Mail server, Dovecot authentication against Windows AD

Network configuration, how to use Ubuntu as a server, and keeping your computer secure
Brasse83
Posts: 4
Joined: 01 Feb 2017, 12:28
OS: Ubuntu
Release: 18.04 Bionic Beaver LTS

Mail server, Dovecot authentication against Windows AD

Post by Brasse83 »

Hi!

I have set up a mail server with Postfix/Dovecot on Ubuntu 16.04 LTS.
This server is a member of my Windows 2012 AD via Samba/Kerberos/PAM.

Everything works fine except that it is not possible to log in with one's full email address.
That is, logging in with the plain username works fine, but username@domain.se does not.

I have tried to control this with Dovecot's configuration option "auth_username_format", but it does not help.

So I want both forms of the username to be valid. Does anyone know how this can be solved?


This is what my Dovecot configuration looks like:

Code: Select all

root@server:/etc/dovecot # : doveconf -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-59-generic x86_64 Ubuntu 16.04.1 LTS ext4
auth_cache_negative_ttl = 30 secs
auth_cache_size = 50000 B
auth_cache_ttl = 5 mins
auth_debug = yes
auth_master_user_separator = *
auth_mechanisms = plain ntlm login
auth_use_winbind = yes
auth_username_format = %Ln
debug_log_path = /var/log/dovecot-debug.log
listen = *
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_gid = vmail
mail_home = /var/vmail/%Ln/Maildir
mail_location = maildir:/var/vmail/%Ln/Maildir
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foeverypart extracttext
namespace inbox {
	inbox = yes
	location =
	mailbox Drafts {
		auto = subscribe
		special_use = \Drafts
	}
	mailbox Junk {
		auto = subscribe
		special_use = \Junk
	}
	mailbox Sent {
		auto = subscribe
		special_use = \Sent
	}
	mailbox Trash {
		auto = subscribe
		special_use = \Trash
	}
	prefix =
}
passdb {
	driver = pam
}
plugin {
	sieve = ~/.dovecot.sieve
	sieve_before = /var/vmail/sieve/before.d
	sieve_dir = ~/sieve
}
postmaster_address = postmaster@server
protocols = imap sieve
service auth {
	unix_listener /var/spool/postfix/private/auth_dovecot {
		group = postfix
		mode = 0660
		user = postfix
	}
	unix_listener auth-userdb {
		mode = 0600
		user = vmail
	}
	user = root
}
service dict {
	unix_listener dict {
		group = vmail
		mode = 0660
		user = vmail
	}
}
ssl = required
ssl_cert = </etc/ssl/certs/startssl/cert.crt
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:AMELLIA128-SHA:AES128-SHA
ssl_key = </etc/ssl/certs/startssl/key.key
ssl_protocols = !SSLv3 !SSLv2
userdb {
	args = /etc/dovecot/dovecot-ldap-userdb.conf
	driver = ldap
	name = ldap
}
protocol lda {
	mail_plugins = " sieve"
}
johanre
Server admin
Posts: 3888
Joined: 22 Oct 2006, 09:13
OS: Ubuntu
Release: 22.04 Jammy Jellyfish LTS
Location: Malmö

Re: Mail server, Dovecot authentication against Windows AD

Post by johanre »

Did you get it sorted? Try with just:

Code: Select all

auth_username_format = %n

to see if it makes any difference.

What error message do you get in the logs on a login attempt?
Brasse83
Posts: 4
Joined: 01 Feb 2017, 12:28
OS: Ubuntu
Release: 18.04 Bionic Beaver LTS

Re: Mail server, Dovecot authentication against Windows AD

Post by Brasse83 »

Hi, it makes no difference with only %n.
The %L flag only converts the login name to lower case.

With auth_debug on in Dovecot, I see this.

Code: Select all

==> dovecot-debug.log <==
2017-02-03 11:32:28 auth: Debug: client in: AUTH        1       NTLM    service=imap    secured session=Pxts46saxgpL        lip=<osbscured>       rip=<osbscured>       lport=143       rport=25593
2017-02-03 11:32:28 auth: Debug: client passdb out: CONT        1
2017-02-03 11:32:28 auth: Debug: client in: CONT<hidden>
2017-02-03 11:32:28 auth: Debug: client passdb out: CONT        1       TlRMTVNTUAACAAAADgAOAhDgAAAAFgokCVIt+hBLBar4AA5AAAAGgAaABGAAAABgEAAAAAAA9XAEkATgBUAEUAQwBIAAIADgBXAEkATgBUAEUAQwBIAAEACABNAEEASQBMAAQAFAB3AGkAbgB0AGUAYwBoAC4AcwBlAAMAHgBtAGEAaQBsAC4AdwBpAG4AdABlAGMAaAAuAHMAZQAHAAgArOtZ0Qh+0gEAAAAA
2017-02-03 11:32:28 auth: Debug: client in: CONT<hidden>


==> dovecot.log <==
2017-02-03 11:32:28 auth: Info: ntlm(?, ,<Hha89thiag7>): user not authenticated: NT_STATUS_LOGON_FAILURE
johanre
Server admin
Posts: 3888
Joined: 22 Oct 2006, 09:13
OS: Ubuntu
Release: 22.04 Jammy Jellyfish LTS
Location: Malmö

Re: Mail server, Dovecot authentication against Windows AD

Post by johanre »

OK, I was mostly looking to see whether it made a difference. BUT, since the authentication is done against the AD server, that is where you need to check the logging. On your AD server you should be able to see how your authentication request is sent from your client, and hopefully find an explanation for why the login does not work.
Brasse83
Posts: 4
Joined: 01 Feb 2017, 12:28
OS: Ubuntu
Release: 18.04 Bionic Beaver LTS

Re: Mail server, Dovecot authentication against Windows AD

Post by Brasse83 »

After closer testing I have concluded that it is only for outgoing mail (SMTP) that user@domain does not work.


I have checked the log on the AD, and as far as I can see there the login goes through correctly.

I think there may be some mismatch in smtpd_sender_maps in Postfix, but I do not really know how to set it up.

Code: Select all

## smtpd_sender_login_maps in Postfix's main.cf
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap_smtpd_login_maps.cf

## ldap_smtpd_login_maps.cf
server_host = adserver.host.se
server_port = 389
version = 3
search_base = dc=host,dc=se
start_tls = no
bind = yes
bind_dn = vmail_user
bind_pw = vmail_user_password
query_filter = (&(|(mail=%s)(otherMailbox=%s))(objectClass=user))
result_attribute = sAMAccountName

Here is a detailed debug log from Postfix for a failed login, but it does not really help me.

Code: Select all

Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: ipv4
Feb  5 17:50:15 mail postfix/smtpd[7263]: inet_addr_local: configured 3 IPv4 addresses
Feb  5 17:50:15 mail postfix/smtpd[7263]: process generation: 3 (3)
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? debug_peer_list
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? fast_flush_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? mynetworks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? permit_mx_backup_networks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? qmqpd_authorized_clients
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? relay_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_client_event_limit_exceptions ~? smtpd_access_maps
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: smtpd_client_event_limit_exceptions: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: mynetworks ~? debug_peer_list
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: mynetworks ~? fast_flush_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: mynetworks ~? mynetworks
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: host
Feb  5 17:50:15 mail postfix/smtpd[7263]: been_here: 127.0.0.1/32: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: been_here: 192.168.30.44/32: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: been_here: <obscured>.76/32: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: mynetworks_core: 127.0.0.1/32 192.168.30.44/32 <obscured>.76/32
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: mynetworks ~? debug_peer_list
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: mynetworks ~? fast_flush_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: mynetworks ~? mynetworks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: relay_domains ~? debug_peer_list
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: relay_domains ~? fast_flush_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: relay_domains ~? mynetworks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: relay_domains ~? permit_mx_backup_networks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: relay_domains ~? qmqpd_authorized_clients
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: relay_domains ~? relay_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? debug_peer_list
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? fast_flush_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? mynetworks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: permit_mx_backup_networks ~? permit_mx_backup_networks
Feb  5 17:50:15 mail postfix/smtpd[7263]: connect to subsystem private/proxymap
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = open
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr table = unix:passwd.byname
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr flags = 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 16
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=fixed
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_open: proxy:unix:passwd.byname
Feb  5 17:50:15 mail postfix/smtpd[7263]: Compiled against Berkeley DB: 5.3.28?
Feb  5 17:50:15 mail postfix/smtpd[7263]: Run-time linked against Berkeley DB: 5.3.28?
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_open: hash:/etc/aliases
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = open
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr table = ldap:/etc/postfix/ldap_useraliases.cf
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr flags = 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 16
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_proxy_open: connect to map=ldap:/etc/postfix/ldap_useraliases.cf status=0 server_flags=fixed
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_open: proxy:ldap:/etc/postfix/ldap_useraliases.cf
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = open
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr table = ldap:/etc/postfix/ldap_mailbox.cf
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr flags = 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 16
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_proxy_open: connect to map=ldap:/etc/postfix/ldap_mailbox.cf status=0 server_flags=fixed
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_open: proxy:ldap:/etc/postfix/ldap_mailbox.cf
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? debug_peer_list
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? fast_flush_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? mynetworks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? permit_mx_backup_networks
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? qmqpd_authorized_clients
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? relay_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: smtpd_access_maps ~? smtpd_access_maps
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = open
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr table = ldap:/etc/postfix/ldap_smtpd_login_maps.cf
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr flags = 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: flags
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 16
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/proxymap socket: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_proxy_open: connect to map=ldap:/etc/postfix/ldap_smtpd_login_maps.cf status=0 server_flags=fixed
Feb  5 17:50:15 mail postfix/smtpd[7263]: dict_open: proxy:ldap:/etc/postfix/ldap_smtpd_login_maps.cf
Feb  5 17:50:15 mail postfix/smtpd[7263]: unknown_helo_hostname_tempfail_action = defer_if_permit
Feb  5 17:50:15 mail postfix/smtpd[7263]: unknown_address_tempfail_action = defer_if_permit
Feb  5 17:50:15 mail postfix/smtpd[7263]: unverified_recipient_tempfail_action = defer_if_permit
Feb  5 17:50:15 mail postfix/smtpd[7263]: unverified_sender_tempfail_action = defer_if_permit
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: 1
Feb  5 17:50:15 mail postfix/smtpd[7263]: auto_clnt_create: transport=local endpoint=private/tlsmgr
Feb  5 17:50:15 mail postfix/smtpd[7263]: auto_clnt_open: connected to private/tlsmgr
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = seed
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr size = 32
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: seed
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: seed
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: Gq7vPQZpg9HKiEAhcZzPq3q0rdGzYtWh5J7trhjZq8E=
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = policy
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr cache_type = smtpd
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: cachable
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: cachable
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: timeout
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: timeout
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 3600
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: fast_flush_domains ~? debug_peer_list
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_string: parent_domain_matches_subdomains: fast_flush_domains ~? fast_flush_domains
Feb  5 17:50:15 mail postfix/smtpd[7263]: auto_clnt_create: transport=local endpoint=private/anvil
Feb  5 17:50:15 mail postfix/smtpd[7263]: connection established
Feb  5 17:50:15 mail postfix/smtpd[7263]: master_notify: status 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: resource
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: software
Feb  5 17:50:15 mail postfix/smtpd[7263]: warning: hostname host.host.se does not resolve to address <obscured>.74: Name or service not known
Feb  5 17:50:15 mail postfix/smtpd[7263]: connect from unknown[<obscured>.74]
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: unknown: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: <obscured>.74: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: unknown: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: <obscured>.74: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: smtp_stream_setup: maxtime=300 enable_deadline=0
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? 127.0.0.0/8
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_hostaddr: smtpd_client_event_limit_exceptions: <obscured>.74 ~? 127.0.0.0/8
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? [::ffff:127.0.0.0]/104
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_hostaddr: smtpd_client_event_limit_exceptions: <obscured>.74 ~? [::ffff:127.0.0.0]/104
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_hostname: smtpd_client_event_limit_exceptions: unknown ~? [::1]/128
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_hostaddr: smtpd_client_event_limit_exceptions: <obscured>.74 ~? [::1]/128
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: unknown: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: <obscured>.74: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: auto_clnt_open: connected to private/anvil
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = connect
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr ident = submission:<obscured>.74
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/anvil: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/anvil: wanted attribute: count
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: count
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 1
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/anvil: wanted attribute: rate
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: rate
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 1
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/anvil: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 220 mail.host.se ESMTP Postfix
Feb  5 17:50:15 mail postfix/smtpd[7263]: < unknown[<obscured>.74]: EHLO [192.168.50.34]
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: unknown: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: <obscured>.74: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-mail.host.se
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-PIPELINING
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-SIZE 52428800
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-ETRN
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-STARTTLS
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-ENHANCEDSTATUSCODES
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-8BITMIME
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250 DSN
Feb  5 17:50:15 mail postfix/smtpd[7263]: < unknown[<obscured>.74]: STARTTLS
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 220 2.0.0 Ready to start TLS
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = seed
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr size = 32
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: seed
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: seed
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: mEMb+7CWde21bxikPIPW7a8dQ7CKk9ldC8O6W6f/AxM=
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = tktkey
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr keyname = [data 16 bytes]
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 4294967295
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: keybuf
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: keybuf
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 7k/zwM7z1t5glA+aQ6qpbQ==
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr request = tktkey
Feb  5 17:50:15 mail postfix/smtpd[7263]: send attr keyname = [data 0 bytes]
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: status
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: 0
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: keybuf
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: keybuf
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute value: HoSxgzLZOzWJoAq/ihHyX7uNxSuJQxL6KovQ1x0l/F4A3wJMY3eOghUsZy8E6RIuyUmOFMB4D3S/UgfXTABnnizDCdDvTLvP6IrrK7jH5YrOXpdYAAAAAA==
Feb  5 17:50:15 mail postfix/smtpd[7263]: private/tlsmgr: wanted attribute: (list terminator)
Feb  5 17:50:15 mail postfix/smtpd[7263]: input attribute name: (end)
Feb  5 17:50:15 mail postfix/smtpd[7263]: Anonymous TLS connection established from unknown[<obscured>.74]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_create: SASL service=smtp, realm=host.se
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: noanonymous
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: Connecting
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: plaintext
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: MECH?NTLM?dictionary?active
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: dictionary
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: active
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
Feb  5 17:50:15 mail postfix/smtpd[7263]: name_mask: plaintext
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: SPID?7097
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: CUID?4
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: COOKIE?edb765f26f0a5dc56ee91b2b93bd82d5
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_connect: auth reply: DONE
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_mech_filter: keep mechanism: NTLM
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
Feb  5 17:50:15 mail postfix/smtpd[7263]: < unknown[<obscured>.74]: EHLO [192.168.50.34]
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: unknown: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: match_list_match: <obscured>.74: no match
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-mail.host.se
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-PIPELINING
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-SIZE 52428800
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-ETRN
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-AUTH PLAIN NTLM LOGIN
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-AUTH=PLAIN NTLM LOGIN
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-ENHANCEDSTATUSCODES
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250-8BITMIME
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 250 DSN
Feb  5 17:50:15 mail postfix/smtpd[7263]: < unknown[<obscured>.74]: AUTH NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAABAAA=
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_server_first: sasl_method NTLM, init_response TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAABAAA=
Feb  5 17:50:15 mail postfix/smtpd[7263]: xsasl_dovecot_handle_reply: auth reply: CONT?1?TlRMTVNTUAACAAAADgAOADgAAAAFgogkCwBZBgkkru/8AAAAAAAAAAGgAaABGAAAABgEAAAAAAA9XAEkATgBUAEUAQwBIAAIADgBXAEkATgBUAEUAQwBIAAEACABNAEEASQBMAAQAFAB3AGkAbgB0AGUAYwBoAC4AcwBlAAMAHgBtAGEAaQBsAC4AdwBpAG4AdABlAGMAaAAuAHMAZQAHAAgAVKTO7M9/0gEAABAAA
Feb  5 17:50:15 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 334 TlRMTVNTUAACAAAADgAOADgAAAAFgokCwBZBgkkru/8AAAAgAAAAAAGgAaABGAAAABgEAAAAAAA9XAEkATgBUAEUAQwBIAAIADgBXAEkATgBUAEUAQwBIAAEACABNAEEASQBMAAQAFAB3AGkAbgB0AGUAYwBoAC4AcwBlAAMAHgBtAGEAaQBsAC4AdwBpAG4AdABlAGMAaAAuAHMAZQAHAAgAVKTO7M9/0gEAABAAA
Feb  5 17:50:15 mail postfix/smtpd[7263]: < unknown[<obscured>.74]: TlRMTVNTUAADAAAAGAAYAHYAAACUAJQAjgAAAAAAAABAAAAAIAAggAEAAAAAWABYAYAAAAAAAAAAAAAAABYIIAGwAYQBlAHIAaQBAAHcAaQBuAHQAZQBjAGgALgBzAGUAVwBPAFIASwBTAFQAQQBUAEkATwBOAJHt/KWZJfgQsOWTCzHQ6nu0Ye+3WK+yUGI38cRtEmjtgHkkI1jia8QBAQAAAAAAAIBX4+7Pf9IBD81YmRPtTwcAAAAAAgAOAFcASQBOAFBQARQBDAEgAAQAIAE0AQQBJAEwABAAUAHcAaQBuAHQAZQBjAGgALgBzAGUAAwAeAG0AYQBpAGwALgB3AGkAbgB0AGUAYwBoAC4AcwBlAAcACABUpM7sz3/SAQAABAAA=
Feb  5 17:50:17 mail postfix/smtpd[7263]: xsasl_dovecot_handle_reply: auth reply: FAIL?1
Feb  5 17:50:17 mail postfix/smtpd[7263]: warning: unknown[<obscured>.74]: SASL NTLM authentication failed: TlRMTVNTUAACAAAADgAOAgDgAAAAFgokCwBZBgkkru/8AAAAAAAAAAGgAaABGAAAABgEAAAAAAA9XAEkATgBUAEUAQwBIAAIADgBXAEkATgBUAEUAQwBIAAEACABNAEEASQBMAAQAFAB3AGkAbgB0AGUAYwBoAC4AcwBlAAMAHgBtAGEAaQBsAC4AdwBpAG4AdABlAGMAaAAuAHMAZQAHAAgAVKTO7M9/0gEAABAAA
Feb  5 17:50:17 mail postfix/smtpd[7263]: > unknown[<obscured>.74]: 535 5.7.8 Error: authentication failed: TlRMTVNTUAACAAAADgAOgADgAAAAFgokCwBZBgkkru/8AAAAAAAAAAGgAaABGAAAABgEAAAAAAA9XAEkATgBUAEUAQwBIAAIADgBXAEkATgBUAEUAQwBIAAEACABNAEEASQBMAAQAFAB3AGkAbgB0AGUAYwBoAC4AcwBlAAMAHgBtAGEAaQBsAC4AdwBpAG4AdABlAGMAaAAuAHMAZQAHAAgAVKTO7M9/0gEAABAAA
johanre
Server admin
Posts: 3888
Joined: 22 Oct 2006, 09:13
OS: Ubuntu
Release: 22.04 Jammy Jellyfish LTS
Location: Malmö

Re: Mail server, Dovecot authentication against Windows AD

Post by johanre »

Brasse83 wrote: After closer testing I have concluded that it is only for outgoing mail (SMTP) that user@domain does not work.

I have checked the log on the AD, and as far as I can see there the login goes through correctly.

I think there may be some mismatch in smtpd_sender_maps in Postfix, but I do not really know how to set it up.

Among other things, this suggests a configuration error:

Code: Select all

Feb  5 17:50:15 mail postfix/smtpd[7263]: warning: hostname host.host.se does not resolve to address <obscured>.74: Name or service not known
The authentication error message "SASL NTLM authentication failed" suggests that it is still the AD logs you need to search for the cause of the login failures:

Code: Select all

Feb  5 17:50:17 mail postfix/smtpd[7263]: warning: unknown[<obscured>.74]: SASL NTLM authentication failed: TlRMTVNTUAACAAAADgAOAgDgAAAAFgokCwBZBgkkru/8AAAAAAAAAAGgAaABGAAAABgEAAAAAAA9XAEkATgBUAEUAQwBIAAIADgBXAEkATgBUAEUAQwBIAAEACABNAEEASQBMAAQAFAB3AGkAbgB0AGUAYwBoAC4AcwBlAAMAHgBtAGEAaQBsAC4AdwBpAG4AdABlAGMAaAAuAHMAZQAHAAgAVKTO7M9/0gEAABAAA
Brasse83
Posts: 4
Joined: 01 Feb 2017, 12:28
OS: Ubuntu
Release: 18.04 Bionic Beaver LTS

Re: Mail server, Dovecot authentication against Windows AD

Post by Brasse83 »

Managed to solve it by changing from the PAM driver to the LDAP driver in the Dovecot conf.
Login with any mail aliases via the AD attribute otherMailbox now works as well.

Code: Select all

#dovecot.conf
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf
}

#passdb {
#  driver = pam
#}
With this LDAP conf:

Code: Select all

#dovecot-ldap-passdb.conf
hosts           = ad.host.se:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail_user
dnpass          = adpassword
base            = cn=users,dc=host,dc=se
scope           = subtree
deref           = never
user_filter     = (&(objectclass=person)(|(sAMAccountName=%Ln)(otherMailbox=%Ln@host.se)))
pass_filter     = (&(objectclass=person)(|(sAMAccountName=%Ln)(otherMailbox=%Ln@host.se)))
pass_attrs      = userPassword=password,sAMAccountName=user
default_pass_scheme = CRYPT
Why I could not get it to work via PAM I do not know, but it works now anyway.

Thanks for the help.


I do not know what causes this; the error (warning) has occurred only 16 times in a week, and I think it is when I connect from one specific server on the network. Probably some hostname or DNS setting that is off.
Any tips on how to troubleshoot it?
johanre wrote: Among other things, this suggests a configuration error:

Code: Select all

Feb  5 17:50:15 mail postfix/smtpd[7263]: warning: hostname host.host.se does not resolve to address <obscured>.74: Name or service not known
johanre
Server admin
Posts: 3888
Joined: 22 Oct 2006, 09:13
OS: Ubuntu
Release: 22.04 Jammy Jellyfish LTS
Location: Malmö

Re: Mail server, Dovecot authentication against Windows AD

Post by johanre »

Brasse83 wrote: Managed to solve it by changing from the PAM driver to the LDAP driver in the Dovecot conf.
Login with any mail aliases via the AD attribute otherMailbox now works as well.

Why I could not get it to work via PAM I do not know, but it works now anyway.
Most likely it was something in the PAM configuration. :) We can look at it if you want, but as you say, it works now.
Brasse83 wrote: I do not know what causes this; the error (warning) has occurred only 16 times in a week, and I think it is when I connect from one specific server on the network. Probably some hostname or DNS setting that is off.
Any tips on how to troubleshoot it?
johanre wrote: Among other things, this suggests a configuration error:

Code: Select all

Feb  5 17:50:15 mail postfix/smtpd[7263]: warning: hostname host.host.se does not resolve to address <obscured>.74: Name or service not known
It occurs when mail is being sent, so you could check the Postfix mail log at the same point in time to see who sent a mail then. You will find the log in /var/log/mail.log