Last updated: 2017-04-18
Version 1
Settings
auth default {
  ....................
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail # User running Dovecot LDA
      #group = vmail # Or alternatively mode 0660 + LDA user in this group
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
  ....................
}
Log Username
Postfix's own log does not record the username when a SASL login fails; it only shows the client address and the mechanism.
To get the attempted username logged, set auth_verbose = yes in Dovecot, which makes the auth worker log it:
...
postfix/smtpd[29609]: connect from unknown[59.188.xxx.xxx]
...
dovecot: auth-worker(default): sql([email protected],59.188.xxx.xxx): Password mismatch
...
postfix/smtpd[29609]: warning: unknown[59.188.xxx.xxx]: SASL PLAIN authentication failed:
...
postfix/smtpd[29609]: lost connection after AUTH from unknown[59.188.xxx.xxx]
...
postfix/smtpd[29609]: disconnect from unknown[59.188.xxx.xxx]
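The point of the two log sources above is that only the Dovecot auth-worker line carries the username. The following is an added example (not from the original page) that shows what a practitioner can do with that: a small sh/awk script that counts SASL failures from the Postfix lines (IP only) and from the Dovecot lines (IP and username), and flags addresses that reach a failure threshold, the usual input for a fail2ban-style block. The log lines, IP addresses, usernames and the threshold are constructed for the example; only the line format is taken from the page.

```shell
#!/bin/sh
# Added example: correlate Dovecot and Postfix SASL failures from a syslog file.
# Postfix lines carry only the client IP; the username appears only in the
# Dovecot auth-worker lines that auth_verbose = yes produces.
# The log below is constructed for this example (format copied from the page).

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 18 10:00:01 mx postfix/smtpd[29609]: connect from unknown[59.188.1.1]
Apr 18 10:00:02 mx dovecot: auth-worker(default): sql(alice@example.com,59.188.1.1): Password mismatch
Apr 18 10:00:02 mx postfix/smtpd[29609]: warning: unknown[59.188.1.1]: SASL PLAIN authentication failed:
Apr 18 10:00:03 mx dovecot: auth-worker(default): sql(bob@example.com,59.188.1.1): Password mismatch
Apr 18 10:00:03 mx postfix/smtpd[29609]: warning: unknown[59.188.1.1]: SASL LOGIN authentication failed:
Apr 18 10:00:04 mx dovecot: auth-worker(default): sql(alice@example.com,59.188.1.1): Password mismatch
Apr 18 10:00:04 mx postfix/smtpd[29609]: warning: unknown[59.188.1.1]: SASL PLAIN authentication failed:
Apr 18 10:00:05 mx postfix/smtpd[29609]: lost connection after AUTH from unknown[59.188.1.1]
Apr 18 10:01:00 mx dovecot: auth-worker(default): sql(carol@example.com,10.0.0.5): Password mismatch
Apr 18 10:01:00 mx postfix/smtpd[29610]: warning: unknown[10.0.0.5]: SASL PLAIN authentication failed:
EOF

# Postfix view: failures per client IP. No username is available here.
# Output: "<ip> <count>", sorted.
postfix_sasl_failures() {
  awk '/postfix\/smtpd.*SASL .* authentication failed/ {
         s = $0; sub(/.*warning: [^[]*\[/, "", s); sub(/\].*/, "", s)
         n[s]++
       }
       END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

# Dovecot view: failures per (client IP, username), parsed from the
# "sql(<user>,<ip>): Password mismatch" auth-worker lines.
# Output: "<ip> <user> <count>", sorted.
dovecot_sasl_failures() {
  awk '/dovecot: auth-worker.*Password mismatch/ {
         s = $0; sub(/.*sql\(/, "", s); sub(/\).*/, "", s)
         split(s, p, ","); n[p[2] " " p[1]]++
       }
       END { for (k in n) print k, n[k] }' "$1" | sort
}

# IPs whose failures across all usernames reach the threshold $2:
# the trigger for a temporary firewall block (fail2ban-style).
brute_force_ips() {
  dovecot_sasl_failures "$1" |
    awk -v t="$2" '{ c[$1] += $3 } END { for (ip in c) if (c[ip] >= t) print ip, c[ip] }' |
    sort
}

echo "== Postfix failures per IP";        postfix_sasl_failures "$SAMPLE_LOG"
echo "== Dovecot failures per IP/user";   dovecot_sasl_failures "$SAMPLE_LOG"
echo "== IPs at or above 3 failures";     brute_force_ips "$SAMPLE_LOG" 3
```

Run against a real file with `dovecot_sasl_failures /var/log/mail.log`; the per-user breakdown is what tells a password-spray (many users, one IP) apart from a single mistyped password.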
Troubleshoot
Apr 9 08:23:13 smtpgw2 postfix-12/smtpd[10039]: fatal: no SASL authentication mechanisms
Apr 9 08:24:08 smtpgw2 dovecot: auth: Error: auth worker: Aborted request: Lookup timed out
Apr 9 08:24:09 smtpgw2 dovecot: auth: Error: auth worker: Aborted request: Worker process died unexpectedly
Fix: enable the auth cache so the passdb/userdb backend is not queried on every login, allow more auth workers, and make sure auth_mechanisms is not empty (Postfix aborts with "no SASL authentication mechanisms" when Dovecot offers none):
# Each cache entry is roughly "passdb: 50 bytes, userdb: 200 bytes"
# 0 disables caching (default)
auth_cache_size = 8M
auth_cache_ttl = 48 hour
# TTL for lookups that returned no data (i.e. the user doesn't exist)
auth_cache_negative_ttl = 1 hour
auth_worker_max_count = 512
# delay before a failure is reported to the client; slows down password guessing
auth_failure_delay = 2 secs
auth_mechanisms = plain login
!include auth-system.conf.ext
pam driver
Setting:
passdb {
  driver = pam
  # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
  # [cache_key=<key>] [<service name>]
  #args = dovecot
}
Default Setting:
/etc/pam.d/dovecot
auth required pam_unix.so nullok
account required pam_unix.so
OR
@include common-auth
@include common-account
@include common-session
Use /etc/pam.d/imap and /etc/pam.d/pop3 (%s expands to the Dovecot service name, so SMTP AUTH from Postfix uses /etc/pam.d/smtp)
passdb {
  driver = pam
  args = %s
}
Use /etc/pam.d/mail
passdb {
  driver = pam
  args = mail
}
Limiting the number of PAM lookups:
# limit the number of lookups done by the auth worker process before it dies
passdb {
  driver = pam
  args = max_requests=512 dovecot
}
* args: Arguments for the passdb backend. The format of this value depends on the passdb driver.
SQL: https://wiki.dovecot.org/AuthDatabase/SQL
If all the passwords are in the same format, you can use default_pass_scheme to specify it.
Otherwise each password needs to be prefixed with "{password-scheme}",
for example "{plain}plaintext-password".
Postfix using Dovecot for SASL authentication
main.cf
# smtpd_* settings apply to the SMTP server (incoming AUTH); the smtp_* variants
# configure Postfix as an SMTP client and do not enable server-side SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
# relative to queue_directory (/var/spool/postfix); must match the Dovecot client socket path above
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    ........................................
    reject_unauth_destination
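Once Postfix hands AUTH to Dovecot, the quickest end-to-end check is to speak SMTP AUTH to the server yourself. The following is an added example, not from the original page: shell functions that build and decode the tokens the PLAIN and LOGIN mechanisms carry (the mechanisms listed in auth_mechanisms above), plus a function that performs a test login over STARTTLS. The credentials test/testpass, the hostname and the port are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: build and decode SASL PLAIN/LOGIN tokens and run a test
# AUTH against an MTA over STARTTLS. test/testpass, mail.example.org and
# port 587 are placeholders for this example.

# AUTH PLAIN sends base64("\0" + username + "\0" + password) on one line
# (the leading authorization identity is left empty). The credentials are
# only encoded, not encrypted, which is why AUTH belongs inside TLS only.
sasl_plain_token() {
  printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Recover the username from a captured AUTH PLAIN token (for instance from a
# packet capture of a plain-text session): field 2 of the NUL-separated triple.
sasl_plain_user() {
  printf '%s' "$1" | base64 -d | tr '\0' '\n' | sed -n '2p'
}

# AUTH LOGIN sends username and password as two separate base64 lines.
sasl_login_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Log in to an MTA over STARTTLS and print the server's replies; a
# "235 2.7.0 Authentication successful" line means Postfix accepted the
# credentials via Dovecot. openssl does the EHLO/STARTTLS exchange itself.
smtp_auth_test() {
  host=$1; port=$2; user=$3; pass=$4
  token=$(sasl_plain_token "$user" "$pass")
  {
    sleep 1; printf 'EHLO test.example\r\n'
    sleep 1; printf 'AUTH PLAIN %s\r\n' "$token"
    sleep 1; printf 'QUIT\r\n'; sleep 1
  } | openssl s_client -connect "$host:$port" -starttls smtp -quiet 2>/dev/null
}

echo "AUTH PLAIN token for test/testpass: $(sasl_plain_token test testpass)"
echo "username inside that token:         $(sasl_plain_user "$(sasl_plain_token test testpass)")"
echo "AUTH LOGIN line for the password:   $(sasl_login_token testpass)"
# Against a real server: smtp_auth_test mail.example.org 587 testuser 'secret'
```

If the reply is "535 5.7.8 Error: authentication failed", check the Dovecot auth-worker log line from the section above, and if auth_default_realm is in use, try the bare username as well as user@domain.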
Version 2
dovecot --version
2.1.17
conf.d/10-logging.conf
#log_path = syslog
log_path = /var/log/dovecot.log
auth_verbose = yes
conf.d/10-master.conf
service auth {
  inet_listener {
    address = 127.0.0.1
    port = 12345
  }
}
# Postfix then points at it with smtpd_sasl_path = inet:127.0.0.1:12345; when both
# run on the same host a unix_listener under /var/spool/postfix/private/ is the usual choice.
Testing (the doveadm CLI is only available in version 2):
doveadm user testuser
userdb: testuser
  system_groups_user: testuser
  uid       : 1001
  gid       : 1001
  home      : /home/testuser
doveadm auth testuser
Password:
passdb: testuser auth succeeded
extra fields:
  user=testuser
Authenticating without the domain
# /etc/dovecot/dovecot.conf
# Append this domain name if client gives empty realm.
auth_default_realm = datahunter.org
* Once Dovecot handles SASL authentication, no Postfix setting needs to change for this.
# /var/www/roundcubemail/config/config.inc.php
$config['username_domain'] = 'datahunter.org';