[Dovecot] IMAP Proxying and SSL Certificates on OpenBSD

dago at quantentunnel.de
Thu Aug 15 20:23:10 EEST 2013


Hi list,
 
I am currently trying to configure Dovecot to act as an IMAP proxy in front of a Groupwise server. Because of a policy, no services of the GW server may be directly served to the web. So currently this is only a security measure. Dovecot was previously used for providing SASL auth capabilities to Postfix. IMAP proxy features should be added now. The authentication backend is LDAP. The OS is OpenBSD 5.2. The Dovecot version is 2.1.8.
 
Currently I am fighting with the following error in the logs:
 

dovecot: master: Dovecot v2.1.8 starting up
dovecot: auth: Warning: userdb passwd: Move templates args to override_fields setting
dovecot: auth: Error: passwd(username,78.104.X.X,<e9YE/gDkOQBOaKfg>): getpwnam() failed: Operation not permitted
dovecot: imap-login: Login: user=<username>, method=PLAIN, rip=78.104.X.X, lip=5.9.X.X, mpid=1765, session=<e9YE/gDkOQBOaKfg>
dovecot: imap(username): Error: user username: Initialization failed: Initializing mail storage from mail_location setting failed: imapc: missing imapc_password
dovecot: imap(username): Error: Invalid user settings. Refer to server log for more information.
 
I hope to also see therein the cause for not providing STARTTLS:
 

# openssl s_client -connect mail.example.com:143 -starttls imap
CONNECTED(00000003)
didn't found STARTTLS in server response, try anyway...
15096:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_clnt.c:607:
 
As Postfix is already using the certificates, they should be okay…
 

# dovecot -n
# 2.1.8: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.2 i386  
disable_plaintext_auth = no
imapc_host = 10.0.0.2
mail_gid = vmail
mail_home = /home/vmail/%u
mail_location = imapc:~/imapc
mail_uid = vmail
passdb {
  args = scheme=plain-md5 username_format=%n /etc/dovecot/passwd
  driver = passwd-file
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
  driver = ldap
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = _postfix
    mode = 0660
    user = _postfix
  }
  user = root
}
service imap-login {
  chroot = login
}
service pop3-login {
  chroot = login
}
ssl = no
ssl_ca = </etc/ssl/ca.crt
ssl_cert = </etc/ssl/pf/mail.example.com.crt
ssl_key = </etc/ssl/pf/mail.example.comkey
userdb {
  args = username_format=%n /etc/dovecot/passwd
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
 
# dovecot-ldap.conf
hosts = 10.0.0.2:389
dn = cn=ldapaccess,o=servercontext
dnpass = secretpass
auth_bind = yes
ldap_version = 3
base = o=usercontext
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(&(objectClass=Person)(cn=%u))(groupMembership=cn=SMTPsender,o=permissiongroups))
pass_attrs = cn=user,userPassword=password
pass_filter = (&(&(objectClass=Person)(cn=%u))(groupMembership=cn=SMTPsender,o=permissiongroups))
 
 
Thanks in advance!
 
Best regards
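
Added example, not part of the original post and not Dovecot project code: a small Python check over `dovecot -n` output like the one above that flags the TLS-related settings visible in it (`ssl = no` next to a configured `ssl_cert`, `disable_plaintext_auth = no`, a weak passdb scheme). The sample input is a constructed excerpt of the posted configuration; the function names and the weak-scheme list are assumptions of this example.

```python
import re

# Constructed sample: an excerpt of the `dovecot -n` output quoted in the post.
SAMPLE = """\
disable_plaintext_auth = no
passdb {
  args = scheme=plain-md5 username_format=%n /etc/dovecot/passwd
  driver = passwd-file
}
protocols = imap
ssl = no
ssl_cert = </etc/ssl/pf/mail.example.com.crt
"""
# Assumption: a subset of Dovecot password schemes that are cleartext or unsalted.
WEAK = {"plain", "cleartext", "plain-md4", "plain-md5", "ldap-md5"}

def parse(text):
    """Flatten `dovecot -n` output into (section_path, key, value) tuples."""
    out, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # e.g. "passdb", "service auth"
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")  # split on the first "=" only
            out.append((tuple(stack), key.strip(), value.strip()))
    return out

def audit(text):
    """Return findings for the transport-security settings in the config."""
    settings = parse(text)
    top = {k: v for path, k, v in settings if not path}
    findings = []
    if top.get("ssl") == "no":
        msg = "ssl = no: TLS is disabled, so STARTTLS is not offered"
        if "ssl_cert" in top:
            msg += " (ssl_cert is set but unused)"
        findings.append(msg)
    if top.get("disable_plaintext_auth") == "no":
        findings.append("disable_plaintext_auth = no: PLAIN logins accepted without TLS")
    for path, key, value in settings:
        m = re.search(r"scheme=([\w-]+)", value)
        if path == ("passdb",) and key == "args" and m and m.group(1).lower() in WEAK:
            findings.append("passdb scheme %s: cleartext or unsalted hash" % m.group(1))
    return findings
```

Feeding it the full `dovecot -n` output instead of `SAMPLE` works the same way; nested sections such as `service auth { unix_listener ... { } }` are tracked by path and ignored by the top-level checks.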