Error: ldap_free_connection 1 1
2021-04-08 13:24:33auth: Error: ldap_send_unbind
2021-04-08 13:24:33auth: Error: ldap_free_connection: actually freed
2021-04-08 13:24:33auth: Error: ldap_free_connection 1 1
2021-04-08 13:24:33auth: Error: ldap_send_unbind
2021-04-08 13:24:33auth: Error: ldap_free_connection: actually freed
2021-04-08 13:24:33auth: Debug: client passdb out: FAIL1user=user@example.comcode=temp_fail


2021-04-08 13:25:56lda(user@example.com)<834901><>: Debug: auth-master: userdb lookup(user@example.com): Started userdb lookup
2021-04-08 13:25:56lda(user@example.com)<834901><>: Debug: auth-master: conn unix:/var/run/dovecot//auth-userdb: Connecting
2021-04-08 13:25:56lda(user@example.com)<834901><>: Debug: auth-master: conn unix:/var/run/dovecot//auth-userdb: Client connected (fd=10)
2021-04-08 13:25:56auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
2021-04-08 13:25:56auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
2021-04-08 13:25:56auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
2021-04-08 13:25:56auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
2021-04-08 13:25:56auth: Error: ldap_create
2021-04-08 13:25:56auth: Debug: Read auth token secret from /var/run/dovecot//auth-token-secret.dat
2021-04-08 13:25:56auth: Error: ldap_bind
2021-04-08 13:25:56auth: Error: ldap_simple_bind
2021-04-08 13:25:56auth: Error: ldap_sasl_bind
2021-04-08 13:25:56auth: Error: ldap_send_initial_request
2021-04-08 13:25:56auth: Error: ldap_new_connection 1 1 0
2021-04-08 13:25:56auth: Error: ldap_int_open_connection
2021-04-08 13:25:56auth: Error: ldap_connect_to_host: TCP <IP>:389
2021-04-08 13:25:56auth: Error: ldap_new_socket: 20
2021-04-08 13:25:56auth: Error: ldap_prepare_socket: 20
2021-04-08 13:25:56auth: Error: ldap_connect_to_host: Trying <IP>:389
2021-04-08 13:25:56auth: Error: ldap_pvt_connect: fd: 20 tm: 5 async: 0
2021-04-08 13:25:56auth: Error: ldap_ndelay_on: 20
2021-04-08 13:25:56auth: Error: attempting to connect:
2021-04-08 13:25:56auth: Error: connect errno: 115
2021-04-08 13:25:56auth: Error: ldap_int_poll: fd: 20 tm: 5
2021-04-08 13:25:56auth: Error: ldap_is_sock_ready: 20
2021-04-08 13:25:56auth: Error: ldap_ndelay_off: 20
2021-04-08 13:25:56auth: Error: ldap_pvt_connect: 0
2021-04-08 13:25:56auth: Error: ldap_open_defconn: successful
2021-04-08 13:25:56auth: Error: ldap_send_server_request
2021-04-08 13:25:56auth: Debug: LDAP initialization took 0 msedl
2021-04-08 13:25:56auth: Error: ldap_bind
2021-04-08 13:25:56auth: Error: ldap_simple_bind
2021-04-08 13:25:56auth: Error: ldap_sasl_bind
2021-04-08 13:25:56auth: Error: ldap_send_initial_request
2021-04-08 13:25:56auth: Error: ldap_new_connection 1 1 0
2021-04-08 13:25:56auth: Error: ldap_int_open_connection
2021-04-08 13:25:56auth: Error: ldap_connect_to_host: TCP <IP>:389
2021-04-08 13:25:56auth: Error: ldap_new_socket: 21
2021-04-08 13:25:56auth: Error: ldap_prepare_socket: 21
2021-04-08 13:25:56auth: Error: ldap_connect_to_host: Trying <IP>:389
2021-04-08 13:25:56auth: Error: ldap_pvt_connect: fd: 21 tm: 5 async: 0
2021-04-08 13:25:56auth: Error: ldap_ndelay_on: 21
2021-04-08 13:25:56auth: Error: attempting to connect:
2021-04-08 13:25:56auth: Error: connect errno: 115
2021-04-08 13:25:56auth: Error: ldap_int_poll: fd: 21 tm: 5
2021-04-08 13:25:56auth: Error: ldap_is_sock_ready: 21
2021-04-08 13:25:56auth: Error: ldap_ndelay_off: 21
2021-04-08 13:25:56auth: Error: ldap_pvt_connect: 0
2021-04-08 13:25:56auth: Error: ldap_open_defconn: successful
2021-04-08 13:25:56auth: Error: ldap_send_server_request
2021-04-08 13:25:56auth: Debug: master in: USER1user@example.comservice=lda
2021-04-08 13:25:56auth: Debug: ldap(user@example.com): Performing userdb lookup
2021-04-08 13:25:56auth: Debug: ldap(user@example.com): user search: base=dc=dl,dc=example,dc=com scope=subtree filter=(&(userPrincipalName=user@example.com)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) fields=home
2021-04-08 13:25:56auth: Error: ldap_result ld 0x559520aa2eb0 msgid -1
2021-04-08 13:25:56auth: Error: wait4msg ld 0x559520aa2eb0 msgid -1 (timeout 0 usec)
....
2021-04-08 13:25:56auth: Error: ** ld 0x559520aa2eb0 Outstanding Requests:
2021-04-08 13:25:56auth: Error:  * msgid 8,  origid 8, status InProgress
2021-04-08 13:25:56auth: Error:    outstanding referrals 0, parent count 0
2021-04-08 13:25:56auth: Error:  * msgid 2,  origid 2, status RequestCompleted
2021-04-08 13:25:56auth: Error:    outstanding referrals 3, parent count 0
2021-04-08 13:25:56auth: Error:   ld 0x559520aa2eb0 request count 2 (abandoned 0)
2021-04-08 13:25:56auth: Error: ** ld 0x559520aa2eb0 Response Queue:
2021-04-08 13:25:56auth: Error:  * msgid 6,  type 97
2021-04-08 13:25:56auth: Error:  * msgid 4,  type 97
2021-04-08 13:25:56auth: Error:   ld 0x559520aa2eb0 response count 2
2021-04-08 13:25:56auth: Error: ldap_chkResponseList ld 0x559520aa2eb0 msgid 8 all 1
2021-04-08 13:25:56auth: Error: ldap_chkResponseList returns ld 0x559520aa2eb0 NULL
2021-04-08 13:25:56auth: Error: ldap_int_select
2021-04-08 13:25:56auth: Error: read1msg: ld 0x559520aa2eb0 msgid 8 all 1
2021-04-08 13:25:56auth: Error: read1msg: ld 0x559520aa2eb0 msgid 8 message type bind
2021-04-08 13:25:56auth: Error: read1msg: ld 0x559520aa2eb0 0 new referrals
2021-04-08 13:25:56auth: Error: read1msg:  mark request completed, ld 0x559520aa2eb0 msgid 8
2021-04-08 13:25:56auth: Error: request done: ld 0x559520aa2eb0 msgid 8
2021-04-08 13:25:56auth: Error: res_errno: 0, res_error: <>, res_matched: <>
2021-04-08 13:25:56auth: Error: ldap_free_request (origid 8, msgid 8)
2021-04-08 13:25:56auth: Error: ldap_parse_result
2021-04-08 13:25:56auth: Error: ldap_msgfree
.....
2021-04-08 13:25:56auth: Error: ** ld 0x559520aa2eb0 Outstanding Requests:
2021-04-08 13:25:56auth: Error:  * msgid 3,  origid 2, status InProgress
2021-04-08 13:25:56auth: Error:    outstanding referrals 0, parent count 3
2021-04-08 13:25:56auth: Error:  * msgid 5,  origid 2, status InProgress
2021-04-08 13:25:56auth: Error:    outstanding referrals 0, parent count 2
2021-04-08 13:25:56auth: Error:  * msgid 7,  origid 2, status InProgress
2021-04-08 13:25:56auth: Error:    outstanding referrals 0, parent count 1
2021-04-08 13:25:56auth: Error:  * msgid 2,  origid 2, status RequestCompleted
2021-04-08 13:25:56auth: Error:    outstanding referrals 3, parent count 3
2021-04-08 13:25:56auth: Error:   ld 0x559520aa2eb0 request count 4 (abandoned 0)
2021-04-08 13:25:56auth: Error: ** ld 0x559520aa2eb0 Response Queue:
2021-04-08 13:25:56auth: Error:    Empty
2021-04-08 13:25:56auth: Error:   ld 0x559520aa2eb0 response count 0
2021-04-08 13:25:56auth: Error: ldap_chkResponseList ld 0x559520aa2eb0 msgid -1 all 0
2021-04-08 13:25:56auth: Error: ldap_chkResponseList returns ld 0x559520aa2eb0 NULL
2021-04-08 13:25:56auth: Error: ldap_int_select
2021-04-08 13:25:56auth: Error: read1msg: ld 0x559520aa2eb0 msgid -1 all 0
2021-04-08 13:25:56auth: Error: read1msg: ld 0x559520aa2eb0 msgid 7 message type search-result
2021-04-08 13:25:56auth: Error: ldap_chase_referrals
2021-04-08 13:25:56auth: Error: read1msg:  V2 referral chased, mark request completed, id = 7
2021-04-08 13:25:56auth: Error: read1msg: ld 0x559520aa2eb0 0 new referrals
2021-04-08 13:25:56auth: Error: read1msg:  mark request completed, ld 0x559520aa2eb0 msgid 7
2021-04-08 13:25:56auth: Error: merged parent (id 2) error info:  result errno 1, error <000004DC: LdapErr: DSID-0C090A7D, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839>, matched <>


Here is dovecot.conf:

#Additional Conf
#Debug log
mail_debug = yes

auth_master_user_separator = +
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes

log_path =  /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S"
protocols = imap pop3
disable_plaintext_auth = no

#listen = *
#ssl = no
auth_mechanisms = plain login
base_dir = /var/run/dovecot/
mail_location = mbox:/var/mail/vhosts/%n/

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
  #driver = passwd
  #driver = static
  #args = uid=5000 gid=5000 home=/var/mail/vhosts/%Ld/%Lu
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}

service stats {
    unix_listener stats-reader {
        user = vmail
        group = vmail
        mode = 0660
    }

    unix_listener stats-writer {
        user = vmail
        group = vmail
        mode = 0660
    }
}



Here is dovecot-ldap.conf:



hosts           = <IP>:389
ldap_version    = 3
auth_bind       = yes
dn              = user@example.domain.com
dnpass          = <pwd>
base            = dc=example,dc=domain,dc=com
scope           = subtree
deref           = never

#auth_bind = yes
#
#auth_bind_userdn = ou=users,dc=example,dc=domain,dc=com

#auth_bind_userdn = cn=users,dc=example,dc=domain,dc=com

# Below two are required by command 'doveadm mailbox ...'
iterate_attrs   = userPrincipalName=user
iterate_filter  = (&(userPrincipalName=*)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

#user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_filter     = (&(userPrincipalName=%n@example.domain.com)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
#pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%n@example.domain.com)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/mail/vhosts/domain.com/%Ld/%Ln/,=mail=maildir:~/Maildir/


Thanks for your help
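The advice in the previous reply (compare the filter Dovecot logs with the user's actual LDAP attributes) can be rehearsed offline before touching the directory. The script below is an added example, not code from this thread or from Dovecot: it expands the Dovecot variables in the user_filter/pass_filter posted above, parses the resulting RFC 4515 filter (including AD's bit-AND matching rule used for the userAccountControl clause) and evaluates it against a constructed AD entry, reporting which clause rejects the user. SAMPLE_USER is invented for the example; the filter templates are the ones from the dovecot-ldap.conf above.

```python
"""Check a Dovecot LDAP filter against an AD user entry, offline.

Added example, not code from the thread or from Dovecot. The filter templates
are copied from the poster's dovecot-ldap.conf; SAMPLE_USER is a constructed
Active Directory entry, not a real account.
"""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
ACCOUNTDISABLE = 2                   # userAccountControl flag the filter excludes

# Templates from the thread's dovecot-ldap.conf.
USER_FILTER = "(&(userPrincipalName=%n@example.domain.com)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
ITERATE_FILTER = "(&(userPrincipalName=*)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed AD entry: attribute name -> list of values (AD compares both case-insensitively).
SAMPLE_USER = {
    "userPrincipalName": ["user@example.domain.com"],
    "sAMAccountName": ["user"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "userAccountControl": ["512"],   # NORMAL_ACCOUNT, not disabled
}


def expand_dovecot_vars(template, login):
    """Expand %u (login), %n (local part), %d (domain); an L modifier lowercases."""
    local, _, domain = login.partition("@")
    values = {"u": login, "n": local, "d": domain}

    def repl(m):
        value = values[m.group(2)]
        return value.lower() if m.group(1) else value
    return re.sub(r"%(L?)([und])", repl, template)


def parse_filter(text):
    """Minimal RFC 4515 parser: &, |, !, attr=value, attr=* and attr:oid:=value. No escapes."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            expect(")")
            return ("!", [kid])
        end = text.index(")", pos)
        lhs, _, value = text[pos:end].partition("=")
        pos = end + 1
        if lhs.endswith(":"):                       # extensible match attr:rule:=value
            attr, _, rule = lhs[:-1].partition(":")
            return ("ext", attr, rule, value)
        return ("eq", lhs, value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def render(n):
    """Turn a parsed node back into filter text (used to name failing clauses)."""
    if n[0] in ("&", "|", "!"):
        return "(" + n[0] + "".join(render(k) for k in n[1]) + ")"
    if n[0] == "eq":
        return f"({n[1]}={n[2]})"
    return f"({n[1]}:{n[2]}:={n[3]})"


def evaluate(n, entry):
    """Evaluate a parsed filter against {attribute: [values]} the way AD would."""
    if n[0] == "&":
        return all(evaluate(k, entry) for k in n[1])
    if n[0] == "|":
        return any(evaluate(k, entry) for k in n[1])
    if n[0] == "!":
        return not evaluate(n[1][0], entry)
    attrs = {k.lower(): v for k, v in entry.items()}
    values = attrs.get(n[1].lower(), [])
    if n[0] == "eq":
        if n[2] == "*":                             # presence test
            return bool(values)
        return any(v.lower() == n[2].lower() for v in values)
    mask = int(n[3])
    if n[2] == BIT_AND:
        return any(int(v) & mask == mask for v in values)
    if n[2] == BIT_OR:
        return any(int(v) & mask for v in values)
    raise ValueError(f"unsupported matching rule {n[2]}")


def user_matches(template, login, entry):
    return evaluate(parse_filter(expand_dovecot_vars(template, login)), entry)


def failing_clauses(template, login, entry):
    """Top-level clauses of an AND filter that reject this entry (empty list = match)."""
    tree = parse_filter(expand_dovecot_vars(template, login))
    clauses = tree[1] if tree[0] == "&" else [tree]
    return [render(c) for c in clauses if not evaluate(c, entry)]


if __name__ == "__main__":
    for login in ("user@example.domain.com", "User@EXAMPLE.domain.com", "nobody@example.domain.com"):
        print(login, "->", failing_clauses(USER_FILTER, login, SAMPLE_USER) or "matches")
```

The expanded string is exactly what Dovecot prints after `filter=` in its debug log, so once a clause is identified here the same filter can be handed to ldapsearch with the configured bind DN to confirm the real directory agrees. Two things the evaluator makes visible: the filter hard-codes the domain after `%n`, so the local part of the login is the only thing that selects the account, and a disabled account (userAccountControl with bit 2 set) is rejected by the last clause rather than by a password check.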


Re: AD + Dovecot + Postfix + RoundCube Temporary authentication fail

sylvionagios wrote:

2021-04-08 13:25:56auth: Error: attempting to connect:
2021-04-08 13:25:56auth: Error: connect errno: 115

Seems the LDAP-related settings in dovecot-ldap.conf are wrong and Dovecot cannot connect to the LDAP server.


Re: AD + Dovecot + Postfix + RoundCube Temporary authentication fail

It's solved now; I've changed the AD port to 3268 instead of 389.

Thanks.
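The fix reported here (querying port 3268, the AD Global Catalog, instead of 389) matches what the debug log earlier in the thread records: the connect itself completes (`ldap_open_defconn: successful` follows the `connect errno: 115` line, and on Linux errno 115 is EINPROGRESS, the normal result of a non-blocking connect), the search on the domain base then comes back with referrals, and the referred connection fails with AD error 000004DC because it was never bound. A Global Catalog search does not return referrals for objects elsewhere in the forest, which is why the port change resolved it. The triage script below is an added example, not code from the thread, Dovecot or iRedMail: it parses Dovecot auth-debug lines, decodes the connect errno with a Linux-only table, extracts the LDAP search Dovecot performed, and reports these findings. SAMPLE_LOG is an abridged copy of the lines posted above.

```python
"""Triage a Dovecot auth-debug log from an LDAP (Active Directory) passdb/userdb.

Added example, not code from the thread, Dovecot or iRedMail. SAMPLE_LOG is an
abridged copy of the log lines posted in this thread; the errno table is for
Linux only (the numbers differ on other platforms).
"""
import re

# '<timestamp><process>: <level>: <message>'; the posted log has the timestamp glued to the process.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(.+?): (Debug|Info|Warning|Error|Fatal|Panic): (.*)$"
)
# Linux errno values seen on connect(); 115 is not a failure for a non-blocking socket.
LINUX_ERRNO = {101: "ENETUNREACH", 110: "ETIMEDOUT", 111: "ECONNREFUSED",
               113: "EHOSTUNREACH", 115: "EINPROGRESS"}
GC_PORTS = {"3268", "3269"}  # AD Global Catalog, plain and TLS

SAMPLE_LOG = """\
2021-04-08 13:25:56auth: Error: ldap_connect_to_host: TCP <IP>:389
2021-04-08 13:25:56auth: Error: attempting to connect:
2021-04-08 13:25:56auth: Error: connect errno: 115
2021-04-08 13:25:56auth: Error: ldap_pvt_connect: 0
2021-04-08 13:25:56auth: Error: ldap_open_defconn: successful
2021-04-08 13:25:56auth: Debug: ldap(user@example.com): user search: base=dc=dl,dc=example,dc=com scope=subtree filter=(&(userPrincipalName=user@example.com)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) fields=home
2021-04-08 13:25:56auth: Error:  * msgid 2,  origid 2, status RequestCompleted
2021-04-08 13:25:56auth: Error:    outstanding referrals 3, parent count 0
2021-04-08 13:25:56auth: Error: ldap_chase_referrals
2021-04-08 13:25:56auth: Error: merged parent (id 2) error info:  result errno 1, error <000004DC: LdapErr: DSID-0C090A7D, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839>, matched <>
2021-04-08 13:25:56auth: Debug: client passdb out: FAIL1user=user@example.comcode=temp_fail
"""


def parse_line(line):
    """Return (timestamp, process, level, message) or None for lines that are not log records."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def triage(log_text):
    """Collect the facts that matter for an LDAP passdb failure and turn them into findings."""
    r = {"server": None, "connect_errnos": [], "ldap_connected": False, "search": None,
         "referrals": 0, "referral_bind_error": False, "outcome": None, "findings": []}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        msg = parsed[3]
        if m := re.search(r"ldap_connect_to_host: TCP (\S+):(\d+)", msg):
            r["server"] = (m.group(1), m.group(2))
        elif m := re.search(r"\bconnect errno: (\d+)", msg):
            r["connect_errnos"].append(int(m.group(1)))
        elif msg.startswith("ldap_open_defconn: successful"):
            r["ldap_connected"] = True
        elif m := re.search(r"user search: base=(\S+) scope=(\S+) filter=(\(.*\)) fields=(\S*)", msg):
            r["search"] = dict(zip(("base", "scope", "filter", "fields"), m.groups()))
        elif m := re.search(r"outstanding referrals (\d+)", msg):
            r["referrals"] = max(r["referrals"], int(m.group(1)))
        elif "successful bind must be completed" in msg or "000004DC" in msg:
            r["referral_bind_error"] = True
        elif m := re.search(r"client passdb out: ([A-Z]+).*?code=(\w+)", msg):
            r["outcome"] = (m.group(1), m.group(2))

    f = r["findings"]
    for code in r["connect_errnos"]:
        name = LINUX_ERRNO.get(code, f"errno {code}")
        if code == 115 and r["ldap_connected"]:
            f.append("connect errno 115 is EINPROGRESS: the non-blocking connect completed afterwards "
                     "(ldap_open_defconn: successful), so TCP reachability of the LDAP server is fine")
        elif code != 115:
            f.append(f"TCP connect failed with {name}: check hosts/port in dovecot-ldap.conf and the firewall")
    if r["referrals"] and r["referral_bind_error"]:
        port = r["server"][1] if r["server"] else None
        hint = f" (currently port {port})" if port and port not in GC_PORTS else ""
        f.append("the DC answered the search with referrals and the referred connection is unauthenticated "
                 "(AD error 000004DC); query the Global Catalog on port 3268 (3269 with TLS) or narrow "
                 "'base' to the user's own domain so no referrals are returned" + hint)
    if r["outcome"] and r["outcome"][1] == "temp_fail":
        f.append("passdb returned temp_fail: the directory lookup failed before any password was checked, "
                 "so this is a backend problem, not a wrong password")
    return r


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("server:", report["server"], "search base:", report["search"]["base"])
    for finding in report["findings"]:
        print("-", finding)
```

One caveat worth keeping in mind when applying the fix: `hosts = <IP>:389` with a `dn`/`dnpass` pair sends the bind password in clear text, and 3268 is equally plain; Dovecot's dovecot-ldap.conf accepts `tls = yes` for STARTTLS or an `ldaps://` entry in `uris` (port 3269 for the Global Catalog over TLS) so the service account credentials stay off the wire.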