Postfix + Dovecot + LDAP password mismatch

Discussion in 'Server Operation' started by Stephen Dragan, Jul 21, 2022.

  1. Stephen Dragan

    Stephen Dragan New Member

    Hello, I am trying to configure an SMTP server with Postfix and Dovecot SASL with LDAP, and I have a problem: when I try to connect via Thunderbird, Dovecot's log says "password mismatch" while I am logging in with the right one. Also, it is not creating the mailboxes. I tried to do binding for the admin user of LDAP and it is working, but for everything else it is not.
    I am not sure what I am doing wrong, and I will put the Postfix + Dovecot configs below.
    This is main.cf:
    Code:
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    lmtp_tls_verify_cert_match = $myhostname
    smtp_tls_verify_cert_match = $myhostname
    smtp_helo_name = $myhostname
    biff = no
    append_dot_mydomain = yes
    readme_directory = no
    compatibility_level = 2
    smtp_use_tls = yes
    smtpd_tls_security_level = may
    disable_vrfy_command = yes
    smtp_send_xforward_command = yes
    tls_preempt_cipherlist = yes
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
    smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
    smtpd_tls_mandatory_protocols = >=TLSv1.2
    smtpd_tls_cert_file = /etc/letsencrypt/ssl/live/smtp0.my.domain/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/ssl/live/smtp0.my.domain/privkey.pem
    smtp_tls_cert_file = /etc/letsencrypt/ssl/live/smtp0.my.domain/fullchain.pem
    smtp_tls_key_file = /etc/letsencrypt/ssl/live/smtp0.my.domain/privkey.pem
    smtpd_tls_ask_ccert = yes
    #smtpd_tls_chain_files = /etc/postfix/rsachain.pem
    smtpd_tls_ciphers = medium
    smtpd_use_tls = yes
    mailbox_size_limit = 0
    smtp_sasl_auth_enable = no
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    header_size_limit = 4096000
    #smtp_tls_CApath=/etc/ssl/certs
    smtp_tls_security_level=may
    smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_loglevel=3
    smtp_tls_mandatory_exclude_ciphers=3DES
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = smtp0.my.domain
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = $myhostname
    mydestination = $myhostname, my.domain, localhost.localdomain, localhost
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = 127.0.0.1,10.2.1.98
    inet_protocols = ipv4
    masquerade_domains = my.domain
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = local:opendkim/opendkim.sock
    non_smtpd_milters = $smtpd_milters
    queue_directory = /var/spool/postfix
    meta_directory = /etc/postfix
    setgid_group = postdrop
    command_directory = /usr/sbin
    sample_directory = /etc/postfix
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    sendmail_path = /usr/sbin/sendmail
    mail_owner = postfix
    daemon_directory = /usr/lib/postfix/sbin/
    manpage_directory = /usr/share/man
    html_directory = no
    data_directory = /var/lib/postfix
    shlib_directory = no
    
    home_mailbox = Maildir/
    mailbox_command =
    
    smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_unauth_destination
    
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_invalid_helo_hostname,
            reject_non_fqdn_helo_hostname,
            reject_unknown_helo_hostname
    
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    smtpd_tls_received_header = yes
    master.cf
    Code:
    dovecot   unix  -       n       n       -       -       pipe
             flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
    gnarwl    unix  -       n       n       -       -       pipe
             flags=F  user=vmail argv=/usr/bin/gnarwl -a ${user}@${nexthop} -s ${sender}
    smtp      inet  n       -       y       -       -       smtpd -v
    pickup    unix  n       -       y       60      1       pickup
    cleanup   unix  n       -       y       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       y       1000?   1       tlsmgr
    rewrite   unix  -       -       y       -       -       trivial-rewrite
    bounce    unix  -       -       y       -       0       bounce
    defer     unix  -       -       y       -       0       bounce
    trace     unix  -       -       y       -       0       bounce
    verify    unix  -       -       y       -       1       verify
    flush     unix  n       -       y       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       y       -       -       smtp
    relay     unix  -       -       y       -       -       smtp
            -o syslog_name=postfix/$service_name
    showq     unix  n       -       y       -       -       showq
    error     unix  -       -       y       -       -       error
    retry     unix  -       -       y       -       -       error
    discard   unix  -       -       y       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       y       -       -       lmtp
    anvil     unix  -       -       y       -       1       anvil
    scache    unix  -       -       y       -       1       scache
    postlog   unix-dgram n  -       n       -       1       postlogd
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    dovecot.conf

    Code:
    !include_try /usr/share/dovecot/protocols.d/*.protocol
    listen = 127.0.0.1, 10.2.1.98
    login_trusted_networks = 10.0.0.0/8
    dict {
      #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
      #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
    }
    !include conf.d/*.conf
    !include_try local.conf
    dovecot-ldap.conf.ext

    Code:
    hosts = ldap.auth.my.domain:389
    dn = cn=admin,dc=my,dc=domain
    dnpass = adminpass
    debug_level = -1
    auth_bind = yes
    auth_bind_userdn = mail=%u,ou=People,dc=my,dc=domain
    ldap_version = 3
    base = ou=People,dc=my,dc=domain
    pass_attrs = mail=user, userPassword=password
    10-auth.conf
    Code:
    disable_plaintext_auth = yes
    auth_mechanisms = plain login
    !include auth-ldap.conf.ext
    10-master.conf

    Code:
    service auth {
      unix_listener auth-userdb {
        mode = 0666
        user = vmail
        group = vmail
      }
      # Postfix smtp-auth
      #unix_listener /var/spool/postfix/private/auth {
      #  mode = 0666
      #}
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
      }
      # Auth process is run as this user.
      #user = $default_internal_user
    }
    10-ssl.conf
    Code:
    ssl = yes
    ssl_cert = </etc/letsencrypt/ssl/live/smtp0.my.domain/fullchain.pem
    ssl_key = </etc/letsencrypt/ssl/live/smtp0.my.domain/privkey.pem
    ssl_client_ca_dir = /etc/ssl/certs
    ssl_dh = </usr/share/dovecot/dh.pem
    This is my LDAP tree:

    [screenshot]

    And this is my LDAP user:
    [screenshot]

    Dovecot debug log:
    Code:
    Jul 21 11:01:36 auth: Debug: client passdb out: FAIL    2    [email protected]
    Jul 21 11:01:36 auth: Debug: client passdb out: FAIL    2    [email protected]
    Jul 21 11:01:36 auth: Debug: client in: AUTH    3    PLAIN    service=imap    secured=tls    session=+Hfuo07kuv0KAgBn    lip=10.2.1.98    rip=10.2.0.103    lport=143    rport=64954    local_name=smtp0.my.domain    ssl_cipher=TLS_AES_128_GCM_SHA256    ssl_cipher_bits=128    ssl_pfs=KxANY    ssl_protocol=TLSv1.3    resp=AGpvaG4ud2lsbEBpbi5pY25lLmV1AHRlc3QxMjM= (previous base64 data may contain sensitive data)
    Jul 21 11:01:36 auth: Debug: ldap([email protected],10.2.0.103,<+Hfuo07kuv0KAgBn>): Performing passdb lookup
    Jul 21 11:01:36 auth: Debug: client in: AUTH    3    PLAIN    service=imap    secured=tls    session=WWXuo07ku/0KAgBn    lip=10.2.1.98    rip=10.2.0.103    lport=143    rport=64955    local_name=smtp0.my.domain    ssl_cipher=TLS_AES_128_GCM_SHA256    ssl_cipher_bits=128    ssl_pfs=KxANY    ssl_protocol=TLSv1.3    resp=AGpvaG4ud2lsbEBpbi5pY25lLmV1AHRlc3QxMjM= (previous base64 data may contain sensitive data)
    Jul 21 11:01:36 auth: Debug: ldap([email protected],10.2.0.103,<WWXuo07ku/0KAgBn>): Performing passdb lookup
    Jul 21 11:01:36 auth: Debug: ldap([email protected],10.2.0.103,<+Hfuo07kuv0KAgBn>): Finished passdb lookup
    Jul 21 11:01:36 auth: Debug: auth([email protected],10.2.0.103,<+Hfuo07kuv0KAgBn>): Auth request finished
    Jul 21 11:01:36 auth: Debug: ldap([email protected],10.2.0.103,<WWXuo07ku/0KAgBn>): Finished passdb lookup
    Jul 21 11:01:36 auth: Debug: auth([email protected],10.2.0.103,<WWXuo07ku/0KAgBn>): Auth request finished
    Jul 21 11:01:38 auth: Debug: client passdb out: FAIL    3    [email protected]
    Jul 21 11:01:38 auth: Debug: client passdb out: FAIL    3    [email protected]
    Jul 21 11:01:38 imap-login: Debug: SSL alert: close notify
    Jul 21 11:01:38 imap-login: Debug: SSL alert: close notify
    Jul 21 11:01:38 imap-login: Debug: SSL alert: close notify
    Jul 21 11:01:38 imap-login: Debug: SSL alert: close notify
    Dovecot info log:
    Code:
    Jul 21 11:11:43 auth: Info: ldap([email protected],10.2.0.103,<sjtXyE7kN/4KAgBn>): Password mismatch (for LDAP bind) (given password: test123)
    Jul 21 11:11:43 auth: Info: ldap([email protected],10.2.0.103,<ZD9XyE7kOP4KAgBn>): Password mismatch (for LDAP bind) (given password: test123)
    Jul 21 11:11:45 auth: Info: ldap([email protected],10.2.0.103,<ZD9XyE7kOP4KAgBn>): Password mismatch (for LDAP bind) (given password: test123)
    Jul 21 11:11:45 auth: Info: ldap([email protected],10.2.0.103,<sjtXyE7kN/4KAgBn>): Password mismatch (for LDAP bind) (given password: test123)
    Jul 21 11:11:47 auth: Info: ldap([email protected],10.2.0.103,<ZD9XyE7kOP4KAgBn>): Password mismatch (for LDAP bind) (given password: test123)
    Jul 21 11:11:47 auth: Info: ldap([email protected],10.2.0.103,<sjtXyE7kN/4KAgBn>): Password mismatch (for LDAP bind) (given password: test123)
    Jul 21 11:11:49 imap-login: Info: Disconnected (auth failed, 3 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=10.2.0.103, lip=10.2.1.98, TLS, session=<ZD9XyE7kOP4KAgBn>
    Jul 21 11:11:49 imap-login: Info: Disconnected (auth failed, 3 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=10.2.0.103, lip=10.2.1.98, TLS, session=<sjtXyE7kN/4KAgBn>
     

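The "Password mismatch (for LDAP bind)" lines above mean that Dovecot, with auth_bind = yes, expanded the auth_bind_userdn template (mail=%u,ou=People,dc=my,dc=domain) for the login name and the LDAP server refused that simple bind. The directory answers the same way for a wrong password and for a DN that is not permitted to bind, so the message alone does not distinguish the two. The same logs also carry the plaintext password ("given password: test123", which Dovecot prints when auth_debug_passwords is enabled) and the base64 SASL PLAIN response, so the log file itself has to be treated as a credential store. The following script is an added example, not part of the thread and not Dovecot or Postfix code: it expands a bind DN template the way Dovecot's %u/%n/%d variables do (so the resulting DN can be checked against the tree or tested with ldapwhoami), decodes a SASL PLAIN response to show exactly what the debug line exposes, counts bind failures per user and client address, and redacts both leak forms before a log is shared. The log lines it parses are constructed, modelled on the Dovecot 2.x format shown in the thread; the regular expressions assume that format.

```python
"""Triage Dovecot auth logs for LDAP bind failures and credential leakage.

Added example for the thread; constructed sample data, not the thread's logs.
"""
import base64
import re
from collections import Counter


def expand_bind_dn(template: str, login: str) -> str:
    """Expand Dovecot's %u (full login), %n (user part) and %d (domain)
    variables in an auth_bind_userdn template, e.g.
    'mail=%u,ou=People,dc=my,dc=domain'."""
    user, _, domain = login.partition("@")
    return template.replace("%u", login).replace("%n", user).replace("%d", domain)


def parse_sasl_plain(resp_b64: str) -> tuple:
    """Split a base64 SASL PLAIN response (RFC 4616: authzid NUL authcid NUL
    password) into its three fields, which is what the debug line exposes."""
    parts = base64.b64decode(resp_b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN response")
    return tuple(p.decode("utf-8", errors="replace") for p in parts)


# Constructed sample log modelled on the thread's lines (different user/password).
SAMPLE_RESP = base64.b64encode(b"\0user@example.test\0hunter2").decode()
SAMPLE_LOG = (
    "Jul 21 11:01:36 auth: Debug: client in: AUTH\t3\tPLAIN\tservice=imap\tsecured=tls"
    "\tsession=AAAA\tlip=10.2.1.98\trip=10.2.0.103\tlport=143\trport=64954"
    f"\tresp={SAMPLE_RESP} (previous base64 data may contain sensitive data)\n"
    "Jul 21 11:11:43 auth: Info: ldap(user@example.test,10.2.0.103,<AAAA>): "
    "Password mismatch (for LDAP bind) (given password: hunter2)\n"
    "Jul 21 11:11:45 auth: Info: ldap(user@example.test,10.2.0.103,<AAAA>): "
    "Password mismatch (for LDAP bind) (given password: hunter2)\n"
    "Jul 21 11:11:49 imap-login: Info: Disconnected (auth failed, 2 attempts in 6 secs): "
    "user=<user@example.test>, method=PLAIN, rip=10.2.0.103, lip=10.2.1.98, TLS, session=<AAAA>\n"
)

# Patterns for the Dovecot 2.x auth log format seen in the thread.
BIND_FAIL_RE = re.compile(
    r"ldap\(([^,]+),([^,]+),<[^>]*>\): Password mismatch \(for LDAP bind\)"
)
GIVEN_PW_RE = re.compile(r"\(given password: [^)]*\)")
RESP_RE = re.compile(r"resp=\S+")


def redact(line: str) -> str:
    """Strip the plaintext password and the SASL response from one log line."""
    line = GIVEN_PW_RE.sub("(given password: <redacted>)", line)
    line = RESP_RE.sub("resp=<redacted>", line)
    return line


def triage(log_text: str) -> dict:
    """Count LDAP bind failures per (user, client IP), count lines that leak
    credentials, and return a redacted copy of the log safe to share."""
    failures = Counter()
    leaks = 0
    redacted = []
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
        if GIVEN_PW_RE.search(line) or RESP_RE.search(line):
            leaks += 1
        redacted.append(redact(line))
    return {"bind_failures": failures, "credential_leaks": leaks, "redacted": redacted}


if __name__ == "__main__":
    # Which DN Dovecot will try to bind as for a given login (template from the thread).
    print(expand_bind_dn("mail=%u,ou=People,dc=my,dc=domain", "john@my.domain"))
    # What the debug line's resp= field actually contains.
    print(parse_sasl_plain(SAMPLE_RESP))
    result = triage(SAMPLE_LOG)
    for (user, rip), n in result["bind_failures"].items():
        print(f"{n} LDAP bind failure(s) for {user} from {rip}")
    print(f"{result['credential_leaks']} line(s) contained credentials; redacted copy:")
    print("\n".join(result["redacted"]))
```

The expanded DN is the one to test directly against the directory with a simple bind as that DN (for example with ldapwhoami using that DN and the user's password): if that bind is refused while the admin bind works, the problem is on the LDAP side (ACLs or bind permissions for the user entry, which is what the thread's final post reports), not in Dovecot. Once the cause is found, disable auth_debug_passwords and the LDAP debug_level again and treat any log captured while they were on as containing live passwords.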

  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Stephen Dragan

    Stephen Dragan New Member

    This would be much easier, but I need Postfix and Dovecot; this is what I am searching for, for my further use.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    And that's what ISPConfig is using: Postfix and Dovecot.
     
  5. Stephen Dragan

    Stephen Dragan New Member

    Oh, I will look right into it, thank you.
     
  6. Stephen Dragan

    Stephen Dragan New Member

    The problem was that I redeployed the LDAP VM and reset the user bind permissions; now it is working. This wasn't a Postfix or Dovecot config issue.
     