[dovecot] Re: Trouble setting up dovecot

Tim Snider timsn at thtree.com
Mon Feb 24 00:42:56 EET 2003


Thanks Timo, turns out I'm more of a rookie at sysconfiguring than I
thought, so perhaps this helps identify stuff that a rookie wouldn't
already know...<G>


On Thu, 2003-02-20 at 19:46, Timo Sirainen wrote:
> 
> > I've not configured up LDAP on my server yet, so it's just plain PAM for
> > now. I'm able to login fine with all my other apps, so I doubt it's a
> > problem with PAM, but not impossible. I haven't done anything with PAM
> > on this machine yet as it's live. I've been testing things out on
> > another machine(NON-SMP/RH8), which I'll try tomorrow if I get a
> > chance.)
> 
> You have to have it configured in /etc/pam.d/imap. For example:
> 
> auth    required        pam_unix.so nullok
> account required        pam_unix.so

Thanks, this makes more sense than the options you provide in
doc/auth.txt, so you may wish to change that. On both RH7.3 and a RH8.0
box here, I don't have pwdfile, it's apparently been replaced by other
functionality.
> 
> > each imap-login is waiting at a read(7,
> 
> That's the problem then. It really shouldn't be blocking there. Could
> you get the backtrace to see where it's hanging? ie. run as root:
> 
> gdb /usr/local/libexec/dovecot/imap-login <pid of the imap-login>
> 
> and "bt" in it.

It's hung up in SSL_CTX_use_PrivateKey() in ssl-proxy-openssl.c, which
as you correctly surmised below, is due to a password protected key. 

I've located and used mkcert.sh. As a note, the only docs for
doc/mkcert.sh are halfway through the NEWS file and rapidly receding as
you add new releases (congrats on the fast progress, by the way!),
however you might consider adding a short note about it to the
doc/auth.txt or doc/configuration.txt file for those new to dovecot.

> > > I do call fflush() after each write to log. Killing with SIGTERM will do
> > > clean exit which may log more things, maybe it's just that? Also killing
> > > child processes makes master process log their exits.
> > 
> > I usually note the messages log (watched by a tail -f) show up after I
> > kill the dovecot master process.(Kill -9)
> 
> Depends on what the messages are I guess. But if you're kill -9ing the
> master process, it's quite likely that the child processes will complain
> about losing it.

After playing a bit, I think that those messages were due to the kill
-9, SIGTERM is nicer. I still end up with little in the way of verbose
debugging messages, by my standards. Usually all I see is login and
logout messages. Otherwise, I get the occasional lockfile message, which
is something that I need to sort out with Exim, and completely on my
end.

> > dovecot: Feb 20 18:11:51 Info: Dovecot starting up
> > imap-login: Dec 31 16:00:00 Fatal: Can't load private key file
> > /usr/local/ssl/private/cedarintkey.pem: error:0906406D:PEM
> > routines:DEF_CALLBACK:problems getting password
> 
> Err, isn't this the reason why your SSL doesn't work? :) Or was that
> just an example? If your private key is crypted with some password,
> Dovecot can't use it at least currently..

Correct! Doh! I have been able to use imaps, since I built a
non-passworded private key. I was using passworded keys that I'd built
for Apache, and would eventually like to have one set of keys that I can
reference for each virtual domain. Were you planning on something like
the Apache startssl option?

I can live with the constraint of one 'connection' key for now. Have you
considered allowing each virtual domain to have its own keys? Kind of
difficult as the secure pipe to the server is already in place by the
time the login name is seen... Kinda makes it tough for a true virtual
presence without explicit assigned IPs. Hmmm, any plans for at least a
different keys/identity per IP? If I understand the configuration file
for now, it seems to be designed for one cert per machine.

Thanks for the help, I've just got to sort out the lockfile differences
between Exim and Dovecot and I should then be functional. After that
I'll start using LDAP.

TJ
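
Added example, not part of the original message or of Dovecot: a pre-deployment check for the failure discussed above, where a daemon with no terminal is handed a passphrase-protected PEM key. The function names and the sample keys are constructed for illustration; it also flags an unencrypted key that is readable beyond its owner.

```python
import os
import re
import stat

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")

def classify_pem_key(text):
    """Return 'encrypted', 'plain' or 'no-key' for the first private key in text."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _BEGIN.match(line)
        if not m or not m.group(1).endswith("PRIVATE KEY"):
            continue
        if m.group(1) == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
            return "encrypted"
        # Traditional OpenSSL format: "Name: value" headers follow the BEGIN line.
        for hdr in lines[i + 1:]:
            if ":" not in hdr:  # blank line or base64 body: headers are over
                break
            if hdr.startswith("Proc-Type:") and "ENCRYPTED" in hdr:
                return "encrypted"
        return "plain"
    return "no-key"

def check_key_file(path):
    """Findings for a key file that a daemon must load with nobody at a terminal."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        kind = classify_pem_key(fh.read())
    if kind == "no-key":
        return ["no PEM private key found"]
    if kind == "encrypted":
        return ["key is passphrase-protected: unattended load will prompt or fail"]
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        return ["unencrypted key is accessible to group/other"]
    return []

# Constructed samples: the bodies are placeholders, not real key material.
_BODY = "Q09OU1RSVUNURUQ=\n"
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n" + _BODY +
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_ENCRYPTED = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + _BODY +
    "-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n" + _BODY + "-----END RSA PRIVATE KEY-----\n")
```

Run check_key_file() on the key path before pointing the server configuration at it; an empty list means the key can be loaded unattended and is owner-only.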



