1 (edited by jobu 2021-08-20 17:29:38)

Topic: dovecot auth ldap unknown user if not from localhost

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: Debian Buster
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

After restoring iRedMail on a new server, I started the services one after another to see if anything would work.
Right now nginx, dovecot and amavis are up and running, fail2ban is down, and no firewall rules are in use.
Roundcube, SOGo and iRedAdmin work fine, as expected.
But ... you can't use IMAP from another client like Thunderbird; users are always unknown ...

Aug 20 07:59:36 mail dovecot: auth: Debug: client in: AUTH#0112#011PLAIN#011service=imap#011secured=tls#011session=13T2XvfJO/Nf30tA#011lip=123.45.67.89#011rip=98.76.54.123#011lport=993#011rport=62267#011local_name=mail.example.com#011ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384#011ssl_cipher_bits=256#011ssl_pfs=KxECDHE#011ssl_protocol=TLSv1.2#011resp=<hidden>
Aug 20 07:59:37 mail dovecot: auth: Debug: ldap(user@mail.example.com,98.76.54.123,<lsEYX/fJWfNf30tA>): bind search: base=o=domains,dc=mail,dc=example,dc=com filter=(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=imaptls)(|(mail=user@mail.example.com)(&(enabledService=shadowaddress)(shadowAddress=user@mail.example.com))))
Aug 20 07:59:37 mail dovecot: auth: Debug: ldap(user@mail.example.com,98.76.54.123,<lsEYX/fJWfNf30tA>): no fields returned by the server
Aug 20 07:59:37 mail dovecot: auth: ldap(user@mail.example.com,98.76.54.123,<lsEYX/fJWfNf30tA>): unknown user

As said before, the user is able to log in via Roundcube etc. and has access to the maildir, sieve ... but authentication via Thunderbird/Outlook fails.

Any idea is welcome.


2 (edited by jobu 2021-08-20 21:38:26)

Re: dovecot auth ldap unknown user if not from localhost

/var/log/openldap/openldap.log shows this ...

Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=7 BIND anonymous mech=implicit ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=7 BIND dn="cn=vmail,dc=mail,dc=example,dc=com" method=128
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=7 BIND dn="cn=vmail,dc=mail,dc=example,dc=com" mech=SIMPLE ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=7 RESULT tag=97 err=0 text=
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=8 SRCH base="o=domains,dc=mail,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=imapsecured)(|(mail=user@mail.example.com)(&(enabledService=shadowaddress)(shadowAddress=user@mail.example.com))))"
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=8 SRCH attr=mail mail homeDirectory mailboxFormat mailboxFolder mailQuota
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=9 SRCH base="o=domains,dc=mail,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=imapsecured)(|(mail=user@mail.example.com)(&(enabledService=shadowaddress)(shadowAddress=user@mail.example.com))))"
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=9 SRCH attr=mail allowNets
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=10 BIND anonymous mech=implicit ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=10 BIND dn="mail=user@mail.example.com,ou=Users,domainName=mail.example.com,o=domains,dc=mail,dc=example,dc=com" method=128
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=10 BIND dn="mail=user@mail.example.com,ou=Users,domainName=mail.example.com,o=domains,dc=mail,dc=example,dc=com" mech=SIMPLE ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=10 RESULT tag=97 err=0 text=

Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=11 BIND anonymous mech=implicit ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=11 BIND dn="cn=vmail,dc=mail,dc=example,dc=com" method=128
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=11 BIND dn="cn=vmail,dc=mail,dc=example,dc=com" mech=SIMPLE ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=10 RESULT tag=97 err=0 text=
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=11 BIND anonymous mech=implicit ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=11 BIND dn="cn=vmail,dc=mail,dc=example,dc=com" method=128
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=11 BIND dn="cn=vmail,dc=mail,dc=example,dc=com" mech=SIMPLE ssf=0
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=11 RESULT tag=97 err=0 text=
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=12 SRCH base="o=domains,dc=mail,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=imapsecured)(|(mail=user@mail.example.com)(&(enabledService=shadowaddress)(shadowAddress=user@mail.example.com))))"
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=12 SRCH attr=mail mail homeDirectory mailboxFormat mailboxFolder mailQuota
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=13 SRCH base="o=domains,dc=mail,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=imapsecured)(|(mail=user@mail.example.com)(&(enabledService=shadowaddress)(shadowAddress=user@mail.example.com))))"
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=13 SRCH attr=mail allowNets
Aug 20 09:47:00 mail slapd[1043]: conn=1002 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text=

The initial installation is quite old, but got all updates.
I can see differences between my old /etc/ldap/slapd and the new one, especially for "access to attrs". As said before, the new installation works via Roundcube without noticeable errors or warnings and without changing the values (I guess the changes to those values came with version 0.9.6). Even changing them to the values from the previous version seems to make no difference.

Did I miss something here? Do I have to restore some other settings in /etc/ldap/... ?

Restoring the backup following the guide https://docs.iredmail.org/backup.restore.html worked fine so far, but right now I'm kind of lost ...

3

Re: dovecot auth ldap unknown user if not from localhost

# dovecot -n

# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-17-amd64 x86_64 Debian 10.10 
# Hostname: mail.mail.example.com
auth_debug = yes
auth_default_realm = mail.example.com
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
auth_verbose = yes
default_process_limit = 600
deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, delivery_time=%{delivery_time}ms, %$
dict {
  acl = mysql:/etc/dovecot/dovecot-share-folder.conf
  lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf
  quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = * [::]
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
mail_debug = yes
mail_gid = 2000
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
mail_plugins = quota mailbox_alias acl mail_log notify
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
metric imap_command_finished {
  event_name = imap_command_finished
}
namespace {
  inbox = yes
  location = 
  mailbox Archive {
    auto = no
    special_use = \Archive
  }
  mailbox Archives {
    auto = no
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    auto = no
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox "Junk E-mail" {
    auto = no
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Items" {
    auto = no
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = no
    special_use = \Sent
  }
  mailbox Spam {
    auto = no
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
  type = private
}
namespace {
  list = children
  location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%u
  prefix = Shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = /etc/dovecot/dovecot-master-users
  driver = passwd-file
  master = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  auth_socket_path = /var/run/dovecot/auth-master
  last_login_dict = proxy::lastlogin
  last_login_key = # hidden, use -P to show it
  mail_log_events = delete undelete expunge copy mailbox_create mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size from subject flags
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  quota = dict:user::proxy::quotadict
  quota_grace = 50MB
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=100%% quota-warning 100 %u
  quota_warning2 = storage=99%% quota-warning 99 %u
  quota_warning3 = storage=98%% quota-warning 98 %u
  sieve = /var/vmail/sieve/%Ld/%Ln/dovecot.sieve
  sieve_before = /var/vmail/sieve/dovecot.sieve
  sieve_dir = /var/vmail/sieve/%Ld/%Ln
  sieve_global_dir = /var/vmail/sieve
  sieve_max_redirects = 30
  sieve_vacation_send_from_recipient = yes
}
protocols = pop3 imap sieve lmtp
service anvil {
  client_limit = 2903
}
service auth {
  client_limit = 3500
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service dict {
  unix_listener dict {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 1200
  process_min_avail = 3
  service_count = 1
}
service lmtp {
  executable = lmtp -L
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  process_min_avail = 5
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1
    port = 4190
  }
}
service pop3-login {
  process_limit = 500
  service_count = 1
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
}
service quota-warning {
  executable = script /usr/local/bin/dovecot-quota-warning.sh
  unix_listener quota-warning {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service stats {
  fifo_listener stats-mail {
    mode = 0644
    user = vmail
  }
  inet_listener {
    address = 127.0.0.1
    port = 24242
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_ca = </etc/ssl/certs/chain.pem
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
syslog_facility = local5
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  lda_mailbox_autocreate = yes
  lda_mailbox_autosubscribe = yes
  mail_plugins = quota mailbox_alias acl mail_log notify sieve
}
protocol lmtp {
  lmtp_save_to_detail_mailbox = yes
  mail_plugins = quota mailbox_alias acl mail_log notify sieve
  recipient_delimiter = +
}
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
  mail_max_userip_connections = 40
  mail_plugins = quota mailbox_alias acl mail_log notify imap_quota imap_acl last_login
}
protocol pop3 {
  mail_max_userip_connections = 30
  mail_plugins = quota mailbox_alias acl mail_log notify last_login
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}

I tried upgrading the old installation from stretch to buster a while ago and experienced problems with external clients too (I'm aware of this info: https://docs.iredmail.org/upgrade.debian.9-10.html). There was no time to dig deeper into it, so I decided to use a fresh VM.

# telnet mail.example.org 110
Trying mail.example.org...
Connected to mail.example.org.
Escape character is '^]'.
+OK Dovecot (Debian) ready

... and ...

# telnet mail.example.org 143
Trying mail.example.org...
Connected to mail.example.org.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.

... works.

So it seems to be an LDAP problem, but I don't see where to dig further ...

4

Re: dovecot auth ldap unknown user if not from localhost

Seems you missed some LDAP data updates. Please check our upgrade tutorials again and apply the missed update steps: https://docs.iredmail.org/iredmail.releases.html

Paid support is available as an option too: https://www.iredmail.org/support.html
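The diagnosis above can be checked offline before touching the directory. The dovecot debug line in the first post shows that the pass filter requires, besides `enabledService=mail`, a second `enabledService` value named after the service used for the login (`imaptls` in the dovecot log, `imapsecured` in the slapd log), so an account restored from an older release that only carries the older values is rejected as "unknown user" even though its password and mailbox are fine. The script below is an added example, not code from this thread or from iRedMail: it evaluates that filter shape (copied from the debug line, with the user and the service name substituted; the exact Dovecot variable expansion is assumed, the page does not show it) against constructed LDIF entries and lists the accounts that would be rejected for a given service name. The LDIF parser handles only plain `attr: value` lines and the filter evaluator only the `&`, `|`, `!` and equality operators that this filter uses.

```python
"""Offline check of a Dovecot LDAP pass_filter against LDIF entries (added example)."""

# Constructed sample entries (not from the thread). "alice" carries the newer
# enabledService values; "bob" looks like an account restored from an older
# release that only has the older ones.
SAMPLE_LDIF = """\
dn: mail=alice@mail.example.com,ou=Users,domainName=mail.example.com,o=domains,dc=mail,dc=example,dc=com
objectClass: mailUser
mail: alice@mail.example.com
accountStatus: active
enabledService: mail
enabledService: imap
enabledService: imaptls
enabledService: imapsecured

dn: mail=bob@mail.example.com,ou=Users,domainName=mail.example.com,o=domains,dc=mail,dc=example,dc=com
objectClass: mailUser
mail: bob@mail.example.com
accountStatus: active
enabledService: mail
enabledService: imap
"""

# Filter shape copied from the dovecot debug line; {service} and {user} stand
# in for the values Dovecot substitutes per login attempt (assumed expansion).
FILTER_TEMPLATE = (
    "(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))"
    "(enabledService=mail)(enabledService={service})"
    "(|(mail={user})(&(enabledService=shadowaddress)(shadowAddress={user}))))"
)


def parse_ldif(text):
    """Parse minimal LDIF (one 'attr: value' per line, blank line between entries)
    into a list of dicts mapping lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_filter(s, pos=0):
    """Recursive-descent parser for the RFC 4515 subset used by the filter:
    (&...), (|...), (!...) and (attr=value). Returns (tree, next_position)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = s[pos]
    if op in "&|!":
        pos += 1
        children = []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Values are compared
    case-insensitively; a missing attribute never satisfies an equality."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # op == "!"


def lookup(entries, user, service):
    """DNs the pass_filter would return for one login attempt of user/service."""
    tree, _ = parse_filter(FILTER_TEMPLATE.format(user=user, service=service))
    return [e["dn"][0] for e in entries if matches(tree, e)]


def audit_missing_service(entries, service):
    """mailUser accounts the filter rejects for this service, i.e. the ones
    Dovecot would log as 'unknown user' although the account exists."""
    rejected = []
    for e in entries:
        if "mailuser" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        user = e["mail"][0]
        if not lookup(entries, user, service):
            rejected.append(user)
    return rejected
```

Run against an `ldapsearch -LLL` export of the `o=domains` subtree with the service names taken from your own dovecot debug lines, `audit_missing_service` gives the list of accounts that still need the release's LDAP data update before the failures become user-visible; on the constructed sample it reports `bob` for `imaptls` and `imapsecured` and nobody for `imap`.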

5

Re: dovecot auth ldap unknown user if not from localhost

Thanks Zhang, you were right: I missed some optional updates for LDAP and MySQL (user last login) and applied them now.
It seems to work now. Cool.