Re: [Dovecot] LMTP with virtual and system users

2014-01-08 Thread Adrian Zaugg


On 07.01.14 13:21, Philipp Kolmann wrote:
 I didn't want to have lda SUID root...
Is this necessary? Exim calls dovecot-lda as user $local_part, and if
you set up your mail storage to have the right permissions, this should
work without SUID. But maybe I'm wrong; anyway, in the wiki there is a
section on how to use the LDA without setting the process SUID.

http://wiki2.dovecot.org/LDA/Exim
- towards the end of the page

Cheers, Adrian.
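A check for the setup Adrian describes, added here as an example (it is not from the thread and not Dovecot's or Exim's code). With the pipe transport running dovecot-lda as $local_part, delivery works without a setuid binary only if each system user can write its own Maildir, so the script reports whether dovecot-lda carries the setuid bit (and whose uid it would grant), and lists why a given uid/gid could not deliver into a given Maildir. The binary path, the uid threshold for "system users" and the ~/Maildir layout are assumptions taken from the configs posted in this thread.

```python
"""Checks behind a no-SUID dovecot-lda delivery setup (added example)."""
import os
import pwd
import stat
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

LDA_PATH = "/usr/lib/dovecot/dovecot-lda"   # assumption: path used in the thread's transport


def setuid_owner(path) -> Optional[int]:
    """Return the owner uid if the file has the setuid bit set, else None.
    A result of 0 is the 'lda SUID root' case the thread wants to avoid."""
    st = os.stat(path)
    return st.st_uid if st.st_mode & stat.S_ISUID else None


def maildir_problems(maildir: Path, uid: int, gid: int) -> List[str]:
    """List reasons a delivery process running as uid/gid could not write into
    maildir. The Maildir root and cur/new/tmp must each exist and be writable
    and searchable through the owner bits (if owned by uid) or the group bits
    (if group-owned by gid). Relying on world-write is reported as a problem,
    not accepted as a way to make delivery work."""
    problems: List[str] = []
    for name in ("", "cur", "new", "tmp"):
        d = maildir / name          # Path ignores the empty segment: the root itself
        if not d.is_dir():
            problems.append(f"{d}: missing")
            continue
        st = d.stat()
        mode = st.st_mode
        if st.st_uid == uid:
            writable = bool(mode & stat.S_IWUSR and mode & stat.S_IXUSR)
        elif st.st_gid == gid:
            writable = bool(mode & stat.S_IWGRP and mode & stat.S_IXGRP)
        else:
            writable = False
        if not writable:
            problems.append(
                f"{d}: uid {uid}/gid {gid} cannot deliver "
                f"(owner {st.st_uid}:{st.st_gid}, mode {oct(stat.S_IMODE(mode))})"
            )
        if mode & stat.S_IWOTH:
            problems.append(f"{d}: world-writable")
    return problems


def audit_system_users(lda_path: str = LDA_PATH, min_uid: int = 1000) -> dict:
    """Run both checks for every passwd entry at or above min_uid, assuming
    mail_location = maildir:~/Maildir as in the posted dovecot.conf."""
    report = {
        "lda_setuid_owner": setuid_owner(lda_path) if os.path.exists(lda_path) else "not found",
        "users": {},
    }
    for pw in pwd.getpwall():
        if pw.pw_uid < min_uid:
            continue
        report["users"][pw.pw_name] = maildir_problems(
            Path(pw.pw_dir) / "Maildir", pw.pw_uid, pw.pw_gid)
    return report


def current_ids() -> Tuple[int, int]:
    return os.getuid(), os.getgid()


def sample_maildir() -> Path:
    """Constructed fixture: a private (0700) Maildir owned by the current user."""
    root = Path(tempfile.mkdtemp(prefix="maildir-"))
    for sub in ("cur", "new", "tmp"):
        (root / sub).mkdir(mode=0o700)
    return root


def sample_binary(mode: int) -> str:
    """Constructed fixture: an empty file with the given permission bits."""
    fd, path = tempfile.mkstemp(prefix="lda-")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    import json
    print(json.dumps(audit_system_users(), indent=2, default=str))
```

Run it as root on the mail host to cover every user's home; an empty list per user plus a setuid owner of None is the state in which the pipe transport can deliver as $local_part without any privilege in dovecot-lda itself.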


Re: [Dovecot] LMTP with virtual and system users

2014-01-07 Thread Philipp Kolmann

Hi Adrian,

thanks for your reply. I have also thought in this direction already but 
I didn't want to have lda SUID root...


I saw that the Passwd-file passdb supports username_format as argument. 
Would it be possible to add this feature also to the LMTP passdb driver?


thanks
Philipp

On 01/01/14 18:25, Adrian Zaugg wrote:

Hi Philipp

You are completely right, the proposed solution doesn't work. It seems
exim always qualifies an address without a domain; I believe this is
because LMTP requires that it only gets qualified addresses (LMTP is based
on SMTP and the RFC, if I read it correctly, specifies it like this).

So, another solution would be to use LDA for your local users and LMTP
for the rest. The configuration for exim would be: a router and a
transport for your local users using LDA, and your virtual users setup
as you have it using LMTP.

local_user:
  debug_print = R: local_user for $local_part@$domain
  driver = accept
  domains = @ : localhost : ${primary_hostname}
  check_local_user
  transport = dovecot_lda
  cannot_route_message = Unknown user

dovecot_lda:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda \
    -f $sender_address \
    -a $original_local_part@$original_domain
  log_output
  delivery_date_add
  return_path_add
  envelope_to_add
  user = $local_part
  group = mail
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78


Please check man dovecot-lda and the dovecot wiki
(http://wiki2.dovecot.org/LDA/Exim) for details. Also check the
permissions you need for dovecot-lda to write to your mailspool (user
and group options from the transport).

I haven't tried the above, but I think it works like this ...

Best regards, Adrian.


On 30.12.13 09:40, Philipp Kolmann wrote:

Hi Adrian,

On 26.12.2013 12:20, Adrian Zaugg wrote:

You can use exim to prepare the address as you wish: only the user name
for pam users and the full address for virtual users.

Configure a new router to strip the domain part for pam users:

local_pam_users:
  debug_print = R: strip domain for local pam users
  driver = redirect
  check_local_user
  domains = @ : localhost : ${primary_hostname}
  data = ${local_part}
  redirect_router = local_user

I'm not 100% sure of the domains condition; it should restrict the
router to your domain(s) where your pam users receive their email. The
redirect_router designates the router which routes your local deliveries
to your lmtp transport. Place the new router to run just before your
local_user router.

Since your config works for your virtual users, you don't need to do
anything in addition.

I had tried this once already. I have used your snippet and attached
the debug output from exim. Sadly it didn't work, because the LMTP
process got the full email address again and not just the username.

thanks
Philipp






--
---
DI Mag. Philipp Kolmann  mail: kolm...@zid.tuwien.ac.at
Technische Universitaet Wien  web: www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 Wien  DVR: 0005886
---



Re: [Dovecot] LMTP with virtual and system users

2014-01-01 Thread Adrian Zaugg
Hi Philipp

You are completely right, the proposed solution doesn't work. It seems
exim always qualifies an address without a domain; I believe this is
because LMTP requires that it only gets qualified addresses (LMTP is based
on SMTP and the RFC, if I read it correctly, specifies it like this).

So, another solution would be to use LDA for your local users and LMTP
for the rest. The configuration for exim would be: a router and a
transport for your local users using LDA, and your virtual users setup
as you have it using LMTP.

local_user:
  debug_print = R: local_user for $local_part@$domain
  driver = accept
  domains = @ : localhost : ${primary_hostname}
  check_local_user
  transport = dovecot_lda
  cannot_route_message = Unknown user

dovecot_lda:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda \
    -f $sender_address \
    -a $original_local_part@$original_domain
  log_output
  delivery_date_add
  return_path_add
  envelope_to_add
  user = $local_part
  group = mail
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78


Please check man dovecot-lda and the dovecot wiki
(http://wiki2.dovecot.org/LDA/Exim) for details. Also check the
permissions you need for dovecot-lda to write to your mailspool (user
and group options from the transport).

I haven't tried the above, but I think it works like this ...

Best regards, Adrian.


On 30.12.13 09:40, Philipp Kolmann wrote:
 Hi Adrian,
 
 On 26.12.2013 12:20, Adrian Zaugg wrote:
 You can use exim to prepare the address as you wish: only the user name
 for pam users and the full address for virtual users.

 Configure a new router to strip the domain part for pam users:

 local_pam_users:
   debug_print = R: strip domain for local pam users
   driver = redirect
   check_local_user
   domains = @ : localhost : ${primary_hostname}
   data = ${local_part}
   redirect_router = local_user

 I'm not 100% sure of the domains condition; it should restrict the
 router to your domain(s) where your pam users receive their email. The
 redirect_router designates the router which routes your local deliveries
 to your lmtp transport. Place the new router to run just before your
 local_user router.

 Since your config works for your virtual users, you don't need to do
 anything in addition.
 
 I had tried this once already. I have used your snippet and attached
 the debug output from exim. Sadly it didn't work, because the LMTP
 process got the full email address again and not just the username.
 
 thanks
 Philipp
 
 
 


Re: [Dovecot] LMTP with virtual and system users

2013-12-30 Thread Philipp Kolmann

Hi Adrian,

On 26.12.2013 12:20, Adrian Zaugg wrote:

You can use exim to prepare the address as you wish: only the user name
for pam users and the full address for virtual users.

Configure a new router to strip the domain part for pam users:

local_pam_users:
  debug_print = R: strip domain for local pam users
  driver = redirect
  check_local_user
  domains = @ : localhost : ${primary_hostname}
  data = ${local_part}
  redirect_router = local_user

I'm not 100% sure of the domains condition; it should restrict the
router to your domain(s) where your pam users receive their email. The
redirect_router designates the router which routes your local deliveries
to your lmtp transport. Place the new router to run just before your
local_user router.

Since your config works for your virtual users, you don't need to do
anything in addition.


I had tried this once already. I have used your snippet and attached
the debug output from exim. Sadly it didn't work, because the LMTP
process got the full email address again and not just the username.


thanks
Philipp



--
---
DI Mag. Philipp Kolmann  mail: kolm...@zid.tuwien.ac.at
Technische Universitaet Wien  web: www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID) tel: +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 Wien  DVR: 0005886
---

17788  local_pam_users router 
17788 local_part=pkolmann domain=lukas.rudolfina.at
17788 checking domains
17788 lukas.rudolfina.at in @ : localhost : lukas.rudolfina.at? yes (matched 
@)
17788 checking for local user
17788 seeking password data for user pkolmann: using cached result
17788 getpwnam() succeeded uid=1002 gid=1002
17788 R: strip domain for local pam users
17788 calling local_pam_users router
17788 rda_interpret (string): ${local_part}
17788 expanded: pkolmann
17788 file is not a filter file
17788 parse_forward_list: pkolmann
17788 extract item: pkolmann
17788 local_pam_users router generated pkolm...@lukas.rudolfina.at
17788   errors_to=NULL transport=NULL
17788   uid=unset gid=unset home=NULL
17788 routed by local_pam_users router
17788   envelope to: pkolm...@lukas.rudolfina.at
17788   transport: none
17788 locking /var/spool/exim4/db/retry.lockfile
17788 locked /var/spool/exim4/db/retry.lockfile
17788 EXIM_DBOPEN(/var/spool/exim4/db/retry)
17788 returned from EXIM_DBOPEN
17788 opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
17788 
17788 Considering: pkolm...@lukas.rudolfina.at
17788 unique = \0\pkolm...@lukas.rudolfina.at
17788 dbfn_read: key=R:lukas.rudolfina.at
17788 dbfn_read: key=R:pkolm...@lukas.rudolfina.at
17788 dbfn_read: key=R:pkolm...@lukas.rudolfina.at:phil...@kolmann.at
17788 no domain retry record
17788 no address retry record
17788 pkolm...@lukas.rudolfina.at: queued for routing
17788 
17788 routing pkolm...@lukas.rudolfina.at
17788  local_user router 
17788 local_part=pkolmann domain=lukas.rudolfina.at
17788 checking domains
17788 search_open: mysql NULL
17788   cached open
17788 search_find: file=NULL
17788   key=SELECT domain FROM domain WHERE domain='lukas.rudolfina.at'; 
partial=-1 affix=NULL starflags=0
17788 LRU list:
17788   :/etc/aliases
17788   End
17788 internal_search_find: file=NULL
17788   type=mysql key=SELECT domain FROM domain WHERE 
domain='lukas.rudolfina.at';
17788 cached data used for lookup of SELECT domain FROM domain WHERE 
domain='lukas.rudolfina.at';
17788 lookup failed
17788 lukas.rudolfina.at in @:localhost:? yes (matched @)
17788 lukas.rudolfina.at in +local_domains? yes (matched +local_domains)
17788 checking local_parts
17788 pkolmann in ! root? yes (end of list)
17788 checking for local user
17788 seeking password data for user pkolmann: using cached result
17788 getpwnam() succeeded uid=1002 gid=1002
17788 R: local_user for pkolm...@lukas.rudolfina.at
17788 calling local_user router
17788 local_user router called for pkolm...@lukas.rudolfina.at
17788   domain = lukas.rudolfina.at
17788 set transport dovecot_lmtp
17788 queued for dovecot_lmtp transport: local_part = pkolmann
17788 domain = lukas.rudolfina.at
17788   errors_to=NULL
17788   domain_data=NULL localpart_data=NULL
17788 routed by local_user router
17788   envelope to: pkolm...@lukas.rudolfina.at
17788   transport: dovecot_lmtp
17788 
17788 After routing:
17788   Local deliveries:
17788 pkolm...@lukas.rudolfina.at
17788   Remote deliveries:
17788   Failed addresses:
17788   Deferred addresses:
17788 search_tidyup called
17788 close MYSQL connection: localhost/exim/exim
17788  Local deliveries 
17788  pkolm...@lukas.rudolfina.at 
17788 locking /var/spool/exim4/db/retry.lockfile
17788 locked /var/spool/exim4/db/retry.lockfile
17788 EXIM_DBOPEN(/var/spool/exim4/db/retry)
17788 returned from EXIM_DBOPEN
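A small parser for the kind of exim debug trace attached above, added here as an example (not from the thread and not part of Exim). It reports, for each address exim routed, which router accepted it, what a redirect router generated, and which transport the address was finally queued for; the condition it flags is the one visible in the trace, a redirect router whose bare local part was re-qualified with the domain so that the next router saw the same full address again. The trace embedded below is constructed for this example; the process id, user and domain are made up.

```python
"""Summarise Exim routing debug output (exim -d) per recipient address (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like the trace in the thread.
SAMPLE_TRACE = """\
17788 routing alice@mail.example.org
17788 --------> local_pam_users router <--------
17788 local_part=alice domain=mail.example.org
17788 checking domains
17788 mail.example.org in @ : localhost : mail.example.org? yes (matched @)
17788 checking for local user
17788 getpwnam() succeeded uid=1002 gid=1002
17788 R: strip domain for local pam users
17788 calling local_pam_users router
17788 rda_interpret (string): ${local_part}
17788 expanded: alice
17788 parse_forward_list: alice
17788 extract item: alice
17788 local_pam_users router generated alice@mail.example.org
17788   errors_to=NULL transport=NULL
17788 routed by local_pam_users router
17788   envelope to: alice@mail.example.org
17788   transport: none
17788 alice@mail.example.org: queued for routing
17788
17788 routing alice@mail.example.org
17788 --------> local_user router <--------
17788 local_part=alice domain=mail.example.org
17788 checking for local user
17788 getpwnam() succeeded uid=1002 gid=1002
17788 R: local_user for alice@mail.example.org
17788 calling local_user router
17788 local_user router called for alice@mail.example.org
17788   domain = mail.example.org
17788 set transport dovecot_lmtp
17788 queued for dovecot_lmtp transport: local_part = alice
17788 domain = mail.example.org
17788 routed by local_user router
17788   envelope to: alice@mail.example.org
17788   transport: dovecot_lmtp
"""

PID_PREFIX = re.compile(r"^\s*\d+\s?")   # leading exim process id on every trace line


@dataclass
class RoutingStep:
    """One 'routing <address>' block of the trace."""
    address: str
    router: Optional[str] = None                       # router that accepted the address
    generated: List[str] = field(default_factory=list)  # addresses a redirect router produced
    transport: Optional[str] = None                    # transport queued for, if any
    local_part: Optional[str] = None                   # local part handed to that transport
    domain: Optional[str] = None


def parse_routing_trace(trace: str) -> List[RoutingStep]:
    steps: List[RoutingStep] = []
    current: Optional[RoutingStep] = None
    for raw in trace.splitlines():
        line = PID_PREFIX.sub("", raw).strip()
        if (m := re.match(r"^routing (\S+)$", line)):
            current = RoutingStep(address=m.group(1))
            steps.append(current)
        elif current is None:
            continue
        elif (m := re.match(r"^(\S+) router generated (\S+)$", line)):
            current.generated.append(m.group(2))
        elif (m := re.match(r"^routed by (\S+) router$", line)):
            current.router = m.group(1)
        elif (m := re.match(r"^queued for (\S+) transport: local_part = (\S+)$", line)):
            current.transport, current.local_part = m.group(1), m.group(2)
        elif (m := re.match(r"^transport: (\S+)$", line)):
            current.transport = None if m.group(1) == "none" else m.group(1)
        elif (m := re.match(r"^domain = (\S+)$", line)):
            current.domain = m.group(1)
    return steps


def requalified_redirects(steps: List[RoutingStep]) -> List[str]:
    """Addresses where a redirect router produced exactly its own input: the bare
    local part it returned was qualified with the domain again, so stripping
    the domain achieved nothing."""
    return [s.address for s in steps
            if s.transport is None and s.generated == [s.address]]


def final_deliveries(steps: List[RoutingStep]) -> Dict[str, Tuple[str, Optional[str]]]:
    """address -> (transport, local_part) for steps that ended at a transport."""
    return {s.address: (s.transport, s.local_part) for s in steps if s.transport}


if __name__ == "__main__":
    parsed = parse_routing_trace(SAMPLE_TRACE)
    for step in parsed:
        print(f"{step.address}: router={step.router} generated={step.generated} "
              f"transport={step.transport} local_part={step.local_part}")
    print("re-qualified by redirect:", requalified_redirects(parsed))
```

Feed it the output of `exim -d+route -bt user@domain` (or the full -d log) to see at a glance that the address reaching the LMTP transport is still the qualified one, which is exactly why the domain-stripping router cannot help here.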

Re: [Dovecot] LMTP with virtual and system users

2013-12-29 Thread Eugene

Hello,

Personally, I think it is simpler and more convenient to migrate system 
users' mail to the virtual-user setup (i.e. two separate logins, e.g. 'user' 
for SSH and 'u...@domain.com' for mail).


Here are the relevant portions of my postfix config:

mydestination = localhost
local_recipient_maps =  $virtual_mailbox_maps  $virtual_alias_maps
mydomain = domain.com# your 'local' host/domain name
myhostname = domain.com  # your 'local' host/domain name
smtpd_recipient_restrictions = ., reject_unverified_recipient, .  # 
to do LMTP-based verification of incoming mail

unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/ext/mail/valias
virtual_mailbox_domains = hash:/usr/ext/mail/vdomains
virtual_transport = lmtp:unix:private/dovecot-lmtp

/usr/ext/mail/valias defines additional redirections like
postmas...@domain.com ad...@domain.com
r...@domain.com   ad...@domain.com

/usr/ext/mail/vdomains is an access-map file with records for supported 
domains, like:

domain.com OK

Also adjust 'root' record in /etc/mail/aliases to point to qualified admin's 
mail address (ad...@domain.com)


Best wishes
Eugene

-Original Message- 
From: Philipp Kolmann

Sent: Wednesday, December 25, 2013 11:16 AM
To: Dovecot Mailing List
Subject: [Dovecot] LMTP with virtual and system users

Hi,

I have a mailsystem where i have some local users with shell access and
full home dirs which receive mail and also several SQL virtual users
only for mail.
With the virtual users, everything works fine. Mail is delivered via
LMTP and also sieve works :)
The SQL Lookup knows what to do with usern...@domain.com

The problem is the system user. If exim delivers the mail to the lmtp
socket, the LMTPd can't find usern...@local.host
I would be able to specify the global auth_username_format=%n but then
my SQL queries break and I like the possibility to have x...@domain1.com
and x...@domain2.com routed to two different accounts.

As I have seen in the source, I can't specify username_format=%n in the
passdb {  driver = pam } backend. Do you have any suggestion how to
solve this issue?

thanks
Philipp




Re: [Dovecot] LMTP with virtual and system users

2013-12-26 Thread Adrian Zaugg
Hi Philipp

You can use exim to prepare the address as you wish: only the user name
for pam users and the full address for virtual users.

Configure a new router to strip the domain part for pam users:

local_pam_users:
debug_print = R: strip domain for local pam users
driver = redirect
check_local_user
domains = @ : localhost : ${primary_hostname}
data = ${local_part}
redirect_router = local_user

I'm not 100% sure of the domains condition; it should restrict the
router to your domain(s) where your pam users receive their email. The
redirect_router designates the router which routes your local deliveries
to your lmtp transport. Place the new router to run just before your
local_user router.

Since your config works for your virtual users, you don't need to do
anything in addition.

Regards, Adrian.


On 25.12.13 08:16, Philipp Kolmann wrote:
 Hi,
 
 I have a mailsystem where i have some local users with shell access and
 full home dirs which receive mail and also several SQL virtual users
 only for mail.
 With the virtual users, everything works fine. Mail is delivered via
 LMTP and also sieve works :)
 The SQL Lookup knows what to do with usern...@domain.com
 
 The problem is the system user. If exim delivers the mail to the lmtp
 socket, the LMTPd can't find usern...@local.host
 I would be able to specify the global auth_username_format=%n but then
 my SQL queries break and I like the possibility to have x...@domain1.com
 and x...@domain2.com routed to two different accounts.
 
 As I have seen in the source, I can't specify username_format=%n in the
 passdb {  driver = pam } backend. Do you have any suggestion how to
 solve this issue?
 
 thanks
 Philipp
 
 


[Dovecot] LMTP with virtual and system users

2013-12-24 Thread Philipp Kolmann

Hi,

I have a mailsystem where i have some local users with shell access and 
full home dirs which receive mail and also several SQL virtual users 
only for mail.
With the virtual users, everything works fine. Mail is delivered via 
LMTP and also sieve works :)

The SQL Lookup knows what to do with usern...@domain.com

The problem is the system user. If exim delivers the mail to the lmtp 
socket, the LMTPd can't find usern...@local.host
I would be able to specify the global auth_username_format=%n but then 
my SQL queries break and I like the possibility to have x...@domain1.com 
and x...@domain2.com routed to two different accounts.


As I have seen in the source, I can't specify username_format=%n in the 
passdb {  driver = pam } backend. Do you have any suggestion how to 
solve this issue?


thanks
Philipp


# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.3 
auth_debug = yes
auth_verbose = yes
first_valid_uid = 100
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox Sent Messages {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix = 
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  driver = pam
}
plugin {
  mail_log_fields = uid box msgid size from subject flags
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmas...@rudolfina.at
protocols =  imap lmtp sieve
service auth {
  unix_listener auth-client {
group = Debian-exim
mode = 0660
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl_cert = /etc/exim4/exim.crt
ssl_key = /etc/exim4/exim.key
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins =  quota sieve
}
protocol lda {
  mail_plugins =  sieve
}
protocol imap {
  mail_plugins =  quota
}
protocol sieve {
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}
user_query = \
  SELECT concat('maildir:/var/spool/virtual_mail/', mailbox,'/Maildir/') as 
mail, \
 concat('/var/spool/virtual_mail/', mailbox,'/') as home, \
 100 as uid, 102 as gid \
  FROM email \
  WHERE mailbox = '%u'

password_query = \
  SELECT mailbox as user, \
 boxpass as password \
  FROM email \
  WHERE mailbox = '%u'
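A model of the userdb lookup order in the dovecot.conf above, added here as an example (not part of the original post and not Dovecot code). It runs the posted user_query (MySQL concat() rewritten as || for SQLite, the '%u' placeholder bound as a query parameter) against an in-memory table, then falls through to a constructed passwd table the way userdb { sql } followed by userdb { passwd } does. It shows the two sides of the problem in the post: a system user's fully qualified address matches neither userdb, while a global auth_username_format of %n makes two virtual users that differ only in the domain indistinguishable. The rows, users and domains are constructed.

```python
"""Emulate Dovecot's sql-then-passwd userdb fallthrough for one address (added example)."""
import sqlite3
from typing import Dict, Optional

# Constructed stand-in for the 'email' table: (mailbox, boxpass).
VIRTUAL_ROWS = [
    ("alice@domain1.com", "secret1"),
    ("alice@domain2.com", "secret2"),
]

# Constructed stand-in for getpwnam(); on a real host use pwd.getpwnam().
SYSTEM_USERS = {
    "bob": {"uid": 1002, "gid": 1002, "home": "/home/bob"},
}

# user_query from the posted dovecot-sql.conf.ext, adapted for SQLite.
USER_QUERY = """
SELECT 'maildir:/var/spool/virtual_mail/' || mailbox || '/Maildir/' AS mail,
       '/var/spool/virtual_mail/' || mailbox || '/' AS home,
       100 AS uid, 102 AS gid
FROM email
WHERE mailbox = ?
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE email (mailbox TEXT PRIMARY KEY, boxpass TEXT)")
    conn.executemany("INSERT INTO email VALUES (?, ?)", VIRTUAL_ROWS)
    return conn


def format_username(user: str, fmt: str) -> str:
    """The subset of Dovecot %variables that matter here:
    %u = full user name, %n = part before '@', %d = part after '@'."""
    local, _, domain = user.partition("@")
    return fmt.replace("%u", user).replace("%n", local).replace("%d", domain)


def lookup_user(conn: sqlite3.Connection, user: str,
                auth_username_format: str = "%u") -> Optional[Dict]:
    """Apply auth_username_format, try userdb sql, then userdb passwd."""
    name = format_username(user, auth_username_format)
    row = conn.execute(USER_QUERY, (name,)).fetchone()
    if row is not None:
        mail, home, uid, gid = row
        return {"userdb": "sql", "user": name, "mail": mail,
                "home": home, "uid": uid, "gid": gid}
    pw = SYSTEM_USERS.get(name)
    if pw is not None:
        # mail_location = maildir:~/Maildir, with ~ taken from the passwd home
        return {"userdb": "passwd", "user": name,
                "mail": f"maildir:{pw['home']}/Maildir", **pw}
    return None


def distinguishable(conn: sqlite3.Connection, a: str, b: str,
                    auth_username_format: str = "%u") -> bool:
    """True if the two addresses resolve to different accounts under the format."""
    return (lookup_user(conn, a, auth_username_format)
            != lookup_user(conn, b, auth_username_format))


if __name__ == "__main__":
    db = build_db()
    for fmt in ("%u", "%n"):
        print(f"auth_username_format = {fmt}")
        for addr in ("bob@mail.example.org", "bob", "alice@domain1.com", "alice@domain2.com"):
            print(f"  {addr:>22} -> {lookup_user(db, addr, fmt)}")
```

With %u the qualified system-user address finds no row and no passwd entry, which is the LMTP failure in the post, while the bare name resolves through passwd; with %n the passwd lookup succeeds but alice@domain1.com and alice@domain2.com collapse into one name before the SQL query runs.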