dovecot: auth: Error ldap_search failed: Operations error #3785

MohammedNoureldin · 2024-01-16T17:48:59Z

MohammedNoureldin
Jan 16, 2024

Hi,

Have anyone got any similar error? Or do you have any idea how to debug such errors? I have been trying for many hours to figure out what is wrong, but with no luck. The weird thing is that I am using a setup that used to be working (most likely).

This issue happens as soon as I try to login using a mail client to the mail server.

Here is the full log of one of the setups I tried, here I enabled the debug to see the env vars:
UPDATE - I increased the verbosity of Dovecot and updated the log below:

root@control-plane-01:~# kubectl logs -n mail-server -f mailserver-5f5b9c9b7-6xvzz
Defaulted container "mailserver" out of: mailserver, metrics-exporter
[  DEBUG  ]  Handling general environment variable setup
[   INF   ]  Welcome to docker-mailserver 12.1.0
[  DEBUG  ]  Registering functions
[  DEBUG  ]  Setting LDAP-related environment variables now
[  DEBUG  ]  Setting SASLAUTHD-related environment variables now
[   INF   ]  Checking configuration
[  DEBUG  ]  Checking for improper restart
[  DEBUG  ]  Checking that hostname/domainname is provided or overridden
[  DEBUG  ]  Domain has been set to DOMAIN.com
[  DEBUG  ]  Hostname has been set to mail.DOMAIN.com
[   INF   ]  Configuring mail server
[  DEBUG  ]  Setting up general log files
[  DEBUG  ]  Setting timezone to 'Europe/Vienna'
[  DEBUG  ]  Setting up Dovecot
[  DEBUG  ]  Setting up Dovecot dhparam
[  DEBUG  ]  Setting up Dovecot quota
[  DEBUG  ]  Setting up LDAP
[  DEBUG  ]  Setting up SASLAUTHD
[  DEBUG  ]  Disabling OpenDKIM
[  DEBUG  ]  Disabling OpenDMARC
[  DEBUG  ]  Disabling policyd-spf
[  DEBUG  ]  Setting up Security Stack
[  DEBUG  ]  Postgrey is disabled
[  DEBUG  ]  Configuring Postscreen
[  DEBUG  ]  Disabling Postscreen DNSBLs
[  DEBUG  ]  SpamAssassin is disabled
[  DEBUG  ]  Disabling ClamAV
[  DEBUG  ]  Fail2Ban is disabled
[  DEBUG  ]  Disabling Amavis
[  DEBUG  ]  Spam emails will be moved to the Junk folder
sievec: Debug: Effective uid=0, gid=0, home=/root
[  DEBUG  ]  Enabling and configuring Rspamd
[  DEBUG  ]  (Rspamd setup) Found directory '/tmp/docker-mailserver/rspamd/override.d/' - linking it to '/etc/rspamd/override.d'
[  DEBUG  ]  (Rspamd setup) Internal Redis is enabled, adding configuration
[  DEBUG  ]  (Rspamd setup) Adjusting Postfix's configuration
[  DEBUG  ]  (Rspamd setup) Rspamd will not use ClamAV (which has not been enabled)
[  DEBUG  ]  (Rspamd setup) Disabling default modules
[  DEBUG  ]  (Rspamd setup) Intelligent learning of spam and ham is disabled
[  DEBUG  ]  (Rspamd setup) Greylisting is disabled
[  DEBUG  ]  (Rspamd setup) Hfilter (group) module is enabled
[  DEBUG  ]  (Rspamd setup) Found file '/tmp/docker-mailserver/rspamd/custom-commands.conf' - parsing and applying it
[  DEBUG  ]  Setting up SSL
[  DEBUG  ]  TLS configured with 'modern' ciphers
[  DEBUG  ]  Configuring certificates using key /secrets/ssl/rsa/tls.key and cert /secrets/ssl/rsa/tls.crt
[  DEBUG  ]  Setting up PERMIT_DOCKER option
[  DEBUG  ]  Setting up mailname and creating '/etc/mailname'
[  DEBUG  ]  Applying hostname to Dovecot
[  DEBUG  ]  Configuring Postfix (early setup)
[  DEBUG  ]  '/tmp/docker-mailserver/postfix-virtual.cf' not provided - no mail alias/forward created
[  DEBUG  ]  Setting up Postfix dhparam
[  DEBUG  ]  Fetchmail is disabled
[  DEBUG  ]  Fetchmail parallel is disabled
[  DEBUG  ]  Configuring Postfix (late setup)
[  DEBUG  ]  Setting up Postfix Relay Hosts
[  DEBUG  ]  (Postfix setup) Overriding / adjusting configuration with user-supplied values
[  DEBUG  ]  Setting up logrotate
[  DEBUG  ]  Postfix log summary reports disabled
[  DEBUG  ]  Logwatch reports disabled.
[  DEBUG  ]  Consolidating all state onto /var/mail-state
[  DEBUG  ]  Checking /var/mail permissions
[  DEBUG  ]  Removing files and directories from older versions
[  DEBUG  ]  Exporting environment variables now (creating '/etc/dms-settings')
[  DEBUG  ]  Setting up configuration checksum file
[  DEBUG  ]  Printing environment variables. Make sure no sensitive data is copied.
ACCOUNT_PROVISIONER='LDAP'
AMAVIS_LOGLEVEL='0'
CLAMAV_MESSAGE_SIZE_LIMIT='25M'
DEFAULT_RELAY_HOST=''
DOVECOT_INET_PROTOCOLS='all'
DOVECOT_MAILBOX_FORMAT='maildir'
DOVECOT_TLS='yes'
ENABLE_AMAVIS='0'
ENABLE_CLAMAV='0'
ENABLE_DNSBL='0'
ENABLE_FAIL2BAN='0'
ENABLE_FETCHMAIL='0'
ENABLE_MANAGESIEVE='1'
ENABLE_OPENDKIM='0'
ENABLE_OPENDMARC='0'
ENABLE_POLICYD_SPF='0'
ENABLE_POP3='0'
ENABLE_POSTGREY='0'
ENABLE_QUOTAS='0'
ENABLE_RSPAMD='1'
ENABLE_RSPAMD_REDIS='1'
ENABLE_SASLAUTHD='1'
ENABLE_SPAMASSASSIN='0'
ENABLE_SPAMASSASSIN_KAM='0'
ENABLE_SRS='0'
ENABLE_UPDATE_CHECK='1'
FAIL2BAN_BLOCKTYPE='drop'
FETCHMAIL_PARALLEL='0'
FETCHMAIL_POLL='300'
LDAP_BIND_DN='cn=_binder,cn=Users,dc=intra,dc=DOMAIN,dc=com'
LDAP_BIND_PW='changeme'
LDAP_SEARCH_BASE='dc=intra,dc=DOMAIN,dc=com'
LDAP_SERVER_HOST='dc1.domain-controller.svc.cluster.local'
LDAP_START_TLS='yes'
LOGROTATE_INTERVAL='weekly'
LOGWATCH_INTERVAL='none'
LOGWATCH_RECIPIENT='[email protected]'
LOGWATCH_SENDER='[email protected]'
LOG_LEVEL='debug'
MOVE_SPAM_TO_JUNK='1'
NETWORK_INTERFACE='eth0'
ONE_DIR='1'
OVERRIDE_HOSTNAME='mail.DOMAIN.com'
PERMIT_DOCKER='none'
PFLOGSUMM_RECIPIENT='[email protected]'
PFLOGSUMM_SENDER='[email protected]'
PFLOGSUMM_TRIGGER='none'
POSTFIX_DAGENT=''
POSTFIX_INET_PROTOCOLS='all'
POSTFIX_MAILBOX_SIZE_LIMIT='100000000'
POSTFIX_MESSAGE_SIZE_LIMIT='10240000'
POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME='0'
POSTGREY_AUTO_WHITELIST_CLIENTS='5'
POSTGREY_DELAY='300'
POSTGREY_MAX_AGE='35'
POSTGREY_TEXT='Delayed by Postgrey'
POSTMASTER_ADDRESS='[email protected]'
POSTSCREEN_ACTION='enforce'
RELAY_HOST=''
REPORT_RECIPIENT='[email protected]'
REPORT_SENDER='[email protected]'
RSPAMD_GREYLISTING='0'
RSPAMD_HFILTER='1'
RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE='6'
RSPAMD_LEARN='0'
SASLAUTHD_LDAP_AUTH_METHOD='bind'
SASLAUTHD_LDAP_BIND_DN='cn=_binder,cn=Users,dc=intra,dc=DOMAIN,dc=com'
SASLAUTHD_LDAP_FILTER='(&(sAMAccountName=%U)(objectClass=person))'
SASLAUTHD_LDAP_MECH=''
SASLAUTHD_LDAP_PASSWORD='changeme'
SASLAUTHD_LDAP_PASSWORD_ATTR=''
SASLAUTHD_LDAP_SEARCH_BASE='dc=intra,dc=DOMAIN,dc=com'
SASLAUTHD_LDAP_SERVER='dc1.domain-controller.svc.cluster.local'
SASLAUTHD_LDAP_START_TLS='yes'
SASLAUTHD_LDAP_TLS_CACERT_DIR=''
SASLAUTHD_LDAP_TLS_CACERT_FILE=''
SASLAUTHD_LDAP_TLS_CHECK_PEER='no'
SASLAUTHD_MECHANISMS='ldap'
SA_KILL='10.0'
SA_SPAM_SUBJECT='***SPAM*** '
SA_TAG2='6.31'
SA_TAG='2.0'
SMTP_ONLY='0'
SPAMASSASSIN_SPAM_TO_INBOX='1'
SPOOF_PROTECTION='1'
SRS_DOMAINNAME='DOMAIN.com'
SRS_EXCLUDE_DOMAINS=''
SRS_SECRET=''
SRS_SENDER_CLASSES='envelope_sender'
SSL_TYPE='manual'
SUPERVISOR_LOGLEVEL='warn'
TLS_LEVEL='modern'
TZ='Europe/Vienna'
UPDATE_CHECK_INTERVAL='1d'
VIRUSMAILS_DELETE_DELAY='7'
[  DEBUG  ]  Applying user patches
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
[   INF   ]  Starting daemons
[  DEBUG  ]  Starting cron
[  DEBUG  ]  Starting rsyslog
[  DEBUG  ]  Starting dovecot
[  DEBUG  ]  Starting update-check
[  DEBUG  ]  Starting rspamd-redis
[  DEBUG  ]  Starting rspamd
[  DEBUG  ]  Starting postfix
[  DEBUG  ]  Starting saslauthd_ldap
[   INF   ]  mail.DOMAIN.com is up and running
Jan 17 02:58:52 mail postfix/postfix-script[1950]: starting the Postfix mail system
Jan 17 02:58:52 mail postfix/master[1951]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource tempo                                                                   rarily unavailable
Jan 17 02:58:52 mail postfix/master[2325]: warning: process /usr/lib/postfix/sbin/cleanup pid 12367 exit status 1
Jan 17 02:58:52 mail postfix/master[2325]: warning: /usr/lib/postfix/sbin/cleanup: bad command startup -- throttling
Jan 17 02:58:58 mail postfix/postfix-script[2029]: starting the Postfix mail system
Jan 17 02:58:58 mail postfix/master[2030]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource tempo                                                                   rarily unavailable
Jan 17 02:59:04 mail postfix/postfix-script[2108]: starting the Postfix mail system
Jan 17 02:59:04 mail postfix/master[2109]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource tempo                                                                   rarily unavailable
Jan 17 02:59:11 mail postfix/postfix-script[2195]: starting the Postfix mail system
Jan 17 02:59:11 mail postfix/master[2196]: fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource tempo                                                                   rarily unavailable
Jan 17 02:59:17 mail postfix/postfix-script[2283]: starting the Postfix mail system
Jan 17 02:59:17 mail postfix/master[2284]: daemon started -- version 3.5.18, configuration /etc/postfix
Jan 17 02:59:17 mail postfix/pickup[2285]: CAE0088: uid=0 from=<root>
Jan 17 02:59:17 mail postfix/cleanup[2287]: CAE0088: message-id=<[email protected]>
Jan 17 02:59:17 mail postfix/qmgr[2286]: CAE0088: from=<[email protected]>, size=670, nrcpt=1 (queue active)
Jan 17 02:59:17 mail dovecot: lmtp(2290): Connect from local
Jan 17 02:59:17 mail dovecot: lmtp([email protected])<2290><M4ZPOnU0p2XyCAAAZU03Dg>: Debug: auth-master: userdb lookup(administrator                                                                   @DOMAIN.com): Started userdb lookup
Jan 17 02:59:17 mail dovecot: lmtp([email protected])<2290><M4ZPOnU0p2XyCAAAZU03Dg>: Debug: auth-master: conn unix:/run/dovecot/auth                                                                   -userdb: Connecting
Jan 17 02:59:17 mail dovecot: lmtp([email protected])<2290><M4ZPOnU0p2XyCAAAZU03Dg>: Debug: auth-master: conn unix:/run/dovecot/auth                                                                   -userdb (pid=1796,uid=0): Client connected (fd=13)
Jan 17 02:59:17 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jan 17 02:59:17 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Jan 17 02:59:17 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jan 17 02:59:17 mail dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
Jan 17 02:59:17 mail dovecot: auth: Debug: Wrote new auth token secret to /run/dovecot/auth-token-secret.dat
Jan 17 02:59:18 mail dovecot: auth: Debug: master in: USER#0111#[email protected]#011service=lmtp
Jan 17 02:59:18 mail dovecot: auth: Debug: ldap([email protected]): Performing userdb lookup
Jan 17 02:59:18 mail dovecot: auth: Debug: ldap([email protected]): user search: base=dc=intra,dc=DOMAIN,dc=com scope=subtree filter                                                                   =(&(objectclass=person)(sAMAccountName=administrator)) fields=








Jan 17 03:00:39 mail dovecot: auth: Debug: auth client connected (pid=2370)
Jan 17 03:00:39 mail dovecot: auth: Debug: auth client connected (pid=2374)
Jan 17 03:00:39 mail dovecot: auth: Debug: auth client connected (pid=2376)
Jan 17 03:00:39 mail postfix/postscreen[2373]: CONNECT from [213.225.1.157]:34667 to [10.244.171.6]:25
Jan 17 03:00:39 mail postfix/postscreen[2373]: CONNECT from [213.225.1.157]:34668 to [10.244.171.6]:25
Jan 17 03:00:39 mail postfix/postscreen[2373]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=12 dropped=0 entries
Jan 17 03:00:39 mail dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=213.225.1.157, lip=10.244.171.6, session=<RN8fnRoPXK7V4QGd>
Jan 17 03:00:39 mail dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=213.225.1.157, lip=10.244.171.6, session=<A/MfnRoPW67V4QGd>
Jan 17 03:00:39 mail postfix/postscreen[2373]: PREGREET 33 after 0.03 from [213.225.1.157]:34667: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Jan 17 03:00:39 mail postfix/postscreen[2373]: COMMAND PIPELINING from [213.225.1.157]:34667 after EHLO: QUIT\r\n
Jan 17 03:00:39 mail postfix/postscreen[2373]: DISCONNECT [213.225.1.157]:34667
Jan 17 03:00:39 mail postfix/postscreen[2373]: PREGREET 33 after 0.03 from [213.225.1.157]:34668: EHLO we-guess.mozilla.org\r\nQUIT\r\n
Jan 17 03:00:39 mail postfix/postscreen[2373]: COMMAND PIPELINING from [213.225.1.157]:34668 after EHLO: QUIT\r\n
Jan 17 03:00:39 mail postfix/postscreen[2373]: DISCONNECT [213.225.1.157]:34668
Jan 17 03:00:39 mail postfix/submission/smtpd[2378]: connect from 213-225-1-157.nat.highway.a1.net[213.225.1.157]
Jan 17 03:00:39 mail postfix/submission/smtpd[2371]: connect from 213-225-1-157.nat.highway.a1.net[213.225.1.157]
Jan 17 03:00:39 mail postfix/smtps/smtpd[2372]: connect from 213-225-1-157.nat.highway.a1.net[213.225.1.157]
Jan 17 03:00:40 mail postfix/submission/smtpd[2378]: improper command pipelining after EHLO from 213-225-1-157.nat.highway.a1.net[213.225.1.157]: QUIT\r\n
Jan 17 03:00:40 mail postfix/submission/smtpd[2371]: improper command pipelining after EHLO from 213-225-1-157.nat.highway.a1.net[213.225.1.157]: QUIT\r\n
Jan 17 03:00:40 mail postfix/submission/smtpd[2371]: disconnect from 213-225-1-157.nat.highway.a1.net[213.225.1.157] ehlo=1 quit=1 commands=2
Jan 17 03:00:40 mail postfix/submission/smtpd[2378]: disconnect from 213-225-1-157.nat.highway.a1.net[213.225.1.157] ehlo=1 quit=1 commands=2
Jan 17 03:00:40 mail dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=213.225.1.157, lip=10.244.171.6, TLS, session=<0sIjnRoPH1LV4QGd>
Jan 17 03:00:40 mail postfix/smtps/smtpd[2372]: Anonymous TLS connection established from 213-225-1-157.nat.highway.a1.net[213.225.1.157]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 17 03:00:40 mail postfix/smtps/smtpd[2372]: disconnect from 213-225-1-157.nat.highway.a1.net[213.225.1.157] ehlo=1 quit=1 commands=2



Jan 17 03:00:54 mail dovecot: auth: Debug: auth client connected (pid=2388)
Jan 17 03:00:54 mail dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=1u0DnhoPIFLV4QGd#011lip=10.244.171.6#011rip=213.225.1.157#011lport=993#011rport=21024#011real_lip=10.244.37.217#011real_rip=10.244.171.6#011real_rport=43762#011local_name=mail.DOMAIN.com
Jan 17 03:00:54 mail dovecot: auth: Debug: client passdb out: CONT#0111#011
Jan 17 03:00:54 mail dovecot: auth: Debug: client in: CONT#0111#011AGFkbWluaXN0cmF0b3IAQ2hAbjllTWU= (previous base64 data may contain sensitive data)
Jan 17 03:00:54 mail dovecot: auth: Debug: ldap(administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): Performing passdb lookup
Jan 17 03:00:54 mail dovecot: auth: Debug: ldap(administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): bind search: base=dc=intra,dc=DOMAIN,dc=com filter=(&(objectclass=person)(sAMAccountName=administrator))
Jan 17 03:00:54 mail dovecot: auth: Error: ldap(administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): Connection appears to be hanging, reconnecting
Jan 17 03:00:54 mail dovecot: auth: Error: ldap([email protected]): LDAP search returned multiple entries
Jan 17 03:00:54 mail dovecot: auth: Debug: ldap(administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): result: sAMAccountName=Administrator; sAMAccountName unused
Jan 17 03:00:54 mail dovecot: auth: Debug: ldap(administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): username changed administrator -> Administrator
Jan 17 03:00:54 mail dovecot: auth: Error: ldap(Administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): Connection appears to be hanging, reconnecting
Jan 17 03:00:54 mail dovecot: auth: Error: ldap([email protected]): Request lost
Jan 17 03:00:54 mail dovecot: auth: Debug: ldap([email protected]): Finished userdb lookup
Jan 17 03:00:54 mail dovecot: auth: Debug: userdb out: FAIL#0111
Jan 17 03:00:54 mail dovecot: lmtp([email protected])<2290><M4ZPOnU0p2XyCAAAZU03Dg>: Error: auth-master: userdb lookup([email protected]): Auth USER lookup failed
Jan 17 03:00:54 mail dovecot: lmtp([email protected])<2290><M4ZPOnU0p2XyCAAAZU03Dg>: Debug: auth-master: userdb lookup([email protected]): auth USER input:
Jan 17 03:00:54 mail dovecot: lmtp([email protected])<2290><M4ZPOnU0p2XyCAAAZU03Dg>: Debug: auth-master: userdb lookup([email protected]): Userdb lookup failed
Jan 17 03:00:54 mail dovecot: lmtp(2290): Error: lmtp-server: conn unix:pid=2289,uid=101 [1]: rcpt [email protected]: Failed to lookup user [email protected]: Internal error occurred. Refer to server log for more information.
Jan 17 03:00:55 mail postfix/lmtp[2289]: CAE0088: to=<[email protected]>, orig_to=<[email protected]>, relay=mail.DOMAIN.com[/var/run/dovecot/lmtp], delay=123, delays=26/0.04/0.02/97, dsn=4.3.0, status=deferred (host mail.DOMAIN.com[/var/run/dovecot/lmtp] said: 451 4.3.0 <[email protected]> Temporary internal error (in reply to RCPT TO command))
Jan 17 03:00:55 mail dovecot: lmtp(2290): Disconnect from local: Client has quit the connection (state=READY)
Jan 17 03:00:55 mail dovecot: auth: Debug: ldap(Administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): Finished passdb lookup
Jan 17 03:00:55 mail dovecot: auth: Debug: auth(Administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): Auth request finished
Jan 17 03:00:55 mail dovecot: auth: Debug: client passdb out: OK#0111#011user=Administrator#011#011original_user=administrator
Jan 17 03:00:55 mail dovecot: auth: Debug: master in: REQUEST#01172876033#0112388#0111#011b343f50e90df7a299b1c2d36f763f63b#011session_pid=2390#011request_auth_token
Jan 17 03:00:55 mail dovecot: auth: Debug: ldap(Administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): Performing userdb lookup
Jan 17 03:00:55 mail dovecot: auth: Debug: ldap(Administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): user search: base=dc=intra,dc=DOMAIN,dc=com scope=subtree filter=(&(objectclass=person)(sAMAccountName=Administrator)) fields=

I have no clue what I can do more to debug or solve this. Could anyone help please?

Answered by MohammedNoureldin

Jan 19, 2024

Wow, this discussion became a good source for debugging.

I finally got it working.

After the analysis mentioned above that both components, LDAP server and Mail server, work when used with external systems but not with each other, this made me think again about the connection between them. The relationship that connects them is LDAP, DNS and TLS. I checked TLS and seemed to be working properly. LDAP filters were also OK, after testing them with ldapsearch. That leaves DNS of the cluster, particularly CoreDNS.

The biggest confusion came from the log messages of Dovecot actually, as they always were inconsistent and misleading.

In K8s, I configured the CoreDNS to forward all requests that a…

View full answer

MohammedNoureldin · 2024-01-16T17:57:57Z

MohammedNoureldin
Jan 16, 2024
Author

May I ask you, @polarathene, to take a look when you have some time? As you suggested, I disabled the quota, but the messages did not change. If it is needed, I can provide access to DMS and LDAP server.

14 replies

polarathene Jan 18, 2024
Maintainer

Oh and the new VPS, does that work fine with k8s if both run on that? If so might just be something related to your DMS volumes, you could try running without some mounted like mail-state? Sometimes that can be the source of problems if data got messed up there.

MohammedNoureldin Jan 19, 2024
Author

No the volumes are correct. Though, it should work without any persistence.

The summary of tests. Just for me to keep everything documented. You may comment of course if anything comes to your mind :D

Samba LDAP server in k8s cluster exposed to the outside directly (port forwarding) <-> DMS hosted in VPS ---> DMS can connect to this Samba LDAP and works properly.
Samba LDAP server in k8s cluster exposed to the outside directly (port forwarding) <-> DMS hosted inside the same k8s cluster ---> DMS cannot connect properly with this Samba LDAP server even using its external IP address.
OpenLDAP server hosted in VPS <-> DMS hosted in the same VPS ---> DMS can access the OpenLDAP properly.
OpenLDAP server hosted in VPS <-> DMS hosted in k8s cluster ---> DMS cannot access the OpenLDAP properly.

This means:

K8s Samba LDAP server is reachable "directly" from DMS instances hosted outside my cluster.
VPS OpenLDAP server is reachable from DMS instances hosted inside my cluster. However, here SSL was turned off.

Samba does not accept turning encryption off.

Could this mean, that there is a problem when DMS trying to access my Samba LDAP in the cluster because of some encryption issue, but it is only between this specific DMS with this specific Samba?

Can this "version" error be the reason? but why only in the cases I mentioned above. Really annoying..

Jan 19 02:23:13 mail dovecot: auth: Error: ldap(Administrator,10.244.171.6,<msdRUUIPsIAK9KsG>): ldap_search(base=dc=intra,dc=DOMAIN,dc=com filter=(&(objectclass=person)(sAMAccountName=Administrator))) failed: Operations error
Jan 19 02:23:13 mail dovecot: imap: Error: auth-master: login: request [2115371009]: Login auth request failed: Internal auth failure (auth connected 26835 msecs ago, request took 26835 msecs, client-pid=3973 client-id=1)
Jan 19 02:23:13 mail dovecot: imap-login: Internal login failure (pid=3973 id=1): user=<Administrator>, method=PLAIN, rip=10.244.171.6, lip=10.244.37.237, mpid=3974, TLS, session=<msdRUUIPsIAK9KsG>
Jan 19 02:23:13 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.244.171.6, lip=10.244.37.237, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<2cjuUkIPxJQK9KsG>
Jan 19 02:23:14 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.244.171.6, lip=10.244.37.237, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<y2fwUkIPypQK9KsG>

polarathene Jan 19, 2024
Maintainer

Could this mean, that there is a problem when DMS trying to access my Samba LDAP in the cluster because of some encryption issue, but it is only between this specific DMS with this specific Samba?

You could try enabling TLS with the OpenLDAP setup to better compare that and see if it reproduces the same behaviour with Samba.

Do verify that the issue is specific to DMS though. If you install ldap-utils in the DMS container and then use ldapsearch to query, do you get the same failure?

Were your comparisons both against DMS v13 or newer? Do note that configuration changes happened regarding LDAP for v13, notably the LDAP host URI now expects you to be more explicit. 3 ENV would fallback to ldap:// if the URI scheme was omitted.

I'd still advise keeping k8s out of the picture for now, to ensure that's not introducing any additional complications. Along with any other infrastructure not necessary. Focus on a minimal reproduction.

OpenLDAP server hosted in VPS <-> DMS hosted in k8s cluster ---> DMS cannot access the OpenLDAP properly.

These are different hosts? Does the same apply if using Docker Compose instead of k8s?

This should be possible to verify with the reproduction I provided:

# On one host (_ldap will need port 389 published to be reached publicly_):
$ docker compose up ldap

# On another host:
$ docker compose up dms

DNS also becomes relevant for that external connectivity, but you could configure both to use the same DNS service you host yourself, no need to manage actual public domains and DNS records. If you'd like an example, let me know.

It would be good to reproduce with Docker Compose, then I have something I can actually work with :)

MohammedNoureldin Jan 19, 2024
Author

Checking it without K8s would not really be very helpful, because as we saw, it works out of the box when running any of the components outside k8s.

Very strange..

I changed the search base from dc=intra,dc=domain,dc=com to cn=Users,dc=intra,dc=domain,dc=com. Now it works fine without "LDAP returned multiple entries error" :/. And I could send emails.

Though, using the same filter with the same base in ldapsearch tool returns only one entry.

Though what I don't understand is why it works from the external DMS, but not with that in the cluster

My users are located normally in Users, but could be though somewhere else. I do not understand what kind of duplication it finds :/

polarathene Jan 19, 2024
Maintainer

Though what I don't understand is why it works from the external DMS, but not with that in the cluster

My users are located normally in Users, but could be though somewhere else. I do not understand what kind of duplication it finds :/

With the OpenLDAP container enable the debug ENV and perform the reproduction for the working and not working setups and you should get some insights into how the queries and responses differ.

Likewise with postmap -v -q.

It's probably related to DNS? I am not familiar with k8s, so I don't know how that differs from same host vs separate hosts, but if you can identify what differences those introduce it'd probably make it clearer.

I changed the search base from dc=intra,dc=domain,dc=com to cn=Users,dc=intra,dc=domain,dc=com. Now it works fine without "LDAP returned multiple entries error" :/. And I could send emails.

Though, using the same filter with the same base in ldapsearch tool returns only one entry.

If you'd like to try building DMS from my LDAP Config Templates PR, you might have an easier time tweaking configuration. Then again the lacking docs to make that easier probably makes that a no-go right now 😓

Here are the new template files that will replace the current approach. There is a base with defaults, followed by an override template of the full settings supported by the Dovecot, Postfix and SASLAuthd configs:

This shows some implicit defaults that DMS sets, they're possibly messing with your queries? 🤷‍♂️

For Postfix, here is the LDAP config docs which explain each setting.

You can see that we set a result_attribute = mail and in the related test the query is based on mail attribute too (related postmap line).

Checking it without K8s would not really be very helpful, because as we saw, it works out of the box when running any of the components outside k8s.

That wasn't clear to me based on these two statements:

OpenLDAP server hosted in VPS <-> DMS hosted in the same VPS ---> DMS can access the OpenLDAP properly.

OpenLDAP server hosted in VPS <-> DMS hosted in k8s cluster ---> DMS cannot access the OpenLDAP properly.

I guess the cluster is running on a separate system? On the same VPS was k8s used?

If you cannot reproduce failure outside of k8s, then it's clearly a k8s issue not a DMS one and you'll need to figure that out as I don't have experience with k8s. I can only assume it's related to the DNS cluster/routing logic, or the ingress controller which AFAIK operates like a reverse proxy inbetween services and that's known to cause some problems (see the user-proxy: true / IPv6 comments). Those type of issues would not be applicable to an external system which you've verified works properly.

If anything it could be related to the .local TLD used by k8s. I mentioned this before but had no response from you on that. I assume your external system test that works is not via a connection to a .local address? If that's one of the main differentiators I would look into that, quite possibly mDNS issue then. Likewise there's another known one with gai config IIRC for IPv6 which changes the routing precedence. Both of these can vary by host distro on what network configuration they set.

MohammedNoureldin · 2024-01-17T03:11:45Z

MohammedNoureldin
Jan 17, 2024
Author

Shouldn't this be the problem?

Jan 17 03:00:54 mail dovecot: auth: Error: ldap([email protected]): LDAP search returned multiple entries
Jan 17 03:00:54 mail dovecot: auth: Debug: ldap(administrator,213.225.1.157,<1u0DnhoPIFLV4QGd>): result: sAMAccountName=Administrator; sAMAccountName unused

Though I don't know what are the "two" results. I have a very fresh LDAP server. So I am not sure what is going on here. Does any one see something I am missing?

1 reply

polarathene Jan 17, 2024
Maintainer

Though I don't know what are the "two" results.

From the logs it looks like it returned these two:

result: sAMAccountName=Administrator; sAMAccountName unused

You can follow my troubleshooting steps I shared in the other response with postmap -v -q queries if you need more insights. That may differ though vs Dovecot (Postfix has multiple LDAP configs, which mostly differ by the query only, and Dovecot has it's own).

I don't know the command right now, but there is one you could use from ldap-utils package to query LDAP directly, similar to the ldapwhoami command I showed in my troubleshooting steps. That would be a better way to query without DMS / Postfix / Dovecot in the way.

Alternatively with the Bitnami LDAP container you'll also get plenty of insights on the LDAP side through it's logs (you may need to enable the debug env if it's not showing the queries received).

With those insights, you'd know what the multiple results returned are for a query. Clearly the query was expected to return only one result, which presumably is the DN for an account queried?

I did mention there was a gotcha regarding ENABLE_SASLAUTHD=1. IIRC, this is related to the supervisord config we provide. The contribution history has rimap mechanism for saslauthd config use the -r flag, while ldap mechanism for saslauthd does not.

There are additional ways to test the login with credentials is valid, IIRC they're testsaslauthd ... / doveadm auth test ..., but the testsaslauthd was a bit misleading. It also mattered if you did the login via Postfix ports or Dovecot ports, as this issue was specific to Postfix going through SASLAuthd instead of Dovecot. Related to the issue was also some Postfix config in main.cf.

Anyway... given the log output you've shared. Looks like you're trying to authenticate as [email protected], the query returns Administrator for sAMAccountName? Potential case sensitivity issues aside, the auth was likely unsuccessful due to a mismatch in login username vs returned (if valid) username. IIRC there was also a related issue/inconsistency with the default Dovecot LDAP filters, but it'd only be apparent when hitting these issues.

If you login with just the username, and the expectation of that is without the DMS hostname appended, I think Postfix would append this by default to the query. Thus fails to match. If the query would have been successful with your own mail domain appended ([email protected] vs [email protected]). Otherwise if it needs to absolutely be user without anything appended, this bug would be affecting you.

Fixing the supervisor config for saslauthd with -r will properly strip any "realm" from @ and after, thus even if Postfix appends one, or the user provides one that would be ignored (not an issue when you're not juggling multiple mail domains that represent different users (local-part), so long as the username is unique). The related Dovecot issue may still be relevant.

The plan was to fix those months ago with a breaking release that would go with the LDAP refactor I've done. Writing up the docs and other events has just severely delayed that being addressed 😓

MohammedNoureldin · 2024-01-19T16:44:05Z

MohammedNoureldin
Jan 19, 2024
Author

Wow, this discussion became a good source for debugging.

I finally got it working.

After the analysis mentioned above that both components, LDAP server and Mail server, work when used with external systems but not with each other, this made me think again about the connection between them. The relationship that connects them is LDAP, DNS and TLS. I checked TLS and seemed to be working properly. LDAP filters were also OK, after testing them with ldapsearch. That leaves DNS of the cluster, particularly CoreDNS.

The biggest confusion came from the log messages of Dovecot actually, as they always were inconsistent and misleading.

In K8s, I configured the CoreDNS to forward all requests that are specific to my intra domain to Samba's DC DNS server. Removing this configuration from CoreDNS made my mail server works again.

~~intra.DOMAIN.com.:53 { errors cache 30 forward . 10.x.x.x }~~

I am still investigating why this caused my DMS / Samba relationship to fail, because my simple configuration seems to be correct, and everything other than DMS works with it.

NOTE: because of the cache TTLS (30 seconds in this case), after removing the entry from CoreDNS configmap we have to wait about 30 seconds before the changes take effect and DMS starts working again.

I still though do not exactly understand the behavior, that changing the search base solved the issue and how it is directly related to the DNS.

Many thanks to @polarathene for his support!

0 replies

Docker Mailserver

dovecot: auth: Error ldap_search failed: Operations error #3785

Uh oh!

Uh oh!

MohammedNoureldin Jan 16, 2024

Replies: 3 comments · 15 replies

Uh oh!

Uh oh!

MohammedNoureldin Jan 16, 2024 Author

Uh oh!

polarathene Jan 18, 2024 Maintainer

Uh oh!

Uh oh!

MohammedNoureldin Jan 19, 2024 Author

Uh oh!

polarathene Jan 19, 2024 Maintainer

Uh oh!

Uh oh!

MohammedNoureldin Jan 19, 2024 Author

Uh oh!

polarathene Jan 19, 2024 Maintainer

Uh oh!

MohammedNoureldin Jan 17, 2024 Author

Uh oh!

polarathene Jan 17, 2024 Maintainer

Uh oh!

Uh oh!

MohammedNoureldin Jan 19, 2024 Author

MohammedNoureldin
Jan 16, 2024

Replies: 3 comments 15 replies

MohammedNoureldin
Jan 16, 2024
Author

polarathene Jan 18, 2024
Maintainer

MohammedNoureldin Jan 19, 2024
Author

polarathene Jan 19, 2024
Maintainer

MohammedNoureldin Jan 19, 2024
Author

polarathene Jan 19, 2024
Maintainer

MohammedNoureldin
Jan 17, 2024
Author

polarathene Jan 17, 2024
Maintainer

MohammedNoureldin
Jan 19, 2024
Author