WilliamFromTW / docker-postfix-openldap

docker, centos, postfix, rspamd with backend openldap authentication

IMAP cannot log in: imap-login: Error: proxy: Remote returned invalid banner #3

Open changchichung opened 2 years ago

changchichung commented 2 years ago

I run the container with the following command:

docker run --name postfixldap -v /etc/letsencrypt:/etc/letsencrypt \
-v postfixldap_vmail:/home/vmail \
-v postfixldap_postfix:/etc/postfix \
-v postfixldap_dovecot:/etc/dovecot \
-v postfixldap_rspamd:/etc/rspamd \
-v postfixldap_log:/var/log \
-p 25:25 -p 110:110 -p 143:143 -p 465:465 -p 587:587  -p 993:993 -p 995:995 -p 4190:4190 \
-e DOMAIN_NAME="test.com" \
-e HOST_NAME="hqs013"  \
-e HOST_IP="192.168.11.1"  \
-e SEARCH_BASE="ou=People,dc=test,dc=com" \
-e BIND_DN="cn=admin,dc=test,dc=com" \
-e BIND_PW="PASSWORD"  \
-e TZ="Asia/Taipei" \
-e ENABLE_QUOTA="true" --restart always \
-e MY_NETWORKS="192.168.11.0/24"  \
-d inmethod/docker-postfix-openldap:0.1

and add the account in Thunderbird, but the log shows some errors:

Feb 14 13:56:01 5408c083fa15 dovecot: lmtp(525): Connect from 127.0.0.1
Feb 14 13:56:01 5408c083fa15 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 5408c083fa15 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.39, lip=172.17.0.2, TLS, session=<2lYbEvTXXMPAqAsn>
Feb 14 13:56:01 5408c083fa15 dovecot: lmtp(525): Disconnect from 127.0.0.1: Connection closed (in banner)
Feb 14 13:56:03 5408c083fa15 dovecot: lmtp(531): Connect from 127.0.0.1
Feb 14 13:56:03 5408c083fa15 dovecot: lmtp(531): Disconnect from 127.0.0.1: Connection closed (in banner)
Feb 14 13:56:03 5408c083fa15 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 5408c083fa15 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.39, lip=172.17.0.2, TLS, session=<2lYbEvTXXMPAqAsn>
Feb 14 13:56:03 5408c083fa15 dovecot: imap-login: Disconnected (internal failure, 2 successful auths): user=<test@test.com>, method=PLAIN, rip=192.168.11.39, lip=172.17.0.2, TLS, session=<2lYbEvTXXMPAqAsn>

Any suggestions?

WilliamFromTW commented 2 years ago

I had a look. HOST_NAME needs to be the full name, hqs013.test.com. MY_NETWORKS needs an escape character: 192.168.11.0\/24. Also, tag 0.1 has since moved on to 0.9: inmethod/docker-postfix-openldap:0.9

See Docker Hub: https://hub.docker.com/repository/docker/inmethod/docker-postfix-openldap

As for authentication, this docker image does not bundle openldap; you have to install it yourself, also as a docker container. The reason for doing it this way is to split the authentication part out.

Please refer to the readme for how to install openldap.

changchichung commented 2 years ago

OK, this is my modified docker start command:

 docker run --name postfixldap -v /etc/letsencrypt:/etc/letsencrypt \
 -v postfixldap_vmail:/home/vmail \
 -v postfixldap_postfix:/etc/postfix \
 -v postfixldap_dovecot:/etc/dovecot \
 -v postfixldap_rspamd:/etc/rspamd \
 -v postfixldap_log:/var/log \
 -p 25:25 -p 110:110 -p 143:143 -p 465:465 -p 587:587  -p 993:993 -p 995:995 -p 4190:4190 -p 11334:11334 \
 -e DOMAIN_NAME="test.com" \
 -e HOST_NAME="hqs013.test.com"  \
 -e HOST_IP="192.168.11.1"  \
 -e SEARCH_BASE="ou=People,dc=test,dc=com" \
 -e BIND_DN="cn=admin,dc=test,dc=com" \
 -e BIND_PW="password"  \
 -e TZ="Asia/Taipei" \
 -e ENABLE_QUOTA="False" --restart always \
 -e MY_NETWORKS="192.168.11.0\/24" \
 -d inmethod/docker-postfix-openldap:0.9

But it still looks like the same error. BTW, this error does not show up in docker logs; you have to go into the container and look at /var/log/maillog.

Feb 14 17:14:40 fe375aeffbb3 dovecot: lmtp(127): Connect from 127.0.0.1
Feb 14 17:14:40 fe375aeffbb3 dovecot: lmtp(127): Disconnect from 127.0.0.1: Connection closed (in banner)
Feb 14 17:14:40 fe375aeffbb3 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 fe375aeffbb3 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.39, lip=172.17.0.2, TLS, session=<R79i2PbXesPAqAsn>
Feb 14 17:14:40 fe375aeffbb3 dovecot: imap-login: Disconnected (internal failure, 2 successful auths): user=<test@test.com>, method=PLAIN, rip=192.168.11.39, lip=172.17.0.2, TLS, session=<R79i2PbXesPAqAsn>

WilliamFromTW commented 2 years ago

Strange. Also, is Let's Encrypt mapped to the host? I'd also suggest testing with a real domain. And of course the openldap side has to be confirmed OK as well.

changchichung commented 2 years ago

After testing: if the account is test, I can send mail, but I cannot receive replies from outside, even though the log shows the mail was delivered successfully. Log for sending mail:

Feb 14 20:59:08 fe375aeffbb3 postfix/submission/smtpd[1216]: 16C56180379: client=unknown[192.168.11.4], sasl_method=PLAIN, sasl_username=test
Feb 14 20:59:08 fe375aeffbb3 postfix/cleanup[1221]: 16C56180379: message-id=<9bb2c8d8-e45f-ed50-1cff-f661fde980c9@test.com>
Feb 14 20:59:08 fe375aeffbb3 postfix/qmgr[1052]: 16C56180379: from=<test@test.com>, size=697, nrcpt=1 (queue active)
Feb 14 20:59:08 fe375aeffbb3 postfix/submission/smtpd[1216]: disconnect from unknown[192.168.11.4]
Feb 14 20:59:08 fe375aeffbb3 dovecot: imap(test): Logged out in=694 out=1010
Feb 14 20:59:17 fe375aeffbb3 postfix/smtp[1223]: 16C56180379: to=<chang0206@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=9.3, delays=0.17/0/8.1/0.98, dsn=2.0.0, status=sent (250 2.0.0 OK  1644843557 v5si11426971pgr.653 - gsmtp)
Feb 14 20:59:17 fe375aeffbb3 postfix/qmgr[1052]: 16C56180379: removed

Log for receiving mail:

Feb 14 20:50:07 fe375aeffbb3 postfix/qmgr[1052]: 57D8218036D: from=<chang0206@gmail.com>, size=4326, nrcpt=1 (queue active)
Feb 14 20:50:07 fe375aeffbb3 postfix/smtpd[1168]: disconnect from unknown[192.168.11.240]
Feb 14 20:50:07 fe375aeffbb3 postfix/virtual[1183]: 57D8218036D: to=<test@test.com>, relay=virtual, delay=0.09, delays=0.08/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Feb 14 20:50:07 fe375aeffbb3 postfix/qmgr[1052]: 57D8218036D: removed

If the account is test@test.com, the invalid banner error appears:

Feb 14 20:51:50 fe375aeffbb3 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 fe375aeffbb3 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.4, lip=172.17.0.2, TLS, session=<cYk24fnXKsHAqAsE>
Feb 14 20:51:50 fe375aeffbb3 dovecot: lmtp(1208): Connect from 127.0.0.1
Feb 14 20:51:50 fe375aeffbb3 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 fe375aeffbb3 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.4, lip=172.17.0.2, TLS, session=<b5U24fnXJsHAqAsE>
Feb 14 20:51:50 fe375aeffbb3 dovecot: lmtp(1208): Disconnect from 127.0.0.1: Connection closed (in banner)
Feb 14 20:51:52 fe375aeffbb3 dovecot: lmtp(1208): Connect from 127.0.0.1
Feb 14 20:51:52 fe375aeffbb3 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 fe375aeffbb3 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.4, lip=172.17.0.2, TLS, session=<cYk24fnXKsHAqAsE>
Feb 14 20:51:52 fe375aeffbb3 dovecot: lmtp(1208): Disconnect from 127.0.0.1: Connection closed (in banner)
Feb 14 20:51:52 fe375aeffbb3 dovecot: lmtp(1209): Connect from 127.0.0.1
Feb 14 20:51:52 fe375aeffbb3 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 fe375aeffbb3 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.4, lip=172.17.0.2, TLS, session=<b5U24fnXJsHAqAsE>
Feb 14 20:51:52 fe375aeffbb3 dovecot: lmtp(1209): Disconnect from 127.0.0.1: Connection closed (in banner)

The certificate is mapped, and it really is a real domain; I just replaced it with test.com here.
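The invalid-banner lines in the logs above, together with the lmtp `Connect from 127.0.0.1` / `Disconnect ... (in banner)` pairs logged in the same second, are worth reading mechanically. The script below is an added example, not part of this issue and not code from docker-postfix-openldap: it parses Dovecot log lines of the kind pasted here (reproduced as a constructed sample), names the protocol each received banner belongs to (an IMAP proxy expects a `* OK` greeting and a POP3 proxy `+OK`, whereas `220 <host> Dovecot ready.` is the greeting Dovecot's LMTP service sends), and records which LMTP connections arrived in the same second. `probe_banner` is a hypothetical helper for checking what a proxy target actually answers on a given host and port; nothing here determines why the login was proxied in the first place.

```python
"""Diagnose Dovecot 'proxy: Remote returned invalid banner' errors from maillog.

Added example (not from the docker-postfix-openldap project). It classifies the
banner the login proxy received and correlates it with LMTP connections that
were logged in the same second, which is what the pasted logs show.
"""
import re
import socket
from collections import defaultdict

# Constructed sample log lines modelled on the ones in the issue.
SAMPLE_LOG = """\
Feb 14 20:51:50 fe375aeffbb3 dovecot: imap-login: Error: proxy: Remote returned invalid banner: 220 fe375aeffbb3 Dovecot ready.: user=<test@test.com>, method=PLAIN, rip=192.168.11.4, lip=172.17.0.2, TLS, session=<cYk24fnXKsHAqAsE>
Feb 14 20:51:50 fe375aeffbb3 dovecot: lmtp(1208): Connect from 127.0.0.1
Feb 14 20:51:50 fe375aeffbb3 dovecot: lmtp(1208): Disconnect from 127.0.0.1: Connection closed (in banner)
Feb 14 20:59:08 fe375aeffbb3 dovecot: imap(test): Logged out in=694 out=1010
"""

BANNER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>[\w-]+): "
    r"Error: proxy: Remote returned invalid banner: (?P<banner>.*?): user=<(?P<user>[^>]*)>"
)
LMTP_CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: lmtp\(\d+\): Connect from (?P<ip>\S+)"
)


def classify_banner(banner: str) -> str:
    """Name the protocol a server greeting belongs to."""
    if banner.startswith("* OK"):
        return "imap"
    if banner.startswith("+OK"):
        return "pop3"
    if re.match(r"^220[ -]", banner):
        return "smtp/lmtp"
    return "unknown"


def expected_protocol(service: str) -> str:
    """The greeting a Dovecot login proxy of this service type expects."""
    return {"imap-login": "imap", "pop3-login": "pop3"}.get(service, "unknown")


def diagnose(log_text: str) -> list[dict]:
    """Return one finding per invalid-banner error, with same-second LMTP connects."""
    lmtp_connects = defaultdict(list)
    for line in log_text.splitlines():
        m = LMTP_CONNECT_RE.match(line)
        if m:
            lmtp_connects[m["ts"]].append(m["ip"])
    findings = []
    for line in log_text.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue
        expected, got = expected_protocol(m["svc"]), classify_banner(m["banner"])
        findings.append({
            "user": m["user"],
            "service": m["svc"],
            "expected": expected,
            "got": got,
            "mismatch": expected != got,
            "lmtp_connect_same_second": lmtp_connects.get(m["ts"], []),
        })
    return findings


def probe_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Hypothetical helper: grab the greeting on host:port to see what a proxy target answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("utf-8", "replace").strip()


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run it against the real maillog (`docker exec postfixldap cat /var/log/maillog | python3 diagnose.py` with a stdin reader added) and, if a finding shows an `smtp/lmtp` banner where `imap` was expected, `probe_banner` against the host and port the passdb hands back tells you which listener the proxy is actually reaching.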

changchichung commented 2 years ago

I found something odd: using test as the account, I can send mail, but the mail storage path is /home/vmail/Maildir, whereas it should normally be /home/vmail/test@test.com/Maildir..

It's getting a bit confusing; I'll start over from scratch tomorrow.

WilliamFromTW commented 2 years ago

Let me ask first: did you set up openldap yourself, or did you use my docker-compose.yml file above?

WilliamFromTW commented 2 years ago

Add a group (screenshot)

Add the account and password; for password hashing I chose crypt (screenshot)

Have a look at the sn attribute inside the ldap server container; it matters quite a bit, since it maps to /etc/postfix/ldap-users.cf in docker-postfix-openldap and to the ldap-related files under /etc/dovecot/... (screenshot)

WilliamFromTW commented 2 years ago

Here is my openldap-related setup. Remember that openldap has no postfix-related object attributes; remember to load my postfix.ldif and restart ldap to enable it (screenshot)

Here is my configuration:

docker run --name postfixldap \
 -v /etc/letsencrypt:/etc/letsencrypt \
 -v kafeiou_postfixldap_vmail:/home/vmail \
 -v kafeiou_postfixldap_postfix:/etc/postfix \
 -v kafeiou_postfixldap_dovecot:/etc/dovecot \
 -v kafeiou_postfixldap_rspamd:/etc/rspamd \
 -v kafeiou_postfixldap_log:/var/log \
 -p 25:25 -p 143:143 -p 465:465 -p 587:587 -p 993:993 -p 995:995 \
 -e DOMAIN_NAME="kafeiou.pw" \
 -e HOST_NAME="mail.kafeiou.pw" \
 -e HOST_IP="10.192.130.146:8389" \
 -e SEARCH_BASE="DC=kafeiou,DC=pw" \
 -e BIND_DN="cn=admin,dc=kafeiou,dc=pw" \
 -e BIND_PW="xxxxxx" \
 -e ALIASES=OU=aliases,DC=kafeiou,DC=pw \
 -e MY_NETWORKS="10.192.130.0\/24" \
 -e TZ="Asia/Taipei" \
 -e ENABLE_QUOTA="true" \
 --restart always -d --net=host inmethod/docker-postfix-openldap:0.9

My ldap server port is 8389, and so is the example's; you need to change it.

WilliamFromTW commented 2 years ago

Also, maillog is mapped into the volume. This makes backups convenient and keeps the logs for later auditing, with no need to go into the container, although going in is more familiar path-wise. I also added --net=host because I want to run fail2ban; without --net=host all the logged connections carry a fake IP, which is inconvenient to use as evidence. As for that banner error, I've never seen it.

Once ldap has ingested the postfix.ldif file, you can add a group, then add the postfixuser object and its related attributes, which gives you the aliases function (screenshot)

changchichung commented 2 years ago

LDAP is a "legacy" from my predecessors; it has existed for a long time. I used that fuck-ldap.sh to import postfix.ldif, but since I haven't gotten to that part yet, I'm not sure whether it succeeded. Below is one record from my LDIF:

dn: uid=changcw,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Chang Chun Wei
gidNumber: 50500
homeDirectory: /home/changcw
sn: Chang
givenName: Chun Wei
uid: changcw
uidNumber: 5002
gecos: Chang Chun wei
loginShell: /bin/bash
mail: changcw@test.com
mobile: 0912-xxx-xxx
userPassword:: Zxxxxxxxx
structuralObjectClass: inetOrgPerson
entryUUID: a54b81f6-4375-1038-9db0-197a0820bdeb
creatorsName: cn=admin,dc=test,dc=com
createTimestamp: 20180903033153Z
entryCSN: 20180903033153.422036Z#000000#000#000000
modifiersName: cn=admin,dc=test,dc=com
modifyTimestamp: 20180903033153Z

But I didn't see an sn field in ldap-user.cf?

If it's the one used by user_filter / pass_filter:

(sn=%u)

I changed this to the corresponding field; for the example above, I changed it to uid=%u

WilliamFromTW commented 2 years ago

Then I must have misremembered. Anyway, it's just for fetching data; you can change it to your ldap's own attributes, it doesn't have to be sn.

WilliamFromTW commented 2 years ago

The login account then doesn't need to be the full email. If you want the full email, the ldap-users ... and related files all have to be changed. The intent of this version is that the account name can differ from the email address, which reduces brute-force logins and similar intrusions.
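To make the `(sn=%u)` / `uid=%u` discussion and the point about short account names versus full email logins concrete, here is an added example (not the project's own code, and not Dovecot's implementation). It expands Dovecot's `%u` (the full login name), `%n` (the part before `@`) and `%d` (the domain) into a filter template, escapes the value per RFC 4515 so a crafted login name cannot change the filter's structure (Dovecot applies equivalent escaping when it expands these variables), and evaluates the resulting equality filter against a trimmed copy of the LDIF record posted above. The LDIF copy, the filter templates and the login names are constructed for the example.

```python
"""How the login name, Dovecot's %-variables and the LDAP filter interact.

Added example, not code from docker-postfix-openldap or Dovecot. It expands
%u / %n / %d the way dovecot-ldap filters use them, escapes the value per
RFC 4515, and evaluates a single (attr=value) filter against an LDIF entry.
"""
import re

# Trimmed, constructed copy of the record posted in the thread (password elided).
LDIF_RECORD = """\
dn: uid=changcw,ou=People,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: changcw
sn: Chang
mail: changcw@test.com
homeDirectory: /home/changcw
"""


def parse_ldif(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute -> list of values (names lower-cased)."""
    entry: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value: *, (, ), backslash and NUL become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_unescape(value: str) -> str:
    """Reverse of ldap_escape, as an LDAP server parsing the filter would do."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(template: str, login: str) -> str:
    """Expand %u (full login), %n (local part) and %d (domain), escaped for a filter."""
    local, _, domain = login.partition("@")
    variables = {"u": login, "n": local, "d": domain}
    return re.sub(r"%([und])", lambda m: ldap_escape(variables[m.group(1)]), template)


def matches(entry: dict[str, list[str]], filter_str: str) -> bool:
    """Evaluate a single equality filter such as (uid=changcw) against the entry."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, value = m.group(1).lower(), ldap_unescape(m.group(2))
    return value in entry.get(attr, [])


def lookup(login: str, filter_template: str) -> bool:
    """Would this login, with this pass_filter/user_filter, find the posted record?"""
    return matches(parse_ldif(LDIF_RECORD), expand(filter_template, login))


if __name__ == "__main__":
    for login in ("changcw", "changcw@test.com", "*)(uid=*"):
        for tmpl in ("(uid=%u)", "(uid=%n)", "(mail=%u)"):
            print(f"{login:20} {tmpl:12} -> {expand(tmpl, login):32} match={lookup(login, tmpl)}")
```

With the posted record, `(uid=%u)` matches a login of `changcw` but not `changcw@test.com`, because `%u` carries the whole login string; `(uid=%n)` or `(mail=%u)` match the full address. The escaping also shows why a login such as `*)(uid=*` cannot widen the filter: after escaping it is a literal value that matches no uid.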

changchichung commented 2 years ago

But I don't see maillog or dovecot.log in the volume? Could you tell me which path they map to?

changchichung commented 2 years ago

And there's another very odd thing: if I specify a variable wrong at the start, for example

-e HOST_NAME="mail.kafeiou.pw" 

and I typed

-e HOST_NAME="mil.kafeiou.pw" 

then even if I delete the container, change it to the correct value and start it again, the config still shows the wrong mil.kafeiou.pw

WilliamFromTW commented 2 years ago

The volume postfixldap_log holds all the logs; dovecot also logs into maillog.

By the way, if you want to start over completely, the related volumes must also be deleted and recreated. When I test myself, I only keep this volume: postfixldap_vmail (which stores the mail).