[Sysadmins] Периодические падения dovecot-auth и ntlm_auth - P8
Москаленко Алексей Владимирович
mav на elserv.msk.su
Ср Июл 25 17:12:35 MSK 2018
Sergey V Turchin писал 25.07.2018 16:18:
>> С новым dovecot ntlm_auth (ожидаемо) один раз уже упал.
> А можно ли описать примерный сценарий, чтоб попробовать воспроизвести?
Сценарий довольно обычный. Есть домен на самбе (все еще в режиме NT4) с
пользователями в openLDAP. Dovecot берет пользователей из доменного
LDAP, авторизуя их самостоятельно с помощью LDAP bind по алгоритмам
PLAIN и LOGIN и используя ntlm_auth для авторизации их же по NTLM. На
той же машине установлен winbind, введенный в домен. Вся почтовая
система работает под одним пользователем vmail. Используется sieve.
Вроде никаких особенностей...
smb.conf
[global]
# smb.conf of the mail host: a member server in an NT4-style domain (the post says the
# DC is still in NT4 mode); winbind on this box is what dovecot's ntlm_auth calls go through.
netbios name = MAIL
server string = Mail server
workgroup = DOMAIN
# This host never takes browser/master roles; it only authenticates against the DC.
domain master = No
local master = No
os level = 1
preferred master = No
# %m = client NetBIOS name, i.e. one log file per client.
log file = /var/log/samba/log.%m
# KB
max log size = 50
load printers = No
printcap name = /dev/null
# if_required negotiates SMB signing but does not insist on it; "mandatory" would refuse
# unsigned sessions. Presumably kept optional for the NT4-era DC — confirm.
client ipc signing = if_required
client signing = if_required
# DC used for domain authentication (security = DOMAIN); the same host is the WINS server below.
password server = 192.168.0.1
security = DOMAIN
server signing = if_required
smb passwd file = /etc/samba/smbpasswd
# Older-style idmap range settings; the "idmap config * : range" line below carries the
# same range — keep the two in sync if either is changed.
idmap gid = 10000-20000
idmap uid = 10000-20000
template shell = /sbin/nologin
# Disables sealing (encryption) of winbind's RPC pipes to the DC, so the NTLM
# authentication exchanges with the DC travel unsealed. Presumably needed for NT4
# compatibility — confirm before keeping it.
winbind sealed pipes = No
# Winbind reports domain users without the DOMAIN\ prefix.
winbind use default domain = Yes
dns proxy = No
wins server = 192.168.0.1
idmap config * : range = 10000-20000
idmap config * : backend = tdb
printing = lprng
use sendfile = Yes
doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# "doveconf -n" output: only settings that differ from the built-in defaults are listed.
# In Dovecot values "%%" is a literal percent sign; "<file" reads the value from a file.
# Penalty delay after a failed authentication (the default is 2 secs).
auth_failure_delay = 10 secs
# Master-user login form is "user*master"; checked against the passwd-file passdb with master = yes below.
auth_master_user_separator = *
# plain/login are verified against LDAP (passdb ldap below); ntlm is delegated to
# winbind's ntlm_auth helper (auth_use_winbind).
auth_mechanisms = plain login ntlm
auth_use_winbind = yes
default_client_limit = 4096
default_process_limit = 512
default_vsz_limit = 512 M
hostname = mail.example.com
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
# IPv4 wildcard only (no "::").
listen = *
login_greeting = Mail server ready.
# Per the Dovecot docs, connections from these networks may override the client IP/port
# reported to auth and logging, and disable_plaintext_auth is ignored for them.
# 192.168.0.0/16 trusts every host in that range; if only specific proxies need this,
# narrowing the list to them is the safer setting.
login_trusted_networks = 127.0.0.1/32 192.168.0.0/16
# Whole mail system runs as a single vmail user (see the post above).
mail_gid = vmail
mail_location = maildir:%h/private
mail_plugins = quota acl listescape zlib
mail_privileged_group = mail
mail_uid = vmail
managesieve_notify_capability = mailto
# NOTE: single value, wrapped across lines by the list archive.
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext editheader
mbox_write_locks = fcntl
# Public namespace: one shared maildir tree, per-user index files under %h/public.
namespace {
inbox = no
list = children
location = maildir:/var/spool/vmail/_Public/:INDEX=%h/public
prefix = Public Mailboxes/
separator = /
subscriptions = no
type = public
}
# Shared namespace: in a shared namespace %%h / %%n refer to the mailbox owner,
# while plain %h is the logged-in user (indexes live under the accessing user's home).
namespace {
inbox = no
list = children
location = maildir:%%h/private/:INDEX=%h/shared/%%n
prefix = Shared Mailboxes/%%n/
separator = /
subscriptions = no
type = shared
}
# Private namespace; empty location means mail_location applies.
namespace inbox {
inbox = yes
list = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox "INBOX/Probably SPAM" {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
separator = /
subscriptions = yes
type = private
}
# Master users (auth_master_user_separator above). pass = yes: after a master match the
# normal passdbs below are still consulted for the target user.
passdb {
args = /etc/dovecot/passwd.masters
driver = passwd-file
master = yes
pass = yes
}
# Regular users: LDAP settings live in /etc/dovecot/passdb.conf (quoted further down in the post).
passdb {
args = /etc/dovecot/passdb.conf
driver = ldap
}
plugin {
acl = vfile:/etc/dovecot/acls:cache_secs=300
acl_anyone = allow
acl_shared_dict = file:/var/spool/vmail/_shared-mailboxes-list.db
quota = maildir:Your Mailbox Quota
# Per-user quota_rule from LDAP (userdb) overrides this default.
quota_rule = *:storage=16G
quota_rule2 = Trash:storage=+128M
# Postfix policy-service answers (service quota-status below).
quota_status_nouser = DUNNO
quota_status_overquota = 552 5.2.2 Mailbox is full
quota_status_success = DUNNO
# "%%" = literal percent; the script gets "<percent> <user>" as arguments.
quota_warning = storage=98%% quota-warning 98 %u
quota_warning2 = storage=90%% quota-warning 90 %u
# Per-user sieve scripts under the user's home.
sieve = file:%h/sieve;active=%h/active.sieve
sieve_default = /etc/dovecot/default.sieve
sieve_default_name = SystemDefault
sieve_extensions = +editheader
sieve_global = /etc/dovecot/sieve
stats_refresh = 30 secs
stats_track_cmds = yes
zlib_save = gz
zlib_save_level = 6
}
# The list archive has replaced "@" with "на" here (as in the sender address of the post);
# the real value is presumably a plain mail address.
postmaster_address = postmaster на example.com
# No pop3; no "imaps"/"lmtps" here because TLS is per listener, not per protocol.
protocols = imap lmtp sieve
service auth {
# Postfix SASL socket (smtpd_sasl_path), inside the Postfix chroot.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-client {
group = mail
mode = 0660
user = vmail
}
# Used by "protocol lda" (auth_socket_path below).
unix_listener auth-master {
group = mail
mode = 0660
user = vmail
}
unix_listener auth-userdb {
group = mail
mode = 0660
user = vmail
}
# The auth process runs as root (Dovecot's default is its internal unprivileged user).
# Presumably needed so ntlm_auth can reach winbind's privileged pipe — confirm; if that is the
# only reason, granting that pipe's group to a dedicated user would allow dropping root.
user = root
}
# The config socket hands out the full configuration — including the LDAP bind password
# and ssl_key — to anything that can connect; 0660/vmail means the vmail account is as
# sensitive as those secrets. Needed for lda/doveadm running as vmail.
service config {
unix_listener config {
mode = 0660
user = vmail
}
}
# Same value as default_vsz_limit above; redundant but harmless.
service imap {
vsz_limit = 512 M
}
# LMTP delivery socket for Postfix, inside the Postfix chroot.
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
user = vmail
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
# Legacy pre-IANA ManageSieve port kept alongside 4190.
inet_listener sieve_deprecated {
port = 2000
}
}
# Postfix policy service ("-p postfix" selects the Postfix policy protocol).
service quota-status {
client_limit = 1
executable = quota-status -p postfix
unix_listener /var/spool/postfix/private/dovecot-quota-status {
group = postfix
mode = 0660
user = postfix
}
}
# External script invoked by quota_warning / quota_warning2 above, run as vmail.
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
unix_listener quota-warning {
user = vmail
}
user = vmail
}
ssl_cert = </etc/dovecot/cert.pem
# Server-ordered list (ssl_prefer_server_ciphers = yes): ECDHE/DHE first, then RSA key
# exchange without forward secrecy, then 3DES (DES-CBC3-SHA) at the tail. If no client
# still needs the 3DES suites, dropping them removes the 64-bit-block ciphers.
# NOTE: single value, wrapped by the list archive.
ssl_cipher_list =
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# Masked by doveconf; "doveconf -P" would print it.
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
# prefetch reuses userdb_* fields returned by the passdb; pass_attrs in passdb.conf returns
# none, so this presumably always falls through to the ldap userdb below — confirm.
userdb {
driver = prefetch
}
# /etc/dovecot/userdb.conf is a symlink to passdb.conf (see the post).
userdb {
args = /etc/dovecot/userdb.conf
driver = ldap
}
protocol lmtp {
mail_fsync = optimized
mail_plugins = quota acl listescape zlib sieve
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
mail_fsync = optimized
mail_plugins = quota acl listescape zlib sieve
}
protocol imap {
imap_client_workarounds = delay-newmail
mail_max_userip_connections = 64
mail_plugins = quota acl listescape zlib imap_quota imap_acl imap_zlib
}
/etc/dovecot/passdb.conf
# Dovecot LDAP passdb. /etc/dovecot/userdb.conf is a symlink to this file, so the
# user_* and iterate_* settings below serve the userdb as well.
hosts = ldap.example.com
# Bind DN used for all lookups.
dn = cn=mail,ou=Daemons,dc=example,dc=com
# Presumably a placeholder for the list. The real value is stored in plaintext, so this
# file should be readable only by the user the auth process runs as.
dnpass = PASSW0RD
# Simple bind over plain LDAP (no TLS): the bind password and the userPassword hashes
# fetched via pass_attrs cross the network unencrypted unless ldap.example.com is reached
# over a local path. tls = yes (or an ldaps URI) is the fix if the directory supports it.
sasl_bind = no
tls = no
# auth_bind = no: Dovecot fetches userPassword and verifies the hash itself
# (default_pass_scheme below) instead of binding to LDAP as the user.
auth_bind = no
ldap_version = 3
base = ou=Accounts,dc=example,dc=com
# %$ = value of the LDAP attribute. Home is derived from uid; internationalISDNNumber is
# repurposed to carry the quota size. NOTE: single line, wrapped by the list archive.
user_attrs = uid=home=/var/spool/vmail/%$,
internationalISDNNumber=quota_rule=*:bytes=%$
# %n = local part of the login, %u = full login. NOTE: single line, wrapped by the archive.
user_filter =
(&(objectClass=inetOrgPerson)(|(&(uid=%n)(mail=*))(mail=%u)))
# Returns no userdb_* fields, so the prefetch userdb in dovecot.conf has nothing to use.
pass_attrs = uid=user,userPassword=password
# Only accounts with a mail address outside *.local, not marked disabled via postOfficeBox,
# and whose Samba flags are absent or one of [U ], [UX ], [HU ], [HUX ]. Those bracketed
# values contain padding spaces; the archive wrapped this single line inside them.
pass_filter =
(&(objectClass=inetOrgPerson)(uid=%u)(mail=*)(!(mail=*.local))(|(!(sambaAcctFlags=*))(sambaAcctFlags=[U
])(sambaAcctFlags=[UX ])(sambaAcctFlags=[HU
])(sambaAcctFlags=[HUX ]))(!(postOfficeBox=disabled)))
# Scheme assumed when userPassword carries no {SCHEME} prefix.
default_pass_scheme = SSHA
# Used for user iteration (e.g. doveadm over all users).
iterate_attrs = uid=user
iterate_filter = (&(objectClass=inetOrgPerson)(mail=*))
/etc/dovecot/userdb.conf - симлинк на passdb.conf