From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mav@elserv.msk.su>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
 sa.local.altlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
 T_FILL_THIS_FORM_SHORT autolearn=ham autolearn_force=no version=3.4.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit
Date: Wed, 25 Jul 2018 17:12:35 +0300
From: =?UTF-8?Q?=D0=9C=D0=BE=D1=81=D0=BA=D0=B0=D0=BB=D0=B5=D0=BD=D0=BA?=
 =?UTF-8?Q?=D0=BE_=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B5=D0=B9_=D0=92=D0=BB?=
 =?UTF-8?Q?=D0=B0=D0=B4=D0=B8=D0=BC=D0=B8=D1=80=D0=BE=D0=B2=D0=B8=D1=87?=
 <mav@elserv.msk.su>
To: sysadmins@lists.altlinux.org
In-Reply-To: <7152466.G7TKxFiOou@zerg.malta.altlinux.ru>
References: <aef8354f0713b76d62d4c13f31400f6c@elserv.msk.su>
 <1789922.odM1gfhK1E@zerg.malta.altlinux.ru>
 <c2f7bd4697a812275828356d8de7513a@elserv.msk.su>
 <7152466.G7TKxFiOou@zerg.malta.altlinux.ru>
Message-ID: <c2bfe1d54c1f0057d2a36c027abdda59@elserv.msk.su>
X-Sender: mav@elserv.msk.su
Subject: Re: [Sysadmins] =?utf-8?b?0J/QtdGA0LjQvtC00LjRh9C10YHQutC40LUg0L8=?=
 =?utf-8?b?0LDQtNC10L3QuNGPIGRvdmVjb3QtYXV0aCDQuCBudGxtX2F1dGggLSBQOA==?=
X-BeenThere: sysadmins@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux sysadmins' discussion <sysadmins@lists.altlinux.org>
List-Id: ALT Linux sysadmins' discussion <sysadmins.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/sysadmins>,
 <mailto:sysadmins-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/sysadmins>
List-Post: <mailto:sysadmins@lists.altlinux.org>
List-Help: <mailto:sysadmins-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/sysadmins>,
 <mailto:sysadmins-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 14:12:38 -0000
Archived-At: <http://lore.altlinux.org/sysadmins/c2bfe1d54c1f0057d2a36c027abdda59@elserv.msk.su/>
List-Archive: <http://lore.altlinux.org/sysadmins/>

Sergey V Turchin писал 25.07.2018 16:18:
>> С новым dovecot ntlm_auth (ожидаемо) один раз уже упал.
> А можно ли описать примерный сценарий, чтоб попробовать воспроизвести?

Сценарий довольно обычный. Есть домен на самбе (все еще в режиме NT4) с 
пользователями в openLDAP. Dovecot берет пользователей из доменного 
LDAP, авторизуя их самостоятельно с помощью LDAP bind по алгоритмам 
PLAIN и LOGIN и используя ntlm_auth для авторизации их же по NTLM. На 
той же машине установлен winbind, введенный в домен. Вся почтовая 
система работает под одним пользователем vmail. Используется sieve. 
Вроде никаких особенностей...

smb.conf
[global]
	netbios name = MAIL
	server string = Mail server
	workgroup = DOMAIN
	domain master = No
	local master = No
	os level = 1
	preferred master = No
	log file = /var/log/samba/log.%m
	max log size = 50
	load printers = No
	printcap name = /dev/null
	client ipc signing = if_required
	client signing = if_required
	password server = 192.168.0.1
	security = DOMAIN
	server signing = if_required
	smb passwd file = /etc/samba/smbpasswd
	idmap gid = 10000-20000
	idmap uid = 10000-20000
	template shell = /sbin/nologin
	winbind sealed pipes = No
	winbind use default domain = Yes
	dns proxy = No
	wins server = 192.168.0.1
	idmap config * : range = 10000-20000
	idmap config * : backend = tdb
	printing = lprng
	use sendfile = Yes

doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
default_client_limit = 4096
default_process_limit = 512
default_vsz_limit = 512 M
hostname = mail.example.com
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = *
login_greeting = Mail server ready.
login_trusted_networks = 127.0.0.1/32 192.168.0.0/16
mail_gid = vmail
mail_location = maildir:%h/private
mail_plugins = quota acl listescape zlib
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext editheader
mbox_write_locks = fcntl
namespace {
   inbox = no
   list = children
   location = maildir:/var/spool/vmail/_Public/:INDEX=%h/public
   prefix = Public Mailboxes/
   separator = /
   subscriptions = no
   type = public
}
namespace {
   inbox = no
   list = children
   location = maildir:%%h/private/:INDEX=%h/shared/%%n
   prefix = Shared Mailboxes/%%n/
   separator = /
   subscriptions = no
   type = shared
}
namespace inbox {
   inbox = yes
   list = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox "INBOX/Probably SPAM" {
     auto = subscribe
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
   separator = /
   subscriptions = yes
   type = private
}
passdb {
   args = /etc/dovecot/passwd.masters
   driver = passwd-file
   master = yes
   pass = yes
}
passdb {
   args = /etc/dovecot/passdb.conf
   driver = ldap
}
plugin {
   acl = vfile:/etc/dovecot/acls:cache_secs=300
   acl_anyone = allow
   acl_shared_dict = file:/var/spool/vmail/_shared-mailboxes-list.db
   quota = maildir:Your Mailbox Quota
   quota_rule = *:storage=16G
   quota_rule2 = Trash:storage=+128M
   quota_status_nouser = DUNNO
   quota_status_overquota = 552 5.2.2 Mailbox is full
   quota_status_success = DUNNO
   quota_warning = storage=98%% quota-warning 98 %u
   quota_warning2 = storage=90%% quota-warning 90 %u
   sieve = file:%h/sieve;active=%h/active.sieve
   sieve_default = /etc/dovecot/default.sieve
   sieve_default_name = SystemDefault
   sieve_extensions = +editheader
   sieve_global = /etc/dovecot/sieve
   stats_refresh = 30 secs
   stats_track_cmds = yes
   zlib_save = gz
   zlib_save_level = 6
}
postmaster_address = postmaster@example.com
protocols = imap lmtp sieve
service auth {
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0660
     user = postfix
   }
   unix_listener auth-client {
     group = mail
     mode = 0660
     user = vmail
   }
   unix_listener auth-master {
     group = mail
     mode = 0660
     user = vmail
   }
   unix_listener auth-userdb {
     group = mail
     mode = 0660
     user = vmail
   }
   user = root
}
service config {
   unix_listener config {
     mode = 0660
     user = vmail
   }
}
service imap {
   vsz_limit = 512 M
}
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
     mode = 0660
     user = postfix
   }
   user = vmail
}
service managesieve-login {
   inet_listener sieve {
     port = 4190
   }
   inet_listener sieve_deprecated {
     port = 2000
   }
}
service quota-status {
   client_limit = 1
   executable = quota-status -p postfix
   unix_listener /var/spool/postfix/private/dovecot-quota-status {
     group = postfix
     mode = 0660
     user = postfix
   }
}
service quota-warning {
   executable = script /usr/local/bin/dovecot-quota-warning.sh
   unix_listener quota-warning {
     user = vmail
   }
   user = vmail
}
ssl_cert = </etc/dovecot/cert.pem
ssl_cipher_list = 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
   driver = prefetch
}
userdb {
   args = /etc/dovecot/userdb.conf
   driver = ldap
}
protocol lmtp {
   mail_fsync = optimized
   mail_plugins = quota acl listescape zlib sieve
}
protocol lda {
   auth_socket_path = /var/run/dovecot/auth-master
   mail_fsync = optimized
   mail_plugins = quota acl listescape zlib sieve
}
protocol imap {
   imap_client_workarounds = delay-newmail
   mail_max_userip_connections = 64
   mail_plugins = quota acl listescape zlib imap_quota imap_acl imap_zlib
}


/etc/dovecot/passdb.conf
hosts = ldap.example.com
dn = cn=mail,ou=Daemons,dc=example,dc=com
dnpass = PASSW0RD
sasl_bind = no
tls = no
auth_bind = no
ldap_version = 3
base = ou=Accounts,dc=example,dc=com
user_attrs = uid=home=/var/spool/vmail/%$, 
internationalISDNNumber=quota_rule=*:bytes=%$
user_filter = 
(&(objectClass=inetOrgPerson)(|(&(uid=%n)(mail=*))(mail=%u)))
pass_attrs = uid=user,userPassword=password
pass_filter = 
(&(objectClass=inetOrgPerson)(uid=%u)(mail=*)(!(mail=*.local))(|(!(sambaAcctFlags=*))(sambaAcctFlags=[U 
          ])(sambaAcctFlags=[UX         ])(sambaAcctFlags=[HU         
])(sambaAcctFlags=[HUX        ]))(!(postOfficeBox=disabled)))
default_pass_scheme = SSHA
iterate_attrs = uid=user
iterate_filter = (&(objectClass=inetOrgPerson)(mail=*))

/etc/dovecot/userdb.conf - симлинк на passdb.conf