Develop Reference

Sorry i'm stuck with freeraduis to LDAP

Ok Im a little stuck with FreeRad A little lost
I think I have found the problem, I just don't understand why
so If I try to auth over the wifi to rad it looks like its not getting the password below is the debug of that
Ready to process requests
(0) Received Access-Request Id 149 from 192.168.200.238:49881 to 192.168.20.2:1812 length 227
(0) User-Name = "testing"
(0) NAS-IP-Address = 192.168.200.238
(0) NAS-Identifier = "d221f94b63df"
(0) Called-Station-Id = "D2-21-F9-4B-63-DF:test no join"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "D2-5A-22-F3-F6-A1"
(0) Connect-Info = "CONNECT 0Mbps 802.11a"
(0) Acct-Session-Id = "08DE2818B2804F38"
(0) Acct-Multi-Session-Id = "47EF77EBC7B5BF7A"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02bd000c0174657374696e67
(0) Message-Authenticator = 0xcef6985af177d3099edb44dbcfaba6e7
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/my_server
(0) authorize {
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (cn=testing)
(0) ldap: Performing search in "ou=users,dc=ldap,DC=alexosaurous,DC=co,DC=nz" with filter "(cn=testing)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "cn=testing,ou=users,dc=ldap,dc=alexosaurous,dc=co,dc=nz"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
(0) [ldap] = ok
(0) if ((ok || updated) && User-Password) {
(0) if ((ok || updated) && User-Password) -> FALSE
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 149 from 192.168.20.2:1812 to 192.168.200.238:49881 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 149 with timestamp +10 due to cleanup_delay was reached
As you can see no password in that unless I'm missing something which maybe but when I do a radtest I get accept-accept below the debug log from doing it that way
radtest testing test localhost 2 testing123 root#docker-host
Sent Access-Request Id 76 from 0.0.0.0:39308 to 127.0.0.1:1812 length 77
User-Name = "testing"
User-Password = "test"
NAS-IP-Address = 127.0.1.1
NAS-Port = 2
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 76 from 127.0.0.1:1812 to 127.0.0.1:39308 length 20
Ready to process requests
q(1) Received Access-Request Id 163 from 127.0.0.1:53905 to 127.0.0.1:1812 length 77
(1) User-Name = "testing"
(1) User-Password = "test"
(1) NAS-IP-Address = 127.0.1.1
(1) NAS-Port = 2
(1) Message-Authenticator = 0xfade5a334cefa11b8d1c07ea3ca02fae
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/my_server
(1) authorize {
rlm_ldap (ldap): Reserved connection (1)
(1) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (cn=testing)
(1) ldap: Performing search in "ou=users,dc=ldap,DC=alexosaurous,DC=co,DC=nz" with filter "(cn=testing)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN "cn=testing,ou=users,dc=ldap,dc=alexosaurous,dc=co,dc=nz"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
rlm_ldap (ldap): Closing connection (2) - Too many unused connections.
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing expired connection (4) - Hit idle_timeout limit
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing expired connection (3) - Hit idle_timeout limit
(1) [ldap] = ok
(1) if ((ok || updated) && User-Password) {
(1) if ((ok || updated) && User-Password) -> TRUE
(1) if ((ok || updated) && User-Password) {
(1) update {
(1) control:Auth-Type := LDAP
(1) } # update = noop
(1) } # if ((ok || updated) && User-Password) = noop
(1) } # authorize = ok
(1) Found Auth-Type = LDAP
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/my_server
(1) Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: Login attempt by "testing"
(1) ldap: Using user DN from request "cn=testing,ou=users,dc=ldap,dc=alexosaurous,dc=co,dc=nz"
(1) ldap: Waiting for bind result...
(1) ldap: Bind successful
(1) ldap: Bind as user "cn=testing,ou=users,dc=ldap,dc=alexosaurous,dc=co,dc=nz" was successful
rlm_ldap (ldap): Released connection (0)
(1) [ldap] = ok
(1) } # Auth-Type LDAP = ok
(1) Sent Access-Accept Id 163 from 127.0.0.1:1812 to 127.0.0.1:53905 length 20
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 163 with timestamp +67 due to cleanup_delay was reached
Ready to process requests
(2) Received Access-Request Id 210 from 127.0.0.1:49536 to 127.0.0.1:1812 length 77
Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.)
Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 210 with timestamp +109 due to done
Ready to process requests
In that request looks like it got the password and had put it in LDAP then authed the username and password
I'm so very lost as to way the phone over wifi is not sending the password
config below
sites enabled
server my_server {
listen {
type = auth
ipaddr = *
port = 1812
}
authorize {
ldap
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
}
authenticate {
Auth-Type LDAP {
ldap
}
}
}
LDAP config
# -*- text -*-
#
# $Id: 1f0ee0383834684c7314a89be40003933023c401 $
#
# Lightweight Directory Access Protocol (LDAP)
#
ldap {
# Note that this needs to match the name(s) in the LDAP server
# certificate, if you're using ldaps. See OpenLDAP documentation
# for the behavioral semantics of specifying more than one host.
server = "auth.domain"
# Port to connect on, defaults to 389. Setting this to 636 will enable
# LDAPS if start_tls (see below) is not able to be used.
port = "389"
# Administrator account for searching and possibly modifying.
identity = "cn=myserviceaccount,dc=domain"
password = ""
# Unless overridden in another section, the dn from which all
# searches will start from.
base_dn = "dc=ldap,dc=alexosaurous,dc=co,dc=nz"
#
# Generic valuepair attribute
#
# If set, this will attribute will be retrieved in addition to any
# mapped attributes.
#
# Values should be in the format:
# <radius attr> <op> <value>
#
# Where:
# <radius attr>: Is the attribute you wish to create
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <value>: Is the value to parse into the new valuepair.
# If the attribute name is wrapped in double
# quotes it will be xlat expanded.
# valuepair_attribute = "radiusAttribute"
#
# Mapping of LDAP directory attributes to RADIUS dictionary attributes.
#
# WARNING: Although this format is almost identical to the unlang
# update section format, it does *NOT* mean that you can use other
# unlang constructs in module configuration files.
#
# Configuration items are in the format:
# <radius attr> <op> <ldap attr>
#
# Where:
# <radius attr>: Is the destination RADIUS attribute
# with any valid list and request qualifiers.
# <op>: Is any assignment attribute (=, :=, +=, -=).
# <ldap attr>: Is the attribute associated with user or
# profile objects in the LDAP directory.
# If the attribute name is wrapped in double
# quotes it will be xlat expanded.
#
# Request and list qualifiers may also be placed after the 'update'
# section name to set defaults destination requests/lists
# for unqualified RADIUS attributes.
#
# Note: LDAP attribute names should be single quoted unless you want
# the name value to be derived from an xlat expansion, or an
# attribute ref.
update {
control:Password-With-Header += 'userPassword'
# control:NT-Password := 'ntPassword'
# reply:Reply-Message := 'radiusReplyMessage'
# reply:Tunnel-Type := 'radiusTunnelType'
# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
# These are provided for backwards compatibility.
# Where only a list is specified as the RADIUS attribute,
# the value of the LDAP attribute is parsed as a valuepair
# in the same format as the 'valuepair_attribute' (above).
# control: += 'radiusCheckAttributes'
# reply: += 'radiusReplyAttributes'
}
# Set to yes if you have eDirectory and want to use the universal
# password mechanism.
# edir = no
# Set to yes if you want to bind as the user after retrieving the
# Cleartext-Password. This will consume the login grace, and
# verify user authorization.
# edir_autz = no
# Note: set_auth_type was removed in v3.x.x
# Equivalent functionality can be achieved by adding the following
# stanza to the authorize {} section of your virtual server.
#
# ldap
# if ((ok || updated) && User-Password) {
# update {
# control:Auth-Type := ldap
# }
# }
#
# User object identification.
#
user {
# Where to start searching in the tree for users
base_dn = "ou=users,dc=ldap,DC=alexosaurous,DC=co,DC=nz"
# Filter for user objects, should be specific enough
# to identify a single user object.
filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# If this is undefined, anyone is authorised.
# If it is defined, the contents of this attribute
# determine whether or not the user is authorised
# access_attribute = "dialupAccess"
# Control whether the presence of "access_attribute"
# allows access, or denys access.
#
# If "yes", and the access_attribute is present, or
# "no" and the access_attribute is absent then access
# will be allowed.
#
# If "yes", and the access_attribute is absent, or
# "no" and the access_attribute is present, then
# access will not be allowed.
#
# If the value of the access_attribute is "false", it
# will negate the result.
#
# e.g.
# access_positive = yes
# access_attribute = userAccessAllowed
#
# userAccessAllowed = false
#
# Will result in the user being locked out.
# access_positive = yes
}
#
# User membership checking.
#
group {
# Where to start searching in the tree for groups
base_dn = "ou=Groups,dc=ldap,DC=alexosaurous,DC=co,DC=nz"
# Filter for group objects, should match all available
# group objects a user might be a member of.
filter = "(objectClass=posixGroup)"
# Search scope, may be 'base', 'one', sub' or 'children'
# scope = 'sub'
# Attribute that uniquely identifies a group.
# Is used when converting group DNs to group
# names.
name_attribute = cn
# Filter to find group objects a user is a member of.
# That is, group objects with attributes that
# identify members (the inverse of membership_attribute).
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
# The attribute in user objects which contain the names
# or DNs of groups a user is a member of.
#
# Unless a conversion between group name and group DN is
# needed, there's no requirement for the group objects
# referenced to actually exist.
# membership_attribute = "memberOf"
# If cacheable_name or cacheable_dn are enabled,
# all group information for the user will be
# retrieved from the directory and written to LDAP-Group
# attributes appropriate for the instance of rlm_ldap.
#
# For group comparisons these attributes will be checked
# instead of querying the LDAP directory directly.
#
# This feature is intended to be used with rlm_cache.
#
# If you wish to use this feature, you should enable
# the type that matches the format of your check items
# i.e. if your groups are specified as DNs then enable
# cacheable_dn else enable cacheable_name.
# cacheable_name = "no"
# cacheable_dn = "no"
# Override the normal cache attribute (<inst>-LDAP-Group)
# and create a custom attribute. This can help if multiple
# module instances are used in fail-over.
# cache_attribute = "LDAP-Cached-Membership"
}
#
# User profiles. RADIUS profile objects contain sets of attributes
# to insert into the request. These attributes are mapped using
# the same mapping scheme applied to user objects.
#
profile {
# Filter for RADIUS profile objects
# filter = "(objectclass=radiusprofile)"
# The default profile applied to all users.
# default = "cn=radprofile,dc=example,dc=org"
# The list of profiles which are applied (after the default)
# to all users.
# The "User-Profile" attribute in the control list
# will override this setting at run-time.
# attribute = "radiusProfileDn"
}
#
# Bulk load clients from the directory
#
client {
# Where to start searching in the tree for clients
base_dn = "ou=Clients,dc=example,dc=com"
#
# Filter to match client objects
#
filter = '(objectClass=frClient)'
# Search scope, may be 'base', 'one', 'sub' or 'children'
# scope = 'sub'
#
# Client attribute mappings are in the format:
# <client attribute> = <ldap attribute>
#
# Arbitrary attributes (accessible by %{client:<attr>}) are not yet supported.
#
# The following attributes are required:
# * identifier - IPv4 address, or IPv4 address with prefix, or hostname.
# * secret - RADIUS shared secret.
#
# The following attributes are optional:
# * shortname - Friendly name associated with the client
# * nas_type - NAS Type
# * virtual_server - Virtual server to associate the client with
# * require_message_authenticator - Whether we require the Message-Authenticator
# attribute to be present in requests from the client.
#
# Schemas are available in doc/schemas/ldap for openldap and eDirectory
#
attribute {
identifier = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
# shortname = 'radiusClientShortname'
# nas_type = 'radiusClientType'
# virtual_server = 'radiusClientVirtualServer'
# require_message_authenticator = 'radiusClientRequireMa'
}
}
# Load clients on startup
# read_clients = no
#
# Modify user object on receiving Accounting-Request
#
# Useful for recording things like the last time the user logged
# in, or the Acct-Session-ID for CoA/DM.
#
# LDAP modification items are in the format:
# <ldap attr> <op> <value>
#
# Where:
# <ldap attr>: The LDAP attribute to add modify or delete.
# <op>: One of the assignment operators:
# (:=, +=, -=, ++).
# Note: '=' is *not* supported.
# <value>: The value to add modify or delete.
#
# WARNING: If using the ':=' operator with a multi-valued LDAP
# attribute, all instances of the attribute will be removed and
# replaced with a single attribute.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
#
# Post-Auth can modify LDAP objects too
#
post-auth {
update {
description := "Authenticated at %S"
}
}
#
# LDAP connection-specific options.
#
# These options set timeouts, keep-alives, etc. for the connections.
#
options {
# Control under which situations aliases are followed.
# May be one of 'never', 'searching', 'finding' or 'always'
# default: libldap's default which is usually 'never'.
#
# LDAP_OPT_DEREF is set to this value.
# dereference = 'always'
#
# The following two configuration items control whether the
# server follows references returned by LDAP directory.
# They are mostly for Active Directory compatibility.
# If you set these to "no", then searches will likely return
# "operations error", instead of a useful result.
#
chase_referrals = yes
rebind = yes
# Seconds to wait for LDAP query to finish. default: 20
timeout = 10
# Seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
# Seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x0028
}
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = no
# ca_file = ${certdir}/cacert.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# random_file = ${certdir}/random
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the certificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# As of version 3.0, the "pool" section has replaced the
# following configuration items:
#
# ldap_connections_number
# The connection pool is new for 3.0, and will be used in many
# modules, for all kinds of connection-related activity.
#
# When the server is not threaded, the connection pool
# limits are ignored, and only one connection is used.
pool {
# Number of connections to start
start = 5
# Minimum number of connections to keep open
min = 4
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like "No connections available and at max connection limit"
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set.
spare = 3
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
lifetime = 0
# Idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
side note my user filter is a bit different as I used authentik LDAP outpost
and as per
https://goauthentik.io/docs/providers/ldap
the username is mapped to cn
Thank you for taking the time to read all of this by the way

Assuming you're using EAP-PEAP, are the passwords being stored in your LDAP directory as either plaintext (not advisable in production) or NTLM hashes?
If they're being stored as SHA hashes for example, you'll run into an issue of no known good password as the supplicant will respond to the access-challenge from the NAS with an NTLM hash which freeradius won't be able to use to calculate the corresponding SHA hash it receives from the LDAP server after binding.
When you're using radtest, you're sending a plaintext password which freeradius can convert to the appropriate hash for comparison.
If you're not using PEAP and/or your passwords are stored in your directory as plaintext or NTLM hashes, you can disregard this.

Delayed outgoing mail in active queue

I am stuck for some time trying to set up an email server. I've been mostly successful in my setup, but I am currently stuck at the following impasse: every time I send an email (regardless of queue size), my message will get stuck in the active queue for ~ 5 minutes, after which it will always be sent and reach it's final destination.
postqueue -p
(shows only one mail in the queue)
postqueue -f
... has no effect
I am running postfix 3.1.0, and dovecot 2.2.22 on Ubuntu 16.04. Also, I used iRedMail scripts for the installation. I can see from /var/log/mail.log that the mail is being stored in a queue by postfix, and I'm assuming there's another setting to set the time at which it will be processed. Any help would be most appreciated.
/var/log/mail.log
Jan 9 14:35:28 mail postfix[26070]: name_mask: all
Jan 9 14:35:28 mail postfix[26070]: inet_addr_local: configured 2 IPv4 addresses
Jan 9 14:35:28 mail postfix[26070]: inet_addr_local: configured 3 IPv6 addresses
Jan 9 14:35:28 mail postfix/postfix-script[26075]: error: unknown command: ''
Jan 9 14:35:28 mail postfix/postfix-script[26076]: fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)
Jan 9 14:35:49 mail postfix[26085]: fatal: usage: postfix [-c config_dir] [-Dv] command
Jan 9 14:35:58 mail postfix[26090]: fatal: usage: postfix [-c config_dir] [-Dv] command
Jan 9 14:40:17 mail postfix/submission/smtpd[26282]: connect from mail.example.com[127.0.0.1]
Jan 9 14:40:17 mail postfix/submission/smtpd[26282]: Anonymous TLS connection established from mail.example.com[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 9 14:40:17 mail postfix/submission/smtpd[26282]: 87ABB42362: client=mail.example.com[127.0.0.1], sasl_method=PLAIN, sasl_username=jamal#example.com
Jan 9 14:40:17 mail postfix/cleanup[26288]: 87ABB42362: message-id=<0130a1e7b419fdf0f31ce406618aef97#example.com>
Jan 9 14:40:17 mail postfix/qmgr[28474]: 87ABB42362: from=, size=1845, nrcpt=1 (queue active)
Jan 9 14:40:17 mail postfix/submission/smtpd[26282]: disconnect from mail.example.com[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jan 9 14:45:05 mail amavis[10642]: (10642-08) (!)ClamAV-clamd av-scanner FAILED: run_av error: ask_daemon_internal: Exceeded allowed time at (eval 104) line 611.\n
Jan 9 14:45:05 mail amavis[10642]: (10642-08) (!)WARN: all primary virus scanners failed, considering backups
Jan 9 14:45:05 mail amavis[10642]: (10642-08) (!!)AV: ALL VIRUS SCANNERS FAILED
Jan 9 14:45:07 mail postfix/postqueue[26446]: fatal: usage: postqueue -f | postqueue -i queueid | postqueue -j | postqueue -p | postqueue -s site
Jan 9 14:45:08 mail postfix/10025/smtpd[26452]: connect from mail.example.com[127.0.0.1]
Jan 9 14:45:08 mail postfix/10025/smtpd[26452]: 60ADA423BA: client=mail.example.com[127.0.0.1]
Jan 9 14:45:08 mail postfix/cleanup[26454]: 60ADA423BA: message-id=<0130a1e7b419fdf0f31ce406618aef97#example.com>
Jan 9 14:45:08 mail postfix/10025/smtpd[26452]: disconnect from mail.example.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 9 14:45:08 mail postfix/qmgr[28474]: 60ADA423BA: from=, size=2920, nrcpt=1 (queue active)
Jan 9 14:45:08 mail amavis[10642]: (10642-08) Passed UNCHECKED {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:33748 -> , Queue-ID: 87ABB42362, Message-ID: <0130a1e7b419fdf0f31ce406618aef97#example.com>, mail_id: FFIMhQZ3j_4G, Hits: 0.204, size: 1845, queued_as: 60ADA423BA, dkim_new=dkim:example.com, 290782 ms, Tests: [ALL_TRUSTED=-1,HTML_MESSAGE=0.001,TVD_RCVD_SINGLE=1.213,T_RP_MATCHES_RCVD=-0.01]
Jan 9 14:45:08 mail postfix/amavis/smtp[26293]: 87ABB42362: to=, relay=127.0.0.1[127.0.0.1]:10026, delay=291, delays=0.16/0.03/0.04/291, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 60ADA423BA)
Jan 9 14:45:08 mail postfix/qmgr[28474]: 87ABB42362: removed
Jan 9 14:45:09 mail postfix/smtp[26455]: Untrusted TLS connection established to cornellprod-mail-onmicrosoft-com.mail.eo.outlook.com[216.32.181.106]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jan 9 14:45:09 mail postfix/smtp[26455]: 60ADA423BA: to=, relay=cornellprod-mail-onmicrosoft-com.mail.eo.outlook.com[216.32.181.106]:25, delay=1.6, delays=0.02/0.03/0.64/0.89, dsn=2.6.0, status=sent (250 2.6.0 <0130a1e7b419fdf0f31ce406618aef97#example.com> [InternalId=132499741090511, Hostname=BN3PR0401MB1284.namprd04.prod.outlook.com] 10597 bytes in 0.347, 29.819 KB/sec Queued mail for delivery)
Jan 9 14:45:09 mail postfix/qmgr[28474]: 60ADA423BA: removed
Jan 9 14:45:20 mail postfix/postqueue[26468]: fatal: Flush service is not configured for destination "active"
/etc/postfix/main.cf
# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix. queue_directory = /var/spool/postfix
# location of all postXXX commands. Default is /usr/sbin. command_directory = /usr/sbin
# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix daemon_directory = /usr/lib/postfix/sbin
# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix. data_directory = /var/lib/postfix
# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix. mail_owner = postfix
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
# sendmail_path = /usr/sbin/sendmail
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
# newaliases_path = /usr/bin/newaliases
# full pathname of the Postfix mailq command. This is the Sendmail-compatible
# mail queue listing command. mailq_path = /usr/bin/mailq
# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account. setgid_group = postdrop
# debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
debug_peer_level = 2
# --------------------
# CUSTOM SETTINGS
#
# SMTP server response code when recipient or domain not found. unknown_local_recipient_reject_code = 550
# Do not notify local user. biff = no
# Disable the rewriting of "site!user" into "user#site". swap_bangpath = no
# Disable the rewriting of the form "user%domain" to "user#domain". allow_percent_hack = no
# Allow recipient address start with '-'. allow_min_user = no
# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses. disable_vrfy_command = yes
# Enable both IPv4 and/or IPv6: ipv4, ipv6, all. inet_protocols = all
# Enable all network interfaces. inet_interfaces = all
#
# TLS settings.
#
# SSL key, certificate, CA
# smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.example.com/chain.pem
#
# Disable SSLv2, SSLv3
# smtpd_tls_protocols = !SSLv2 !SSLv3 smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 lmtp_tls_protocols =
!SSLv2 !SSLv3 lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
#
# Fix 'The Logjam Attack'.
# smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
CBC3-SHA smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption. smtpd_tls_security_level = may
# Produce Received: message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes
# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
# - http://www.postfix.org/TLS_README.html#client_tls_may
# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level smtp_tls_security_level = may
# Use the same CA file as smtpd. smtp_tls_CAfile = $smtpd_tls_CAfile smtp_tls_note_starttls_offer = yes
# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
#enable_long_queue_ids = yes
# Reject unlisted sender and recipient smtpd_reject_unlisted_recipient = yes smtpd_reject_unlisted_sender = yes
# Header and body checks with PCRE table header_checks = pcre:/etc/postfix/header_checks body_checks =
pcre:/etc/postfix/body_checks.pcre
# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
# HELO restriction smtpd_helo_required = yes smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access pcre:/etc/postfix/helo_access.pcre
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
# Sender restrictions smtpd_sender_restrictions =
reject_unknown_sender_domain
reject_non_fqdn_sender
reject_unlisted_sender
permit_mynetworks
permit_sasl_authenticated
check_sender_access pcre:/etc/postfix/sender_access.pcre
# Recipient restrictions smtpd_recipient_restrictions =
reject_unknown_recipient_domain
reject_non_fqdn_recipient
reject_unlisted_recipient
check_policy_service inet:127.0.0.1:7777
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
# END-OF-MESSAGE restrictions smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:7777
# Data restrictions smtpd_data_restrictions = reject_unauth_pipelining
proxy_read_maps = $canonical_maps $lmtp_generic_maps
$local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps
$recipient_canonical_maps $relay_domains $relay_recipient_maps
$relocated_maps $sender_bcc_maps $sender_canonical_maps
$smtp_generic_maps $smtpd_sender_login_maps $transport_maps
$virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains
$virtual_mailbox_maps $smtpd_sender_restrictions
$sender_dependent_relayhost_maps
# Avoid duplicate recipient messages. Default is 'yes'. enable_original_recipient = no
# Virtual support. virtual_minimum_uid = 2000 virtual_uid_maps = static:2000 virtual_gid_maps = static:2000 virtual_mailbox_base =
/var/vmail
# Do not set virtual_alias_domains. virtual_alias_domains =
#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
# be forced to submit email through port 587 instead.
#
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes
# hostname myhostname = mail.example.com myorigin = mail.example.com mydomain = mail.example.com
# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
# in iRedAPD setting 'MYNETWORKS' (in /opt/iredapd/settings.py) too.
# for example:
#
# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
# mynetworks = 127.0.0.1 [::1]
# Accepted local emails mydestination = $myhostname, localhost, localhost.localdomain
alias_maps = hash:/etc/postfix/aliases alias_database =
hash:/etc/postfix/aliases
# Default message_size_limit. message_size_limit = 15728640
# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters. recipient_delimiter = +
# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h compatibility_level = 2
#
# Lookup virtual mail accounts
# transport_maps =
proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
sender_dependent_relayhost_maps =
proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses. smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
relay_domains =
$mydestination
proxy:mysql:/etc/postfix/mysql/relay_domains.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps =
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps =
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
#
# Postscreen
# postscreen_greet_action = enforce postscreen_blacklist_action = enforce postscreen_dnsbl_action = enforce postscreen_dnsbl_threshold =
2 postscreen_dnsbl_sites =
zen.spamhaus.org=127.0.0.[2..11]*3
b.barracudacentral.org=127.0.0.[2..11]*2
postscreen_dnsbl_reply_map =
texthash:/etc/postfix/postscreen_dnsbl_reply postscreen_access_list =
permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
# Require Postfix-2.11+ postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
# smtpd_sasl_type = dovecot smtpd_sasl_path = private/dovecot-auth virtual_transport = dovecot dovecot_destination_recipient_limit = 1
#
# Amavisd + SpamAssassin + ClamAV
# content_filter = smtp-amavis:[127.0.0.1]:10024
# Concurrency per recipient limit. smtp-amavis_destination_recipient_limit = 1
/etc/dovecot/dovecot.conf
# More details about Dovecot settings: # -
http://wiki2.dovecot.org/ # - http://wiki2.dovecot.org/Variables
# Listen addresses. # - '*' means all available IPv4 addresses. #
- '[::]' means all available IPv6 addresses. # Listen on all available addresses by default listen = * [::]
#base_dir = /var/run/dovecot mail_plugins = quota mailbox_alias acl
mail_log notify
# Enabled mail protocols. protocols = pop3 imap sieve lmtp
# User/group who owns the message files: mail_uid = 2000 mail_gid =
2000
# Assign uid to virtual users. first_valid_uid = 2000 last_valid_uid
= 2000
# Logging. Reference: http://wiki2.dovecot.org/Logging # # Use
syslog syslog_facility = local5 # Log file path if we use internal
log system #log_path = /var/log/dovecot/dovecot.log
# Debug #mail_debug = yes #auth_verbose = yes #auth_debug = yes
#auth_debug_passwords = yes # Possible values: no, plain, sha1.
#auth_verbose_passwords = no
# SSL: Global settings. # Refer to wiki site for per protocol, ip,
server name SSL settings: #
http://wiki2.dovecot.org/SSL/DovecotConfiguration ssl_protocols =
!SSLv2 !SSLv3 ssl = required verbose_ssl = no #ssl_ca =
# Fix 'The Logjam Attack' ssl_cipher_list =
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
# Dovecot 2.2.6 or greater: # Specify the wanted DH parameters
length ssl_dh_parameters_length = 2048 ssl_prefer_server_ciphers = yes
# With disable_plaintext_auth=yes AND ssl=required, STARTTLS is
mandatory. # Set disable_plaintext_auth=no AND ssl=yes to allow plain
password transmitted # insecurely. disable_plaintext_auth = yes
# Allow plain text password per IP address/net #remote
192.168.0.0/24 { # disable_plaintext_auth = no #}
# Mail location and mailbox format. mail_location =
maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
# Authentication related settings. # Append this domain name if
client gives empty realm. #auth_default_realm = example.com
# Authentication mechanisms. auth_mechanisms = PLAIN LOGIN
# Limits the number of users that can be logging in at the same time.
# Default is 100. This can be overridden by process_limit = in #
service [protocol] block. # e.g. # protocol imap-login { #
... # process_limit = 500 # }
#default_process_limit = 100
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
user = postfix
group = postfix
mode = 0666
}
unix_listener auth-master {
user = vmail
group = vmail
mode = 0666
}
unix_listener auth-userdb {
user = vmail
group = vmail
mode = 0660
} }
# LMTP server (Local Mail Transfer Protocol). # Reference:
http://wiki2.dovecot.org/LMTP service lmtp {
user = vmail
\# For higher volume sites, it may be desirable to increase the number of
\# active listener processes. A range of 5 to 20 is probably good for most
\# sites.
process_min_avail = 5
\# Logging.
\# Require 'log_path =' in 'protocol lmtp {}' block.
executable = lmtp -L
\# Listening on socket file and TCP
unix_listener /var/spool/postfix/private/dovecot-lmtp {
user = postfix
group = postfix
mode = 0600
}
inet_listener lmtp {
\# Listen on localhost (ipv4)
address = 127.0.0.1
port = 24
} }
# Virtual mail accounts. userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql } passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql }
auth_master_user_separator = * passdb {
driver = passwd-file
args = /etc/dovecot/dovecot-master-users
master = yes }
plugin {
# Quota configuration.
# Reference: http://wiki2.dovecot.org/Quota/Configuration
quota = dict:user::proxy::quotadict
quota_rule = *:storage=1G
#quota_rule2 = *:messages=0
#quota_rule3 = Trash:storage=1G
#quota_rule4 = Junk:ignore
\# Quota warning.
\#
\# If user suddenly receives a huge mail and the quota jumps from
\# 85% to 95%, only the 95% script is executed.
\#
\# Only the command for the first exceeded limit is executed, so configure
\# the highest limit first.
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
\# allow user to become max 10% (or 50 MB) over quota
quota_grace = 10%%
\#quota_grace = 50 M
\# Custom Quota Exceeded Message.
\# You can specify the message directly or read the message from a file.
\#quota_exceeded_message = Quota exceeded, please try again later.
\#quota_exceeded_message = </path/to/quota_exceeded_message.txt
\# Plugin: expire.
\#expire = Trash 7 Trash/* 7 Junk 30
\#expire_dict = proxy::expire
\# ACL and share folder
acl = vfile
acl_shared_dict = proxy::acl
\# By default Dovecot doesn't allow using the IMAP "anyone" or
\# "authenticated" identifier, because it would be an easy way to spam
\# other users in the system. If you wish to allow it,
\#acl_anyone = allow
\# Pigeonhole managesieve service.
\# Reference: http://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
\# Per-user sieve settings.
sieve_dir = %Lh/sieve
sieve = %Lh/sieve/dovecot.sieve
\# Global sieve settings.
sieve_global_dir = /var/vmail/sieve
\# Note: if user has personal sieve script, global sieve rules defined in
\# sieve_default will be ignored. Please use sieve_before or
\# sieve_after instead.
\#sieve_default =
sieve_before = /var/vmail/sieve/dovecot.sieve
\#sieve_after =
\# The maximum number of redirect actions that can be performed during a
\# single script execution.
\# The meaning of 0 differs based on your version. For pigeonhole-0.3.0 and
\# beyond this means that redirect is prohibited. For older versions,
\# however, this means that the number of redirects is unlimited.
sieve_max_redirects = 30
\# Reference: http://wiki2.dovecot.org/Plugins/MailboxAlias
mailbox_alias_old = Sent
mailbox_alias_new = Sent Messages
mailbox_alias_old2 = Sent
mailbox_alias_new2 = Sent Items
\# Events to log. `autoexpunge` is included in `expunge`
\# Defined in https://github.com/dovecot/core/blob/master/src/plugins/mail-log/mail-log-plugin.c
mail_log_events = delete undelete expunge mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size from subject }
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
unix_listener quota-warning {
user = vmail
group = vmail
mode = 0660
} }
service dict {
unix_listener dict {
mode = 0660
user = vmail
group = vmail
} }
dict {
#expire = db:/var/lib/dovecot/expire/expire.db
quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
acl = mysql:/etc/dovecot/dovecot-share-folder.conf }
protocol lda {
# Reference: http://wiki2.dovecot.org/LDA
mail_plugins = $mail_plugins sieve
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
postmaster_address = root
\# Log file path if we use internal log system
\#log_path = /var/log/dovecot/sieve.log }
protocol lmtp {
# Log file path if we use internal log system
#log_path = /var/log/dovecot/lmtp.log
\# Plugins
mail_plugins = quota sieve
postmaster_address = postmaster
\# Address extension delivery
lmtp_save_to_detail_mailbox = yes
recipient_delimiter = + }
protocol imap {
mail_plugins = $mail_plugins imap_quota imap_acl
imap_client_workarounds = tb-extra-mailbox-sep
\# Maximum number of IMAP connections allowed for a user from each IP address.
\# NOTE: The username is compared case-sensitively.
\# Default is 10.
\# Increase it to avoid issue like below:
\# "Maximum number of concurrent IMAP connections exceeded"
mail_max_userip_connections = 30 }
protocol pop3 {
mail_plugins = $mail_plugins
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
\# Maximum number of IMAP connections allowed for a user from each IP address.
\# NOTE: The username is compared case-sensitively.
\# Default is 10.
mail_max_userip_connections = 30
\# POP3 logout format string:
\# %i - total number of bytes read from client
\# %o - total number of bytes sent to client
\# %t - number of TOP commands
\# %p - number of bytes sent to client as a result of TOP command
\# %r - number of RETR commands
\# %b - number of bytes sent to client as a result of RETR command
\# %d - number of deleted messages
\# %m - number of messages (before deletion)
\# %s - mailbox size in bytes (before deletion)
\# Default format doesn't have 'in=%i, out=%o'.
\#pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o }
# Login processes. Refer to Dovecot wiki for more details: #
http://wiki2.dovecot.org/LoginProcess service imap-login {
#inet_listener imap {
# port = 143
#}
#inet_listener imaps {
# port = 993
# ssl = yes
#}
service_count = 1
\# To avoid startup latency for new client connections, set process_min_avail
\# to higher than zero. That many idling processes are always kept around
\# waiting for new connections.
\#process_min_avail = 0
\# number of simultaneous IMAP connections
process_limit = 500
\# vsz_limit should be fine at its default 64MB value
\#vsz_limit = 64M }
service pop3-login {
#inet_listener pop3 {
# port = 110
#}
#inet_listener pop3s {
# port = 995
# ssl = yes
#}
service_count = 1
\# number of simultaneous POP3 connections
\#process_limit = 500 }
service managesieve-login {
inet_listener sieve {
# Listen on localhost (ipv4)
address = 127.0.0.1
port = 4190
} }
namespace {
type = private
separator = /
prefix =
inbox = yes
\# Refer to document for more details about alias mailbox:
\# http://wiki2.dovecot.org/MailboxSettings
\#
\# Sent
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
auto = no
special_use = \Sent
}
mailbox "Sent Items" {
auto = no
special_use = \Sent
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
\# Trash
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox "Deleted Messages" {
auto = no
special_use = \Trash
}
\# Junk
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Spam {
auto = no
special_use = \Junk
}
mailbox "Junk E-mail" {
auto = no
special_use = \Junk
}
\# Archive
mailbox Archive {
auto = no
special_use = \Archive
}
mailbox Archives {
auto = no
special_use = \Archive
} }
namespace {
type = shared
separator = /
prefix = Shared/%%u/
location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln
\# this namespace should handle its own subscriptions or not.
subscriptions = yes
list = children }
# Public mailboxes. # Refer to Dovecot wiki page for more details:
# http://wiki2.dovecot.org/SharedMailboxes/Public #namespace { #
type = public # separator = / # prefix = Public/ #
location =
maildir:/var/vmail/public:CONTROL=%Lh/Maildir/public:INDEXPVT=%Lh/Maildir/public
# # # Allow users to subscribe to the public folders. #
subscriptions = yes #}

It looks like the ClamAV hangs and times out after 5 minutes. Would that explain things? I find it hard to read your configurations.

SQLSTATE[HY000]: General error: 20003 Adaptive Server connection timed out [20003]

I'm trying to execute a store procedure on a SQL Server 2008.
After about 30 seconds it ends in
SQLSTATE[HY000]: General error: 20003 Adaptive Server connection timed
out [20003]
I've checked if on the SQL Server remote connections are allowed and they are with a timeout of 600 seconds (default).
This is my config.yml
doctrine:
dbal:
default_connection: default
connections:
default: ...
mssql:
driver_class: \Lsw\DoctrinePdoDblib\Doctrine\DBAL\Driver\PDODblib\Driver
host: mssql_freetds
port: "%stage_database_port%"
dbname: "%stage_database_name%"
user: "%stage_database_user%"
password: "%stage_database_password%"
charset: UTF8
options:
timeout: 600 // I don't know if it's correct but it doesn't work even without this
And this is my code
$connection = $this->getDoctrine()->getManager('mssql')
->getConnection();
$stmt = $connection->prepare("Exec SP_MyStoreProcedure ?, ?");
$stmt->bindValue(1, $sd->format("Y-m-d") /* This is a date */);
$stmt->bindValue(2, $ed->format("Y-m-d") /* This is a date */);
$stmt->execute();
[EDIT]
So, i've found that i should configure time out on freetds configuration because of LswDoctrinePdoDblib. I'v edited the /etc/freetds/freetds.conf file but it still ends up connection after 30 seconds
/etc/freetds/freetds.conf
# $Id: freetds.conf,v 1.12 2007/12/25 06:02:36 jklowden Exp $
#
# This file is installed by FreeTDS if no file by the same
# name is found in the installation directory.
#
# For information about the layout of this file and its settings,
# see the freetds.conf manpage "man freetds.conf".
# Global settings are overridden by those in a database
# server specific section
[global]
# TDS protocol version
; tds version = 4.2
# Whether to write a TDSDUMP file for diagnostic purposes
# (setting this to /tmp is insecure on a multi-user system)
; dump file = /tmp/freetds.log
; debug flags = 0xffff
# Command and connection timeouts
timeout = 600
connect timeout = 600
[mssql_freetds]
host = 192.168.0.xx
port = 1433
timeout = 600
tds version = 8.0
client charset = UTF-8
text size = 20971520
[EDIT 2]
Nothing worked for timeout except this:
doctrine:
dbal:
default_connection: default
connections:
default: ...
mssql:
driver_class: \Lsw\DoctrinePdoDblib\Doctrine\DBAL\Driver\PDODblib\Driver
host: mssql_freetds
port: "%stage_database_port%"
dbname: "%stage_database_name%"
user: "%stage_database_user%"
password: "%stage_database_password%"
charset: UTF8
options:
2: 600 # 2 is the equivalent of \PDO::ATTR_TIMEOUT
But the store procedure should end in 17seconds, it waited 10 minutes ending with the same result. I don't know why. It seems to be a FREETDS/SQL SERVER bug or something like that...
[EDIT 3]
Found that the problem was a "NOT IN" clause in the SQL of the stored procedure. I had to replace it with a LEFT JOIN combined with a IS NULL clause in WHERE statement. There's also a "IN" clause but it works. I don't know if it's a FREETDS or a LswDoctrinePdoDblib issue.

Oracle dataguard is not working properly because a FAL[client]

I had two databases, a primary and secondary and a configured dataguard between both, i restarted the suse linux but when starting up databases, the replication is not being done, i think i took the wrong way to startup the standby database....no it is just mounted, i have a gap not posibble to be detected at standby gap table, and a 'no FAL server specified' problem at standby database, what could be wrong?
From Primary:
System parameters with non-default values:
processes = 1200
nls_date_format = "MM/DD/YYYY HH24:MI:SS"
memory_target = 8000M
memory_max_target = 8G
control_files = "/oracle/app/oradata/ora11g/control01.ctl"
control_files = "/oracle/app/oradata/ora11g/control02.ctl"
control_files = "/oracle/app/oradata/ora11g/control03.ctl"
db_block_size = 8192
compatible = "11.1.0.0.0"
log_archive_start = TRUE
log_archive_dest_1 = "LOCATION=/home/oracle/archive"
log_archive_format = "%t_%s_%r.dbf"
db_recovery_file_dest = "/oracle/app/flash_recovery_area"
db_recovery_file_dest_size= 2G
undo_tablespace = "UNDOTBS1"
sec_case_sensitive_logon = FALSE
remote_login_passwordfile= "EXCLUSIVE"
db_domain = ""
dispatchers = "(PROTOCOL=TCP) (SERVICE=ora11gXDB)"
local_listener = ""
remote_listener = ""
session_cached_cursors = 450
cursor_sharing = "FORCE"
audit_file_dest = "/oracle/app/admin/ora11g/adump"
audit_trail = "NONE"
db_name = "ora11g"
open_cursors = 300
diagnostic_dest = "/oracle/app"
From standby database alert log:
Thu Feb 13 17:16:02 2014
Starting ORACLE instance (normal)
LICENSE_MAX_SESSION = 0
LICENSE_SESSIONS_WARNING = 0
Picked latch-free SCN scheme 3
Autotune of undo retention is turned on.
IMODE=BR
ILAT =145
LICENSE_MAX_USERS = 0
SYS auditing is disabled
Starting up ORACLE RDBMS Version: 11.1.0.7.0.
Using parameter settings in server-side spfile
/oracle/app/product/11g/db/dbs/spfileora11g.ora
System parameters with non-default values:
processes = 1200
nls_date_format = "MM/DD/YYYY HH24:MI:SS"
memory_target = 8000M
memory_max_target = 8G
control_files = "/oracle/app/oradata/ora11g/control01.ctl"
control_files = "/oracle/app/oradata/ora11g/control02.ctl"
control_files = "/oracle/app/oradata/ora11g/control03.ctl"
db_block_size = 8192
compatible = "11.1.0.0.0"
log_archive_start = TRUE
log_archive_dest_1 = "LOCATION=/home/oracle/archive"
log_archive_format = "%t_%s_%r.dbf"
db_recovery_file_dest = "/oracle/app/flash_recovery_area"
db_recovery_file_dest_size= 2G
undo_tablespace = "UNDOTBS1"
sec_case_sensitive_logon = FALSE
remote_login_passwordfile= "EXCLUSIVE"
db_domain = ""
dispatchers = "(PROTOCOL=TCP) (SERVICE=ora11gXDB)"
local_listener = ""
remote_listener = ""
session_cached_cursors = 450
cursor_sharing = "FORCE"
audit_file_dest = "/oracle/app/admin/ora11g/adump"
audit_trail = "NONE"
db_name = "ora11g"
open_cursors = 300
diagnostic_dest = "/oracle/app"
Deprecated system parameters with specified values:
log_archive_start
End of deprecated system parameter listing
Thu Feb 13 17:16:04 2014
.
.
.
starting up 1 dispatcher(s) for network address '(ADDRESS=(PARTIAL=YES) (PROTOCOL=TCP))'...
Thu Feb 13 17:16:04 2014
MMNL started with pid=15, OS id=10039
starting up 1 shared server(s) ...
ORACLE_BASE from environment = /oracle/app
Thu Feb 13 17:16:04 2014
ALTER DATABASE MOUNT
Setting recovery target incarnation to 2
ARCH: STARTING ARCH PROCESSES
Thu Feb 13 17:16:09 2014
ARC0 started with pid=19, OS id=10272
Thu Feb 13 17:16:09 2014
ARC1 started with pid=20, OS id=10274
Thu Feb 13 17:16:09 2014
ARC2 started with pid=21, OS id=10276
ARC0: Archival started
ARC1: Archival started
ARC2: Archival started
Thu Feb 13 17:16:09 2014
ARC3 started with pid=22, OS id=10278
ARC3: Archival started
ARCH: STARTING ARCH PROCESSES COMPLETE
ARC0: Becoming the 'no FAL' ARCH
ARC0: Becoming the 'no SRL' ARCH
ARC0: Thread not mounted
ARC1: Becoming the heartbeat ARCH
ARC2: Thread not mounted
ARC1: Thread not mounted
ARC3: Thread not mounted
Successful mount of redo thread 1, with mount id 4235628820
Physical Standby Database mounted.
Lost write protection disabled
Completed: ALTER DATABASE MOUNT
FAL[client]: Error fetching gap sequence, no FAL server specified
Primary
SQL> select max(sequence#) from v$log_history;
MAX(SEQUENCE#)
--------------
1606
SQL> SELECT name FROM v$archived_log WHERE thread# = 1 AND dest_id = 1 AND sequence# BETWEEN 1591 and 1606;
/home/oracle/archive/1_1606_792822090.dbf
16 rows selected.
SQL> SELECT GROUP#, BYTES FROM V$LOG;
GROUP# BYTES
---------- ----------
1 52428800
2 52428800
3 52428800
Secondary
SQL> select max(sequence#) from v$log_history;
MAX(SEQUENCE#)
--------------
1591
SQL>select process, thread#, sequence#, status from v$managed_standby where process='MRP0';
no rows selected
SQL> SELECT GROUP#, BYTES FROM V$STANDBY_LOG;
no rows selected

You need to set to parameters in the init file or spfile(sqlplus)
In the Primary database :
FAL_SERVER='standby_database'
FAL_CLIENT='primary_database'
In the standby database :
FAL_SERVER='primary_database'
FAL_CLIENT='standby_database'
These two parameters are needed for fetching archived log files (FAL mean Fetch ArchiveLog).
Hope that i help you.
Kind

This question is 5 years old but I feel it hasn't been completely answered yet.
First how does oracle resolves the gap:
The MRP process is the one triggering the request for a GAP.
That process is turned on like so:
Without standby redo logs:
alter database recover managed standby database disconnect;
With standby redo:
alter database recover managed standby database using current logfile disconnect;
If you have only one standby database for your primary database, then fal_server and fal_client parameters actually don't need to be configured.
If the fal_server is missing, oracle will grab that information from log_archive_dest_n.
This means that log_archive_dest_2 needs to be configured also on the standby database.
So how to solve a GAP resolution issue:
Make sure log_archive_dest_n is setup in both primary and standby
Make sure that there's no typo in the "service" value of
log_archive_dest_n.
Make sure that the service value references a valid tns entry in tnsnames.ora
Make sure that the same password file is used on all nodes of your primary and standby cluster.
Make sure you can connect with sqlplus "sys/syspassword#primary as sysdba" and sqlplus "sys/syspassword#standby as sysdba" from both primary and standby.List item
The MRP process sends a GAP resolution requests every so often. If you want to get it immediately in order to make sure it works:
SQL>alter database recover managed standby database cancel;
SQL>alter database recover managed standby database using current logfile;
(use standby redo logs, it applies logs faster on standby)
fal_server and fal_client parameters actually exists if you want to setup a cascaded standby setup.
Primary DB A sends archived logs to standby B
If standby B becomes primary then send archived logs to standby C.
FAL behavior on 11.2 (Doc ID 1394472.1)
From 11.2 no need to mention FAL_CLIENT primary will take it from
log_archive_dest_n (remote destination standby from where it received
the FAL request) service.
FAL_SERVER And FAL_CLIENT Settings For Cascaded Standby (Doc ID 358767.1)

Missing user Profile ,But in Conbridge.conf it is present Asterisk-11.5.1 app_confbridge

Dailplan
'5006005' => 1. answer()
2. Set(myconference=4000)
3. Set(TMP_CONF_COUNT=${CONFBRIDGE_INFO(parties,myconference)})
4. verbose(3,"sabse 4000 has users:${TMP_CONF_COUNT}) [pbx_config]
5. Set(TMP_CONF_LOCKED=${CONFBRIDGE_INFO(locked,myconference)}) [pbx_config]
6. verbose(3,"sasbse 4000 has users:${TMP_CONF_COUNT} and lock or unlock:${TMP_CONF_LOCKED}") [pbx_config]
[Press5MuteAll] 7. ConfBridge(4000,,6016adminuser,) [pbx_config]
8. Set(TMP_CONF_COUNT=${CONFBRIDGE_INFO(parties,myconference)}) [pbx_config]
9. Set(TMP_CONF_LOCKED=${CONFBRIDGE_INFO(locked,myconference)}) [pbx_config]
10. verbose(3,"sasbse 4000 has users:${TMP_CONF_COUNT} and lock or unlock:${TMP_CONF_LOCKED}") [pbx_config]
*CLI> confbridge show profile user 6016adminuser
--------------------------------------------
Name: 6016adminuser
Admin: true
Marked User: false
Start Muted: false
MOH When Empty: enabled
MOH Class: default
Announcement:
Quiet: disabled
Wait Marked: disabled
END Marked: disabled
Drop_silence: enabled
Silence Threshold: 160ms
Talking Threshold: 0ms
Denoise: enabled
Jitterbuffer: disabled
Talk Detect Events: disabled
DTMF Pass Through: enabled
PIN: 4321
Announce User Count: enabled
Announce join/leave: enabled
Announce User Count all: enabled
===
static int confbridge_exec(struct ast_channel *chan, const char *data)
if(conf_find_user_profile(chan, u_profile_name, &conference_bridge_user.u_profile)==NULL){
ast_verb(3,"\n NULL USER\n");
}
if (!conf_find_user_profile(chan, u_profile_name, &conference_bridge_user.u_profile)) {
ast_verb(3, "Conference user profile %s does not exist\n", u_profile_name);
ast_log(LOG_WARNING, "Conference user profile %s does not exist\n", u_profile_name);
res = -1;
goto confbridge_cleanup;
}
confbridge_cleanup:
ast_bridge_features_cleanup(&conference_bridge_user.features);
conf_bridge_profile_destroy(&conference_bridge_user.b_profile);
===========
so why user is missing when user is preset in confbridge.conf?
-- Executing [5006005#ConfBridgeIncomingCalls:1] Answer("SIP/6017-00000002", "") in new stack
> 0xb766d7d0 -- Probation passed - setting RTP source address to 172.18.100.49:8000
-- Executing [5006005#ConfBridgeIncomingCalls:2] Set("SIP/6017-00000002", "myconference=4000") in new stack
-- Executing [5006005#ConfBridgeIncomingCalls:3] Set("SIP/6017-00000002", "TMP_CONF_COUNT=0") in new stack
-- Executing [5006005#ConfBridgeIncomingCalls:4] Verbose("SIP/6017-00000002", "3,"sabse 4000 has users:0") in new stack
-- "sabse 4000 has users:0
-- Executing [5006005#ConfBridgeIncomingCalls:5] Set("SIP/6017-00000002", "TMP_CONF_LOCKED=0") in new stack
-- Executing [5006005#ConfBridgeIncomingCalls:6] Verbose("SIP/6017-00000002", "3,"sasbse 4000 has users:0 and lock or unlock:0"") in new stack
-- "sasbse 4000 has users:0 and lock or unlock:0"
-- Executing [5006005#ConfBridgeIncomingCalls:7] ConfBridge("SIP/6017-00000002", "4000,,6016adminuser,") in new stack
--
info === 4000,6016adminuser,, --
**NULL USER**
**-- Conference user profile 6016adminuser, does not exist**
[2013-12-27 15:48:45] WARNING[20071][C-00000002]: app_confbridge.c:3722 confbridge_exec: Conference user profile 6016adminuser, does not exist
[2013-12-27 15:48:45] WARNING[20071][C-00000002]: app_confbridge.c:3722 confbridge_exec: Conference user profile 6016adminuser, does no

I can see in source code:
ast_log(LOG_WARNING, "Conference user profile %s does not exist\n", u_profile_name);
As you can see it have no comma after profile.
So solution is:
change your dialplan to remove trailing comma after userprofile