<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-15">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Verdana">Hi,<br>
<br>
Because of the Heartbleed bug, on Monday I updated one of my
systems (Ubuntu 12.04.4 LTS), or rather its packages, including
Dovecot and Postfix.<br>
Of course I also changed all user passwords.<br>
However, since the package update I have had the problem that I
cannot log in to Dovecot any more, no matter what I try.<br>
Mail can still be sent via Postfix, although on port 25 I am not
presented with any SSL certificate at login either, but sending
still works.<br>
The main problem is no longer being able to log in to Dovecot.<br>
<br>
Does anyone have an idea about this?<br>
<br>
Logs etc. are below.<br>
<br>
Many thanks in advance and regards,<br>
Timo<br>
<br>
<br>
<br>
<br>
<br>
Certificates for Dovecot and Postfix:<br>
openssl req -x509 -out /etc/ssl/certs/NAME-cert.pem -newkey
rsa:4096 -keyout /etc/ssl/private/NAME-key.pem -nodes -sha256
-days 3650<br>
<br>
Dovecot -n:<br>
root@HOST:~# dovecot -n<br>
# 2.0.19: /etc/dovecot/dovecot.conf<br>
# OS: Linux 3.2.0-23-virtual x86_64 Ubuntu 12.04.4 LTS<br>
auth_debug = yes<br>
auth_debug_passwords = yes<br>
auth_verbose = yes<br>
listen = *<br>
mail_debug = yes<br>
mail_location = maildir:~/Maildir<br>
managesieve_notify_capability = mailto<br>
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave<br>
passdb {<br>
driver = pam<br>
}<br>
plugin {<br>
sieve = ~/.dovecot.sieve<br>
sieve_dir = ~/sieve<br>
}<br>
protocols = imap sieve<br>
service auth {<br>
unix_listener /var/spool/postfix/private/dovecot-auth {<br>
group = postfix<br>
mode = 0660<br>
user = postfix<br>
}<br>
}<br>
ssl = required<br>
ssl_cert = </etc/ssl/certs/dovecot-cert.pem<br>
ssl_key = </etc/ssl/private/dovecot-key.pem<br>
userdb {<br>
driver = passwd<br>
}<br>
verbose_ssl = yes<br>
protocol imap {<br>
imap_client_workarounds = delay-newmail<br>
mail_max_userip_connections = 50<br>
}<br>
protocol pop3 {<br>
mail_max_userip_connections = 10<br>
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh<br>
}<br>
protocol lda {<br>
deliver_log_format = msgid=%m: %$<br>
mail_plugins = sieve<br>
postmaster_address = postmaster@DOMAIN<br>
quota_full_tempfail = yes<br>
rejection_reason = Your message to <%t> was automatically
rejected:%n%r<br>
}<br>
<br>
mail.log<br>
<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x10, ret=1: before/accept initialization [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: before/accept initialization [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read client hello A [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write server hello A [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write certificate A [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write server done A [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 flush data [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2002, ret=-1: SSLv3 read client certificate A
[12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2002, ret=-1: SSLv3 read client certificate A
[12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: auth: Debug: Loading modules from
directory: /usr/lib/dovecot/modules/auth<br>
Apr 10 09:49:00 HOST dovecot: auth: Debug: auth client connected
(pid=21546)<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read client key exchange A
[12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2002, ret=-1: SSLv3 read certificate verify A
[12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 read finished A [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write change cipher spec A
[12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 write finished A [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2001, ret=1: SSLv3 flush data [12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x20, ret=1: SSL negotiation finished successfully
[12.345.678.910]<br>
Apr 10 09:49:00 HOST dovecot: imap-login: Warning: SSL:
where=0x2002, ret=1: SSL negotiation finished successfully
[12.345.678.910]<br>
Apr 10 09:49:04 HOST dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011lip=10.11.12.134#011rip=12.345.678.910#011lport=993#011rport=49211#011resp=AGlyaW5hADNYMS$<br>
Apr 10 09:49:04 HOST dovecot: auth-worker: Debug: Loading modules
from directory: /usr/lib/dovecot/modules/auth<br>
Apr 10 09:49:04 HOST dovecot: auth-worker: Debug:
pam(USER,12.345.678.910): lookup service=dovecot<br>
Apr 10 09:49:04 HOST dovecot: auth-worker: Debug:
pam(USER,12.345.678.910): #1/1 style=1 msg=Password:<br>
Apr 10 09:49:06 HOST dovecot: auth-worker:
pam(USER,12.345.678.910): pam_authenticate() failed:
Authentication failure (password mismatch?) (given password:
PASSWORD)<br>
Apr 10 09:49:08 HOST dovecot: auth: Debug: client out:
FAIL#0111#011user=USER<br>
Apr 10 09:49:08 HOST dovecot: imap-login: Warning: SSL alert:
where=0x4004, ret=256: warning close notify [12.345.678.910]<br>
Apr 10 09:49:08 HOST dovecot: imap-login: Warning: SSL alert:
where=0x4008, ret=256: warning close notify [12.345.678.910]<br>
Apr 10 09:49:08 HOST dovecot: imap-login: Aborted login (auth
failed, 1 attempts): user=<USER>, method=PLAIN,
rip=12.345.678.910, lip=10.11.12.134, TLS<br>
<br>
mail.err<br>
Apr 9 02:25:47 HOST dovecot: imap-login: Error: read(anvil)
failed: EOF<br>
Apr 9 03:09:59 HOST dovecot: auth: Error:
read(anvil-auth-penalty) failed: EOF<br>
Apr 9 03:09:59 HOST dovecot: auth: Error:
net_connect_unix(anvil-auth-penalty) failed: Permission denied<br>
Apr 9 07:07:35 HOST dovecot: master: Fatal: Dovecot is already
running with PID 2707 (read from /var/run/dovecot/master.pid)<br>
Apr 9 07:49:30 HOST dovecot: doveadm: Error: This is Dovecot's
error log (1397022570)<br>
Apr 9 07:49:30 HOST dovecot: doveadm: Fatal: This is Dovecot's
fatal log (1397022570)<br>
Apr 9 12:12:13 HOST postfix/smtpd[5462]: fatal: no SASL
authentication mechanisms<br>
Apr 9 12:13:14 HOST postfix/smtpd[5473]: fatal: no SASL
authentication mechanisms<br>
Apr 9 12:14:15 HOST postfix/smtpd[5494]: fatal: no SASL
authentication mechanisms<br>
Apr 9 12:15:16 HOST postfix/smtpd[5660]: fatal: no SASL
authentication mechanisms<br>
Apr 9 12:16:17 HOST postfix/smtpd[5684]: fatal: no SASL
authentication mechanisms<br>
Apr 9 12:52:27 HOST dovecot: auth: Error:
read(anvil-auth-penalty) failed: EOF<br>
Apr 9 12:52:27 HOST dovecot: auth: Error:
net_connect_unix(anvil-auth-penalty) failed: Permission denied<br>
<br>
main.cf<br>
# See /usr/share/postfix/main.cf.dist for a commented, more
complete version<br>
# Debian specific: Specifying a file name will cause the first<br>
# line of that file to be used as the name. The Debian default<br>
# is /etc/mailname.<br>
#myorigin = /etc/mailname<br>
<br>
smtpd_banner = $myhostname ESMTP $mail_name<br>
biff = no<br>
<br>
# appending .domain is the MUA's job.<br>
append_dot_mydomain = no<br>
<br>
# Uncomment the next line to generate "delayed mail" warnings<br>
#delay_warning_time = 4h<br>
<br>
readme_directory = no<br>
<br>
# TLS parameters<br>
smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem<br>
smtpd_tls_key_file = /etc/ssl/private/postfix-key.pem<br>
smtpd_use_tls = yes<br>
smtpd_tls_session_cache_database =
btree:${data_directory}/smtpd_scache<br>
smtp_tls_session_cache_database =
btree:${data_directory}/smtp_scache<br>
#smtpd_tls_security_level = may<br>
<br>
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc
package for<br>
# information on enabling SSL in the smtp client.<br>
<br>
myhostname = HOST<br>
alias_maps = hash:/etc/aliases<br>
alias_database = hash:/etc/aliases<br>
myorigin = /etc/mailname<br>
mydestination = DOMAIN, localhost.de, mail.DOMAIN, localhost<br>
relayhost =<br>
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128<br>
mailbox_size_limit = 0<br>
recipient_delimiter = +<br>
inet_interfaces = all<br>
home_mailbox = Maildir/<br>
smtpd_sasl_auth_enable = yes<br>
smtpd_sasl_type = dovecot<br>
smtpd_sasl_path = private/dovecot-auth<br>
smtpd_sasl_authenticated_header = yes<br>
smtpd_sasl_security_options = noanonymous<br>
smtpd_sasl_local_domain = $myhostname<br>
#smtpd_tls_security_level = may<br>
broken_sasl_auth_clients = yes<br>
smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination<br>
smtpd_sender_restrictions = reject_unknown_sender_domain<br>
mailbox_command = /usr/lib/dovecot/deliver -c
/etc/dovecot/dovecot.conf -m "${EXTENSION}"<br>
#smtp_use_tls = yes<br>
#smtp_tls_security_level = may<br>
smtpd_tls_received_header = yes<br>
smtpd_tls_mandatory_protocols = SSLv3, TLSv1<br>
smtpd_tls_mandatory_ciphers = medium<br>
#smtpd_tls_auth_only = yes<br>
tls_random_source = dev:/dev/urandom<br>
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt<br>
virtual_alias_maps = hash:/etc/postfix/virtual<br>
inet_protocols = all<br>
message_size_limit = 204800<br>
<br>
master.cf<br>
#<br>
# Postfix master process configuration file. For details on the
format<br>
# of the file, see the master(5) manual page (command: "man 5
master").<br>
#<br>
# Do not forget to execute "postfix reload" after editing this
file.<br>
#<br>
#
==========================================================================<br>
# service type private unpriv chroot wakeup maxproc command +
args<br>
# (yes) (yes) (yes) (never) (100)<br>
#
==========================================================================<br>
smtp inet n - - - - smtpd<br>
-o smtpd_enforce_tls=yes<br>
#smtp inet n - - - 1
postscreen<br>
#smtpd pass - - - - - smtpd<br>
#dnsblog unix - - - - 0 dnsblog<br>
#tlsproxy unix - - - - 0 tlsproxy<br>
#submission inet n - - - - smtpd<br>
# -o syslog_name=postfix/submission<br>
# -o smtpd_tls_security_level=encrypt<br>
# -o smtpd_sasl_auth_enable=yes<br>
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject<br>
# -o milter_macro_daemon_name=ORIGINATING<br>
#smtps inet n - - - - smtpd<br>
# -o syslog_name=postfix/smtps<br>
# -o smtpd_tls_wrappermode=yes<br>
# -o smtpd_sasl_auth_enable=yes<br>
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject<br>
# -o milter_macro_daemon_name=ORIGINATING<br>
#628 inet n - - - - qmqpd<br>
pickup fifo n - - 60 1 pickup<br>
cleanup unix n - - - 0 cleanup<br>
qmgr fifo n - n 300 1 qmgr<br>
#qmgr fifo n - n 300 1 oqmgr<br>
tlsmgr unix - - - 1000? 1 tlsmgr<br>
rewrite unix - - - - -
trivial-rewrite<br>
bounce unix - - - - 0 bounce<br>
defer unix - - - - 0 bounce<br>
trace unix - - - - 0 bounce<br>
verify unix - - - - 1 verify<br>
flush unix n - - 1000? 0 flush<br>
proxymap unix - - n - - proxymap<br>
proxywrite unix - - n - 1 proxymap<br>
smtp unix - - - - - smtp<br>
relay unix - - - - - smtp<br>
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5<br>
showq unix n - - - - showq<br>
error unix - - - - - error<br>
retry unix - - - - - error<br>
discard unix - - - - - discard<br>
local unix - n n - - local<br>
virtual unix - n n - - virtual<br>
lmtp unix - - - - - lmtp<br>
anvil unix - - - - 1 anvil<br>
scache unix - - - - 1 scache<br>
#<br>
#
====================================================================<br>
# Interfaces to non-Postfix software. Be sure to examine the
manual<br>
# pages of the non-Postfix software to find out what options it
wants.<br>
#<br>
# Many of the following services use the Postfix pipe(8) delivery<br>
# agent. See the pipe(8) man page for information about
${recipient}<br>
# and other message envelope options.<br>
#
====================================================================<br>
#<br>
# maildrop. See the Postfix MAILDROP_README file for details.<br>
# Also specify in main.cf: maildrop_destination_recipient_limit=1<br>
#<br>
maildrop unix - n n - - pipe<br>
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}<br>
#<br>
#
====================================================================<br>
#<br>
# Recent Cyrus versions can use the existing "lmtp" master.cf
entry.<br>
#<br>
# Specify in cyrus.conf:<br>
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4<br>
#<br>
# Specify in main.cf one or more of the following:<br>
# mailbox_transport = lmtp:inet:localhost<br>
# virtual_transport = lmtp:inet:localhost<br>
#<br>
#
====================================================================<br>
#<br>
# Cyrus 2.1.5 (Amos Gouaux)<br>
# Also specify in main.cf: cyrus_destination_recipient_limit=1<br>
#<br>
#cyrus unix - n n - - pipe<br>
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m
${extension} ${user}<br>
#<br>
#
====================================================================<br>
# Old example of delivery via Cyrus.<br>
#<br>
#old-cyrus unix - n n - - pipe<br>
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension}
${user}<br>
#<br>
#
====================================================================<br>
#<br>
# See the Postfix UUCP_README file for configuration details.<br>
#<br>
uucp unix - n n - - pipe<br>
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender -
$nexthop!rmail ($recipient)<br>
#<br>
# Other external delivery methods.<br>
#<br>
ifmail unix - n n - - pipe<br>
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop
($recipient)<br>
bsmtp unix - n n - - pipe<br>
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop
-f$sender $recipient<br>
scalemail-backend unix - n n - 2
pipe<br>
flags=R user=scalemail
argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user}
${extension}<br>
mailman unix - n n - - pipe<br>
flags=FR user=list
argv=/usr/lib/mailman/bin/postfix-to-mailman.py<br>
${nexthop} ${user}<br>
<br>
Installed versions:<br>
root@HOST:/etc/dovecot/conf.d# dpkg -l | grep "dov"<br>
ii dovecot-core
1:2.0.19-0ubuntu2 secure mail server that
supports mbox, maildir, dbox and mdbox mailboxes<br>
ii dovecot-imapd
1:2.0.19-0ubuntu2 secure IMAP server that
supports mbox, maildir, dbox and mdbox mailboxes<br>
ii dovecot-managesieved
1:2.0.19-0ubuntu2 secure ManageSieve server for
Dovecot<br>
ii dovecot-pop3d
1:2.0.19-0ubuntu2 secure POP3 server that
supports mbox, maildir, dbox and mdbox mailboxes<br>
ii dovecot-postfix
1:2.0.19-0ubuntu2 mail server delivery agent
stack provided by Ubuntu server team<br>
ii dovecot-sieve
1:2.0.19-0ubuntu2 sieve filters support for
Dovecot<br>
root@HOST:/etc/dovecot/conf.d# dpkg -l | grep "postfix"<br>
ii dovecot-postfix
1:2.0.19-0ubuntu2 mail server delivery agent
stack provided by Ubuntu server team<br>
ii postfix
2.9.6-1~12.04.1 High-performance mail transport
agent<br>
<br>
</font>
</body>
</html>