Проблема такая: есть фряха, заведённая в домен windows2003, на ней поднят Dovecot (1.1.2), который авторизует пользователей с использованием pam_winbindd, и Exim (4.69), который должен авторизовать пользователей, отправляющих почту, посредством Dovecot
1. Dovecot работает на ура: подцепляет пользователя из домена, создаёт папочку в хоумдире и складывает туда его почту;
2. Exim, если цепляться телнетом снаружи, тоже отлично определяет, что получатель письма в домене есть, и, в случае, если нету, отпинывает;
ПРОБЛЕМА:
3. Ну никак не получается авторизовать пользователя при отправке письма, из домена, никаким способом.
В свой лог exim пишет просто:
Код: Выделить всё
SMTP connection from [192.168.13.1]:3438 I=[192.168.13.2]:25 (TCP/IP connection count = 1)Код: Выделить всё
Aug 29 15:39:42 gw dovecot: auth(default): new auth connection: pid=65055
Aug 29 15:39:42 gw dovecot: auth(default): client in: AUTH 57 NTLM service=smtp rip=192.168.13.1 lip=192.168.13.2 resp=
Aug 29 15:39:42 gw dovecot: auth(default): client out: CONT 57
Aug 29 15:39:42 gw dovecot: auth(default): client in: CONT 57 TlRMTVNTUAABAAAAB7IIogkACQAvAAAABwAHACgAAAAFAs4OAAAAD0FELUtBWk5LQVpOLTJHSVM=
Aug 29 15:39:42 gw kernel: pid 65055 (exim-4.69-0), uid 26: exited on signal 11
Aug 29 15:39:42 gw dovecot: auth(default): client out: CONT 57 TlRMTVNTUAACAAAAEgASADAAAAAFgomiiQhgBmmZbucAAAAAAAAAAIAAgABCAAAASwBBAFoATgAtADIARwBJAFMAAgASAEsAQQBaAE4ALQAyAEcASQBTAAEADgBHAFcALQBLAEEAWgBOAAQAHgBrAGEAegBuAC4AMgBnAGkAcwAuAGwAbwBjAGEAbAADAC4AZwB3AC0AawBhAHoAbgAuAGsAYQB6AG4ALgAyAGcAaQBzAC4AbABvAGMAYQBsAAAAAAA=
И, причём, одно и то же, независимо от способов авторизации - хоть я plaintext'ом пытаюсь авторизоваться, хоть NTLM, всегда пишет "dovecot: auth(default): client in: AUTH XX NTLM service=smtp", хоть ты тресни..
Уже кипит мозг, и, скорее всего, я застрял где-то посреди трёх дубов, ткните, пожалуйста, носом!
Вот конфиги почтовиков (пардон за обширные портянки):
Конфиг Dovecot такой:
Код: Выделить всё
protocols = imap pop3
listen = *
disable_plaintext_auth = no
ssl_disable = yes
mail_location = maildir:/home/%Lu/Mail
mail_access_groups = mail
verbose_proctitle = yes
mail_debug = yes
first_valid_uid = 26
last_valid_uid = 26
first_valid_gid = 6
last_valid_gid = 6
umask = 0077
mbox_read_locks = fcntl
mbox_write_locks = dotlock fcntl
maildir_copy_with_hardlinks = yes
protocol imap {
imap_client_workarounds = delay-newmail outlook-idle tb-extra-mailbox-sep
}
protocol lda {
postmaster_address = root@mydomain.ru
sendmail_path = /usr/local/sbin/exim
# UNIX socket path to master authentication server to find users.
auth_socket_path = /var/run/dovecot/auth-master
log_path = /var/log/dovecot/deliver.log
info_log_path = /var/log/dovecot/deliver.log
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
auth_cache_size = 1024
auth_username_format = %u
auth_ntlm_use_winbind = yes
auth_winbind_helper_path = /usr/local/bin/ntlm_auth
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth default {
mechanisms = plain ntlm login
passdb pam {
args = exim
}
userdb static {
args = uid=26 gid=6 home=/home/%Lu/Mail allow_all_users=yes
}
user = root
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0600
# Default user/group is the one who started dovecot-auth (root)
user = mailnull
group = mail
}
client {
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/run/dovecot/auth-client
mode = 0660
user = mailnull
group = mail
}
}
}
Код: Выделить всё
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
primary_hostname = mail.mydomain.ru
domainlist local_domains = mydomain.ru
hostlist relay_from_hosts = localhost : 192.168.13.2
qualify_domain = mydomain.ru
domainlist relay_to_domains = mydomain.ru
MAIL_DOMAIN = mydomain.ru
ldap_default_servers = <; 192.168.13.1:389
LDAP_AD_BINDDN = CN=bsduser,CN=users,DC=mydomain,DC=local
LDAP_AD_PASS = "BSDuserPassworD"
LDAP_AD_BASE_DN = DC=mydomain,DC=local
LDAP_AD_MAIL_RCPT = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?mail?sub?\
(&\
(&\
(objectClass=user)\
(objectClass=person)\
)\
(mail=${quote_ldap:${local_part}@${domain}}))
LDAP_AD_MAIL_RETURN = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?mail?sub?\
(&\
(&\
(objectClass=user)\
(objectClass=person)\
)\
(sAMAccountName=${quote_ldap:$authenticated_id))
LDAP_AD_SAM_RETURN = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?sAMAccountName?sub?\
(&\
(&\
(objectClass=user)\
(objectClass=person)\
)\
(mail=${quote_ldap:${local_part}@${domain}}))
LDAP_AD_NAME_RCPT = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?sAMAccountName?sub?\
(&\
(&\
(objectClass=user)\
(objectClass=person)\
)\
(sAMAccountName=${quote_ldap:${local_part}}))
LDAP_AD_OU_RCPT = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?distinguishedName?sub?\
(&\
(&\
(objectClass=user)\
(objectClass=person)\
)\
(sAMAccountName=${quote_ldap:${local_part}}))
LDAP_AD_GROUP_RCPT = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?mail?sub?\
(&\
(&\
(objectClass=group)\
(objectClass=top)\
)\
(mail=${quote_ldap:${local_part}@${domain}}))
LDAP_AD_GROUP2_RCPT = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?distinguishedName?sub?\
(&\
(&\
(objectClass=group)\
(objectClass=top)\
)\
(mail=${quote_ldap:${local_part}@${domain}}))
LDAP_AD_MEMBER_RCPT = \
user=LDAP_AD_BINDDN \
pass=LDAP_AD_PASS \
ldap:///LDAP_AD_BASE_DN\
?sAMAccountName?sub?\
(&\
(&\
(objectClass=user)\
(objectClass=person)\
)\
(memberOf=${quote_ldap:${lookup ldap {LDAP_AD_GROUP2_RCPT}}}))
smtp_banner = "$primary_hostname, ESMTP EXIM"
helo_allow_chars = _
log_file_path = /var/log/exim/exim-%s-%D.log
log_selector = +all
SYSLOG_LONG_LINES = yes
host_lookup = !192.168.0.0/16
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 45m
auto_thaw = 1h
timeout_frozen_after = 15d
smtp_accept_max = 1000
smtp_accept_max_per_connection = 2000
smtp_accept_max_per_host = 100
split_spool_directory = true
remote_max_parallel = 15
return_size_limit = 70k
message_size_limit = 15M
smtp_enforce_sync = false
syslog_timestamp = no
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_connect = acl_check_host
acl_smtp_helo = acl_check_helo
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
acl_check_rcpt:
#accept hosts = +relay_from_hosts
accept hosts = :
accept authenticated = *
deny message = "incorrect symbol in address"
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = "incorrect symbol in address"
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
deny message = "HELO/EHLO require by SMTP RFC"
condition = ${if eq{$sender_helo_name}{}{yes}{no}}
accept !authenticated = *
hosts = 192.168.13.2
deny !authenticated = *
domains = !+local_domains
message = Sorry, authorization required (1)
deny !authenticated = *
condition = ${if eq{$sender_address_domain}{$domain}{yes}{no}}
message = Sorry, authorization required (2)
deny !authenticated = *
hosts = 192.168.13.0/24
message = Sorry, authorization required (3)
deny message = "It is a not open relay"
domains = !+local_domains
warn set acl_m2 = 0
warn condition = ${if !eq{$sender_helo_name}{$sender_host_name}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+30}
warn condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+50}
warn condition = ${if match{$sender_host_name}{\N((?>\w+[\.|\-]){4,})\N}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+40}
warn condition = ${if !match{$sender_helo_name}{\N\w\.\w\N}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+60}
warn condition = ${if <{${strlen:$sender_address}}{25}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+50}
warn condition = ${lookup {$sender_helo_name}wildlsearch{/usr/local/etc/exim/list/spam-hosts}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+60}
warn condition = ${lookup {$sender_host_name}wildlsearch{/usr/local/etc/exim/list/spam-hosts}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+60}
warn condition = ${if >{$recipients_count}{4}{yes}{no}}
set acl_m2 = ${eval:$acl_m2+($recipients_count*10)}
deny message = "Sender host contain dialup, dsl, pool etc."
condition = ${lookup {$sender_host_name}wildlsearch{/usr/local/etc/exim/list/host.blocked}{yes}{no}}
warn
condition = ${if >{$acl_m2}{160}{yes}{no}}
set acl_c0 = ${eval:$acl_m2/10}s
logwrite = Delay $acl_m2 for $sender_host_name [$sender_host_address] with HELO=$sender_helo_name. Mail from $sender_address to $local_part@$domain.
delay = $acl_c0
deny message = "you in blacklist - $dnslist_domain --> $dnslist_text"
dnslists = opm.blitzed.org : cbl.abuseat.org : dynablock.njabl.org
delay = 30s
accept domains = +local_domains
endpass
message = "In my mailserver not stored this user"
verify = recipient
deny message = "It is a not open relay"
acl_check_helo:
accept hosts = 192.168.13.0/24 : 127.0.0.1
accept hosts = wildlsearch;/usr/local/etc/exim/list/white-hosts
accept condition = ${lookup {$sender_helo_name}wildlsearch{/usr/local/etc/exim/list/white-hosts}{yes}{no}}
drop message = Invalid HELO/EHLO data
condition = ${if match {$sender_helo_name}{\N^-?[0-9]+$\N}{yes}{no}}
drop message = HELO/EHLO should not be the IP-address
condition = ${if match {$sender_helo_name}{\N^(\d+\.){3}\d+$\N}{yes}{no}}
drop message = Spam blocking
condition = ${lookup {$sender_helo_name}wildlsearch{/usr/local/etc/exim/list/host.blocked}{yes}{no}}
accept
acl_check_host:
accept hosts = wildlsearch;/usr/local/etc/exim/list/white-hosts
accept condition = ${lookup {$sender_helo_name}wildlsearch{/usr/local/etc/exim/list/white-hosts}{yes}{no}}
drop message = Spam blocking
hosts = !192.168.0.0/16 : !127.0.0.1 : wildlsearch;/usr/local/etc/exim/list/host.blocked
drop message = This IP-address in our blacklist
hosts = net32-lsearch;/usr/local/etc/exim/list/net.blocked
hosts = net24-lsearch;/usr/local/etc/exim/list/net.blocked
hosts = net16-lsearch;/usr/local/etc/exim/list/net.blocked
accept
acl_check_data:
deny condition = ${if eq{$sender_address}{}{yes}{no}}
hosts = !127.0.0.1 : !localhost : *
message = "Where sender of this mail?!"
deny message = Contains ".$found_extension" file (blacklisted).
demime = exe:com:vbs:bat:pif:scr:js:cab:wsh:msi:hta:vb:vbe:jse:cpl:reg:msp:mst:lnk
warn message = X-Spam-Score: $spam_score ($spam_bar)
condition = ${if < {$message_size}{300K}}
condition = ${if !eq{$sender_address_domain}{2gis.ru}{yes}{no}}
spam = nobody:true/defer_ok
warn message = X-Spam-Report: $spam_report
condition = ${if < {$message_size}{300K}}
condition = ${if !eq{$sender_address_domain}{2gis.ru}{yes}{no}}
spam = nobody:true/defer_ok
warn condition = ${if >{$spam_score_int}{60}{1}{0}}
set acl_c2= ***SPAM****
# message = Subject: ***SPAM**** $h_subject:
condition = ${if !eq{$sender_address_domain}{2gis.ru}{yes}{no}}
condition = ${if < {$message_size}{300K}}
spam = nobody/defer_ok
# reject spam at high scores (> 16)
deny message = This message scored $spam_score spam points.
condition = ${if < {$message_size}{300K}}
condition = ${if !eq{$sender_address_domain}{2gis.ru}{yes}{no}}
spam = nobody:true/defer_ok
condition = ${if >{$spam_score_int}{160}{1}{0}}
accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
lists_all:
driver = redirect
domains = +local_domains
local_parts = all
senders = ${if exists {/usr/lists/.exim-all}{lsearch;/usr/lists/.exim-all}{*}}
file = /usr/local/etc/exim/list/.exim-all
forbid_pipe
forbid_file
redirect_router = local_adsi_user
lists_alias:
driver = redirect
domains = +local_domains
local_parts = ! all
file = /usr/local/etc/exim/list/.exim-$local_part
redirect_router = local_adsi_user
adsi_check:
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup ldap {LDAP_AD_NAME_RCPT}{${local_part}}}
redirect_router = local_adsi_user
AD_alias:
driver = redirect
domains = +local_domains
allow_defer
data = ${lookup ldap {LDAP_AD_SAM_RETURN}{${local_part}}}
redirect_router = local_adsi_user
AD_group:
driver = redirect
allow_fail
allow_defer
domains = +local_domains
data = ${lookup ldapm {LDAP_AD_MEMBER_RCPT}{${local_part}} {:fail: User unknown}}
# data = $address_data@${domain}
redirect_router = local_adsi_date_r
system_aliases:
driver = redirect
allow_fail
allow_defer
# local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
data = ${lookup{$local_part}lsearch{/etc/aliases} {:fail: User unknown}}
# file_transport = address_file
# pipe_transport = address_pipe
redirect_router = local_adsi_user
local_adsi_user:
driver = accept
transport = local_adsi_delivery
local_adsi_date_r:
driver = accept
transport = local_adsi_date
cannot_route_message = Unknown user
begin transports
local_adsi_delivery:
driver = pipe
headers_remove = subject
headers_add = Subject: $acl_c2 $h_subject:
command = /usr/local/libexec/dovecot/deliver -d $local_part
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = mailnull
group = mail
local_adsi_date:
driver = pipe
headers_remove = subject
headers_add = Subject: $acl_c2 $h_subject:
command = /usr/local/libexec/dovecot/deliver -d $address_data
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = mailnull
group = mail
remote_smtp:
driver = smtp
address_pipe:
driver = pipe
return_output
address_reply:
driver = autoreply
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin authenticators
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
dovecot_spa:
driver = dovecot
public_name = NTLM
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth2
