From: "Москаленко Алексей Владимирович" <mav@elserv.msk.su>
To: sysadmins@lists.altlinux.org
Subject: Re: [Sysadmins] Периодические падения dovecot-auth и ntlm_auth - P8
Date: Wed, 25 Jul 2018 17:12:35 +0300
Message-ID: <c2bfe1d54c1f0057d2a36c027abdda59@elserv.msk.su> (raw)
In-Reply-To: <7152466.G7TKxFiOou@zerg.malta.altlinux.ru>
Sergey V Turchin писал 25.07.2018 16:18:
>> С новым dovecot ntlm_auth (ожидаемо) один раз уже упал.
> А можно ли описать примерный сценарий, чтоб попробовать воспроизвести?
Сценарий довольно обычный. Есть домен на Samba (все еще в режиме NT4) с
пользователями в OpenLDAP. Dovecot берет пользователей из доменного
LDAP. Для механизмов PLAIN и LOGIN он аутентифицирует их самостоятельно:
LDAP bind от имени пользователя не делается (auth_bind = no), Dovecot
читает userPassword через сервисную учётную запись и сверяет SSHA-хеш сам.
Для механизма NTLM проверка делегируется ntlm_auth (auth_use_winbind = yes);
на той же машине установлен winbind, введенный в домен. Вся почтовая
система работает под одним пользователем vmail. Используется sieve.
Вроде никаких особенностей...
smb.conf
[global]
# Member-server identity: this host is MAIL in workgroup DOMAIN and is
# configured not to take any browser/master role (os level 1).
netbios name = MAIL
server string = Mail server
workgroup = DOMAIN
domain master = No
local master = No
os level = 1
preferred master = No
# Per-client log files, rotated at 50 KB.
log file = /var/log/samba/log.%m
max log size = 50
# Printing disabled entirely.
load printers = No
printcap name = /dev/null
# NOTE(review): SMB signing is left optional on all three sides (client IPC,
# client, server). With "if_required" an unsigned session is accepted
# whenever the peer does not insist on signing; "mandatory" closes that gap.
# Relevant here because the NTLM checks for mail logins are relayed from
# ntlm_auth/winbind on this host to the DC.
client ipc signing = if_required
client signing = if_required
# NT4-style domain membership: credentials are verified by the DC at
# 192.168.0.1 (the thread says the domain still runs in NT4 mode).
password server = 192.168.0.1
security = DOMAIN
server signing = if_required
# Local smbpasswd file; with security = DOMAIN its role is not clear from
# this config alone — presumably unused, confirm.
smb passwd file = /etc/samba/smbpasswd
# Legacy idmap range options; the "idmap config *" lines further down
# declare the same 10000-20000 range with the current syntax, so both
# forms agree.
idmap gid = 10000-20000
idmap uid = 10000-20000
# Domain users mapped by winbind get no interactive shell.
template shell = /sbin/nologin
# NOTE(review): "winbind sealed pipes = No" disables the sealing
# (encryption) Samba applies by default to winbindd's RPC traffic toward
# the DC, so the NTLM challenge/response that ntlm_auth forwards for
# Dovecot logins crosses the LAN unsealed. Unless an old DC genuinely
# requires this, the default (Yes) is the safer setting.
winbind sealed pipes = No
# Domain users are exposed without the DOMAIN\ prefix.
winbind use default domain = Yes
dns proxy = No
wins server = 192.168.0.1
idmap config * : range = 10000-20000
idmap config * : backend = tdb
printing = lprng
use sendfile = Yes
doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# "doveconf -n" output: only settings that differ from the built-in defaults
# are listed, so anything absent here (disable_plaintext_auth, ssl,
# ssl_protocols, ...) is at its compiled-in default for 2.2.36 — check
# those defaults rather than assuming.
# Throttle on failed logins (brute-force slowdown).
auth_failure_delay = 10 secs
# "user*master" login syntax for the master passdb declared below.
auth_master_user_separator = *
# PLAIN and LOGIN carry the cleartext password and are only safe over TLS.
# NTLM is verified by ntlm_auth/winbind (auth_use_winbind), i.e. by the
# component this thread reports crashing.
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
default_client_limit = 4096
default_process_limit = 512
default_vsz_limit = 512 M
hostname = mail.example.com
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
# NOTE(review): "*" is the IPv4 wildcard only; IPv6 would need "*, ::".
listen = *
login_greeting = Mail server ready.
# NOTE(review): connections from trusted networks may override the client
# IP/port that auth and logging see, and Dovecot does not apply the
# plaintext-auth restriction to them. 192.168.0.0/16 is the whole LAN, not
# just a proxy, so PLAIN/LOGIN without TLS is effectively allowed from any
# LAN host and any LAN host can spoof the IP recorded in auth logs. Narrow
# this to the proxies that need it, or confirm the exposure is intended.
login_trusted_networks = 127.0.0.1/32 192.168.0.0/16
# Single-UID mail store: every mailbox is owned by vmail:vmail under %h
# (home comes from the LDAP userdb, see passdb.conf).
mail_gid = vmail
mail_location = maildir:%h/private
mail_plugins = quota acl listescape zlib
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
# Value wrapped by the mail client; one logical line in the real config.
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext editheader
mbox_write_locks = fcntl
# Public namespace: one shared maildir, with per-user index files under %h.
namespace {
inbox = no
list = children
location = maildir:/var/spool/vmail/_Public/:INDEX=%h/public
prefix = Public Mailboxes/
separator = /
subscriptions = no
type = public
}
# Shared namespace: the "%%" variables refer to the mailbox owner, so the
# location resolves to the owner's private maildir while the indexes stay
# under the accessing user's home.
namespace {
inbox = no
list = children
location = maildir:%%h/private/:INDEX=%h/shared/%%n
prefix = Shared Mailboxes/%%n/
separator = /
subscriptions = no
type = shared
}
# Users' own mailboxes (empty prefix, "/" separator).
namespace inbox {
inbox = yes
list = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox "INBOX/Probably SPAM" {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
subscriptions = yes
type = private
}
# Master users: credentials in passwd.masters; a master can log in as any
# user with "user*master". That file is effectively a key to every mailbox,
# so it must stay unreadable to vmail and other service accounts.
# "pass = yes" additionally requires the target login user to be accepted
# by the passdbs below (per Dovecot docs — confirm for 2.2.36).
passdb {
args = /etc/dovecot/passwd.masters
driver = passwd-file
master = yes
pass = yes
}
# Regular users: LDAP (/etc/dovecot/passdb.conf, shown later in this mail).
passdb {
args = /etc/dovecot/passdb.conf
driver = ldap
}
plugin {
acl = vfile:/etc/dovecot/acls:cache_secs=300
# NOTE(review): lets users grant rights to the special "anyone" identifier,
# i.e. share a mailbox with every user. This is off by default in Dovecot;
# confirm it is wanted.
acl_anyone = allow
acl_shared_dict = file:/var/spool/vmail/_shared-mailboxes-list.db
quota = maildir:Your Mailbox Quota
quota_rule = *:storage=16G
quota_rule2 = Trash:storage=+128M
quota_status_nouser = DUNNO
quota_status_overquota = 552 5.2.2 Mailbox is full
quota_status_success = DUNNO
# "%%" is a literal percent sign in doveconf output.
quota_warning = storage=98%% quota-warning 98 %u
quota_warning2 = storage=90%% quota-warning 90 %u
# Per-user scripts under %h; the global default script runs when the user
# has none. editheader is enabled on top of the default extension set.
sieve = file:%h/sieve;active=%h/active.sieve
sieve_default = /etc/dovecot/default.sieve
sieve_default_name = SystemDefault
sieve_extensions = +editheader
sieve_global = /etc/dovecot/sieve
stats_refresh = 30 secs
stats_track_cmds = yes
# Mails are stored gzip-compressed (level 6).
zlib_save = gz
zlib_save_level = 6
}
postmaster_address = postmaster@example.com
protocols = imap lmtp sieve
service auth {
# Auth socket for Postfix SASL (lives inside Postfix's chroot).
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
# Internal auth sockets opened to vmail / group mail (mode 0660).
unix_listener auth-client {
group = mail
mode = 0660
user = vmail
}
unix_listener auth-master {
group = mail
mode = 0660
user = vmail
}
unix_listener auth-userdb {
group = mail
mode = 0660
user = vmail
}
# NOTE(review): the auth process runs as root here (Dovecot's default is
# an unprivileged internal user). Presumably needed so ntlm_auth can reach
# winbind's privileged pipe — confirm. This is also the process that holds
# the LDAP bind password in memory, and the one the thread reports crashing.
user = root
}
service config {
# NOTE(review): opening the config socket to vmail means any process
# running as vmail (sieve scripts, the quota-warning script, LMTP) can read
# the full parsed configuration, including secrets such as the LDAP dnpass
# from passdb.conf. Dovecot's default keeps this socket root-only; confirm
# that vmail really needs it.
unix_listener config {
mode = 0660
user = vmail
}
}
# Same value as default_vsz_limit above — redundant but harmless.
service imap {
vsz_limit = 512 M
}
# LMTP delivery from Postfix, running as vmail.
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
user = vmail
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
# Legacy ManageSieve port kept for old clients.
inet_listener sieve_deprecated {
port = 2000
}
}
# Postfix policy service for quota checks (DUNNO / 552 responses above).
service quota-status {
client_limit = 1
executable = quota-status -p postfix
unix_listener /var/spool/postfix/private/dovecot-quota-status {
group = postfix
mode = 0660
user = postfix
}
}
# External warning script, runs as vmail.
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
unix_listener quota-warning {
user = vmail
}
user = vmail
}
ssl_cert = </etc/dovecot/cert.pem
# NOTE(review): the cipher list (wrapped by the mail client; one line in the
# real config) still contains four 3DES suites (*DES-CBC3-SHA, SWEET32),
# non-forward-secret RSA key-exchange suites (AES128-GCM-SHA256 ... AES256-SHA)
# and SHA-1 CBC suites, presumably for very old clients. If none are needed,
# drop them and keep only the ECDHE/DHE entries. ssl_protocols is not listed,
# so the 2.2.36 default applies — check that it excludes SSLv3.
ssl_cipher_list =
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
# prefetch reuses the user fields returned by the LDAP passdb lookup at
# login (presumably works because userdb.conf is the same file); the LDAP
# userdb is the fallback for non-login paths such as LMTP and LDA.
userdb {
driver = prefetch
}
userdb {
args = /etc/dovecot/userdb.conf
driver = ldap
}
protocol lmtp {
mail_fsync = optimized
mail_plugins = quota acl listescape zlib sieve
}
# LDA does its userdb lookups through the auth-master socket defined above.
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
mail_fsync = optimized
mail_plugins = quota acl listescape zlib sieve
}
protocol imap {
imap_client_workarounds = delay-newmail
# Cap on concurrent connections per user+IP pair.
mail_max_userip_connections = 64
mail_plugins = quota acl listescape zlib imap_quota imap_acl imap_zlib
}
/etc/dovecot/passdb.conf
# Dovecot LDAP passdb/userdb (userdb.conf is a symlink to this file, so the
# same bind identity and filters serve both lookups).
hosts = ldap.example.com
# Service account used for the initial bind (the value in this mail is a
# placeholder). NOTE(review): the real file must not be readable by vmail;
# note that with the config socket opened to vmail in dovecot.conf the
# value is exposed through doveconf anyway.
dn = cn=mail,ou=Daemons,dc=example,dc=com
dnpass = PASSW0RD
# NOTE(review): simple bind, no SASL, no TLS, and a plain "hosts =" rather
# than an ldaps:// URI: dnpass and every userPassword hash fetched below
# cross the network in clear. Unless the LDAP server is on this host, use
# "tls = yes" (STARTTLS) or "uris = ldaps://...".
sasl_bind = no
tls = no
# auth_bind = no: Dovecot does NOT bind as the user. It reads userPassword
# via the service account (pass_attrs below) and verifies the SSHA hash
# itself (default_pass_scheme). The bind DN therefore needs read access to
# userPassword for every account, which makes a leaked dnpass worth a full
# hash dump.
auth_bind = no
ldap_version = 3
base = ou=Accounts,dc=example,dc=com
# Home is derived from uid; the quota rule is stored in the repurposed
# internationalISDNNumber attribute (%$ = the attribute's value).
# Value wrapped by the mail client; one logical line in the real config.
user_attrs = uid=home=/var/spool/vmail/%$,
internationalISDNNumber=quota_rule=*:bytes=%$
# userdb lookup: match either the short login (%n) on accounts that have a
# mail attribute, or the full address (%u) against mail.
# NOTE(review): pass_filter below matches only uid=%u, so a login with the
# full mail address passes the password check only if uid holds that
# address — confirm this asymmetry is intended.
user_filter =
(&(objectClass=inetOrgPerson)(|(&(uid=%n)(mail=*))(mail=%u)))
pass_attrs = uid=user,userPassword=password
# passdb lookup (wrapped by the mail client; one logical line). Beyond
# requiring a mail attribute it excludes *.local addresses, accepts only
# accounts whose sambaAcctFlags are absent or exactly one of the bracketed
# [U ] / [UX ] / [HU ] / [HUX ] values (so accounts carrying D/L flags —
# disabled or locked — cannot log in), and treats postOfficeBox=disabled
# as a local kill switch. sambaAcctFlags is a fixed-width, space-padded
# string and the archive rendering collapsed that padding, so copy these
# values from the live file, not from this message.
pass_filter =
(&(objectClass=inetOrgPerson)(uid=%u)(mail=*)(!(mail=*.local))(|(!(sambaAcctFlags=*))(sambaAcctFlags=[U
])(sambaAcctFlags=[UX ])(sambaAcctFlags=[HU
])(sambaAcctFlags=[HUX ]))(!(postOfficeBox=disabled)))
default_pass_scheme = SSHA
# User enumeration (doveadm user '*', etc.).
iterate_attrs = uid=user
iterate_filter = (&(objectClass=inetOrgPerson)(mail=*))
/etc/dovecot/userdb.conf — симлинк на passdb.conf (т.е. userdb-запросы идут под той же сервисной учётной записью (dn/dnpass) и с теми же фильтрами)