dovecot 2 in ubuntu 12.04 or Debian Squeeze

dovecot 2 in ubuntu 12.04 or Debian Squeeze

pvsuja
Dear sir,
 
I have to set up a mail gateway which will be exposed to the Internet and a secure mail server in the Intranet.
I need a smart imap proxy in the mail gateway which will fetch the mail from server and present to user through either a stand alone mail client or a web mail client.
All authentication is through ldap server.
 
I have installed Dovecot 2.2 Unstable in my Ubuntu 12.04 with ssl enabled
But when I am starting dovecot, I am getting the following error

doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting: ssl_cert
 
I couldn't figure out what is wrong. Please help me to sort it out.
 
Thanks & Regards,
 
Suja PV
LEOS
 

Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Steffen Kaiser-9
On Tue, 5 Mar 2013, pvsuja wrote:

> I have installed Dovecot 2.2 Unstable in my Ubuntu 12.04 with ssl enabled
> But when I am starting dovecot, I am getting the following error
>
> *doveconf: Fatal: Error in configuration file
> /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting:
> ssl_cert*

What's line #12 in /usr/local/etc/dovecot/conf.d/10-ssl.conf ?
Does it match http://wiki2.dovecot.org/SSL ?

What's your doveconf -n output?

Does ./sbin/dovecot --build-options tell you that SSL is built in at all?

Are you sure that you are trying to start Dovecot v2 rather than Dovecot v1? I
mean, maybe you have multiple versions of Dovecot on your system and the
init script starts another binary with the new config.

--
Steffen Kaiser

Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

pvsuja
Thanks for the reply.

Line #12 is
ssl_cert = </etc/ssl/certs/dovecot.pem

doveconf -n gives the error:

doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting: ssl_cert

./sbin/dovecot --build-options gives:
Build options: ioloop=epoll notify=inotify ipv6 openssl io_block_size=8192
Mail storages: shared mdbox sdbox maildir mbox cydir imapc_stub pop3c_stub raw
SQL drivers:
Passdb: checkpassword passwd passwd-file shadow
Userdb: checkpassword nss passwd prefetch passwd-file


Note: I have not changed any settings. I simply copied from example_config and tried doveconf, and I am getting this error.
I don't have any other versions of dovecot running on my system.

Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Jan Phillip Greimann
On 06.03.2013 09:01, pvsuja wrote:
> Line #12 is
> ssl_cert = </etc/ssl/certs/dovecot.pem
>
> doveconf -n gives the error:
>
> doveconf: Fatal: Error in configuration file
> /usr/local/etc/dovecot/conf.d/10-ssl.conf line 12: Unknown setting:
> ssl_cert
>

Please post your 10-ssl.conf file on Pastebin and add the link.

Greetings, Jan


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

pvsuja


I installed the stable version 2.1 and it's working fine.
Now there is a separate issue.
I have set up my mail server to disable all plaintext auth.
Now when I am trying to log in with the imapc proxy, it's giving the error Unknown user/password

The log says:

In proxy:
mailproxy dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxx>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS, session=<1pBG/03XogB/AAAB>

In server:
mailserver dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): rip=10.x.x.x, lip=10.x.x.y


Regards,
Suja


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Jan Phillip Greimann
On 07.03.2013 05:26, pvsuja wrote:
>
>
> In proxy:
> mailproxy dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2
> secs): user=<xxx>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS,
> session=<1pBG/03XogB/AAAB>

Well....as you see, your mail-client tries to speak PLAIN, so it
shouldn't work.


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

pvsuja
Hi Jan,

Thanks for your response and sorry for this late reply. I was out of station.

And my question is: why is my mail client sending the auth details in plain text?
How will I make sure auth is done after STARTTLS only?

Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Jan Phillip Greimann
On 14.03.2013 06:41, pvsuja wrote:
> Hi Jan,
>
> Thanks for your response and Sorry for this late reply. I was out of
> station.
>
> And my question is why my mail client is sending the auth details in plain
> text?
Configuration? I don't know which client you use, but in my Thunderbird
you can configure between "Password, normal (plain), Crypted, Kerberos,
NTLM, TLS-Certificate" (Hope this is correctly translated).

Here I use "Password, normal".

Also I can configure how the client talks to the server
"Connection Security: Unsecure, STARTTLS, SSL/TLS"
which is set to "SSL / TLS".


> how will i make sure, auth is done after starttls only?

Trust your client? Don't trust your client and listen with wireshark?
Use "SSL / TLS" from the beginning?

Tell us your client, I think that would help.


Greetings, Jan


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Jan Phillip Greimann
In reply to this post by pvsuja
Small correction:

On 14.03.2013 06:41, pvsuja wrote:
> how will i make sure, auth is done after starttls only?

> In proxy:
> mailproxy dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2
> secs): user=<xxx>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS,
> session=<1pBG/03XogB/AAAB>

Your proxy says that the authentication was going over TLS. :)


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

pvsuja

Yes,
the proxy log says that it's over TLS,
but the server is receiving the username and password in plain text. I verified it in Wireshark.
I am using the SquirrelMail web client and had configured it for STARTTLS.


My dovecot settings for Server:

suja@mailserver:/etc/dovecot# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.6 ext3
log_timestamp: %Y-%m-%d %H:%M:%S
ssl: required
ssl_cert_file: /etc/postfix/certs/public_cert.pem
ssl_key_file: /etc/postfix/certs/private_key.pem
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:/email/%n:INBOX=/email/%n/INBOX
mbox_write_locks: fcntl dotlock
auth default:
  mechanisms: plain login
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap-userdb.conf




My dovecot settings for Proxy:

suja@mailproxy:/usr/local/etc/dovecot# dovecot -n
# 2.1.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-35-generic-pae i686 Ubuntu 12.04.1 LTS
auth_mechanisms = plain login
imapc_host = 10.131.1.16
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_uid = imapproxy
passdb {
  args = host=10.131.1.16
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
  driver = imap
}
protocols = imap
service auth {
  inet_listener {
    port = 12345
  }
}
ssl = required
ssl_ca = </usr/lib/ssl/misc/demoCA/cacert.pem
ssl_cert = </usr/lib/ssl/misc/public_cert.pem
ssl_key = </usr/lib/ssl/misc/private_key.pem
userdb {
  driver = prefetch
}


Thanks & regards,

Suja

Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Jan Phillip Greimann


On 18.03.2013 10:36, pvsuja wrote:
> passdb {
>    args = host=10.131.1.16
>    default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
>    driver = imap
> }

Well, I dunno where you listened with wireshark, but as far as I see you
communicate between your proxy and the other server with IMAP without
SSL/TLS or STARTTLS, see http://wiki2.dovecot.org/PasswordDatabase/IMAP 
for more.

Can't say anything specific about squirrelmail to dovecot-proxy, is that
the full doveconf -n? Please add the full one, if possible from both
dovecot servers.

Greetings,
Jan


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Patrick Domack
In reply to this post by pvsuja
Are you sure you weren't looking at the ldap communication for the
username+password instead of imap?

Is ldap configured to use ssl?


Quoting pvsuja <[hidden email]>:

> Yes,
> proxy log says that its over TLS.
> but the server is receiving username and password in plain text. I verified
> it in wireshark.
> I am using squirrelmail web client n had configured it for STARTTLS.
>
>
> *My dovecot settings for Server:*
>
> suja@mailserver:/etc/dovecot# dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.6 ext3
> log_timestamp: %Y-%m-%d %H:%M:%S
> ssl: required
> ssl_cert_file: /etc/postfix/certs/public_cert.pem
> ssl_key_file: /etc/postfix/certs/private_key.pem
> login_dir: /var/run/dovecot/login
> login_executable: /usr/lib/dovecot/imap-login
> mail_privileged_group: mail
> mail_location: maildir:/email/%n:INBOX=/email/%n/INBOX
> mbox_write_locks: fcntl dotlock
> auth default:
>   mechanisms: plain login
>   passdb:
>     driver: ldap
>     args: /etc/dovecot/dovecot-ldap.conf
>   userdb:
>     driver: ldap
>     args: /etc/dovecot/dovecot-ldap-userdb.conf
>
>
>
>
> *My dovecot settings for Proxy:*
>
> suja@mailproxy:/usr/local/etc/dovecot# dovecot -n
> # 2.1.15: /usr/local/etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-35-generic-pae i686 Ubuntu 12.04.1 LTS
> auth_mechanisms = plain login
> imapc_host = 10.131.1.16
> mail_gid = imapproxy
> mail_home = /home/imapproxy/%u
> mail_location = imapc:~/imapc
> mail_uid = imapproxy
> passdb {
>   args = host=10.131.1.16
>   default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
>   driver = imap
> }
> protocols = imap
> service auth {
>   inet_listener {
>     port = 12345
>   }
> }
> ssl = required
> ssl_ca = </usr/lib/ssl/misc/demoCA/cacert.pem
> ssl_cert = </usr/lib/ssl/misc/public_cert.pem
> ssl_key = </usr/lib/ssl/misc/private_key.pem
> userdb {
>   driver = prefetch
> }
>
>
> Thanks & regards,
>
> Suja

Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

pvsuja

I am using the imap passdb driver for the proxy and ldap for the server.
The proxy will contact the mail server for authentication, which in turn will contact the ldap server.
The server auth with ldap is already tested and it's working fine.

Now I guess I got the auth working properly, but not the mail retrieval through imapc, from the logs:

Mar 19 09:33:16 mailspace dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [127.0.0.1]
Mar 19 09:33:16 mailspace dovecot: imap-login: Login: user=<suja>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=26029, TLS, session=<P5ZiLz/YsQB/AAAB>
Mar 19 09:33:16 mailspace dovecot: imap(suja): Invalid certificate: self signed certificate in certificate chain: /C=IN/ST=Karnataka/O=xxx/OU=YYY CA/CN=mailserver.domain.com/emailAddress=sysadm@domain.com
Mar 19 09:33:16 mailspace dovecot: imap(suja): Error: imapc(10.131.1.16:143): Received invalid SSL certificate
Mar 19 09:33:16 mailspace dovecot: imap(suja): Error: imapc(10.131.1.16:143): Authentication failed: Disconnected from server
Mar 19 09:33:16 mailspace dovecot: imap(suja): Error: imapc: Command failed: Disconnected from server
Mar 19 09:33:16 mailspace dovecot: imap(suja): Error: user suja: Initialization failed: Initializing mail storage from mail_location setting failed: imapc: LIST failed: Internal error occurred. Refer to server log for more information. [2013-03-19 09:33:16]
Mar 19 09:33:16 mailspace dovecot: imap(suja): Error: Invalid user settings. Refer to server log for more information.
Mar 19 09:33:16 mailspace dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=256: warning close notify [127.0.0.1]


with the following dovecot conf:

root@mailspace:/usr/local/etc/dovecot# dovecot -n
# 2.1.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-35-generic-pae i686 Ubuntu 12.04.1 LTS
auth_mechanisms = plain login
imapc_host = 10.131.1.16
imapc_ssl = starttls
imapc_ssl_ca_dir = /usr/local/etc/dovecot/certs
mail_gid = imapproxy
mail_home = /home/imapproxy/%u
mail_location = imapc:~/imapc
mail_uid = imapproxy
passdb {
  args = host=10.131.1.16 ssl=starttls ssl_ca_dir=/usr/local/etc/dovecot/certs
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w ssl=starttls
  driver = imap
}
protocols = imap
service auth {
  inet_listener {
    port = 12345
  }
}
ssl = required
ssl_ca = </usr/local/etc/dovecot/certs/cacert.pem
ssl_cert = </usr/local/etc/dovecot/certs/public_cert.pem
ssl_key = </usr/local/etc/dovecot/certs/private_key.pem
userdb {
  driver = prefetch
}
verbose_ssl = yes


I guess my SSL certificate configuration is not done properly.


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

Noel Butler
On Mon, 2013-03-18 at 22:56 -0700, pvsuja wrote:


> Mar 19 09:33:16 mailspace dovecot: imap(suja): Invalid certificate: self
> signed certificate in certificate chain: /C=IN/ST=Karnataka/O=xxx/OU=YYY
> CA/CN=mailserver.domain.com/emailAddress=[hidden email]
> Mar 19 09:33:16 mailspace dovecot: imap(suja): Error:



> ssl = required


To ensure things are working, change this to "no"; if you can get mail
then, change it to "yes". Don't absolutely force it until you have everything
fixed.


> ssl_ca = </usr/local/etc/dovecot/certs/cacert.pem
> ssl_cert = </usr/local/etc/dovecot/certs/public_cert.pem
> ssl_key = </usr/local/etc/dovecot/certs/private_key.pem



>
> I guess my SSL certificate configuration is not done properly.


How did you generate this? Is it really self signed, or is it CA
signed (you can get free certs)?

If it's CA signed, ensure you created it like this (the order *is*
important):
cat mail.crt sub.crt  ca.crt > dovecot.pem

*remove ssl_ca =  ....stuff*
ssl_cert = </path/to/dovecot.pem
ssl_key = </path/to/mail/mail.key


It's been a loooong time since I used self signed, but from memory

openssl req -x509 -days 999 -nodes -newkey rsa:2048 -keyout domain.key -out domain.crt
(and IIRC you need to set ssl_ca = stuff)
The dovecot wiki should have the correct format for self signed.


Re: dovecot 2 in ubuntu 12.04 or Debian Squeeze

pvsuja


I got it working with the configuration I sent in the last mail (without the ssl_ca setting).
And I had to give the hostname in place of the IP address of the server since the SSL certificates had the hostname.

Thanks to all of you for your time and support..
Thanks a bunch
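
The two proxy-side problems diagnosed in this thread (the passdb imap lookup reaching the backend without SSL/TLS or STARTTLS, and the backend being addressed by IP while its certificate carried a hostname) can be checked from `doveconf -n` text. The following is an added example, not part of any post in the thread: the function names and the trimmed sample configurations are assumptions made for illustration, and the IP-literal check assumes the backend certificate names a hostname, as it did here.

```python
import ipaddress

# Constructed samples, trimmed from the proxy's `doveconf -n` output posted in the thread.
FIRST = """imapc_host = 10.131.1.16
mail_location = imapc:~/imapc
passdb {
  args = host=10.131.1.16
  driver = imap
}
"""
# Second posting: STARTTLS on both hops, backend still addressed by IP.
SECOND = FIRST.replace("host=10.131.1.16", "host=10.131.1.16 ssl=starttls") + "imapc_ssl = starttls\n"
# Assumed final state: hostname as in the certificate CN from the logged error.
FIXED = SECOND.replace("10.131.1.16", "mailserver.domain.com")

def parse_doveconf(text):
    """Return (top-level settings, list of passdb sections); nested sections are tracked."""
    top, passdbs, stack = {}, [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append((line[:-1].strip(), {}))
        elif line == "}":
            name, body = stack.pop()
            if name == "passdb":
                passdbs.append(body)
        elif "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            (stack[-1][1] if stack else top)[key] = value
    return top, passdbs

def hop_findings(label, host, ssl_mode):
    """Flag one proxy-to-backend hop that is cleartext or uses TLS to an IP literal."""
    if ssl_mode not in ("imaps", "starttls"):
        return [f"{label}: cleartext to {host}"]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return []  # a hostname can be matched against the certificate
    return [f"{label}: TLS to IP literal {host}, a hostname certificate will not verify"]

def audit(text):
    top, passdbs = parse_doveconf(text)
    out = []
    for db in passdbs:
        if db.get("driver") == "imap":  # password check is forwarded to the backend
            args = dict(a.split("=", 1) for a in db.get("args", "").split() if "=" in a)
            out += hop_findings("passdb imap", args.get("host", "?"), args.get("ssl"))
    if top.get("mail_location", "").startswith("imapc:"):  # mail fetched via imapc
        out += hop_findings("imapc", top.get("imapc_host", "?"), top.get("imapc_ssl"))
    return out
```

Both hops are audited separately because the passdb `args` and the `imapc_*` settings are configured independently; the check does not cover CA trust (`ssl_ca_dir` contents).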