On Fri, 10 Apr 2015, Jeroen Massar wrote:

Debian (and possibly other distros) use the /etc/dovecot/conf.d/* setup
where default config files are stuffed and then one can just add a
99-myconfig.conf et voila, variables are overruled.

This allows the distro to supply updates to the files at package upgrade
time without any/much user intervention.

The problem (for me ;) is that the system comes provided with:

auth-system.conf.ext containing:

passdb {
   driver = pam
}
userdb {
   driver = passwd
}

Hence pam & /etc/passwd based are always enabled.
This while I don't have any local users.

Isn't that a packaging problem then? Debian should use DEBCONF to ask you during installation which db to enable by default. You should file a bug with Debian to let the admin choose which (if at all) db to enable by default. There are no config files installed by Dovecot if compiled from source.


Replication seems to then always pick up the local users, which are
vmail + nobody (65536).

doveadm user '*' thus reports vmail, nobody + virtual users

Setting:
first_valid_uid = 5000
last_valid_uid = 5000

only keeps vmail in there, but apparently some module (guess
replication) is still able to figure out that 'nobody' exists:

Apr 10 09:48:25 mail dovecot: doveadm(IPADDR,nobody): Error: Mail access
for users with UID 65534 not permitted (see first_valid_uid in config
file, uid from userdb lookup).
Apr 10 09:48:25 mail dovecot: doveadm(IPADDR,nobody): Error:
dsync-server: User init failed
Apr 10 09:49:38 mail dovecot: doveadm(nobody): Error: sync: Failed to
start remote dsync-server command: Remote exit_code=75

and on the other side:
Apr 10 09:54:38 mail dovecot: doveadm(nobody): Error: sync: Unknown user
in remote

This can be resolved by commenting out the entries in
auth-system.conf.ext but then I'll have to do that again at package
upgrade time.

Hence, would it be a cool option to be able (in the 99-myconfig.conf)
file to put:

passdb {
   driver = pam
   enabled = false
}
userdb {
   driver = passwd
   enabled = false
}

And thereby disabling those modules completely? Thus avoiding upgrade
conflicts etc.

Greets,
Jeroen


-- Steffen Kaiser
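Added example, not part of the original thread or of Dovecot itself: a small audit that lists every passdb/userdb block in merged Dovecot configuration text (for instance the output of `doveconf -n`) and flags the system-account drivers discussed above. The sample config, the function names and the SYSTEM_DRIVERS set are assumptions made for illustration.

```python
import re

# Constructed sample of a merged config: the distro-supplied system backends
# plus a virtual-user SQL backend. Not taken from the original thread's host.
SAMPLE = """\
# constructed example
first_valid_uid = 5000
last_valid_uid = 5000
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
  }
}
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
"""

# Assumption: drivers treated here as "local system account" backends.
SYSTEM_DRIVERS = {"pam", "passwd", "shadow"}

def auth_backends(text):
    """Return [(section, driver)] for each top-level passdb/userdb block."""
    found, section, driver, depth = [], None, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: no '#' in values
        if line.endswith("{"):
            depth += 1
            words = line[:-1].split()
            if depth == 1 and words and words[0] in ("passdb", "userdb"):
                section, driver = words[0], None
        elif line == "}":
            if depth == 1 and section:
                found.append((section, driver))
                section = None
            depth -= 1
        elif section and depth == 1:
            m = re.match(r"driver\s*=\s*(\S+)", line)
            driver = m.group(1) if m else driver
    return found

def system_backends(text):
    """Subset of auth_backends() that authenticates or enumerates local accounts."""
    return [b for b in auth_backends(text) if b[1] in SYSTEM_DRIVERS]
```

Running system_backends() on the merged configuration after each package upgrade shows whether the pam/passwd blocks from auth-system.conf.ext are active again.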
