Configure dovecot and exim4 to accept username#company.com logins - authentication

I can log in on my IMAP server using my username, but can't using username#company.com (related: Dovecot Authentication failed if trying login with #domain). The same thing happens for SMTP with exim4.
How can I set up dovecot (IMAP) and exim4 (SMTP) to allow username#company.com as the login?
EDIT: I'm using driver = passwd for the userdb, and driver = pam for the passdb.

I had the same question, and similar reasons. This may not be the best way, but I used a test account, let's call it 'user' for the sake of illustration, and copied the user's line in /etc/passwd (I'm on an Ubuntu cloud server) and changed the name on the copied line, just adding the FQDN, so the user UID has two names: 'user#mydomain.com' and the original, just 'user'.

I set up the account first on Thunderbird with just 'user' to log in to dovecot and exim, and tested send/receive OK. Then I changed the login on Thunderbird for both servers to 'user#mydomain.com'. I had to re-enter the password, but it appears to have worked spectacularly well. It tested send/receive OK, and otherwise appears the same as before.

Now, I'm short on time, so I set the password separately for both accounts, but I'm not sure that part is necessary. I'll have to check later, but I think pam looks up passwords matched to the PID (if I'm wrong about that, please someone tell me!). Anyway, more testing later. I'll let you know if there are deleterious side-effects.

Aside: it may be possible to simply add the full email address as an alias in /etc/alias, but I haven't tested that, and I just thought of it. Anyone try that one, leave a comment! Thanks! Ciao...

You have to create users in the complete form user#domain.tld.
Set up login autocompletion with #hostname if the domain part is omitted, before the dovecot-auth invocation.
While there are lots of dovecot/exim howtos, there is no ready-to-use recipe for your case.

You can change your SQL query to use only the part before the # sign by using the substring_index() function. Conveniently, this function returns the whole string if there is no # sign. This means that if the customer enters "user#domain.com", it will use the correct value (just the "local_part"), and if the customer enters just "user", it will return the whole string.
Example:
mysql> select substring_index('user#example.net','#',1);
+-------------------------------------------+
| substring_index('user#example.net','#',1) |
+-------------------------------------------+
| user                                      |
+-------------------------------------------+
1 row in set (0.00 sec)

mysql> select substring_index('user','#',1);
+-------------------------------+
| substring_index('user','#',1) |
+-------------------------------+
| user                          |
+-------------------------------+
1 row in set (0.00 sec)
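Added example, not from any of the answers above: the same lookup rule written out in Python. substring_index_local_part() is exactly what the MySQL substring_index() answer does; normalize_login() adds the check a server that hosts more than one domain needs, because stripping everything after '#' also turns alice#somewhere.else into alice. The domain list and the account-name pattern are assumptions made for the example.

```python
import re

# Domains this mail server is authoritative for: an assumption for the example
# (the question names company.com, the SQL answer uses example.net).
LOCAL_DOMAINS = frozenset({"company.com", "example.net"})

# Shape of a local part that may exist as a passwd/PAM account: assumed policy,
# deliberately stricter than what a mail client lets a user type.
_LOCAL_PART = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")


def substring_index_local_part(login):
    """Python equivalent of MySQL substring_index(login, '#', 1).

    Everything before the first '#', or the whole string if there is no '#'.
    Note what it does not do: 'alice#somewhere.else' also becomes 'alice'.
    """
    return login.split("#", 1)[0]


def normalize_login(login, local_domains=LOCAL_DOMAINS):
    """Map a submitted IMAP/SMTP login to the account name, or None to reject it.

    Accepts 'user' and 'user#domain', the latter only when domain is one this
    server serves. The result is lowercased, as Dovecot's default
    auth_username_format = %Lu does, so 'Alice#Company.COM' and 'alice' hit
    the same passwd entry instead of behaving like two identities.
    """
    login = login.strip().lower()
    local, has_domain, domain = login.partition("#")
    if not _LOCAL_PART.fullmatch(local):
        return None  # empty, path-like or otherwise not a plain account name
    if has_domain and domain not in local_domains:
        return None  # foreign or empty domain: refuse rather than silently drop
    return local
```

With the PAM/passwd setup from the question there is nowhere to put a SQL function, so the equivalent of normalize_login() has to happen before the password lookup, which is what the second answer means by doing it "before dovecot-auth invocation".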

Related

Zabbix user login trigger

I have a problem with Zabbix: I want it to search through /var/log/log.auth and send a notification when someone logs in by SSH. I know how to send notifications when a trigger is active, but I don't know how to create this exact trigger.
You should set up a log item like log[/var/log/log.auth,authentication successful] (or the exact string you are looking for in the logfile).
Then you should create a corresponding trigger with the regexp function: .regexp(authentication successful)}=1
From the doc, regexp:
Returns:
1 - found
0 - otherwise
It's a bit redundant, but it's good to filter out everything you don't need before storing it in Zabbix.
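As an added example (not part of the answer), the same filtering done in Python over a few constructed auth-log lines, so you can see what the log[] item's search string and the regexp() trigger function actually match on. One caveat for the item key: sshd does not write "authentication successful"; on a Debian/Ubuntu host a successful login is logged as "Accepted password for ..." or "Accepted publickey for ...", so put whichever string your log really contains in the key, otherwise the item collects nothing and the trigger never fires.

```python
import re

# Constructed sshd lines in the syslog layout Debian/Ubuntu write to
# /var/log/auth.log. Host, users and addresses are made up for the example.
SAMPLE_LOG = """\
Mar 17 13:00:01 mail sshd[2143]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: RSA SHA256:abc
Mar 17 13:00:07 mail sshd[2150]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Mar 17 13:00:09 mail sshd[2150]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Mar 17 13:01:30 mail sshd[2201]: Accepted password for bob from 192.0.2.77 port 52000 ssh2
Mar 17 13:02:00 mail sshd[2201]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar 17 13:03:12 mail sshd[2230]: Accepted publickey for alice from 203.0.113.5 port 51300 ssh2: RSA SHA256:abc
"""

# What sshd logs on a successful login; this is the string to use in the
# log[] item key rather than "authentication successful".
SUCCESS_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def zabbix_regexp(line, pattern):
    """Mimic the trigger function regexp(): 1 when the pattern is found, else 0."""
    return 1 if re.search(pattern, line) else 0


def ssh_logins(log_text):
    """Extract (user, method, ip) for every successful SSH login.

    This plays the role of the log[] item's filter string: only matching lines
    are kept, so failed attempts and PAM session bookkeeping never reach the
    trigger (the "filter before storing" point from the answer).
    """
    events = []
    for line in log_text.splitlines():
        m = SUCCESS_RE.search(line)
        if m:
            events.append((m["user"], m["method"], m["ip"]))
    return events


def logins_by_user(log_text):
    """Successful logins per account, e.g. to alert on a never-seen user."""
    counts = {}
    for user, _method, _ip in ssh_logins(log_text):
        counts[user] = counts.get(user, 0) + 1
    return counts
```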

Bareos error: Sorry, can not authenticate. Wrong username and/or password

I wanted to give Bareos (Open Source Data Protection) a go to see how it works and performs. However, I cannot even get past the basic installation and get it working...
I followed the following installation tutorial (several times now): https://www.svennd.be/installing-bareos-on-centos-7/
But every time I am getting the following error: Sorry, can not authenticate. Wrong username and/or password.
I don't understand what I am doing wrong. I even tried using the previous version of Bareos, 16.2, but that didn't make a difference and I experience the same issue. I am 200% sure the password and username are correct.
I also consulted the logs:
17-Mar 13:00 bareos-dir JobId 0: Fatal error: Authorization key rejected by Console USERNAME.
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.
17-Mar 13:00 bareos-dir: ERROR in authenticate.c:283 Unable to authenticate console "USERNAME" at client:127.0.0.1:9101
I checked that page (also several times) and even made sure the (user)names/passwords were correct. But I still get the message "Sorry, can not authenticate. Wrong username and/or password." when I try to log in on "bareos-webui".
Probably I am doing something wrong, but I cannot discover what.
I have the following files available. Maybe I need to make certain changes to those as well?
/etc/bareos/bareos-dir.d/director/bareos-dir.conf
/etc/bareos/bareos-fd.d/director/bareos-dir.conf
/etc/bareos/bareos-sd.d/director/bareos-dir.conf
/etc/bareos/bconsole.conf
/etc/bareos/bareos-sd.d/storage/bareos-sd.conf
/etc/bareos/bareos-dir.d/client/bareos-fd.conf
/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf
When I compared some files, they have different passwords in them?
For example: /etc/bareos/bareos-fd.d/director/bareos-dir.conf
Director {
Name = bareos-dir
Password = "J36zN1mQVF5lLA/FP0kASo+X9wTo8D988nsVqZjx"
Description = "Allow the configured Director to access this file daemon."
}
And /etc/bareos/bareos-sd.d/director/bareos-dir.conf
Director {
Name = bareos-dir
Password = "PAU/ov3RvnFp0I59brd4d8u9m8ejRpkVE7P/4Qz3"
Description = "Director, who is permitted to contact this storage daemon."
}
And (one more example): /etc/bareos/bconsole.conf
# Bareos User Agent (or Console) Configuration File
Director {
Name = bareos-dir
address = localhost
Password = "Fs5JnyO1ypBhcR0D9CNkx3gynPMa+jmp7sj9Ghst"
Description = "Bareos Console credentials for local Director"
}
They all have different passwords here? As I understand it from the online docs, they should all be the same, right?
Maybe that's the issue? Hopefully someone can explain things a bit better or advise me what to do in order to get this working... Maybe it's something simple that I may have overlooked?
FYI: I whitelisted all IPs and ports I use on this server.
//small edit
I re-read the documents once again and it says: "The default configuration files are automatically defined for correct authorization with random passwords. If you add to or modify these files, you will need to take care to keep them consistent."
So if I didn't change a thing, it should have worked in the first place, right? So I think something else is wrong here?
Well I finally found the issue...
Apparently my username or password was too difficult for Bareos to accept.
I don't know exactly which one it was, but either the username or the password caused issues.
I used as a username something like:
BCKPserver
And the password I used was similar to:
!!!!RNDpassW222####
For some reason Bareos saved the password (in the console) and it was displayed correctly in the configuration files, HOWEVER it didn't allow me to log in on the bareos-webui!
Solved. Hopefully this will help someone else.
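An added example (mine, not from the question or from Bareos) for the consistency rule the quoted documentation sentence refers to. The three passwords pasted in the question are not supposed to be identical: each one must equal its counterpart in the Director's own configuration. bconsole.conf pairs with the Director resource in bareos-dir.d/director/bareos-dir.conf, the file daemon's Director resource pairs with the Client resource in bareos-dir.d/client/bareos-fd.conf, and the storage daemon's Director resource pairs with the matching Storage resource (assumed here to be bareos-dir.d/storage/File.conf, the package default name). The file contents below are constructed: the client-side passwords are the three from the question, the Director-side files are invented, and the Storage pair is deliberately out of sync so the checker has something to find.

```python
import re

# Which Director-side file must carry the same password as each file that
# authenticates to the Director. The pairings are the Bareos rule; the name of
# the Storage resource file is an assumption (the package default is "File").
PAIRS = [
    ("bconsole.conf",                        "bareos-dir.d/director/bareos-dir.conf"),
    ("bareos-fd.d/director/bareos-dir.conf", "bareos-dir.d/client/bareos-fd.conf"),
    ("bareos-sd.d/director/bareos-dir.conf", "bareos-dir.d/storage/File.conf"),
]

# Constructed file contents (see the lead-in): client-side passwords are the
# ones pasted in the question, Director-side files are invented.
FILES = {
    "bconsole.conf": '''
        Director {
          Name = bareos-dir
          address = localhost
          Password = "Fs5JnyO1ypBhcR0D9CNkx3gynPMa+jmp7sj9Ghst"
        }''',
    "bareos-dir.d/director/bareos-dir.conf": '''
        Director {
          Name = bareos-dir
          Password = "Fs5JnyO1ypBhcR0D9CNkx3gynPMa+jmp7sj9Ghst"  # console password
        }''',
    "bareos-fd.d/director/bareos-dir.conf": '''
        Director {
          Name = bareos-dir
          Password = "J36zN1mQVF5lLA/FP0kASo+X9wTo8D988nsVqZjx"
        }''',
    "bareos-dir.d/client/bareos-fd.conf": '''
        Client {
          Name = bareos-fd
          Address = localhost
          Password = "J36zN1mQVF5lLA/FP0kASo+X9wTo8D988nsVqZjx"
        }''',
    "bareos-sd.d/director/bareos-dir.conf": '''
        Director {
          Name = bareos-dir
          Password = "PAU/ov3RvnFp0I59brd4d8u9m8ejRpkVE7P/4Qz3"
        }''',
    "bareos-dir.d/storage/File.conf": '''
        Storage {
          Name = File
          Address = localhost
          Password = "edited-by-hand-and-no-longer-matching"
        }''',
}

# One "Key = value" directive per line; the value is either double-quoted or
# bare, optionally followed by a '#' comment.
_DIRECTIVE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|([^#\n]*?))\s*(?:#.*)?$', re.M)


def passwords(conf_text):
    """Every Password value in a resource file, in file order."""
    return [quoted or bare
            for key, quoted, bare in _DIRECTIVE.findall(conf_text)
            if key.lower() == "password"]


def check_pairs(files=FILES, pairs=PAIRS):
    """Return (client_file, director_file, status) for each pair, where status
    is 'ok', 'MISMATCH' or 'missing password'."""
    report = []
    for client_file, director_file in pairs:
        mine, theirs = passwords(files[client_file]), passwords(files[director_file])
        if not mine or not theirs:
            status = "missing password"
        elif mine[0] == theirs[0]:
            status = "ok"
        else:
            status = "MISMATCH"
        report.append((client_file, director_file, status))
    return report


if __name__ == "__main__":
    for client_file, director_file, status in check_pairs():
        print(f"{status:16} {client_file} <-> {director_file}")
```

On a real host, read the files under /etc/bareos into the FILES dict instead of the constructed text; the Director-side file names for the Client and Storage resources are whatever Name your bareos-fd and bareos-sd resources use.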

OpenAM / OpenDJ custom username field works with less than 4000 users

I am currently working on a project that uses OpenAM 12.0.2 with OpenDJ 2.6
We had a requirement to make the username editable, so we ended up creating a custom LDAP attribute called loginId and updating the OpenAM config to use this attribute instead of uid.
When I import fewer than 4000 users, login works fine. When I import 4000+ users, login doesn't work for any user, not even one of the first 4000 users in the directory.
I can manually ldapsearch for the users and they exist in the directory, but I can't login with any of them.
We get an "Authorization failed!!" error, which is different to the usual username/password doesn't match error.
If anyone could shed any light on this, I would appreciate it.
Thanks
Edit
Here is the attribute definition I am now using.
attributeTypes: ( 1.3.6.1.4.1.37238.2.9 NAME 'loginId' DESC 'username (that can be updated)' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'project schema')
I have rebuilt the indices and am still having the same problem :(
That is probably because your instance of OpenDJ is configured to reject unindexed search requests and you haven't defined and built an index for the loginId attribute.

LDAP Authentication failed: Invalid Credentials

In GForge, when a new user tries to log in, the user is automatically registered by fetching data from LDAP. It works fine for other users, but one particular user is not able to log in and gets the error LDAP Authentication failed: Invalid Credentials. I don't understand what the issue could be. Could you please help?
This is the search function I am using.
$res = ldap_search($ldap, $sys_ldap_base, $sys_ldap_id_attribute . '=' . $id, array()); // look up the entry whose ID attribute equals $id
$entry = ldap_first_entry($ldap, $res); // first (expected: only) matching entry
$dn = ldap_get_dn($ldap, $entry); // its DN ...
ldap_bind($ldap, $dn, $pw); // ... is what we bind as, with the user's password
If it works for some users but not for one specific user, then it's something to do with the LDAP configuration, or with the characters in that user's ID or pwd.
Is the failing user in a different org/OU? Do they have accent characters in their username or password? These things can cause compatibility issues between GForge and the LDAP server.
Does this user have a much longer user name than other users? There is a GForge config setting called "usernameregex" that governs the complexity and length of allowed user names. Even though LDAP logins result in automatic account creation, the validation of the user's unix name might fail due to the regex in place. The error noted above could certainly be the catch-all message when this happens.
The default setting is "^[a-z0-9_.-]{3,15}$". You can change the upper length limit by changing the 15 to something else. The unix_name field in the GForge database is TEXT, so it can be extremely long (1GB?).
In GForge 6.3.x and earlier, you can find that setting in /etc/gforge/gforge.conf. Change the value and then update the system using:
cd /opt/gforge/bin && php create_config_cache.php
In GForge 6.4 and later, you can use the gf-config utility to set the value. It will take effect right away:
/opt/gforge/bin/gf-config set "usernameregex" "new regex value"
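Added example, mine rather than GForge's code, covering the two causes the answer lists: the characters in the user's ID and the length limit in usernameregex. ldap_filter_escape() shows what the posted ldap_search() call lacks: the filter is built by string concatenation, so an id containing '(', ')', '*', '\' or NUL reaches the server as a malformed or different filter (RFC 4515 escaping); the example also escapes non-ASCII letters as their UTF-8 octets, which the RFC permits and which sidesteps charset mismatches. why_rejected() reports which constraint of the default "^[a-z0-9_.-]{3,15}$" a candidate unix_name violates. All names and inputs are made up.

```python
import re

# GForge's default usernameregex, quoted in the answer above.
DEFAULT_USERNAMEREGEX = r"^[a-z0-9_.-]{3,15}$"


def unix_name_ok(name, regex=DEFAULT_USERNAMEREGEX):
    """True when GForge's usernameregex would accept name as a unix_name."""
    return re.fullmatch(regex, name) is not None


def why_rejected(name, max_len=15):
    """Explain which constraint of the default regex the name violates.

    max_len is the number you would raise in usernameregex (the '15').
    An empty list means the name is acceptable under those constraints.
    """
    reasons = []
    if len(name) < 3:
        reasons.append("shorter than 3 characters")
    if len(name) > max_len:
        reasons.append(f"longer than {max_len} characters")
    bad = sorted({c for c in name if not re.fullmatch(r"[a-z0-9_.-]", c)})
    if bad:
        reasons.append("characters outside [a-z0-9_.-]: " + "".join(bad))
    return reasons


def ldap_filter_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).

    NUL, '(', ')', '*' and backslash must be written as \\XX; this also writes
    every non-ASCII character as the \\XX escapes of its UTF-8 bytes.
    """
    out = []
    for ch in value:
        if ch in "()*\\\x00" or ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def id_filter(attribute, user_id):
    """The filter the posted PHP builds, with the value escaped."""
    return f"({attribute}={ldap_filter_escape(user_id)})"
```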

Email Authentication with Mailchimp and Bluehost

Can someone please help me get this right? I've been trying for days and just can't do it.
This is what Mailchimp is asking me to do.
Set a TXT (SPF) record for averyburch.com to:
v=spf1 include:servers.mcsv.net ?all
Set the CNAME record for k1._domainkey.averyburch.com to:
dkim.mcsv.net
So I have entered the following in my Bluehost DNS zone editor. But it's not authenticating. I've waited 48 hours.
CNAME
k1._domainkey points to dkim.mcsv.net
TXT
# txt value is: v=spf1 a mx ptr include:bluehost.com include:servers.mcsv.net ?all
I did enter exactly k1._domainkey.averyburch.com, but the control panel seems to change it to k1._domainkey. Everything in the SPF record is the Bluehost default setting apart from include:servers.mcsv.net, which I added.
Can someone please tell me what I'm messing up? I'm not experienced with this. Thanks so much.
These are the instructions I followed from someone else on another forum, which worked perfectly the first time:
Hey all,
I have been looking into this because of wanting to use DKIM support for MailChimp emails. Most of this stuff is above my pay grade, but I was able to successfully set up DKIM. Here's how it went:
Here are the instructions from MailChimp:
DKIM: Create a CNAME record for k1._domainkey.[example.com] with this value: dkim.mcsv.net
SPF: Create a TXT record for [example.com] with: v=spf1 include:servers.mcsv.net ?all
I then logged into my Bluehost account: cPanel -> DNS Zone Editor
I chose the domain I wanted in the dropdown menu and filled out the following:
Host Record: k1._domainkey.[example.com] TTL: 14400 (the default) Type: CNAME Points To: dkim.mcsv.net
Then I clicked "Add Record," and it added successfully.
Then I filled out another entry:
Host Record: [example.com] TTL: 14400 (the default) Type: TXT Points To: v=spf1 include:servers.mcsv.net ?all
"Add Record," and it was all set. Both entries showed up in the list below.
I was able to use this method for two domains, and MailChimp verified that it went through, and they have authenticated DKIM and SPF records.
Hope that helps. Thanks for the thread.
So there are a couple of issues that are immediately apparent:
The DKIM key is malformed. Looking at the DNS, the key record is "k=rsa; p=MIGfMA0GCSqG...". That's missing the initial prefix. It should be "v=DKIM1;k=rsa;p=MIGfMA0GCSqG...". Ideally, if you fix that, DKIM signatures will start working.
The SPF record you've got in place exceeds the allowed domain lookup limit of 10. You can see some info here - https://dmarcian.com/spf-survey/averyburch.com . Solving this for situations like yours is non-trivial. (Full disclosure, my company ValiMail is about to roll out tech to address a number of common email authentication issues, including this one).
For the moment, assuming DKIM starts working, I wouldn't worry too much about the SPF issue.
Make the DKIM change noted above, and see if that at least gets DKIM authentication working. If you want some visibility, you may also want to add a DMARC record so you can see whether email is authenticating or failing.
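An added example (mine, not Mailchimp's, Bluehost's or the answerer's tooling) that makes the two findings in the answer checkable offline: an SPF lookup counter that expands include: chains, and a tag check for a DKIM key record. The zone below is constructed: averyburch.com's record is the one pasted in the question, but the records for bluehost.com, servers.mcsv.net and the spf-*.example names are invented to show how includes consume the limit of 10 DNS lookups (RFC 7208 section 4.6.4); they are not those domains' real records. Two things the counter makes visible: the question's record spends three lookups on "a mx ptr" before any include is reached, and "ptr" is the mechanism RFC 7208 says should not be used at all, so dropping it is the cheapest lookup to recover. For the DKIM record, RFC 6376 makes the v=DKIM1 tag recommended rather than mandatory, but when present it must be the first tag, so the checker flags its absence the way the answer does.

```python
import re

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4, ip6 and all
# are free. The limit counts everything reached via include: and redirect=.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Constructed zone (see lead-in). Only the first record is from the question.
ZONE = {
    "averyburch.com":   "v=spf1 a mx ptr include:bluehost.com include:servers.mcsv.net ?all",
    "bluehost.com":     "v=spf1 a mx include:spf-a.example include:spf-b.example ~all",
    "spf-a.example":    "v=spf1 a mx ip4:192.0.2.0/24 -all",
    "spf-b.example":    "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "servers.mcsv.net": "v=spf1 ip4:203.0.113.0/24 -all",
}


def spf_terms(record):
    """Yield (mechanism_or_modifier, argument) for each term after v=spf1."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    for term in parts[1:]:
        m = re.fullmatch(r"[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?", term, re.I)
        if m:
            yield m.group(1).lower(), m.group(2)


def spf_direct_lookups(record):
    """Lookups charged by the terms written in this one record."""
    return sum(1 for name, _ in spf_terms(record) if name in LOOKUP_TERMS)


def spf_total_lookups(domain, zone=ZONE, path=frozenset()):
    """Lookups a receiver makes evaluating domain's SPF, includes expanded.

    A domain already on the current include path is not re-entered (loop
    guard); a target missing from the zone adds nothing beyond the lookup the
    include: itself already cost.
    """
    if domain in path or domain not in zone:
        return 0
    record = zone[domain]
    total = spf_direct_lookups(record)
    for name, target in spf_terms(record):
        if name in ("include", "redirect") and target:
            total += spf_total_lookups(target, zone, path | {domain})
    return total


def spf_over_limit(domain, zone=ZONE):
    return spf_total_lookups(domain, zone) > SPF_LOOKUP_LIMIT


def dkim_record_problems(txt):
    """Check the tag list of a DKIM key record (RFC 6376 section 3.6.1)."""
    tags = {}
    for position, field in enumerate(f.strip() for f in txt.split(";")):
        if not field:
            continue
        key, _, value = field.partition("=")
        tags[key.strip()] = (position, value.strip())
    problems = []
    if "v" not in tags:
        problems.append("missing v=DKIM1 tag")
    elif tags["v"] != (0, "DKIM1"):
        problems.append("v= must be DKIM1 and must be the first tag")
    if "k" in tags and tags["k"][1].lower() not in ("rsa", "ed25519"):
        problems.append("unknown key type k=" + tags["k"][1])
    if not tags.get("p", (0, ""))[1]:
        problems.append("empty or missing public key p= (an empty p= means the key is revoked)")
    return problems
```

To run the counter against live DNS, replace the ZONE dict with a function that fetches each domain's TXT record; the include targets are then the real ones and the total is what receivers actually see.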