Dovecot Module Issues for FreeBSD

Webmin
Jaret
2013-01-17
2013-05-21
  • Jaret
    2013-01-17

    The Dovecot module has some problems with FreeBSD and Dovecot 2.x.

    1.) Configuration settings / options in the Dovecot module do not write to the configuration file itself when the module configuration is set up correctly pointing to the dovecot.conf configuration file. All configuration options must be set up in the dovecot.conf file manually and only then does the Dovecot module itself reflect those settings. Most of these settings too only seem to reflect virtual environment settings stored in the dovecot configuration file to work correctly against the module.

    For example, setting Dovecot User and Login options to use Unix database / Shadow file password file settings doesn't work. Though the settings may be correct in the configuration file, the Dovecot module seemingly does not understand what is going on and at the same time, reports deprecated strings in the configuration such as auth default settings needing to be preceded with auth_ which is not correct.

    2.) The authentication method settings are missing CRYPT and should be updated to use / include more current Dovecot mail standards of authentication methods. As well, CRAM-MD5 was originally set out in RFC 2095 and was later obsoleted by RFC 2195. It would probably be a good idea to remove that entirely from the module itself for security reasons. For more information on this visit https://en.wikipedia.org/wiki/CRAM-MD5

    For the most part this module appears to function correctly on FreeBSD as far as configuring the module for the software to use the configuration file itself for Dovecot, but it does require some attention in regards to actually configuring for Dovecot 2.x when using the Webmin module.

    Thank you for your time. :)

     
  • Jamie Cameron
    2013-02-19

    1) Could you explain further what you had to change to get Webmin working here? Was it looking in the wrong place for the dovecot config file, or something else?

    2) Is CRYPT an authentication mechanism supported by dovecot? I didn't see it mentioned on http://wiki2.dovecot.org/Authentication/Mechanisms

     
  • Jaret
    2013-02-19

    Well, the problem isn't that the Dovecot module can't find or use the configuration file; that's all good and Webmin works great.

    The problem is that it's not writing to the configuration file properly when using Dovecot 2.x. When Dovecot 1.x is installed the module seems to work ok and configurations save without complaint from Webmin, but with Dovecot 2.x, it's just not writing to the configuration file when using Dovecot 2.x. If entries are placed in the Dovecot configuration file manually which are intended for Dovecot 2.x, Webmin complains (the Dovecot module) that the parameters in the configuration file are incorrect and that it can't save configuration. It then suggests to use the Dovecot 1.x authentication mechanism and such. It doesn't write to the file correctly it seems although it does detect the configuration file is there. It simply appears to be trying to use Dovecot configuration parameters from what I've tried and referenced on Dovecot 1.x and 2.x authentication mechanisms.

    I know I don't have any issues with Dovecot until I attempt to use version 2.x and it's actually been like this for quite some time so I hung back on version 1.x, but because manage-sieve is obsoleted now, I had to move up to Dovecot 2.x to utilize dovecot-pigeonhole which does what sieve would do.

    With CRYPT, this is what I saw for password scheming mechanism http://wiki2.dovecot.org/Authentication/PasswordSchemes

    If you set CRYPT as a scheme for Dovecot 2.x manually in the configuration file it shows in the list of authentication mechanisms and is correct for Dovecot 2.x. Dovecot also doesn't complain about this and it works. The Webmin Dovecot module still will read the configuration file if you edit parameters manually in the configuration file, but as soon as you attempt to save any setting from within Webmin, that is when it complains about the authentication mechanism being wrong and suggests to use the old style authentication mechanism and configuration parameters.

    Thanks for your response and time Jamie. Much appreciated. If there is anything else I can provide that might help do let me know please.

     
  • For reference:

    When installing Dovecot 2 through the FreeBSD Ports system…
    -The configuration folder is /usr/local/etc/dovecot and does not contain anything other than a "README" file by default.

     
  • Also for reference:

    On the page specified: http://wiki2.dovecot.org/Authentication/Mechanisms
    It mentions "With success/failure password databases (e.g. PAM) it's not possible to use non-plaintext mechanisms at all, because they only support verifying a known plaintext password." Which has a link to http://wiki2.dovecot.org/PasswordDatabase
    That page may help regarding authentication to password databases.

     
  • Jaret
    2013-02-19

    @rsecor

    Yeah I know about the configuration file not existing after installation of Dovecot thus why I mentioned above that the configuration file is detected present by the module so it is in fact there or Webmin would report it missing. I have checked for physical presence of the file, permissions, etc.

    As far as plain-text passwords go I have never used plain-text passwords with Dovecot and even on Dovecot 1.x I'd used CRYPT with FreeBSD because the password hash by default is MD5 and can as well support BLF which is also a CRYPT password scheme. I have used it in this manner on Dovecot 1.x and had no issues at all before.

    It's not just a matter of the password scheming not saving in the configuration, it's that it also is not accepting the authentication mechanism for Dovecot 2.x to be written to the configuration file, but instead 1.x. Even with a freshly created configuration file and attempting to save an authentication mechanism, the Webmin module complains that there is no authentication mechanism present. If you attempt to set one, it says it is not the correct parameters in the configuration file. If you remove those parameters and replace them with Dovecot 1.x style parameters, Webmin doesn't complain, but then if you go to save any setting for Dovecot from Webmin, Webmin starts complaining. So, this doesn't make sense in the slightest as to why it is attempting to even use Dovecot 1.x parameters on Dovecot 2.x with Webmin. This is what I've been trying to explain really is that it is wanting one thing, but doing another.

    I do know at any rate that I have always used CRYPT as the scheme to read MD5 / BLF hashed passwords which is exactly what the FreeBSD password database and password file uses (by default MD5 hashes; BLF if BSD password hashing is changed to Blowfish).

    Unless I'm missing something as to why Webmin won't save Dovecot 2.x settings to the configuration file to start with is a mystery to me. It works great with Dovecot 1.x.

     
  • Jamie Cameron
    2013-03-07

    So it looks like the real issue is that Webmin isn't detecting the Dovecot version properly.

    If you open the Dovecot module in Webmin, what version number is shown at the top of the page?

     
  • Jaret
    2013-03-07

    Hi Jamie and thanks for the reply. The version showing in Webmin is 'Version 2.1.15'.

     
  • Jamie Cameron
    2013-03-08

    Normally Webmin determines which dovecot directives to set (version 1 or 2) based on what already exists in the config file.  It also looks at commented out directives, which exist for most settings in the default dovecot.conf .

    Could you post the exact error message that you are getting from Webmin?

     
  • Jaret
    2013-03-08

    This is what I run into when trying to save the configuration using a stock configuration file for Dovecot 2.

    "Failed to save user and login options : Failed to find section auth default !"

    If I add the auth default mechanism manually, for example:

    auth default {
      mechanisms = digest-md5
    }

    and try to save configuration, Webmin outputs the following message:

    Failed to save user and login options : Missing file to open at WebminCore::/usr/local/lib/webmin/web-lib-funcs.pl line 3018

     
  • Jamie Cameron
    2013-03-08

    Does your config file have an auth_mechanisms line? Webmin uses that as an indicator of which Dovecot version you are running.

    If possible, I'd be interested to see your initial configuration file.

     
  • Jaret
    2013-03-08

    Yeah no problem. Here you are sir. http://pastebin.ca/2330134

    This is the stock configuration file, with the exception of me adding the part stated in the description on the pastebin.

    Hope this helps. If I'm missing something I don't know what. All I know is on Dovecot 1 I never had to mess with any of it in the configuration file other than a few things here and there for customized settings.

    Thanks again for your time and help.

     
  • Jamie Cameron
    2013-03-09

    I think I see the issue - Webmin isn't reading the additional Dovecot config files specified by the line :

    !include conf.d/*.conf

    That's why it isn't finding the default "auth" block.

    Is there a conf.d sub-directory under the same directory that contains dovecot.conf?

    Also, if you click on the Edit Config Files icon in the Dovecot module, does it give you the option to edit all the files in that conf.d dir?

     
  • Jaret
    2013-03-09

    Well, I don't think you saw the issue, but in fact knew the issue.

    It seems that from Dovecot 1 to 2 these files had been removed from the /usr/local/etc/dovecot/ directory altogether and placed in the /usr/local/share/doc/dovecot/example-config/conf.d directory for custom additions of configuration for both Dovecot version 1 and 2 so this change is new since version 2 was deployed. I had no idea this was done. I saved settings with Unix user and Unix password file and it saved without a hitch.

    So heads up to anyone else who doesn't know this. Make sure the directory and configuration includes you want are copied and in that folder.

    Thank you Jamie for pointing this out and your time. I apologize for overlooking taking up your time on such a simple thing. I should have thought to check there. Will pay closer attention in future.
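
The diagnosis reached in this thread, as an added example that is not part of the original discussion and is not Webmin's or Dovecot's code: a Python check that follows `!include` lines from dovecot.conf, reports include patterns that match no file, and shows which file actually sets auth_mechanisms. The function names, the one-entry flag list, and the resolution rules (patterns relative to the including file, last assignment wins) are assumptions; the sample tree is constructed.

```python
import glob
import os
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r"^\s*!include(?:_try)?\s+(\S+)")
MECH_RE = re.compile(r"^\s*auth_mechanisms\s*=\s*(.*?)\s*(?:#.*)?$")
FLAGGED = {"cram-md5"}  # the mechanism the thread proposes dropping

def audit(main_conf):
    """Follow !include lines from main_conf and report what was really read."""
    report = {"files": [], "unmatched": [], "mechanisms": [], "set_in": None}
    seen = set()

    def walk(path):
        path = os.path.realpath(path)
        if path in seen:  # guard against include loops
            return
        seen.add(path)
        report["files"].append(os.path.basename(path))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                inc, mech = INCLUDE_RE.match(line), MECH_RE.match(line)
                if inc:
                    # Assumption: relative patterns resolve against this file's dir.
                    base = os.path.dirname(path)
                    hits = sorted(glob.glob(os.path.join(base, inc.group(1))))
                    if not hits:
                        report["unmatched"].append(inc.group(1))
                    for hit in hits:
                        walk(hit)
                elif mech:  # commented-out lines never match; last value wins
                    report["mechanisms"] = mech.group(1).lower().split()
                    report["set_in"] = os.path.basename(path)

    walk(main_conf)
    report["flagged"] = sorted(FLAGGED & set(report["mechanisms"]))
    return report

def demo():
    """Constructed sample tree: audit before and after conf.d exists."""
    with tempfile.TemporaryDirectory() as root:
        main = os.path.join(root, "dovecot.conf")
        Path(main).write_text("#auth_mechanisms = plain\n!include conf.d/*.conf\n")
        before = audit(main)
        os.mkdir(os.path.join(root, "conf.d"))
        Path(root, "conf.d", "10-auth.conf").write_text("auth_mechanisms = plain cram-md5\n")
        return before, audit(main)
```

On a live host, `doveconf -n` prints the non-default settings as Dovecot itself resolves them, which is the authoritative comparison for this report.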