Dovecot authentication against a passwd-file


I am currently facing some problems with dovecot and authentication against a passwd-file.

Here are some details about the environment:

  • CentOS 7 (3.10.0-042stab142.1)
  • Postfix (2:2.10.1-9.el7)
  • Dovecot (1:2.2.36-6.el7)

The Postfix part looks fine: sending/receiving mail locally and forwarding to external domains is working. For a few users I need to enable IMAP.

Excerpt from "doveconf -n":

auth_debug_passwords = yes
auth_mechanisms = plain login
first_valid_uid = 1000

mail_debug = yes
mail_location = maildir:/var/mail/vhosts/<mydomain>/
mbox_write_locks = fcntl

namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}

passdb {
  args = scheme=SHA512-CRYPT username_format=%Lu /etc/dovecot/mydomain_passwd
  driver = passwd-file
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mydomain/fullchain.pem

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_dh_parameters_length = 2048
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes

userdb {
  args = username_format=%Lu /etc/dovecot/mydomain_passwd
  default_fields = uid=5000 gid=5000 home=/var/mail/vhosts/mydomain/%Ln
  driver = passwd-file
}

Contents of "mydomain_passwd":

Zelestra@mydomain:{SHA512-CRYPT}$6$69/Qa2lPaBz3q6Gy$2zL7zAsgp6JckiziPUxJc927p.YSAyQlAYCKIJ2uvA.uR6pPfktEcHO4mbnAO3LEVVYT6jNrSPykO.STuTJJH0:5000:5000::/var/mail/vhosts/mydomain/zelestra::

If I try to test the user with "doveadm user", I get the following:

Jul  6 13:56:36 h2891775 dovecot: auth: Debug: master in: USER#0111#011zelestra#011service=doveadm
Jul  6 13:56:36 h2891775 dovecot: auth: Debug: passwd-file(zelestra): lookup: user=zelestra file=/etc/dovecot/mydomain_passwd
Jul  6 13:56:36 h2891775 dovecot: auth: passwd-file(zelestra): unknown user
Jul  6 13:56:36 h2891775 dovecot: auth: Debug: userdb out: NOTFOUND#0111
Jul  6 13:56:43 h2891775 dovecot: auth: Debug: master in: USER#0111#011zelestra@mydomain#011service=doveadm
Jul  6 13:56:43 h2891775 dovecot: auth: Debug: passwd-file(zelestra@mydomain): lookup: user=zelestra@mydomain file=/etc/dovecot/mydomain_passwd
Jul  6 13:56:43 h2891775 dovecot: auth: passwd-file(zelestra@mydomain): unknown user
Jul  6 13:56:43 h2891775 dovecot: auth: Debug: userdb out: NOTFOUND#0111

If I test it from a mail client (the built-in Mac one during testing):

Jul  6 14:03:03 h2891775 postfix/smtpd[14258]: disconnect from tmo-081-218.customers.d1-online.com[<some IP>]
Jul  6 14:03:03 h2891775 dovecot: auth: Debug: client in: AUTH#0115#011PLAIN#011service=imap#011secured#011session=5GStp8SpXxJQu1Ha#011lip=<some IP>#011rip=<some IP>#011lport=143#011rport=4703#011local_name=mail.mydomain#011resp=AFplbGVzdHJhQGtvbnppbGRlcmFzcGVrdGUuZGUARDN2MWwuM3JheQ== (previous base64 data may contain sensitive data)
Jul  6 14:03:03 h2891775 dovecot: auth: Debug: passwd-file(zelestra@mydomain,<some IP>,<5GStp8SpXxJQu1Ha>): lookup: user=zelestra@mydomain file=/etc/dovecot/mydomain_passwd
Jul  6 14:03:03 h2891775 dovecot: auth: passwd-file(zelestra@mydomain,<some IP>,<5GStp8SpXxJQu1Ha>): unknown user
Jul  6 14:03:05 h2891775 dovecot: auth: Debug: client passdb out: FAIL#0115#011user=zelestra@mydomain#011original_user=Zelestra@mydomain
Jul  6 14:03:05 h2891775 dovecot: imap-login: Aborted login (auth failed, 5 attempts in 10 secs): user=<zelestra@kmydomain>, method=PLAIN, rip=<some IP>, lip=<some IP>, TLS: Disconnected, session=<5GStp8SpXxJQu1Ha>

If I do a lookup like "doveadm user *@mydomain", I get the following output:

Zelestra@mydomain

I seem to be missing something, but right now I have no idea where to look or how to troubleshoot further.

Already done several times, without luck:

  • Read through the Dovecot wiki/howto
  • Google foo and Stack Exchange foo turned up nothing that helped with variants of the problem

The questions I would now like answered are:

a) Why does the wildcard lookup with doveadm return a result, while the specific lookup returns nothing?

b) Hints on how to get the dovecot IMAP part working and get correct authentication for my client.

Thanks and regards

Answer 1

Thanks to roaima: after changing the contents of my "userdb/passwd" to lowercase entries, it works.

So in my case it was the "lowercase" option of userdb and passdb: it only converts the information that is entered, not the information already present in the database. Unfortunately this is not mentioned in the documentation, and it is not the behaviour I expected.
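The following is an added example, not code from the question, the answer or Dovecot itself. It is a simplified model of how a passwd-file lookup behaves under username_format=%Lu, written so the mismatch in the question can be reproduced offline: the typed username is lowercased, but the comparison against the file is exact and case-sensitive, so a stored "Zelestra@mydomain" is never matched. A wildcard listing, by contrast, returns the entries as stored in the file, which is why "doveadm user *@mydomain" still shows the capitalised name. The sample file, the placeholder hash and the helper names (parse_passwd_file, lookup, list_users, unreachable_entries, normalised_collisions) are all constructed for this example; the two lint helpers are the check an operator would run before lowercasing entries, since two entries that differ only in case would collapse onto one key.

```python
"""Model of Dovecot passwd-file lookups under username_format=%Lu (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed sample file in passwd-file layout:
#   user:password:uid:gid:gecos:home:shell:extra_fields
# The hashes are placeholders, not real SHA512-CRYPT digests.
SAMPLE_PASSWD_FILE = """\
# comment lines and blank lines are ignored
Zelestra@mydomain:{SHA512-CRYPT}$6$placeholdersalt$placeholderhash:5000:5000::/var/mail/vhosts/mydomain/zelestra::
alice@mydomain:{SHA512-CRYPT}$6$placeholdersalt$placeholderhash:5000:5000::/var/mail/vhosts/mydomain/alice::
Alice@mydomain:{SHA512-CRYPT}$6$placeholdersalt$placeholderhash:5000:5000::/var/mail/vhosts/mydomain/alice2::
"""


@dataclass
class PasswdEntry:
    user: str
    password: str
    uid: str
    gid: str
    gecos: str
    home: str
    shell: str
    extra: str


def parse_passwd_file(text: str) -> List[PasswdEntry]:
    """Split each non-comment line into the eight colon-separated fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)
        fields += [""] * (8 - len(fields))  # pad missing trailing fields
        entries.append(PasswdEntry(*fields))
    return entries


def apply_username_format(username: str, fmt: str = "%Lu") -> str:
    """Apply the username_format modifier to the *input* name only.

    %u is the name as typed, %L lowercases it, %U uppercases it (Dovecot's
    variable modifiers). Nothing in the file is touched by this step.
    """
    if fmt == "%Lu":
        return username.lower()
    if fmt == "%Uu":
        return username.upper()
    if fmt == "%u":
        return username
    raise ValueError(f"unsupported username_format in this model: {fmt}")


def lookup(entries: List[PasswdEntry], username: str, fmt: str = "%Lu") -> Optional[PasswdEntry]:
    """Specific lookup: normalise the input, then compare exactly against the file."""
    key = apply_username_format(username, fmt)
    for entry in entries:
        if entry.user == key:  # case-sensitive, as the stored value is used verbatim
            return entry
    return None


def list_users(entries: List[PasswdEntry], pattern: str) -> List[str]:
    """Wildcard iteration: returns stored names verbatim, no username_format applied."""
    return [e.user for e in entries if fnmatchcase(e.user, pattern)]


def unreachable_entries(entries: List[PasswdEntry], fmt: str = "%Lu") -> List[str]:
    """Stored names that can never equal a normalised input under this format."""
    return [e.user for e in entries if apply_username_format(e.user, fmt) != e.user]


def normalised_collisions(entries: List[PasswdEntry], fmt: str = "%Lu") -> Dict[str, List[str]]:
    """Stored names that would collapse onto the same key if the file were normalised."""
    buckets: Dict[str, List[str]] = {}
    for e in entries:
        buckets.setdefault(apply_username_format(e.user, fmt), []).append(e.user)
    return {key: names for key, names in buckets.items() if len(names) > 1}


if __name__ == "__main__":
    db = parse_passwd_file(SAMPLE_PASSWD_FILE)
    print("specific lookup:", lookup(db, "Zelestra@mydomain"))   # None under %Lu
    print("wildcard listing:", list_users(db, "*@mydomain"))      # includes Zelestra@mydomain
    print("unreachable:", unreachable_entries(db))
    print("collisions:", normalised_collisions(db))
```

Run against a real passwd-file, unreachable_entries() lists exactly the accounts that will fail with "unknown user" under %Lu, and normalised_collisions() shows which of them cannot simply be lowercased without merging two accounts.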
