NFS Locking and Submission Service Authentication


NFS Locking and Submission Service Authentication

Dovecot mailing list

Greetings,

We're in the process of upgrading our Dovecot server to new hardware and new expanded storage.  We planned on using an NFS share for the mail storage, as we're running Postfix / Dovecot on a VM and wanted to separate out the mail storage from the VM for backup reasons.

I read as much as I could find on line regarding configuring Dovecot to use NFS, and set it up as best I could, but I'm still running into lock errors e.g.:

Sep 25 10:30:35 triata4 dovecot: imap([hidden email])<75580><enQ/AWSTkQkKCgDu>: Error: fcntl(/vmail/triata.globalchange.media/user/dovecot.index.log, write-lock, F_SETLKW) locking failed: No locks available
Sep 25 10:30:35 triata4 dovecot: imap([hidden email])<75580><enQ/AWSTkQkKCgDu>: Error: mail_index_wait_lock_fd() failed with file /vmail/triata.globalchange.media/user/dovecot.index.log: No locks available

Also, I have been trying to configure the Dovecot submission service to authenticate with Postfix, but I keep running into errors which are related to how I'm configuring the authentication.  How do we set the user@domain and password string for submission in the configs?

Thank you.

Please see doveconf -n below, if you see any other errors in this config, I'd be grateful if you pointed them out:

# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 (7372921a)
# OS: Linux 3.10.0-957.27.2.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)  nfs
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot-debug.log
deliver_log_format = msgid=%m: from=%f: %$
hostname = triata.globalchange.media
mail_debug = yes
mail_fsync = always
mail_home = /vmail/%d/%n/home
mail_location = maildir:/vmail/%d/%n
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
plugin {
  mail_log_fields = uid box msgid from flags
  sieve = file:/vmail/%d/%n/sieve;active=/vmail/%d/%n/.dovecot.sieve
}
protocols = imap lmtp submission sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service managesieve {
  process_limit = 1024
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl_cert = </etc/letsencrypt/live/triata.globalchange.media/fullchain.pem
ssl_key = # hidden, use -P to show it
submission_relay_host = triata.globalchange.media
submission_relay_password = # hidden, use -P to show it
submission_relay_port = 587
submission_relay_ssl = starttls
submission_relay_trusted = yes
submission_relay_user = %u
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
protocol lda {
  mail_plugins =
}
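
The post above asks for other problems in the configuration. As an added example (not part of the original post and not Dovecot project code), this checker reads "doveconf -n" text and flags the settings that log passwords and the unix_listener sockets whose mode grants access to every local user. SAMPLE is an excerpt constructed from the posted settings, and audit() is a hypothetical helper name.

```python
# Constructed excerpt of the doveconf -n output posted above.
SAMPLE = """\
auth_debug_passwords = yes
auth_verbose_passwords = plain
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    mode = 0666
  }
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
"""

def audit(doveconf_text):
    """Return (block path, setting, value, reason) tuples worth reviewing."""
    findings, stack = [], []
    for raw in doveconf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):            # block opener such as "service auth {"
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        path = " > ".join(stack)
        if key == "auth_debug_passwords" and value == "yes":
            findings.append((path, key, value, "passwords are written to the debug log"))
        elif key == "auth_verbose_passwords" and value != "no":
            findings.append((path, key, value, "attempted passwords are logged on failed logins"))
        elif key == "mode" and stack and stack[-1].startswith("unix_listener"):
            if int(value, 8) & 0o007:     # any permission bit set for "other"
                findings.append((path, key, value, "socket is open to every local user"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

Each flagged listener can be narrowed by setting an explicit user and group on it and dropping the "other" bits from its mode.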


Re: NFS Locking and Submission Service Authentication

Dovecot mailing list
For the record, ever since the last patches for NFS got committed, we
don't see locking issues over NFS in general across all our platforms,
but it also depends on how you configure your NFS server.

You might find that this is not a dovecot issue, but an NFS issue.

You might want to post more about your NFS setup(s) and then someone on
the list might better assist you.

        -- Michael --

On 2019-09-25 10:44 a.m., Asai via dovecot wrote:

> Greetings,
>
> We're in the process of upgrading our Dovecot server to new hardware and
> new expanded storage.  We planned on using an NFS share for the mail
> storage, as we're running Postfix / Dovecot on a VM and wanted to
> separate out the mail storage from the VM for backup reasons.
>
> I read as much as I could find on line regarding configuring Dovecot to
> use NFS, and set it up as best I could, but I'm still running into lock
> errors e.g.:
>
> Sep 25 10:30:35 triata4 dovecot: imap([hidden email])<75580><enQ/AWSTkQkKCgDu>: Error: fcntl(/vmail/triata.globalchange.media/user/dovecot.index.log, write-lock, F_SETLKW) locking failed: No locks available
> Sep 25 10:30:35 triata4 dovecot: imap([hidden email])<75580><enQ/AWSTkQkKCgDu>: Error: mail_index_wait_lock_fd() failed with file /vmail/triata.globalchange.media/user/dovecot.index.log: No locks available
>
> Also, I have been trying to configure the Dovecot submission service to
> authenticate with Postfix, but I keep running into errors which are
> related to how I'm configuring the authentication.  How do we set the
> user@domain and password string for submission in the configs?
>
> Thank you.
>
> Please see doveconf -n below, if you see any other errors in this
> config, I'd be grateful if you pointed them out:
>
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.2 (7372921a)
> # OS: Linux 3.10.0-957.27.2.el7.x86_64 x86_64 CentOS Linux release
> 7.6.1810 (Core)  nfs
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> debug_log_path = /var/log/dovecot-debug.log
> deliver_log_format = msgid=%m: from=%f: %$
> hostname = triata.globalchange.media
> mail_debug = yes
> mail_fsync = always
> mail_home = /vmail/%d/%n/home
> mail_location = maildir:/vmail/%d/%n
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart extracttext
> namespace inbox {
>    inbox = yes
>    location =
>    mailbox Drafts {
>      special_use = \Drafts
>    }
>    mailbox Junk {
>      special_use = \Junk
>    }
>    mailbox Sent {
>      special_use = \Sent
>    }
>    mailbox "Sent Messages" {
>      special_use = \Sent
>    }
>    mailbox Trash {
>      special_use = \Trash
>    }
>    prefix =
>    separator = /
>    type = private
> }
> passdb {
>    args = /etc/dovecot/dovecot-mysql.conf
>    driver = sql
> }
> plugin {
>    mail_log_fields = uid box msgid from flags
>    sieve = file:/vmail/%d/%n/sieve;active=/vmail/%d/%n/.dovecot.sieve
> }
> protocols = imap lmtp submission sieve
> service auth {
>    unix_listener /var/spool/postfix/private/auth {
>      mode = 0666
>    }
>    unix_listener auth-userdb {
>      group = vmail
>      mode = 0666
>      user = vmail
>    }
> }
> service imap-login {
>    inet_listener imap {
>      port = 143
>    }
>    inet_listener imaps {
>      port = 993
>      ssl = yes
>    }
> }
> service lmtp {
>    unix_listener lmtp {
>      mode = 0666
>    }
> }
> service managesieve-login {
>    inet_listener sieve {
>      port = 4190
>    }
>    process_min_avail = 0
>    service_count = 1
>    vsz_limit = 64 M
> }
> service managesieve {
>    process_limit = 1024
> }
> service submission-login {
>    inet_listener submission {
>      port = 587
>    }
> }
> ssl_cert = </etc/letsencrypt/live/triata.globalchange.media/fullchain.pem
> ssl_key = # hidden, use -P to show it
> submission_relay_host = triata.globalchange.media
> submission_relay_password = # hidden, use -P to show it
> submission_relay_port = 587
> submission_relay_ssl = starttls
> submission_relay_trusted = yes
> submission_relay_user = %u
> userdb {
>    args = /etc/dovecot/dovecot-mysql.conf
>    driver = sql
> }
> protocol lda {
>    mail_plugins =
> }
>



--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

Re: NFS Locking and Submission Service Authentication

Dovecot mailing list
On 9/25/2019 2:06 PM, Michael Peddemors via dovecot wrote:
> For the record, ever since the last patches for NFS got committed, we don't see locking issues over NFS in general across all our platforms, but it also depends on how you configure your NFS server.
>
> You might find that this is not a dovecot issue, but an NFS issue.
>
> You might want to post more about your NFS setup(s) and then someone on the list might better assist you.

Thank you, Michael, for the advice.  Turns out the NFS locking problem was a firewall issue on the Dovecot server, which is now fixed.

Does anyone have any advice on the Submission Service authentication?

For example, this is what's coming up in the logs:

Sep 25 14:39:04 triata4 dovecot: submission-login: Client has quit the connection (auth failed, 1 attempts in 2 secs): user=<%u>, method=PLAIN, rip=10.1.1.99, lip=10.1.1.99, TLS, session=<mrNJe2eTDMUKAQFj>

As you can see, it's choking on user=<%u>, which it's not expanding, so is there a variable I can put in there, or is it strictly hard coded authentication?

Thanks.


Re: NFS Locking and Submission Service Authentication

Dovecot mailing list
On 2019-09-26 03:44, Asai via dovecot wrote:

> Greetings,
>
> We're in the process of upgrading our Dovecot server to new hardware
> and new expanded storage.  We planned on using an NFS share for the
> mail storage, as we're running Postfix / Dovecot on a VM and wanted to
> separate out the mail storage from the VM for backup reasons.
>
> I read as much as I could find on line regarding configuring Dovecot
> to use NFS, and set it up as best I could, but I'm still running into
> lock errors e.g.:
>
> Sep 25 10:30:35 triata4 dovecot:
> imap([hidden email])<75580><enQ/AWSTkQkKCgDu>: Error:
> fcntl(/vmail/triata.globalchange.media/user/dovecot.index.log,
> write-lock, F_SETLKW) locking failed: No locks available
> Sep 25 10:30:35 triata4 dovecot:
> imap([hidden email])<75580><enQ/AWSTkQkKCgDu>: Error:
> mail_index_wait_lock_fd() failed with file
> /vmail/triata.globalchange.media/user/dovecot.index.log: No locks
> available

How is your NFS export mounted on the client? Can you post the output of
"egrep nfs /proc/mounts"?

--
Adi Pircalabu

Re: NFS Locking and Submission Service Authentication

Dovecot mailing list
On 9/25/2019 4:17 PM, Adi Pircalabu via dovecot wrote:
>
> How is your NFS export mounted on the client? Can you post the output
> of "egrep nfs /proc/mounts"?
>
Hi Adi, thank you for your reply.

Turns out that the problem was that the firewall on the Dovecot server
needed to be opened to allow the NFS server to communicate lock
commands, so I made a firewall exception and it's working now.

Asai
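
The /proc/mounts question and the firewall fix in this thread are connected by how each NFS mount services fcntl() locks. As an added example (not from any poster and not Dovecot code), this classifier reads /proc/mounts text and reports that per mount point. The thread does not state which NFS version was in use; the sample lines, host names and addresses are constructed, and lock_paths() is a hypothetical helper name.

```python
# Constructed /proc/mounts lines; hosts, paths and addresses are made up.
SAMPLE_MOUNTS = """\
nas1:/export/vmail /vmail nfs rw,relatime,vers=3,hard,proto=tcp,mountvers=3,local_lock=none,addr=192.0.2.10 0 0
nas1:/export/home /home nfs4 rw,relatime,vers=4.1,hard,proto=tcp,clientaddr=192.0.2.20,local_lock=none,addr=192.0.2.10 0 0
nas1:/export/tmp /scratch nfs rw,vers=3,nolock,proto=tcp,local_lock=all,addr=192.0.2.10 0 0
/dev/sda1 / xfs rw,relatime 0 0
"""

def lock_paths(mounts_text):
    """Map each NFS mount point to how fcntl() locks on it are serviced."""
    result = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        mountpoint, fstype = fields[1], fields[2]
        # "vers=3" -> {"vers": "3"}; bare flags such as "nolock" map to "".
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        default = "4" if fstype == "nfs4" else "3"
        major = opts.get("vers", opts.get("nfsvers", default))[:1]
        if "nolock" in opts or opts.get("local_lock") in ("all", "posix"):
            result[mountpoint] = "local"  # locks are kept on this client only
        elif major == "4":
            result[mountpoint] = "nfs4"   # locking is part of the NFS protocol itself
        else:
            # NFSv3 and older: separate NLM (lockd) and NSM (statd) RPC services,
            # with traffic in both directions, so firewalls on both hosts matter.
            result[mountpoint] = "nlm"
    return result

if __name__ == "__main__":
    for mountpoint, how in lock_paths(SAMPLE_MOUNTS).items():
        print(mountpoint, how)
```

A mount reported as "nlm" is the case where a host firewall that passes ordinary NFS traffic can still leave lock requests failing.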