[Dovecot] Work with auth socket

2010-06-29 Thread Неворотин Вадим
-- Forwarded message --
From: Неворотин Вадим nevoro...@gmail.com
Date: 2010/6/29
Subject: Re: [Dovecot] Work with auth socket
To: Steffen Kaiser skdove...@smail.inf.fh-brs.de


Hmm, I have some problems implementing authentication through the Dovecot
socket.

I've written this script:

#!/usr/bin/perl

use IO::Socket::UNIX;
use IO::Select;
use Socket qw(SOCK_STREAM);
use MIME::Base64;

$login = "test";
$passwd = "test";

#utf8::encode($login);   # I don't know whether we really need it
#utf8::encode($passwd);

my $service = "ejabberd";
my $timeout = 1;
my $socket = '/var/spool/postfix/private/auth-client';

my $sock = new IO::Socket::UNIX(Type => SOCK_STREAM, Peer => $socket) or
  die "Can't open socket: $!";

# Read the server's greeting (VERSION, MECH ..., SPID, CUID, DONE) until it goes quiet
my $sel = new IO::Select($sock);
while (1) {
    $sel->can_read($timeout) or last;
    defined recv($sock, my $buf, 256, 0) or warn 'Error while reading response';
    print $buf;
}

# Client handshake: our protocol version, then our process id
send($sock, "VERSION\t1\t0\nCPID\t$$\n", 0) or
  die "Can't write to $socket";

# SASL PLAIN initial response: NUL login NUL password, base64-encoded.
# The '' second argument stops encode_base64() from appending a newline,
# which would otherwise end up inside the single-line AUTH request.
my $base64 = encode_base64("\0$login\0$passwd", '');
$sock->send("AUTH\t1\tPLAIN\tservice=$service\tsecured\tresp=$base64\n") or
  die "Can't write to $socket";

# Wait for the OK / FAIL / CONT reply
my $i = 10;
while ($i--) {
    $sel->can_read($timeout) or last; # timed out while waiting for response
    defined recv($sock, my $buf, 256, 0) or warn 'Error while reading response';
    print $buf;
}

And I get this log:

# ./test.pl
MECH PLAIN plaintext
MECH LOGIN plaintext
VERSION 1 0
SPID 26023
CUID 1818
DONE

So Dovecot doesn't answer anything after the AUTH command. Maybe
http://wiki.dovecot.org/Authentication%20Protocol does not fully describe the
auth protocol?



2010/6/24 Неворотин Вадим nevoro...@gmail.com

Thank you!


 2010/6/24 Steffen Kaiser skdove...@smail.inf.fh-brs.de


 On Thu, 24 Jun 2010, Неворотин Вадим wrote:


 I need to use the Dovecot auth socket from my Perl script to validate users'
 passwords (for a Jabber server). Is there any information about how to
 communicate with the Dovecot auth socket?



 http://search.cpan.org/~sasha/Authen-SASL-Authd-0.04/lib/Authen/SASL/Authd.pm

 NAME

 Authen::SASL::Authd - Client authentication via Cyrus saslauthd or Dovecot
 authentication daemon.

 http://wiki.dovecot.org/Authentication+Protocol

 Regards,

 -- Steffen Kaiser




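The exchange the script above attempts, as an added example that is not part of the original post: an offline, socket-free model of the client side of the Dovecot auth socket protocol (client VERSION/CPID greeting, the base64 SASL PLAIN response, the AUTH request line, and parsing of the server greeting and OK/FAIL/CONT replies). Written in Python rather than Perl; the greeting it parses is constructed from the log printed in the post, and the `rip=` parameter is optional.

```python
import base64

# Added example, not code from the original post: a socket-free model of the
# client side of the Dovecot auth protocol. Server lines are constructed.
PROTO_MAJOR, PROTO_MINOR = 1, 0


def client_handshake(pid):
    """Client greeting: our protocol version, then our process id (CPID)."""
    return f"VERSION\t{PROTO_MAJOR}\t{PROTO_MINOR}\nCPID\t{pid}\n"


def plain_response(user, password, authzid=""):
    """SASL PLAIN initial response: authzid NUL authcid NUL password, base64.
    b64encode appends no newline; Perl's encode_base64 does unless given ''
    as its second argument, and that newline would break the line framing."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_request(req_id, user, password, service, secured=True, rip=None):
    """One AUTH line: request id, mechanism, tab-separated parameters.
    rip= carries the client's remote IP; passdb checks such as allow_nets
    fail with 'Remote IP not known' when the caller leaves it out."""
    if "\t" in user + password or "\n" in user + password:
        raise ValueError("credentials would break the tab/newline framing")
    params = [f"service={service}"]
    if secured:
        params.append("secured")
    if rip is not None:
        params.append(f"rip={rip}")
    params.append(f"resp={plain_response(user, password)}")
    return "\t".join(["AUTH", str(req_id), "PLAIN", *params]) + "\n"


def parse_handshake(text):
    """Consume the server greeting up to DONE; return (version, mechs, spid).
    The major version must match ours; the minor version may differ."""
    version, mechs, spid = None, {}, None
    for line in text.split("\n"):
        cmd, *args = line.split("\t")
        if cmd == "VERSION":
            version = (int(args[0]), int(args[1]))
            if version[0] != PROTO_MAJOR:
                raise ValueError(f"incompatible auth protocol version {version}")
        elif cmd == "MECH":
            mechs[args[0]] = set(args[1:])   # mechanism name -> flags
        elif cmd == "SPID":
            spid = int(args[0])
        elif cmd == "DONE":
            break
    else:
        raise ValueError("server greeting ended without DONE")
    if "PLAIN" not in mechs:
        raise ValueError("server does not offer the PLAIN mechanism")
    return version, mechs, spid


def parse_reply(line, req_id):
    """Parse the OK/FAIL/CONT reply to our request into (status, fields)."""
    cmd, rid, *args = line.rstrip("\n").split("\t")
    if cmd not in ("OK", "FAIL", "CONT") or int(rid) != req_id:
        raise ValueError(f"unexpected server line: {line!r}")
    fields = dict(a.split("=", 1) if "=" in a else (a, "") for a in args)
    return cmd, fields
```

Feeding the greeting from the post's log to parse_handshake() yields version (1, 0), the PLAIN and LOGIN mechanisms and SPID 26023; a reply of `FAIL\t1\tuser=test` parses to a FAIL status with the user field.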

Re: [Dovecot] Work with auth socket

2010-06-29 Thread Неворотин Вадим
Yes, but this module doesn't work with my Dovecot)) So I've tried to debug it
manually, and it really does not work and has an error somewhere.

Dovecot 1.2.10 from Debian backports.


2010/6/29 Anton Dollmaier antondollma...@aditsystems.de

 Hi,



  I've wrote such script:


 use Authen::SASL::Authd, as suggested by Steffen.

 This code-snippet should help you:



 http://search.cpan.org/~sasha/Authen-SASL-Authd-0.04/lib/Authen/SASL/Authd.pm



 #!/usr/bin/perl
 use Authen::SASL::Authd qw(auth_cyrus auth_dovecot);

 $login = "test";
 $passwd = "test";

 # authenticate user against Dovecot authentication daemon
 auth_dovecot($login, $passwd) or die "dovecot-auth: FAIL";


 I implemented a monitoring script with this snippet; it works great.


 good luck!



[Dovecot] Work with auth socket

2010-06-24 Thread Неворотин Вадим
I need to use the Dovecot auth socket from my Perl script to validate users'
passwords (for a Jabber server). Is there any information about how to
communicate with the Dovecot auth socket?


[Dovecot] [Bug] Case sensitive usernames and variables

2010-05-05 Thread Неворотин Вадим
Today I've found a very irritating bug:

I use

mail_location = maildir:/var/mail/%u/

in my dovecot.conf. And if a user types Username, username, USERname etc. at
login, Dovecot creates a different Maildir for one real user. But the LDA works
correctly and saves all messages to the lowercase-username mailbox. No problem,
add L:

mail_location = maildir:/var/mail/%Lu/

Then everything works. But I also have this namespace configuration:

namespace shared {
separator = /
prefix = BCAEMARBBEEESwQ7BDoEOA-/%%u/
location = maildir:/var/mail/%%u:INDEX=/var/mail/%u/shared/%%u
subscriptions = no
list = children
}

And here I can't replace %u with %Lu, because Dovecot writes to dovecot.log:

IMAP(malamut): Error: Namespace 'BCAEMARBBEEESwQ7BDoEOA-/%Lu/': shared:
Shared namespace prefix contains unknown variables

So a user has only one mailbox (with the lowercase name), but a lot of different
indexes for shared mailboxes, e.g. /var/mail/username/shared,
/var/mail/USERname/shared etc.

How can I tune Dovecot to always use a lowercase username?

Dovecot 1.2.10


Re: [Dovecot] [Bug] Case sensitive usernames and variables

2010-05-05 Thread Неворотин Вадим
2010/5/5 Steffen Kaiser skdove...@smail.inf.fh-brs.de

 First:
 Is it a typo or did you replace %%u by %Lu? Note the different number of
 %'s.



No, of course I tried to replace %u with %Lu, and also %%u with %%Lu. It's not
working, so I think it's a bug.


 Second:

You can have passdb return set/overwrite user, just return the
 normalized variant of the username as user field:
 http://wiki.dovecot.org/PasswordDatabase/ExtraFields


I use LDAP for passdb and I can't be sure that all my users in LDAP have
lowercase usernames. But I've found the option

auth_username_format = %Lu

It looks like what I need, thank you!


Re: [Dovecot] Problems with masteruser

2010-04-16 Thread Неворотин Вадим
Hmm, what can I use master users for, if I can't even read a user's mails from
INBOX with the master user? And where can I read about master users in that
respect? I really can't understand what master users are for if they can't do
anything)))

2010/4/16 Timo Sirainen t...@iki.fi

 On Fri, 2010-04-09 at 20:53 +0400, Неворотин Вадим wrote:
  Well, the main idea of master users is to able to log in as normal user
 with
  master password. So IMAP client shoudn't know at all that it work with
  masteruser password. And IMAP process must be exactly the same. If you
 can
  find difference between login*master and login - then there is a bug in
  master users implementation. I see a big difference

 It's not a bug, it's an intentional feature. What you're requesting is a
 different feature. You could try if having your userdb return
 master_user=%u field would make it work the way you want.



Re: [Dovecot] Problems with masteruser

2010-04-16 Thread Неворотин Вадим
I've added

$ENV{'MASTER_USER'} = $ENV{'USER'};

to my postlogin-imap script, and it looks like everything is working, thank
you!!! I'll test it next week, but as I see ACL and basic operations work, I
think that everything else works too))

But what does it mean when I return the current user's name in the master_user
field?))) As I understand it, it raises the master user's rights to full control
of the user's mailbox. But what if I return not the current user name in
master_user, but something else?))) What does the master_user field control?)))
(Sorry, I can't find any information about this feature.)

2010/4/16 Timo Sirainen t...@iki.fi

 On Fri, 2010-04-16 at 15:30 +0400, Неворотин Вадим wrote:
  Hmm, what can I use master users for, if I can't even read a user's mails
  from INBOX with the master user? And where can I read about master users in
  that respect? I really can't understand what master users are for if they
  can't do anything)))

 The feature was originally implemented for a voicemail feature. There
 would be a voicemail master user that would have permission to write
 new mails to users' voicemail mailbox, but nothing else.

 You could have a similar spam master user that only has access to
 users' Spam mailbox (for training spam bayesian or whatever).

 Anyway, did you try my suggestion on how to make it work the way you
 wanted? If it doesn't work yet, I can change the code to make it work:

  You could try if having your userdb return
  master_user=%u field would make it work the way you want.



Re: [Dovecot] Problems with masteruser

2010-04-16 Thread Неворотин Вадим
Thank you for your answer! I'll try to use it for my autoconfiguration
script after the weekend)) I use AD as userdb and passdb and have group
mailboxes, but the main users of these mailboxes don't have any password. And I
need to automatically subscribe my users to new group mailboxes. So a
full-access master user is really good for me.

2010/4/16 Timo Sirainen t...@iki.fi

 On Fri, 2010-04-16 at 16:57 +0400, Неворотин Вадим wrote:
  I've added
 
  $ENV{'MASTER_USER'} = $ENV{'USER'};
 
  to my postlogin-imap script, and it looks like everything is working, thank
  you!!! I'll test it next week, but as I see ACL and basic operations work, I
  think that everything else works too))
 
  But what does it mean when I return in master_user field current user's
  name?)))

 It means exactly what you do in your post-login script. It sets
 master_user to same as user.

  But what if I return not the current user name in master_user, but
  something else?))) What does the master_user field control?))) (Sorry, I
  can't find any information about this feature.)

 master_user is used for the ACL checks. Currently it doesn't do anything
 else. So if you set master_user to foo, it uses foo's ACLs when
 determining access to mailboxes. There's nothing special about master
 users after login, they're just usernames as any other usernames are.



Re: [Dovecot] Problems with masteruser

2010-04-09 Thread Неворотин Вадим
Well, the main idea of master users is to be able to log in as a normal user
with the master password. So the IMAP client shouldn't know at all that it works
with a master user password. And the IMAP process must be exactly the same. If
you can find a difference between login*master and login, then there is a bug
in the master users implementation. I see a big difference.

2010/4/9 Eric Rostetter rostet...@mail.utexas.edu

 Quoting Неворотин Вадим nevoro...@gmail.com:

  It looks like a big bug. As I understand it, there shouldn't be any difference
  between logging in with a master user and a normal login. But in my system I
  can't use a master user at all due to IMAP errors.


 It works for me, with two exceptions:

 1) The acl issue I mentioned.
 2) It doesn't work right in my webmail for anything but the e-mail part,
 since the webmail retains the user as master*real instead of just real.
 So it does log me in and show me the mail, but everything else (preferences,
 filters, address book, etc) don't work right.  The webmail has hooks which
 should allow me to fix this, but I've not had time to figure that out yet.

 So basically, it works for me, with just two little annoyances (one is
 dovecot specific, the other is actually my webmail and not dovecot).


 --
 Eric Rostetter
 The Department of Physics
 The University of Texas at Austin

 Go Longhorns!



[Dovecot] Problems with masteruser

2010-04-08 Thread Неворотин Вадим
I have a very strange problem with master users. See the two logs below:

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
STARTTLS AUTH=PLAIN AUTH=LOGIN] Welcome to our post server!
x login nevorotin password
x OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE
CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC
ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk]
Logged in
x list  *
* LIST (\HasNoChildren) / INBOX
x OK List completed.
x getacl INBOX
* ACL INBOX nevorotin lrwstipekxacd
x OK Getacl completed.

Everything works perfectly. And then I log in through the master user:


# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
STARTTLS AUTH=PLAIN AUTH=LOGIN] Welcome to our post server!
x login nevorotin*master masterpassword
x OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE
CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC
ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk]
Logged in
x list  *
* LIST (\Unmarked) / INBOX
x OK List completed.
x getacl INBOX
x NO [NONEXISTENT] Mailbox doesn't exist: INBOX

I've turned on debug logging, but there aren't any errors. I only see that the
master user successfully logged in as nevorotin. How can I make a master user
login to a user account behave exactly the same as a simple user login? Now it
doesn't work at all.

I use 1.2.10 version of dovecot.

Re: [Dovecot] Problems with masteruser

2010-04-08 Thread Неворотин Вадим
It looks like a big bug. As I understand it, there shouldn't be any difference
between logging in with a master user and a normal login. But in my system I
can't use a master user at all due to IMAP errors.

2010/4/9 Eric Rostetter rostet...@mail.utexas.edu

 Quoting Неворотин Вадим nevoro...@gmail.com:

  I have a very strange problem with master users. See the two logs below:


 I can't help, but I can add my observations...  Using dovecot 1.2.11
 and master users, I noticed that if I log in to a user (real-user)
 using the master user (master-user),  then the mailbox listing shows all
 non-acl mailboxes fine, but for acl-controlled mailboxes it shows those
 for which master-user has access, not those for which real-user has
 access.

 This really freaked me out the first time I logged in and a shared
 folder showed up when it shouldn't have.  I thought I had shared it
 with everyone!  But I was able to verify that a real login to real-user
 doesn't see the shared folder, while a master login to real-user does
 see it.  So it is the master user login that is messing up the acl checks.

 --
 Eric Rostetter
 The Department of Physics
 The University of Texas at Austin

 Go Longhorns!



[Dovecot] Per-user flags for shared folders

2010-04-07 Thread Неворотин Вадим
As I see, in 2.0 there won't be an ability to control which flags should be
shared and which should be per-user. But maybe there are some plans to
implement settings to control that?

It would be great if you could write in the dovecot-shared file which flags
should be per-user. It's very useful for group mailboxes, when each user should
work with such a mailbox like with their own. Now I can't add delete permission
on a group mailbox for anybody, because if somebody deletes a message, it
disappears for the other users of the group mailbox. So my group mailboxes look
like a big scrapyard. I can compile from sources and also add the \Deleted flag
to the private flags, but it's not an elegant solution.

And my idea is easy to implement :) Just add here:

305 shared_path = t_strconcat(box->path, "/dovecot-shared", NULL);
306 if (stat(shared_path, &st) == 0)
307 box->private_flags_mask = MAIL_SEEN;

in maildir-storage.c some code for reading a mask from the dovecot-shared file.
Unfortunately I'm not a good programmer, so I can't make a patch myself(((

Re: [Dovecot] Manage mails from server

2010-04-07 Thread Неворотин Вадим
Hmm, PREAUTH is cool. But all Perl CPAN modules for IMAP can only work through
local UNIX sockets (or a usual internet connection). Maybe there is a way to
create a socket when launching 'dovecot --exec-mail imap' instead of working
directly with STDIN/STDOUT?


Re: [Dovecot] Manage mails from server

2010-04-07 Thread Неворотин Вадим
Thanks! Master Users are very good solution for me.

2010/4/8 Timo Sirainen t...@iki.fi

 On Thu, 2010-04-08 at 01:38 +0400, Неворотин Вадим wrote:
  Hmm, PREAUTH is cool. But all Perl CPAN modules for IMAP can only work
  through local UNIX sockets (or a usual internet connection). Maybe there is
  a way to create a socket when launching 'dovecot --exec-mail imap' instead
  of working directly with STDIN/STDOUT?

 With v2.0 you can add a UNIX socket listener to IMAP, but you still have
 to log in with it. Maybe you should enable some kind of master user
 logins. http://wiki.dovecot.org/Authentication/MasterUsers





[Dovecot] Manage mails from server

2010-04-02 Thread Неворотин Вадим
I've configured Dovecot with a shared namespace and IMAP ACLs to make group
mailboxes. I use maildir mailboxes, and I add a dovecot-shared file to each
group mailbox. So each user with access to a group mailbox has their own \Seen
flag. And now I need to automatically delete a mail from the server 2 weeks
after each user has read the email in the shared mailbox.

How can I, e.g. from a Perl script, get the \Seen flag for a user and mail and
then correctly delete the mail from the server? I need to create a fully
automatic mail system; maybe there are some HOW-TOs or examples somewhere?

And will I be able to use a per-user \Deleted flag in 2.0, not only \Seen?


[Dovecot] Managing IMAP ACL from script

2010-03-31 Thread Неворотин Вадим
I need to change ACLs for mailboxes from a script on my server. As I
understand it, now I can correctly change ACLs only via telnet using IMAP
commands. And moreover I need to know the user's password for it. Are there any
plans to add inheritance of ACLs and the ability to manage them directly from
the server? And if so, in which version? Will 2.0 fully support ACLs? Now I use
Dovecot 1.2.10.


[Dovecot] Shared folders

2010-03-16 Thread Неворотин Вадим
I need to create a shared folder (mailbox for a group mailing list) with
access for several accounts. But all people with access to this
mailbox should be able to work with this folder in exactly the same way
as with a local mailbox. Each user should be able to delete emails and mark them
as read. But these changes must apply only to that one user, not to others. For
example, user1 and user2 have access to the folder Trades. There is a new
incoming mail. User1 reads it and deletes it. But in user2's client this mail
must be unread and not deleted. So there should be only one copy of an
email (in the group mailbox), but the state (unread|read|deleted) of this email
should be different for each user.
Can I do this with Dovecot? Yes, I know that I can send a copy of a group
letter to each user's mailbox, but unfortunately I have a lot of groups and
very big letters, so I can't duplicate each letter to many mailboxes. The
purpose is to store only one instance of each letter, but to allow users to
work with it like with their own letters. Now I use Maildir++ mailboxes.


Re: [Dovecot] Problem with allow_nets passdb parameter and Postfix

2010-02-18 Thread Неворотин Вадим
Well, I've asked this question on the Postfix mailing list, and after the
discussion, as I understand it, Postfix 2.7 sends all necessary client
information to the Dovecot socket. But I haven't tried this solution yet.

2010/2/18 Timo Sirainen t...@iki.fi

 On Mon, 2010-02-15 at 14:00 +0300, Неворотин Вадим wrote:
  allow_nets check failed: Remote IP not known

  Problem is clear: smtpd doesn't send the client IP to the Dovecot
  authentication socket.

 Yep. The only way you can get Postfix to send IP to Dovecot is by
 patching Postfix sources.

  But I need to limit users' ability to connect to specific IPs only. Both for
  SMTP and IMAP. How can I do that? I use Dovecot 1.0.15 and Postfix 2.5.5 on
  Debian Lenny.

 Do you mean all users must connect from only specific IP, or is it a
 per-user configuration? If all users, maybe you can do this on Postfix
 side some other way. Or require clients to use submission port or a
 different IP and use a firewall.



[Dovecot] Problem with allow_nets passdb parameter and Postfix

2010-02-15 Thread Неворотин Вадим
I use Dovecot for SASL authentication from Postfix. In Postfix main.cf I
have:

smtpd_sasl_type = dovecot

It works well, but now I need to allow users to connect by IMAP only from
given IP addresses. I've added the extra field allow_nets to passdb in Dovecot,
and IMAP authentication works fine. But now I can't connect to my SMTP
server, because when smtpd asks Dovecot about user authentication, Dovecot
always denies it, even if I try to connect to SMTP from a correct IP listed
in allow_nets for the user. In the Dovecot log I have messages about an
incorrect IP like this:

dovecot: 2010-02-15 13:28:51 Info: auth(default): passwd-file(malamut):
lookup: user=malamut file=/etc/dovecot/temp.users
dovecot: 2010-02-15 13:28:51 Info: auth(default): passdb(malamut):
allow_nets check failed: Remote IP not known
dovecot: 2010-02-15 13:28:53 Info: auth(default): client out: FAIL 7
user=malamut

Problem is clear: smtpd doesn't send the client IP to the Dovecot authentication
socket. But I need to limit users' ability to connect to specific IPs only. Both
for SMTP and IMAP. How can I do that? I use Dovecot 1.0.15 and Postfix 2.5.5 on
Debian Lenny.