Dovecot

New Dovecot install does not allow login, gives permission errors despite saying permissions "appear ok"

  • March 7, 2016

I am installing dovecot onto a VirtualBox VM running an Ubuntu Server 64-bit 14.04 guest. Dovecot itself is being installed into a Docker container (I'm not sure whether this is relevant, but I note it just in case). I cannot get dovecot to let me log in via telnet to test user authentication with a passwd file.

Dovecot itself seems to have installed fine. I have started it with "sudo dovecot" and am now trying to test it following the wiki guide at http://wiki2.dovecot.org/TestInstallation.

Inside the container I type "telnet localhost 143". Dovecot responds with

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready.

I then type

a login "test" "test"

but get the following output:

a NO [AUTHENTICATIONFAILED] Authentication failed.

I have confirmed that this command works on an existing (working) Ubuntu 12.04 dovecot server with a similar passwd file in /etc/dovecot/users.

The /etc/dovecot/users file contains the following line:

test:{SHA512-CRYPT}$6$PHmKiepXqf1vbk7u$.ruON3KVGW7LfuqxAFKG3kG5O0s3tocK5jpbaMH2Qh9scnjj.RENQ230ulYXgp9SEaZbJjFlD9HJdA6o4wVIJ1::::/home/dovecot-user/Maildir/test

The user here is called "test" and the password is "test".

The dovecot log file contains the following:

Aug 04 08:49:18 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 04 08:49:18 imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 04 08:49:18 auth: Error: passwd-file: open(/etc/dovecot/users) failed: Permission denied (euid=102(dovecot) egid=106(dovecot) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?))
Aug 04 08:49:18 auth: Error: passwd-file: open(/etc/dovecot/users) failed: Permission denied (euid=102(dovecot) egid=106(dovecot) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?))
Aug 04 08:49:23 auth: Error: passwd-file(test,::1,<4V3V0Mn/5QAAAAAAAAAAAAAAAAAAAAAB>): stat(/etc/dovecot/users) failed: Permission denied (euid=102(dovecot) egid=106(dovecot) missing +x perm: /etc/dovecot, UNIX perms appear ok (ACL/MAC wrong?))
Aug 04 08:49:26 imap-login: Info: Disconnected: Too many invalid commands (auth failed, 1 attempts in 3 secs): user=<test>, method=PLAIN, rip=::1, lip=::1, secured, session=<4V3V0Mn/5QAAAAAAAAAAAAAAAAAAAAAB>

I have not found anything that fixes this, including changing the permissions on the files in /etc/dovecot/ and /home/dovecot-user/Maildir/ to be as permissive as possible, and chown-ing the files to dovecot:dovecot, root:root and dovecot-user:dovecot-user. Currently the file permissions are as follows:

ls -lR /etc/dovecot:

/etc/dovecot/dovecot:
-rwxrwx--- 1 dovecot dovecot  116 Aug  3 20:07 README
drwxrwx--- 2 dovecot dovecot 4096 Aug  4 08:45 conf.d
-rwxrwx--- 1 dovecot dovecot  410 Aug  3 20:07 dovecot-db.conf.ext
-rwxrwx--- 1 dovecot dovecot  782 Aug  3 20:07 dovecot-dict-sql.conf.ext
-rwxrwx--- 1 dovecot dovecot 5348 Aug  3 20:07 dovecot-sql.conf.ext
-rwxrwx--- 1 dovecot dovecot 3794 Aug  3 20:07 dovecot.conf
-rwxrwx--- 1 dovecot dovecot 3795 Aug  3 20:07 dovecot.conf.factory_settings
-rw-r--r-- 1 dovecot dovecot 1314 Aug  3 22:02 dovecot.pem
drwx------ 2 dovecot dovecot 4096 Aug  4 03:53 private
-rwxr-xr-x 1 dovecot dovecot  357 Aug  4 08:23 users
/etc/dovecot/conf.d:
total 108
-rwxrwx--- 1 dovecot dovecot  5258 Aug  3 20:07 10-auth.conf
-rwxrwx--- 1 dovecot dovecot  1691 Aug  3 20:07 10-director.conf
-rwxrwx--- 1 dovecot dovecot  2650 Aug  4 03:50 10-logging.conf
-rwxrwx--- 1 dovecot dovecot 14476 Aug  3 20:07 10-mail.conf
-rwxrwx--- 1 dovecot dovecot  2920 Aug  3 20:07 10-master.conf
-rwxrwx--- 1 dovecot dovecot  1654 Aug  3 20:07 10-ssl.conf
-rwxrwx--- 1 dovecot dovecot  1654 Aug  3 20:07 10-ssl.conf.save
-rw-r--r-- 1 dovecot dovecot   291 May 14 18:11 10-tcpwrapper.conf
-rwxrwx--- 1 dovecot dovecot  1607 Aug  3 20:07 15-lda.conf
-rw-r--r-- 1 dovecot dovecot  1137 May 14 18:11 15-mailboxes.conf
-rwxrwx--- 1 dovecot dovecot  2402 Aug  3 20:07 20-imap.conf
-rw-r--r-- 1 dovecot dovecot  4007 May 14 18:11 20-pop3.conf
-rwxrwx--- 1 dovecot dovecot   676 Aug  3 20:07 90-acl.conf
-rwxrwx--- 1 dovecot dovecot   292 Aug  3 20:07 90-plugin.conf
-rwxrwx--- 1 dovecot dovecot  2251 Aug  3 20:07 90-quota.conf
-rw-r--r-- 1 dovecot dovecot   499 May 14 18:11 auth-checkpassword.conf.ext
-rwxrwx--- 1 dovecot dovecot   486 Aug  3 20:07 auth-deny.conf.ext
-rwxrwx--- 1 dovecot dovecot   558 Aug  3 20:07 auth-master.conf.ext
-rwxrwx--- 1 dovecot dovecot   329 Aug  4 03:45 auth-passwdfile.conf.ext
-rw-r--r-- 1 dovecot dovecot   788 May 14 18:11 auth-sql.conf.ext
-rwxrwx--- 1 dovecot dovecot   608 Aug  3 20:07 auth-static.conf.ext
-rwxrwx--- 1 dovecot dovecot  2106 Aug  3 20:07 auth-system.conf.ext
-rwxrwx--- 1 dovecot dovecot   327 Aug  3 20:07 auth-vpopmail.conf.ext

ls -lR /home/dovecot-user/Maildir/:

/home/dovecot-user/Maildir/:
total 4
drwx------ 10 dovecot-user dovecot-user 4096 Aug  4 03:45 test

/home/dovecot-user/Maildir/test:
total 12
drwx------ 2 dovecot-user dovecot-user 4096 Aug  4 03:45 cur
drwx------ 2 dovecot-user dovecot-user 4096 Aug  4 03:45 new
drwx------ 2 dovecot-user dovecot-user 4096 Aug  4 03:45 tmp

Output of dovecot -n:

# 2.2.9: /etc/dovecot/dovecot.conf  
doveconf: Error: setmntent(/etc/mtab) failed: No such file or directory  
# OS: Linux 3.13.0-32-generic x86_64 Ubuntu 14.04.1 LTS  
first_valid_uid = 8
last_valid_uid = 1001
log_path = /testout
mail_gid = 1000
mail_location = maildir:/home/dovecot-user/Maildir/%u
mail_privileged_group = mail
mail_uid = 1000
namespace {
 inbox = yes
 location = 
 prefix = 
 separator = /
 type = private
}
namespace inbox {
 location = 
 mailbox Drafts {
   special_use = \Drafts
 }
 mailbox Junk {
   special_use = \Junk
 }
 mailbox Sent {
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   special_use = \Sent
 }
 mailbox Trash {
   special_use = \Trash
 }
 prefix = 
}
passdb {
 args = scheme=CRYPT username_format=%u /etc/dovecot/users
 driver = passwd-file
}
protocols = " imap pop3"
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
 args = username_format=%u /etc/dovecot/users
 driver = passwd-file
}
verbose_ssl = yes

I'm not sure whether this is a file permission issue, an apparmor issue or a selinux issue, nor how to go about debugging and fixing it. Over the past few years I've seen almost a dozen forum posts about this, but no well-documented fix. So I think this problem is not unique to me, and I hope to get some help here that will be well documented for the future.

I'm not sure whether this is actually an AppArmor issue (following @André-Daniel's comment above), since turning off/uninstalling AppArmor did not help with the error message. For the record, though, I found a way to solve the problem. The fix involves several components:

  1. Make sure a valid uid and gid are set in /etc/dovecot/conf.d/10-mail.conf (e.g. the user whose Maildir directory is stored in their home directory)
  2. Make sure all files in the Maildir directory are owned by that uid and gid (chown --recursive $(id -u):$(id -g) /home/username/Maildir)
  3. Store the user/password file outside /etc/dovecot, where the user from (1) above can access it. After doing this and chown-ing it as in (2) above, I started getting a separate error message in the dovecot log about duplicate namespaces.
  4. I resolved the error from (3) above by following https://workaround.org/comment/3326#comment-3326, which suggests adding "inbox = yes" to the "namespace inbox {..." section of /etc/dovecot/conf.d/15-mailboxes.conf and commenting out the entire "namespace" section in /etc/dovecot/conf.d/10-mail.conf
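As an added example (not code from the question or the answer above), the following POSIX shell helpers cover the two permission points the thread raises. The first reproduces the check behind the log's "missing +x perm: /etc/dovecot" diagnostic: it walks every ancestor directory of a path and reports the first one a given user cannot traverse, using only the classic mode bits, so a denial that persists when it passes points at ACLs or a MAC layer, which is what the "(ACL/MAC wrong?)" hint means. The second addresses something the listing above shows but the thread does not discuss: /etc/dovecot/users is -rwxr-xr-x, so the password hashes are readable by every local account; it restricts the file to 0640 and verifies the result. The user and group names, paths and the function names are assumptions for illustration; in the log the auth process runs as euid=102(dovecot) egid=106(dovecot).

```sh
#!/bin/sh
# Added example, not code from the question or answer. Two helpers for the
# situation in the log above: the auth process (euid=102 dovecot) could not
# traverse /etc/dovecot, and the passwd file itself was world-readable.

# Return 0 if "$1" (a group name) is among the remaining arguments.
in_list() {
  needle=$1
  shift
  for g in "$@"; do
    [ "$g" = "$needle" ] && return 0
  done
  return 1
}

# missing_traverse_perm USER PATH
# Walks every ancestor directory of PATH and reports the first one USER cannot
# traverse, i.e. the directory whose owner/group/other execute bit does not
# apply to USER. This mirrors what Dovecot means by "missing +x perm: DIR".
# Exit status 0 when all ancestors are traversable, 1 otherwise (offender printed).
# Only the classic mode bits are checked; if this passes but access is still
# denied, look at ACLs or a MAC layer (AppArmor/SELinux).
missing_traverse_perm() {
  user=$1
  path=$2
  # Groups of USER. An unknown user (e.g. a uid the container's passwd does not
  # know) yields none, so only the "other" bits apply to it.
  groups=$(id -Gn "$user" 2>/dev/null || true)
  dir=$(dirname "$path")
  while :; do
    # Fields of `ls -ld`: 1 = mode string, 3 = owner, 4 = group.
    set -- $(ls -ld "$dir")
    mode=$1 owner=$3 group=$4
    if [ "$owner" = "$user" ]; then
      bit=$(printf '%s' "$mode" | cut -c4)    # owner execute bit
    elif in_list "$group" $groups; then
      bit=$(printf '%s' "$mode" | cut -c7)    # group execute bit
    else
      bit=$(printf '%s' "$mode" | cut -c10)   # other execute bit
    fi
    case $bit in
      x|s|t) ;;   # s/t: execute bit set together with setgid/sticky
      *)
        printf 'missing +x perm for %s: %s (mode %s, owner %s:%s)\n' \
          "$user" "$dir" "$mode" "$owner" "$group"
        return 1
        ;;
    esac
    if [ "$dir" = / ]; then
      return 0
    fi
    dir=$(dirname "$dir")
  done
}

# harden_passwd_file FILE
# The listing above shows /etc/dovecot/users as -rwxr-xr-x, which leaves the
# password hashes readable by every local account. Restrict it to owner
# read/write plus group read (0640). The file should then be owned by root with
# the group Dovecot's auth process runs as (egid=106 dovecot in the log), e.g.
#   chown root:dovecot /path/to/users
# Exit status 0 when the resulting mode is -rw-r-----.
harden_passwd_file() {
  f=$1
  chmod 0640 "$f" || return 1
  set -- $(ls -ld "$f")
  case $1 in
    -rw-r-----*) return 0 ;;   # a trailing '+'/'@' marks ACLs/xattrs on some systems
    *) return 1 ;;
  esac
}

# Usage for the paths in the question (run as root on the Dovecot host):
#   missing_traverse_perm dovecot /etc/dovecot/users
#   harden_passwd_file /etc/dovecot/users
```

Run the traversal check as the user Dovecot's auth process is configured to run as; if it names a directory, fixing that directory's execute bit (or moving the passwd file out from under it, as the answer did) is the remedy, and if it names nothing the denial comes from outside the classic permission bits.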

Quoted from: https://serverfault.com/questions/617715