[Postfixbuch-users] (OT) Dovecot2 Auth Problem
Jim Knuth
jk at jkart.de
Fri Mar 11 10:52:57 CET 2011
Hello,
I have read a lot (1) (2), consulted the search engine
and tried many things. But now I do have to ask
the experts after all. Sorry for the OT and the LOT of
text.
This is about Dovecot, currently version 2.0.11 on
# OS: Linux 2.6.29.4 i686 Debian wheezy/sid.
I cannot for the life of me manage to log in to the mailbox.
The log then says:
Mar 11 10:05:11 server2 dovecot: master: Dovecot v2.0.11
(2ac35ed2f943) starting up (core dumps disabled)
(..)
Mar 11 10:05:40 server2 dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Mar 11 10:05:40 server2 dovecot: auth: Debug: auth client connected
(pid=10757)
Mar 11 10:05:40 server2 dovecot: auth: Debug: client in:
AUTH^I1^IPLAIN^Iservice=imap^Isecured^Ilip=127.0.0.1^Irip=127.0.0.1^Ilport=143^Irport=55105^Iresp=AHdlYjdwMQBBQkNnWEQxMA==
Mar 11 10:05:40 server2 dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth
Mar 11 10:05:40 server2 dovecot: auth: Debug: pam(web7p1,127.0.0.1):
lookup service=dovecot
Mar 11 10:05:40 server2 dovecot: auth: Debug: pam(web7p1,127.0.0.1):
#1/1 style=1 msg=Password:
Mar 11 10:05:42 server2 dovecot: auth: pam(web7p1,127.0.0.1):
pam_authenticate() failed: Authentication failure (password mismatch?)
(given password: password)
Mar 11 10:05:42 server2 dovecot: auth: Debug:
shadow(web7p1,127.0.0.1): lookup
Mar 11 10:05:42 server2 dovecot: auth: shadow(web7p1,127.0.0.1):
unknown user
Mar 11 10:05:42 server2 dovecot: auth: Debug: cache(web7p1,127.0.0.1):
miss
Mar 11 10:05:44 server2 dovecot: auth: Debug: client out:
FAIL^I1^Iuser=web7p1
Mar 11 10:05:44 server2 dovecot: imap-login: Aborted login (auth
failed, 1 attempts): user=<web7p1>, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured
web7p1 is a user and the password is correct!
How can I solve this? With Courier, which ran before, there were never
any problems.
Here are dovecot -n, postconf -n and master.cf
server2:~/tools# dovecot -n
# 2.0.11 (2ac35ed2f943): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.29.4-default i686 Debian wheezy/sid
auth_cache_size = 10 M
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_verbose = yes
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = *
login_greeting = Mailserver ready.
mail_access_groups = mail
mail_debug = yes
mail_gid = mail
mail_location = maildir:~/Maildir
mail_plugins = quota
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
namespace {
inbox = yes
location =
prefix = INBOX.
separator = .
}
passdb {
args = dovecot
driver = pam
}
passdb {
driver = shadow
}
plugin/autocreate = Trash
plugin/autocreate2 = Spam
plugin/autocreate3 = Ablage
plugin/autocreate4 = Papierkorb
plugin/autocreate5 = Entwurf
plugin/autosubscribe = Trash
plugin/autosubscribe2 = Spam
plugin/autosubscribe3 = Ablage
plugin/autosubscribe4 = Papierkorb
plugin/autosubscribe5 = Entwurf
plugin/sieve = ~/.dovecot.sieve
plugin/sieve_dir = ~/sieve
postmaster_address = postmaster at domain.de
protocols = imap pop3 sieve lmtp
service auth-worker {
unix_listener auth-worker {
user = vmail
}
user = vmail
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = vmail
}
service imap-login {
service_count = 0
vsz_limit = 64 M
}
service managesieve-login {
service_count = 0
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
unix_listener quota-warning {
user = vmail
}
user = dovecot
}
ssl = no
userdb {
driver = passwd
}
verbose_proctitle = yes
protocol lmtp {
mail_plugins = quota sieve
}
protocol lda {
mail_plugins = quota
}
protocol imap {
mail_plugins = acl imap_acl
}
protocol pop3 {
mail_plugins = quota
pop3_lock_session = yes
pop3_uidl_format = %v-%u
}
##################
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
body_checks = regexp:$filter/body_checks.regexp
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_privs = mail
delay_warning_time = 5h
disable_vrfy_command = yes
header_checks = regexp:$filter/header_checks.regexp
pcre:$filter/header_checks.pcre
home_mailbox = Maildir/
inet_interfaces = 77.236.98.239, 127.0.0.1
local_destination_concurrency_limit = 1
local_header_rewrite_clients =
local_recipient_maps = proxy:unix:passwd.byname
mail_name = Postfix-Amavis
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 102400000
mailq_path = /usr/bin/mailq
maximal_queue_lifetime = 3d
message_size_limit = 51200000
mime_header_checks = pcre:$filter/mime_header_checks
mydestination = $myhostname
myhostname = server1.art-domains.de
mynetworks = 127.0.0.0/8
myorigin = $myhostname
nested_header_checks = $header_checks
newaliases_path = /usr/bin/newaliases
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = black.uribl.com zen.spamhaus.org
bl.spamcop.net dnsbl.njabl.org ix.dnsbl.manitu.net
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
postscreen_helo_required = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = drop
postscreen_pipelining_enable = yes
proxy_read_maps = proxy:mysql:$mysql/client_access.cf
proxy:mysql:$mysql/sender_access.cf proxy:unix:passwd.byname
queue_directory = /var/spool/postfix
recipient_delimiter = +
remote_header_rewrite_domain =
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_bind_address = 77.236.98.239
smtp_connect_timeout = 90s
smtp_connection_cache_on_demand = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 100
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 100
smtpd_data_restrictions = reject_multi_recipient_bounce
reject_unauth_pipelining
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_junk_command_limit = 50
smtpd_policy_service_max_idle = 3600s
smtpd_policy_service_max_ttl = 3600s
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = permit_mynetworks
reject_non_fqdn_sender reject_non_fqdn_recipient
reject_unknown_recipient_domain reject_unknown_sender_domain
permit_sasl_authenticated reject_unauth_destination
reject_invalid_hostname reject_unlisted_sender
reject_unlisted_recipient check_recipient_access
hash:$filter/verbotene_empfaenger check_client_access
pcre:$filter/dynip check_client_access
proxy:mysql:$mysql/client_access.cf check_sender_access
proxy:mysql:$mysql/sender_access.cf
check_sender_mx_access hash:$filter/wildcard_mx
check_sender_mx_access cidr:$filter/bogon_networks.cidr
check_policy_service inet:127.0.0.1:12525 check_policy_service
inet:127.0.0.1:10031
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = mail.server1.art-domains.de
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/share/ssl-cert/ca-bundle.crt
smtpd_tls_cert_file = $certs/postfix_public_cert.pem
smtpd_tls_key_file = $certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
strict_mime_encoding_domain = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/confixx_virtualUsers
hash:/etc/postfix/confixx_localDomains
########
smtp inet n - n - 1 postscreen
-o myhostname=server1.art-domains.de
smtpd pass - - n - - smtpd
-o receive_override_options=no_address_mappings
-o content_filter=lmtp-amavis:[127.0.0.1]:10024
195.137.213.14:submission inet n - n 0 -
smtpd
-o myhostname=server2.art-domains.de
-o smtpd_sasl_auth_enable=yes
-o receive_override_options=no_address_mappings
-o
smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
-o content_filter=lmtp-amavis:[127.0.0.1]:10026
-o anvil_rate_time_unit=120s
-o milter_macro_daemon_name=ORIGINATING
195.137.213.14:smtp inet n - n 0 - smtpd
-o myhostname=server2.art-domains.de
-o smtpd_sasl_auth_enable=yes
-o receive_override_options=no_address_mappings
-o
smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
-o content_filter=lmtp-amavis:[127.0.0.1]:10026
-o anvil_rate_time_unit=120s
-o milter_macro_daemon_name=ORIGINATING
195.137.213.14:smtps inet n - n 0 - smtpd
-o myhostname=server2.art-domains.de
-o smtpd_sasl_auth_enable=yes
-o receive_override_options=no_address_mappings
-o
smtpd_recipient_restrictions=$submission_smtpd_recipient_restrictions
-o content_filter=lmtp-amavis:[127.0.0.1]:10026
-o anvil_rate_time_unit=120s
-o milter_macro_daemon_name=ORIGINATING
lmtp-amavis unix - - n - 6 lmtp
-o lmtp_data_done_timeout=1200s
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
127.0.0.1:10027 inet n - n - - smtpd
-o content_filter=
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop
-f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
#tlsmgr fifo - - - 300 1 tlsmgr
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o
smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes
scache unix - - - - 1 scache
discard unix - - - - - discard
tlsmgr unix - - - 1000? 1 tlsmgr
retry unix - - n - - error
proxywrite unix - - n - 1 proxymap
Thanks in advance. Auth via MySQL is unfortunately far too much effort,
since it would only work through Confixx's "black box" DB.
So it should go through PAM, which is presumably what Courier
does as well.
(1) http://www.arschkrebs.de/slides/dovecot-slides.pdf
(2) Linux Magazin 09/10 "Senkrechtstarter" by Peer Heinlein
--
Kind regards,
Jim Knuth
P.S.: Please do NOT send HTML mails!
#####
Random quote:
When two people always think the same thing,
one of them is superfluous. [Churchill]
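
Added example, not part of the original post: as in the log above, with auth_debug = yes and auth_debug_passwords = yes the auth log carries the SASL PLAIN response in resp= (base64 of authzid NUL authcid NUL password, RFC 4616) and the "(given password: ...)" text, so such logs need scrubbing before they are shared. The Python sketch below masks both fields while keeping the user name; the function names and the sample lines are constructed for illustration.

```python
import base64
import re

# Matches the resp= field of a "client in: AUTH ..." line (tab or ^I separated).
RESP_RE = re.compile(r"(resp=)([A-Za-z0-9+/]*={0,2})")
# Greedy up to the last ')' so passwords containing ')' are fully masked.
GIVEN_RE = re.compile(r"\(given password: .*\)")


def decode_plain(resp_b64):
    """Split a SASL PLAIN response into (authzid, authcid, password), else None."""
    try:
        raw = base64.b64decode(resp_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts)


def redact_line(line):
    """Mask credentials in one Dovecot auth log line, keeping the user name."""
    def mask_resp(match):
        fields = decode_plain(match.group(2))
        if fields is None:
            return match.group(1) + "<redacted>"
        return match.group(1) + "<redacted PLAIN response, user=%s>" % fields[1]

    line = RESP_RE.sub(mask_resp, line)
    return GIVEN_RE.sub("(given password: <redacted>)", line)


# Constructed sample lines (not taken from a real system).
SAMPLE_RESP = base64.b64encode(b"\x00alice\x00s3cret)pw").decode()
SAMPLE = [
    "Jan  1 00:00:00 host dovecot: auth: Debug: client in: "
    "AUTH^I1^IPLAIN^Iservice=imap^Iresp=" + SAMPLE_RESP,
    "Jan  1 00:00:02 host dovecot: auth: pam(alice,127.0.0.1): pam_authenticate() "
    "failed: Authentication failure (password mismatch?) (given password: s3cret)pw)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(redact_line(entry))
```

Run over a log excerpt line by line before pasting it into a mail or ticket; unwrap lines that the mail client has folded first, since the patterns work per log line.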