Mark asked:

dovecot setup - need step by step

What I have: Slackware64 14.1 with working Samba4 Domain Controller/Active Directory. I have downloaded the most recent dovecot-2.2.15.tar.gz sources.

What I want: to configure dovecot to use Active Directory authentication from Windows domain workstations using Outlook.

I am using the dovecot wiki http://wiki2.dovecot.org/ for installation instructions, but it is focused more on describing settings than explaining which you would need and why. I need some step-by-step guidance.

In section 1. Installing / Compiling from sources, options are listed. The list of ones I *might* be interested in are:
--with-storages=FORMATS

Specifies what mailbox formats to support. Note: Independent of this option, the formats raw and shared will be always built. 

--with-solr Build with Solr full text search support 

--with-zlib Build with zlib compression support (default if detected) 

--with-bzlib  Build with bzip2 compression support (default if detected) 

SQL Driver Options

SQL drivers are typically used only for authentication, but they may be used as a lib-dict backend too, which can be used by plugins for different purposes. 

--with-sql-drivers  Build with specified SQL drivers. Defaults to all that were found with autodetection. 

--with-pgsql  Build with PostgreSQL support (requires pgsql-devel, libpq-dev or similar package) 

--with-MySQL  Build with MySQL support (requires mysql-devel, libmysqlclient15-dev or similar package) 

--with-SQLite  Build with SQLite3 driver support (requires sqlite-devel, libsqlite3-dev or similar package) 

Authentication Backend Options

The basic backends are built if the system is detected to support them: 

--with-shadow  Build with shadow password support 

--with-pam  Build with PAM support 

--with-nss  Build with NSS support 

--with-sia  Build with Tru64 SIA support 

--with-bsdauth  Build with BSD authentication support (if supported by your OS) 

Some backends require extra libraries and are not necessarily wanted, so they are built only if specifically enabled: 

--with-sql  Build with generic SQL support (drivers are enabled separately) 

--with-ldap  Build with LDAP support (requires openldap-devel, libldap2-dev or similar package) 

--with-gssapi  Build with GSSAPI authentication support (requires krb5-devel, libkrb5-dev or similar package) 

--with-vpopmail  Build with vpopmail support (requires vpopmail sources or a devel package) 

It's also possible to build these as plugins by giving e.g. --with-sql=plugin. 


So, I'm a bit stumped getting started ...

As I understand it dovecot/IMAP is able to keep mail on the servers in the folder structures that Outlook users create. So, which --with-storages FORMAT(S) do I want? There is no link from this wiki to describe my possible choices, but other research indicates that dbox does folders. Is that what I want?

Do I care about Solr, zlib, bzlib options?

SQL Driver Options ... why would I need any of these?

Authentication Backend Options. I want to have users authenticate automatically from Outlook using their Windows AD authentication. Which option would I pick? --with-ldap?

The wiki comments that "It's also possible to build these as plugins by giving e.g. --with-sql=plugin". Why would I need to do that?

The last paragraph in this section says:
Dynamic IMAP and POP3 Modules

The mail_plugins setting lists all plugins that Dovecot is supposed to load from the mail_plugin_dir directory at program start. These plugins can do anything they want. They are only expected to contain the <plugin name>_init and <plugin name>_deinit functions which are called at startup and at exit. 

The plugin filename is prefixed with a number which specifies the order in which the plugins are loaded. This is important if one plugin depends on another. 


I do want IMAP, but I honestly have no idea what this section is talking about. Is this something I need?

Thanks! I'm sure the Experts will come through again!
arnold:

If you have openldap installed you will want the --with-ldap --with-shadow --with-pam
Including the SQL options, vpopmail, etc. depends on the scope of what you want your mail server to do. i.e. add/integrate anti-virus/filtering schemes .....
i.e. multiple domains with virtual mailboxes.

I believe zlib and bzlib2 are included in all distribution

A Maildir format for storage is seen as better, but depends on what you are using as your mailserver and you would need to include its storage options.

presumably your /etc/nsswitch.conf reflects users/passwd as files, ldap, etc. such that dovecot will use the system calls to authenticate as well. with the --with-shadow --with-pam
the --with-ldap deals with configuring dovecot to query the openLDAP directly.

While the size of the binary will be larger, if this is your first attempt, you should include everything all the bells and whistles.
Once you start using it, you can decide down the line not to include certain options.

While not too complicated, it might be easier to include everything and not use it, than exclude something and need it.
Mark (asker):

While the size of the binary will be larger, if this is your first attempt, you should include everything all the bells and whistles.

No problem with that, will probably do so. At the same time, I want to know what things do and are for and not just monkey-type commands/options.

If you have openldap install you will want the --with-ldap --with-shadow --with-pam

I do have DC/AD and therefore I believe I have LDAP (though I don't really know how to confirm that). Samba4 uses Kerberos (Heimdal), so do I still want --with-pam?

Including the SQL options, vpopmail, etc. depends on the scope of what you want your mail server to do. i.e. add/intergrate anti-virus/filtering schemes .....
 i.e. multiple domains with virtual mailboxes.

All I want at the moment is for Windows domain workstation users to do automatic authentication when opening Outlook. All spam/anti-virus, etc. will be done upstream. There are no multiple domains -- not sure what you mean by virtual mailboxes (/etc/mail/aliases?), but that would probably also be handled elsewhere. Therefore, probably don't need SQL options, but as you suggest, might go ahead and build with them to start.

presumably your /etc/nsswitch.conf reflects users/passwd as files, ldap, etc. such that dovecot will use the system calls to authenticate as well. with the --with-shadow --with-pam
 the --with-ldap deals with configuring dovecot to query the openLDAP directly.
OK, probably need some adjusting in /etc/nsswitch.conf. Below is my nsswitch.conf file, untouched since installing the OS. passwd appears to be "compat". users and ldap not listed at all. Do I need to make some changes? If so, what?
# passwd:       files nis
# shadow:       files nis
# group:        files nis

passwd:         compat
group:          compat

hosts:          files dns
networks:       files

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files

automount:      files
aliases:        files


Have not used Slackware in a long while, is this system member of the ad such that you can query the ad?
You should still have both pam and shadow just in case you lose access to the DC you still want to have the ability to login and repoint to the new ip of the dc ...

Pam is a module based authentication into which other methods are integrated, another feature of pam is that it can be configured with modules that will create a user's home structure on first login if it is not present.

A DC can be queried using ldap (some changes registry/firewall might be needed)
There are different ways to integrate Linux into AD authentication.

Not sure the automatically authenticate part, you could pass configuration using GPO's.

Sounds as though you want the same behavior as exists with exchange/outlook integration with this setup.

There are two types of mailboxes, one based on users in passwd, or in a directory service such as ldap, the other uses virtual mailboxes i.e. the information is stored within a directory structure
/path/vpopmail as the top
Domain1.com with subfolders consisting of usernames on this domain
Since you only handle one domain, and you have a directory service, multiple domains/email addresses can be handled within that.

What mailserver are you using to handle the incoming email, postfix, exim, etc?
Dovecot is an interface to access received emails and an interface through which emails can be sent out to the internal mailserver that will then distribute it as appropriate.

Back to nsswitch, will have to look at the meaning of compat in Slackware.
It could mean which ever option is available through the system's available authentication methods, but not sure.
Mark (asker):

is this system member of the ad such that you can query the ad?
I believe it is, but how would I query the ad on Linux? I'm new to DC/AD outside of Windows SBS. `man ldap` doesn't give me any direction on this. There is a /etc/openldap/ldap.conf file with only "TLS_REQCERT allow" set, but otherwise I have no idea how to "query" ad. I do have `samba-tool` with the following commands available, perhaps one of those is the ad query you mention?
Available subcommands:
  dbcheck     - Check local AD database for errors.
  delegation  - Delegation management.
  dns         - Domain Name Service (DNS) management.
  domain      - Domain management.
  drs         - Directory Replication Services (DRS) management.
  dsacl       - DS ACLs manipulation.
  fsmo        - Flexible Single Master Operations (FSMO) roles management.
  gpo         - Group Policy Object (GPO) management.
  group       - Group management.
  ldapcmp     - Compare two ldap databases.
  ntacl       - NT ACLs manipulation.
  processes   - List processes (to aid debugging on systems without setproctitle).
  rodc        - Read-Only Domain Controller (RODC) management.
  sites       - Sites management.
  spn         - Service Principal Name (SPN) management.
  testparm    - Syntax check the configuration file.
  time        - Retrieve the time on a server.
  user        - User management.
  vampire     - Join and synchronise a remote AD domain to the local server.



You should still have both pam and shadow just in case you lose access to the DC you still want to have the ability to login and repoint to the new ip of the dc
Good suggestion, but probably not critical at the moment - I'll need to get the DC back up ASAP in such a circumstance and not really worry about user's access to email sans-DC.

Pam ... can be configured with modules that will create a user's home stracture on first login if it is not present.
Certainly a useful feature ... eventually. Not my immediate priority.

Sounds as though you want the same behavior as exists with exchange/outlook integration with this setup.
Exactly!

What mailserver are you using to handle the incoming email, postfix, exim, etc?
I'd like to use sendmail, if possible. I have lots of milters and other customizations for that, but will change if I have to.

Dovecot is an interface to access received emails and an interface through which emails can be sent out to the internal mailserver that will then distribute it as appropriate.
That is my understanding. I was thinking the "access received emails" bit would be more of a Step-2 in this process, but this is where I'm very fuzzy. I would assume that most smtp servers receive mail from the "outside" and save them in a mbox file on a per-user basis (as does sendmail), and that dovecot is able to reference these mbox files (usually in /var/spool/mail/{username}) as the user's 'inbox'. A user using Outlook can move messages from inbox to folders which are created/maintained via dovecot IMAP. This is all conjecture on my part. I've found no place that really explains the process.

Back to nsswitch, will have to look at the meaning of compat in Slackware.
Ok, let me know what you find. Meanwhile, I'll research that too. If I can get the build options set up correctly I can at least make my dovecot installation.
Mark (asker):

Perhaps this answers the question on nsswitch compat? http://serverfault.com/questions/532008/what-is-nsswitch-compat-mode

or this: http://serverfault.com/questions/331440/what-do-compat-mean-in-name-service-switch

Perhaps it is not necessary? If not should I change to 'files' or 'files compat', or 'files nis compat'?

Do I need to add an entry for 'users'?

As the post question and answers get long, it is harder and harder to keep track.
1) Does this system function as the DC in your environment using samba4 with the backend served by openldap, mysql, PostgreSQL, tdbsam?
Depending on your answer above, the means to query will reveal itself.

If you prefer sendmail as your MTA, the decision you have to make deals with where the received emails will be stored i.e. /var/spool/mail/ as a mailbox format or in /home/username/Maildir.
This decision is what will guide your storage option on the dovecot side.

Pam is a system integrated process which provides seamless/transparent access to user validation without regard to where that data is i.e. in the passwd file or in a directory service such as ldap.

Exchange is AD-integrated and publishes the info outlook loads within AD, you could explore loading the exchange schema into your setup if you use openLDAP as the backend.

I am not sure whether using mbox format with IMAP and folder creation is .... Dealt with. Mbox format I think is not advisable since an mbox can have only one instance updating it at a time or it might become corrupted if multiple attempt to modify at the same time.


I hope I addressed all your comments/questions.
On nsswitch.conf passwd/shadow would usually be files ldap if you have ldap, NIS if you have NIS etc.
Mark (asker):

As the post question and answers get long, it is harder and harder to keep track.
Sorry, I very much intended to post multiple questions. This one was supposed to merely help me decide on configure options for dovecot. We can certainly defer the question of smtp server.

1) is this system functions as the DC in your environment using samba4 with the backend served by openldap, mysql, PostgreSQL , tdbam?
 Depending on your answer above, the the means to query will reveal itself.
Not sure. I used the vanilla, as-shipped samba4 4.1.11. I followed the instructions at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO. This link says, "Samba has its own LDAP and Kerberos implementation, using external LDAP and Kerberos server is not recommended." I provisioned the DC as follows:
$ /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 \
  --server-role='dc' --realm=hprs.local --domain=HPRS \
  --adminpass='password' --dns-backend=BIND9_FLATFILE \
  --option="interfaces=lo eth1" --option="bind interfaces only=yes"


The output of the provision step was:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=hprs,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=hprs,DC=local
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
See /etc/samba/private/named.conf for an example configuration include file for BIND
and /etc/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/etc/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              mail
NetBIOS Domain:        HPRS
DNS Domain:            hprs.local
DOMAIN SID:            S-1-5-21-2436648053-3172466862-1871027800


One of the tests I ran to verify the DC was working was:
$ host -t SRV _ldap._tcp.HPRS.LOCAL.
_ldap._tcp.HPRS.LOCAL has SRV record 0 100 389 mail.hprs.local.


Does this indicate ldap? Does it imply OpenLDAP? Nothing I did in the provisioning step asked me specifically about LDAP, mysql, PostgreSQL  or tdbam. I am certain MySQL is not involved because I installed MySQL weeks later for something else.

I do know that DC/AD is working just fine. I've successfully connected domain workstations, added users and enabled redirected folders. I use Microsoft RSAT (Remote Server Administration Tools) for administering DC and Active Directory.

Did this answer your question? We're talking LDAP, right?

As to the SMTP server, let's assume I'm going to use something like postfix which, as I understand, can save incoming mail in Maildir (and dbox?) format(s). This is a test platform, so I can do whatever right now.

As to the mailbox format, you recommend Maildir;  docs say this stores one file per message whereas dbox potentially stores multiple messages per file. If I have 10 users with +2GB mail folders each spanning 10+ years, do you still recommend Maildir?
Mark (asker):

On nsswitch.conf passwd shadow would usually be files ldap if have ldap, NIS if you have NIs etc.
This link http://arthurdejong.org/nss-pam-ldapd/setup says,
Add ldap to at least the passwd, group and shadow maps. Whether you should also change the other maps depends on the information in your LDAP directory. You should include ldap after local lookups.

It is better to use files than compat unless you use the special +/- syntax in /etc/passwd or are also using NIS
So, would this below be the best config?
passwd:       files ldap nis
shadow:       files ldap nis
group:        files ldap nis


arnold:

This solution is only available to members.
Mark (asker):

OK, sendmail set up as MTA. I've created a user in /etc/passwd with the same name as a domain user. Home directory is /domainusers/mark. I've sent a message from the outside. It was received and delivered OK and is sitting in /var/spool/mail/mark.

In doing some more research it appears that I can configure a mbox INBOX with maildir location using namespace. See http://wiki2.dovecot.org/Namespaces, section on "Mixed mbox and Maildir".

For the moment, I'll go with that since, if nothing else, it will save me having to learn to configure e.g. postfix. I'll explore the various locking methods available for mbox ... later.

Dovecot is the fourth floor ...
You skipped the 3rd floor! :)

Now, ready to install dovecot? What config options do you suggest?
./configure --with-storages=maildir,mbox --with-ldap


nss, shadow, pam and bsdauth are allegedly automatic

I assume the --with-storages accepts a comma-delimited list, but the help doesn't explicitly say so, nor does it say what is enabled by default.

Other things exist on the third floor. Top Secret.

You should have two separate users to make sure sendmail is using both passwd and samba to deliver the mail to the respective user. The user in the samba directory should have the requisite data populated dealing with its mail handling I.e. If you have multiple domains, the email addresses should be there.

 I see you are choosing to use mbox format with sendmail.

Once you install Dovecot see if you can access the mailbox using the user defined in passwd and then a user that only exists in samba.

The IMAP or POP should work the same way.

If one does not work enable debug logging in Dovecot to see where the failure is.
Sendmail through a use of a Local Delivery agent (LDA) such as procmail can deliver messages to a Maildir style format.

Did you use main.cf to configure the local domain, or is sendmail reading its config from the directory managed samba/ldap?
Mark (asker):

I see you are choosing to use mbox format with sendmail.
Yes, but as you wrote ...
Sendmail through a use of a Local Delivery agent (LDA) such as procmail can deliver messages to a Maildir style format.
Totally awesome! I've used .procmailrc for spam and folder filtering -- didn't know I could change message format! I've put the following into the AD user's $HOME/.procmailrc, and it works! So, I can use sendmail as my MTA and deliver to Maildir format and not have to worry about mixed mbox/maildir format!
DEFAULT=$HOME/Maildir/


You should have two separate users to make sure sendmail is using both passwd and samba to deliver the mail to the respective user. ... Once you install Dovecot see if you can access the mailbox using the user defined in passwd and then a user that only exists in samba.
I may have done this a bit differently. Other web research on my part recommends creating actual local user accounts for the domain users. I've done that so, yes I can send mail to local (non-AD) users and to AD users. The local users' mail is delivered to /var/spool/mail/$USER and the AD users' mail is delivered to /domainusers/$USER/Maildir. Sendmail/procmail is delivering both types of users, passwd does not come into play at this point.
Did you use main.cf to configure the local domain, or is sendmail reading its config from the directory managed samba/ldap?
I used a mail.mc file I created to generate sendmail.cf. Sendmail gets nothing from samba/ldap -- don't think it needs to, do you? I'm expecting ldap to come into play when a client workstation Outlook attempts to connect.

So, I went ahead and built dovecot with:
./configure --with-storages=maildir,mbox --with-ldap
make
make install


Now, I'll see if I can figure out a 1st pass at creating the dovecot.conf and I'll post back.

Instead of placing a .procmailrc in each user's home, as long as you install procmail with suid/sgid you can have /etc/procmailrc, within which you would apply system wide rules if any and then downshift privilege.
Set the DEFAULT as you have.
And then have a rule to load in the user .procmailrc if it exists
.........
Mark (asker):

Instead of placing a .procmailrc in each user's home as long as you install procmail with suid/said you can have /etc/procmailrc ...
Yes, I considered that, but that would send ALL mail to $HOME/Maildir and I want to keep local (non-domain) users including root as mbox format in /var/spool/mail/. So I can either a) use $HOME/.procmailrc in the domain users' home directory specifying Maildir format, b) use $HOME/.procmailrc in the local users' home directory (root, etc.) specifying mbox format. c) come up with a /etc/procmail rule that will send mail for members of group domainusers to $HOME/Maildir and all other users to /var/spool/mail. Right now, the simplest solution is to put a .procmailrc in the domain users home directory since I am testing with only one or two domain users at the moment. I'll figure out option c) later.

Meanwhile, back to dovecot. Following the instructions in http://wiki2.dovecot.org/BasicConfiguration, I've built dovecot configured as previously described, installed dovecot, created the dovecot and dovenull groups and users and, following the example in https://help.ubuntu.com/community/DovecotLDAP, I've created a /usr/local/etc/dovecot/dovecot.conf file (shown below).

I've tried running doveconf -n to verify this file, but am getting an error with the 1st directive:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
doveconf: Fatal: Error in configuration file /usr/local/etc/dovecot/dovecot.conf line 22: Unknown setting: hosts


So, I'm stumped right off the bat. hosts is a legit directive and, in fact, if I comment that one out, the next one in the .conf file gives me the same error. It appears that ALL statements in that file give the "Unknown setting" error and it aborts on the 1st one found. I've not found anything on the web about this so far, but I'll keep looking.

Meanwhile, here's what I've come up with for dovecot.conf. I'm unsure of some of the setting values (for example the ou in auth_bind_userdn) and, typically, the website and internal documentation doesn't really tell me under what conditions I should use sasl_bind versus auth_bind, and so on, but first things first. Why is doveconf giving me the "Unknown setting" error?

Settings in my current dovecot.conf, without comments.
hosts = mail.hprs.local
dn = cn=Administrator,dc=hprs,dc=local
dnpass = {secret}
auth_bind = yes
auth_bind_userdn = cn=%u,ou=Users,dc=hprs,dc=local
ldap_version = 3
base = ou=Users,dc=hprs,dc=local
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))

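Mark's option c) above, written out as a single system-wide /etc/procmailrc, so domain users get Maildir and everyone else (root included) keeps the mbox spool without a per-user .procmailrc. This is an added example, not a file from the thread; it assumes sendmail hands mail to procmail as the recipient (DROPPRIVS covers the setuid install arnold mentions), that the domain users belong to a local group named domainusers (an assumption; substitute your group), and that each domain user's Maildir already exists with cur/, new/ and tmp/ before the first delivery.

```conf
# /etc/procmailrc  (added example, not from the thread)
# Assumes: sendmail -> procmail as the local delivery agent; domain users have
# local /etc/passwd entries and are members of the local group "domainusers".

# If procmail was installed setuid/setgid, give those privileges up now so
# everything below, including the user's own rules, runs as the recipient only.
DROPPRIVS=yes
SHELL=/bin/sh

# Default for local (non-domain) users: the classic mbox spool file.
DEFAULT=/var/spool/mail/$LOGNAME

# Members of "domainusers" get Maildir in their home instead.
# A "?" condition runs a command; exit status 0 means the recipe matches.
# The only action is the nested block, which changes DEFAULT and falls
# through, so no delivery happens at this point.
:0
* ? id -Gn "$LOGNAME" | tr ' ' '\n' | grep -qx domainusers
{
  DEFAULT=$HOME/Maildir/
}

# Per-user filtering (spam, folders) still applies if the user has a rcfile.
:0
* ? test -r "$HOME/.procmailrc"
{
  INCLUDERC=$HOME/.procmailrc
}

# Anything not delivered by a user rule ends up in $DEFAULT; the trailing
# slash on the Maildir path selects maildir format, exactly as in Mark's
# per-user DEFAULT=$HOME/Maildir/ line.
```

Because the user's .procmailrc is included after DROPPRIVS, a user can only affect delivery of their own mail, which is the same exposure as the per-user file Mark is using now.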

It seems you are configuring dovecot to interact with LDAP, which I am not certain you need or want to do.
Because of that you are adding LDAP configuration settings which would go into dovecot-ldap.conf into the dovecot.conf file

dovecot.conf needs to look like the one referenced on their site, dovecot-example.conf
http://www.dovecot.org/doc/dovecot-example.conf
Oh,

I think you should maintain the delivery uniform.
Presumably whether the user is an AD user or one that you add in /etc/passwd you would want access to the underlying emails using dovecot versus limiting the /etc/passwd to local access only.

I believe you can use /home/users for /etc/passwd based user storage while /home/domain/ for ad users.

the confusion of having the same username in passwd and in the AD is which one, or how, you manage the mapping and how sendmail will resolve it.
in the nsswitch format I am used to where each test is enumerate file ldap
sendmail will check ldap first thus storing the email to username@yourdomain.com into the /home/domain/username/Maildir/
so .......
compat is possibly the same it has to have a hierarchy of steps that sendmail will check i.e. a system call to identify the homedir of username pam will likely check ldap first and only on a failure will fallthrough to checking the /etc/passwd.

Password is of no consequence on delivery of email, it is only needed to check.

If you use the same user you created in both passwd and AD and have each with a different password, you can check dovecot i.e. login using the password from /etc/passwd user and see what mail you see and then try the other and see what happens.
Mark (asker):

I think you should maintain the delivery uniform.
I appreciate your logic on this, but I think I'll worry about such details when I've got things working. Right now I have messages in /domainusers/mark/Maildir where, regardless of SMTP configuration is where they should end up. Now the trick is to get dovecot working, then hopefully Outlook will be able to get these messages via dovecot/IMAP, right?

So, first to focus on dovecot ...

It seems you are configuring dovecot to interact with LDAP, which I am not certain you need or want to do.

OK ... I'll take your word for that at the moment, but I am highly confused. I thought that would be the mechanism for Outlook to do AD authentication ...

adding LDAP configuration settings which would go into dovecot-ldap.conf into the dovecot.conf file
Hmm, that http://wiki2.dovecot.org/BasicConfiguration site says,
The default configuration starts from dovecot.conf, which contains an !include conf.d/*.conf statement to read the rest of the configuration. This split of configuration files isn't a requirement to use, and it doesn't really matter which .conf file you add any particular setting, just as long as it isn't overridden in another file.
So I wasn't thinking about using the whole !include mechanism.
dovecot.conf / needs to look like the one referened on their site dovecot-example.conf
OK, I'll give that a shot, then post back results ...

While the username/password used in outlook would likely be the same one as stored in the Mailserver/Samba4/ADDC, the outlook and dovecot IMAP will exchange credentials username/password.
Once dovecot gets the pair username/password it will run a system check to confirm username/password are valid and if so will get the HOMEDIR for username at which point it will access HOMEDIR/MAILDIR and will feed back the headers of the messages to outlook.

outlook does not authenticate to AD. I am not sure it will actually access the AD; I think when accessing exchange it uses Windows Integrated means of authentication i.e. based on the network login.

Not sure integrated authentication of outlook with dovecot is possible.
Mark (asker):

more info ...

Wow! and they say sendmail is confusing! ...

OK, I've modified the sample dovecot.conf. Basically I made the 2 following changes:

protocols = imap    (I removed pop3 and lmtp)

listen = 192.168.0.100  -- this is the IP of the Win7 host I will use to connect from Outlook. Is 192.168.0.0/24 legal? If so, I'd rather use that to permit all domain hosts

That's all I changed, plus I copied the contents of /usr/local/share/doc/dovecot/example-config/conf.d/* to /usr/local/etc/dovecot/conf.d/. There are 24 conf.d files! Do these all have to be configured?

When I ran doveconf -n it worked this time (i.e. no error) and it generated the following output:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
listen = 192.168.0.100
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}


I don't think I need ssl at this point and using the passwd db doesn't seem right for AD authentication, but I am willing to follow your lead. What's next?
Mark (asker):

Not sure integrated authentication of outlook with dovecot is possible.
Well, this my main purpose. If the user has to enter the ID and Password I gain nothing over using POP3. I understood that dovecot could authenticate via AD. I'll do some more checking on that and see where I got that idea.

Starting with the last first, the dovecot authentication deals with the server access to the means to identify/confirm the user access to data.
IMAP helps in reducing loss of email because of workstation hardware failure and centralize the backup scheme to the server to preserve email versus having to backup individual workstation to achieve the same goal.

POP3/IMAP are means to access messages. Whether outlook and dovecot can be configured to mimic outlook/exchange interaction is a something I have not looked at recently.  The user account is either loaded in from the AD exchange portion of the schema at which time, the outlook/exchange authentication would be using integrated windows scheme.


Back to your listen directive.

this tells your dovecot service on which IP it should listen for connection.  usually the listen directive should reflect all interfaces which is done by
listen=0.0.0.0

you seem to have told it to listen on an IP, 192.168.0.100, the mail server system does not have (ifconfig -a) which should result in an error when you try to start it with an error failed to bind to IP .

One need only configure the ones one needs.
each conf.d/ file corresponds to a feature.

Best to only start with one and add as you need based on the description/feature you are looking to add.  Adding all of them means you will be troubleshooting issues for services/components you neither need nor want.
Avatar of Mark

ASKER

usually the listen directive should reflect all interfaces which is done by  listen=0.0.0.0 ... you seem to have told it to listen on an IP, 192.168.0.100,
Gotcha! Interface, not client. The LAN interface is 192.168.0.2 so I'll change to that. I don't want to listen for Internet connections at this point, just LAN connections.
One need only configure the ones one needs. each conf.d/ file corresponds to a feature.
OK, so pending more info on what features I should use, I've removed the conf.d files. My new doveconf output is:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
listen = 192.168.0.2
protocols = imap


Probably not enough to work with. No authentication method, mail folders, etc. are specified yet. The complete list of examples is:
10-auth.conf      15-lda.conf        90-plugin.conf               auth-master.conf.ext
10-director.conf  15-mailboxes.conf  90-quota.conf                auth-passwdfile.conf.ext
10-logging.conf   20-imap.conf       auth-checkpassword.conf.ext  auth-sql.conf.ext
10-mail.conf      20-lmtp.conf       auth-deny.conf.ext           auth-static.conf.ext
10-master.conf    20-pop3.conf       auth-dict.conf.ext           auth-system.conf.ext
10-ssl.conf       90-acl.conf        auth-ldap.conf.ext           auth-vpopmail.conf.ext


I suppose I should at least look at 10-auth.conf and 10-mail.conf. Other suggestions?

Here are a few links that talk about dovecot and Active Directory, so I think it's doable. I'm still not clear about the connection/difference between ActiveDirectory and LDAP. My understanding is that LDAP is part of Active Directory.
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
http://wiki2.dovecot.org/AuthDatabase/LDAP
Avatar of Mark

ASKER

Anyway, for the sake of eating the elephant one bite at a time, let's just get dovecot and Outlook working the simplest way possible, with the user configuring the ID/PW in Outlook. If I can get Outlook to read the messages I've put in /domainusers/mark/Maildir, I think that's enough for this question. I'll move on to the LDAP/AD problem in another question. No sense your making a career out of this question, even if I must!
Guess my prior suggestion to limit what it is you copy into the conf.d for dovecot configs was not right.
http://wiki2.dovecot.org/BasicConfiguration

Copy the ones that are missing.
Auth should be using pam, so it should (hopefully) work right using the passwd file username/password. Then you can check whether, without making any changes, it can query the username/password from the samba ad/dc via the compat directive in nsswitch.conf.

The listen part only deals with which IPs on the local system dovecot will listen on, port 143 for IMAP or 993 for Secure IMAP if you want to configure it.
As far as dovecot is concerned, the source of the connection is determined by the firewall rules you place, i.e. port forward internet requests on port 143 to 192.168.0.2 port 143, similar to your existing port 25 forward rule.
If there is no firewall rule allowing port 143 through it, there will be no internet connection attempts that get through on port 143.

With that said, I suggest you set listen to 0.0.0.0, all available interfaces/IPs on this system.

The links you posted for dovecot AD I believe are not valid, as those deal with a setup where there is a windows AD DC and how to configure the linux/unix based system to access the information therein.

In your case, the AD DC functionality is within samba/ldap and integrated into your existing system.

mailbox_location=maildir....... see link below for additional options
http://wiki2.dovecot.org/MailLocation/Maildir
It seems that you have to be uniform; you can only specify the mailbox_location once.

Often, once you get through this the rest will be like a warm knife through butter.
Avatar of Mark

ASKER

The links you posted for dovecot AD I believe are not valid as those deal with setup where there is a windows AD DC and how to configure the linux/unix based system to access the information there in.
Supposedly Samba4 mimics Windows DC/AD 100%. So far that has been true including redirected folders. HOWEVER ... later for all that.

I continued to follow the directions in http://wiki2.dovecot.org/BasicConfiguration and think I might be there. Here is what I get with doveconf:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
disable_plaintext_auth = no
first_valid_gid = 200
first_valid_uid = 1100
last_valid_gid = 200
listen = 192.168.0.2
mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  driver = shadow
}
protocols = imap
userdb {
  driver = passwd
}


Do these look OK to you? I'll change the listen to 0.0.0.0 before I fire this up.

I have set up my domain users as group 200 and the first such user is uid 1100.

Not sure I need the namespace directive since the inbox is essentially $HOME/Maildir/new. What do you think?

For the moment, I'm not even using PAM (I think) so I don't have to mess with creating /etc/pam.d/dovecot and I don't have to mess with SSL. I assume the "disable_plaintext_auth = no" and the passdb and userdb I've configured will simply go against the /etc/passwd and/or /etc/shadow files directly, right? The disable_plaintext_auth was a startup suggestion from the http://wiki2.dovecot.org/BasicConfiguration site.

Does all this look good to you? Should I try firing up dovecot? Changes?
The namespace deals with when, within the IMAP interface, you create additional folders, i.e.
Inbox
Sent mail
Drafts
Important emails
Etc.
They all fit within the homedir/Maildir/
Here the pattern varies depending on your selections outlined in the last Mailconnect/Maildir.

The UID/GID deal with limits, i.e. root (uid 0) will not be allowed to login using IMAP.
If you create a group whose GID is larger than 200, it too will not be allowed to login.

Yes, fire up and see.
Then post entries from the log, which should indicate what issue it may have.
Avatar of Mark

ASKER

Not much luck so far. I fired up dovecot and the following messages were logged to /var/log/maillog
Jan  9 01:38:35 mail dovecot: ssl-params: Generating SSL parameters
Jan  9 01:38:48 mail dovecot: ssl-params: SSL parameters regeneration completed


I then configured Outlook as follows:
[image: Outlook account settings]
Then I attempted to send/receive mail and got the errors:
[image: Outlook error dialog]
On the server, the following messages were logged to /var/log/maillog
Jan  9 01:49:51 mail dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jan  9 01:49:51 mail dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs
Jan  9 01:49:53 mail dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jan  9 01:49:53 mail dovecot: master: Error: service(imap-login): command startup failed, throttling for 4 secs
Jan  9 01:49:57 mail dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jan  9 01:49:57 mail dovecot: master: Error: service(imap-login): command startup failed, throttling for 8 secs
Jan  9 01:50:05 mail dovecot: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Jan  9 01:50:05 mail dovecot: master: Error: service(imap-login): command startup failed, throttling for 16 secs


Subsequent attempts generated the same messages, but the throttling interval stretched to 60 seconds (is there a way to turn off this effect? It makes it tough to run tests when I have to wait 60 seconds for each of 5 attempts -- 5 minutes between tests).

So, I must not have properly disabled SSL in my dovecot.conf. Either I have to figure out how to properly disable SSL or properly enable it. I'll do some research on this, but suggestions are welcome.
ASKER CERTIFIED SOLUTION
Glad to hear.

For ssl double check that the key/certificate are referenced correctly.

Dovecot is authenticating users against AD.

I think what you are looking for is auto population/distribution of email users' settings via AD.

You may have to look at GPOs using office adm to push these settings which ......
Here is a reference that deals with auto configuring outlook for user email account settings.
http://technet.microsoft.com/en-us/library/cc511507(v=office.14).aspx
Avatar of Mark

ASKER

Thanks Arnold. Here's the question about AD Authentication if you want to take a crack at that:

https://www.experts-exchange.com/questions/28593992/get-dovecot-working-with-samba4-LDAP.html

I'll check out your link
Avatar of Mark

ASKER

Arnold led me through getting this running, but my selected post is the final working configuration.