Re: [Dovecot] LMTP with virtual and system users
On 07.01.14 13:21, Philipp Kolmann wrote:
> I didn't want to have lda SUID root...

Is this necessary? Exim calls the dovecot-lda as user $local_part, and if you set up your mail storage to have the right permissions, this should work without SUID. But maybe I'm wrong; anyway, in the wiki there is a section on how to use LDA without setting the process SUID:
http://wiki2.dovecot.org/LDA/Exim - towards the end of the page

Cheers, Adrian.
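An added pre-flight check for the point Adrian makes above (running dovecot-lda from the exim pipe transport as the recipient user, without a setuid-root binary); this is example code, not from the thread or from the Dovecot or Exim projects. It assumes the binary path from Adrian's transport (/usr/lib/dovecot/dovecot-lda) and a maildir store under $HOME/Maildir as in Philipp's mail_location; both are parameters or derived from the passwd entry, so adjust as needed.

```shell
#!/bin/sh
# Added example (not code from the thread): checks that a non-SUID LDA
# setup has what it needs. The transport runs dovecot-lda as $local_part,
# so the mail store must be writable by that user and by nobody else.

# is_setuid_root FILE -> 0 if FILE is owned by root with the setuid bit set
is_setuid_root() {
    [ -n "$(find "$1" -prune -user root -perm -4000 2>/dev/null)" ]
}

# maildir_ok DIR USER -> 0 if DIR exists, is owned by USER and is not
# group- or world-writable; a delivery running as USER then needs no
# elevated privileges to write there.
maildir_ok() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -user "$user" ! -perm -0002 ! -perm -0020 2>/dev/null)" ]
}

# lda_preflight USER [LDA_PATH] -> prints one line per check, returns 0
# only if every check passed. LDA_PATH defaults to the path Adrian used.
lda_preflight() {
    user=$1
    lda=${2:-/usr/lib/dovecot/dovecot-lda}   # assumed path, from the transport above
    rc=0
    home=$(getent passwd "$user" | cut -d: -f6)
    if [ -z "$home" ]; then
        echo "FAIL: no passwd entry for $user (check_local_user would decline)"
        return 1
    fi
    if is_setuid_root "$lda"; then
        echo "WARN: $lda is setuid root; the transport already runs it as $user"
        rc=1
    else
        echo "ok:   $lda is not setuid root"
    fi
    # Dovecot creates ~/Maildir on first delivery, so before that the home
    # directory itself is what the LDA needs to be able to write to.
    store=$home/Maildir
    [ -d "$store" ] || store=$home
    if maildir_ok "$store" "$user"; then
        echo "ok:   $store is owned by $user and not group/world-writable"
    else
        echo "FAIL: $store is not owned by $user or is writable by others"
        rc=1
    fi
    return $rc
}

# usage: sh lda_preflight.sh <user> [/path/to/dovecot-lda]
if [ $# -gt 0 ]; then
    lda_preflight "$@"
fi
```

Run it once per system user that receives mail; a WARN on the binary means the SUID bit can be dropped, and a FAIL on the store means the transport's user/group settings and the directory ownership disagree.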
Re: [Dovecot] LMTP with virtual and system users
Hi Adrian,

thanks for your reply. I have also thought in this direction already, but I didn't want to have lda SUID root...

I saw that the passwd-file passdb supports username_format as an argument. Would it be possible to add this feature also to the LMTP passdb driver?

thanks
Philipp

On 01/01/14 18:25, Adrian Zaugg wrote:
> Hi Philipp
>
> You are completely right, the proposed solution doesn't work. It seems exim always qualifies an address without a domain; I believe this is because LMTP requires that it get only qualified addresses (LMTP is based on SMTP, and the RFC, if I read it correctly, specifies it like this).
>
> So, another solution would be to use LDA for your local users and LMTP for the rest. The configuration for exim would be: a router and a transport for your local users using LDA, and your virtual users set up as you have it using LMTP.
>
>   local_user:
>     debug_print = R: local_user for $local_part@$domain
>     driver = accept
>     domains = @ : localhost : ${primary_hostname}
>     check_local_user
>     transport = dovecot_lda
>     cannot_route_message = Unknown user
>
>   dovecot_lda:
>     driver = pipe
>     command = /usr/lib/dovecot/dovecot-lda \
>       -f $sender_address \
>       -a $original_local_part@$original_domain
>     log_output
>     delivery_date_add
>     return_path_add
>     envelope_to_add
>     user = $local_part
>     group = mail
>     temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
>
> Please check man dovecot-lda and the dovecot wiki (http://wiki2.dovecot.org/LDA/Exim) for details. Also check the permissions you need for dovecot-lda to write to your mail spool (user and group options from the transport).
>
> I haven't tried the above, but I think it works like this ...
>
> Best regards, Adrian.
>
> On 30.12.13 09:40, Philipp Kolmann wrote:
>> Hi Adrian,
>>
>> On 26.12.2013 12:20, Adrian Zaugg wrote:
>>> You can use exim to prepare the address as you wish: only the user name for pam users and the full address for virtual users.
>>>
>>> Configure a new router to strip the domain part for pam users:
>>>
>>>   local_pam_users:
>>>     debug_print = R: strip domain for local pam users
>>>     driver = redirect
>>>     check_local_user
>>>     domains = @ : localhost : ${primary_hostname}
>>>     data = ${local_part}
>>>     redirect_router = local_user
>>>
>>> I'm not 100% sure of the domains condition; it should restrict the router to your domain(s) where your pam users receive their email. The redirect_router designates the router which routes your local deliveries to your lmtp transport. Place the new router to run just before your local_user router.
>>>
>>> Since your config works for your virtual users, you don't need to do anything in addition.
>>
>> I had tried this once already. I have used your snippet and attached the debug output from exim. Sadly it didn't work, because the lmtp process got the full email again and not just the username.
>>
>> thanks
>> Philipp
>>
>> --
>> ---
>> DI Mag. Philipp Kolmann                 mail: kolm...@zid.tuwien.ac.at
>> Technische Universitaet Wien            web:  www.zid.tuwien.ac.at
>> Zentraler Informatikdienst (ZID)        tel:  +43(1)58801-42011
>> Wiedner Hauptstr. 8-10, A-1040 Wien     DVR:  0005886
>> ---
Re: [Dovecot] LMTP with virtual and system users
Hi Philipp

You are completely right, the proposed solution doesn't work. It seems exim always qualifies an address without a domain; I believe this is because LMTP requires that it get only qualified addresses (LMTP is based on SMTP, and the RFC, if I read it correctly, specifies it like this).

So, another solution would be to use LDA for your local users and LMTP for the rest. The configuration for exim would be: a router and a transport for your local users using LDA, and your virtual users set up as you have it using LMTP.

  local_user:
    debug_print = R: local_user for $local_part@$domain
    driver = accept
    domains = @ : localhost : ${primary_hostname}
    check_local_user
    transport = dovecot_lda
    cannot_route_message = Unknown user

  dovecot_lda:
    driver = pipe
    command = /usr/lib/dovecot/dovecot-lda \
      -f $sender_address \
      -a $original_local_part@$original_domain
    log_output
    delivery_date_add
    return_path_add
    envelope_to_add
    user = $local_part
    group = mail
    temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78

Please check man dovecot-lda and the dovecot wiki (http://wiki2.dovecot.org/LDA/Exim) for details. Also check the permissions you need for dovecot-lda to write to your mail spool (user and group options from the transport).

I haven't tried the above, but I think it works like this ...

Best regards, Adrian.

On 30.12.13 09:40, Philipp Kolmann wrote:
> Hi Adrian,
>
> On 26.12.2013 12:20, Adrian Zaugg wrote:
>> You can use exim to prepare the address as you wish: only the user name for pam users and the full address for virtual users.
>>
>> Configure a new router to strip the domain part for pam users:
>>
>>   local_pam_users:
>>     debug_print = R: strip domain for local pam users
>>     driver = redirect
>>     check_local_user
>>     domains = @ : localhost : ${primary_hostname}
>>     data = ${local_part}
>>     redirect_router = local_user
>>
>> I'm not 100% sure of the domains condition; it should restrict the router to your domain(s) where your pam users receive their email. The redirect_router designates the router which routes your local deliveries to your lmtp transport. Place the new router to run just before your local_user router.
>>
>> Since your config works for your virtual users, you don't need to do anything in addition.
>
> I had tried this once already. I have used your snippet and attached the debug output from exim. Sadly it didn't work, because the lmtp process got the full email again and not just the username.
>
> thanks
> Philipp
Re: [Dovecot] LMTP with virtual and system users
Hi Adrian,

On 26.12.2013 12:20, Adrian Zaugg wrote:
> You can use exim to prepare the address as you wish: only the user name for pam users and the full address for virtual users.
>
> Configure a new router to strip the domain part for pam users:
>
>   local_pam_users:
>     debug_print = R: strip domain for local pam users
>     driver = redirect
>     check_local_user
>     domains = @ : localhost : ${primary_hostname}
>     data = ${local_part}
>     redirect_router = local_user
>
> I'm not 100% sure of the domains condition; it should restrict the router to your domain(s) where your pam users receive their email. The redirect_router designates the router which routes your local deliveries to your lmtp transport. Place the new router to run just before your local_user router.
>
> Since your config works for your virtual users, you don't need to do anything in addition.

I had tried this once already. I have used your snippet and attached the debug output from exim. Sadly it didn't work, because the lmtp process got the full email again and not just the username.

thanks
Philipp

--
---
DI Mag. Philipp Kolmann                 mail: kolm...@zid.tuwien.ac.at
Technische Universitaet Wien            web:  www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID)        tel:  +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 Wien     DVR:  0005886
---

Attachment (exim debug output):

17788 local_pam_users router
17788 local_part=pkolmann domain=lukas.rudolfina.at
17788 checking domains
17788 lukas.rudolfina.at in @ : localhost : lukas.rudolfina.at? yes (matched @)
17788 checking for local user
17788 seeking password data for user pkolmann: using cached result
17788 getpwnam() succeeded uid=1002 gid=1002
17788 R: strip domain for local pam users
17788 calling local_pam_users router
17788 rda_interpret (string): ${local_part}
17788 expanded: pkolmann
17788 file is not a filter file
17788 parse_forward_list: pkolmann
17788 extract item: pkolmann
17788 local_pam_users router generated pkolm...@lukas.rudolfina.at
17788 errors_to=NULL transport=NULL
17788 uid=unset gid=unset home=NULL
17788 routed by local_pam_users router
17788 envelope to: pkolm...@lukas.rudolfina.at
17788 transport: none
17788 locking /var/spool/exim4/db/retry.lockfile
17788 locked /var/spool/exim4/db/retry.lockfile
17788 EXIM_DBOPEN(/var/spool/exim4/db/retry)
17788 returned from EXIM_DBOPEN
17788 opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
17788
17788 Considering: pkolm...@lukas.rudolfina.at
17788 unique = \0\pkolm...@lukas.rudolfina.at
17788 dbfn_read: key=R:lukas.rudolfina.at
17788 dbfn_read: key=R:pkolm...@lukas.rudolfina.at
17788 dbfn_read: key=R:pkolm...@lukas.rudolfina.at:phil...@kolmann.at
17788 no domain retry record
17788 no address retry record
17788 pkolm...@lukas.rudolfina.at: queued for routing
17788
17788 routing pkolm...@lukas.rudolfina.at
17788 local_user router
17788 local_part=pkolmann domain=lukas.rudolfina.at
17788 checking domains
17788 search_open: mysql NULL
17788 cached open
17788 search_find: file=NULL
17788 key=SELECT domain FROM domain WHERE domain='lukas.rudolfina.at'; partial=-1 affix=NULL starflags=0
17788 LRU list:
17788 :/etc/aliases
17788 End
17788 internal_search_find: file=NULL
17788 type=mysql key=SELECT domain FROM domain WHERE domain='lukas.rudolfina.at';
17788 cached data used for lookup of SELECT domain FROM domain WHERE domain='lukas.rudolfina.at';
17788 lookup failed
17788 lukas.rudolfina.at in @:localhost:? yes (matched @)
17788 lukas.rudolfina.at in +local_domains? yes (matched +local_domains)
17788 checking local_parts
17788 pkolmann in ! root? yes (end of list)
17788 checking for local user
17788 seeking password data for user pkolmann: using cached result
17788 getpwnam() succeeded uid=1002 gid=1002
17788 R: local_user for pkolm...@lukas.rudolfina.at
17788 calling local_user router
17788 local_user router called for pkolm...@lukas.rudolfina.at
17788 domain = lukas.rudolfina.at
17788 set transport dovecot_lmtp
17788 queued for dovecot_lmtp transport: local_part = pkolmann
17788 domain = lukas.rudolfina.at
17788 errors_to=NULL
17788 domain_data=NULL localpart_data=NULL
17788 routed by local_user router
17788 envelope to: pkolm...@lukas.rudolfina.at
17788 transport: dovecot_lmtp
17788
17788 After routing:
17788 Local deliveries:
17788 pkolm...@lukas.rudolfina.at
17788 Remote deliveries:
17788 Failed addresses:
17788 Deferred addresses:
17788 search_tidyup called
17788 close MYSQL connection: localhost/exim/exim
17788 Local deliveries
17788 pkolm...@lukas.rudolfina.at
17788 locking /var/spool/exim4/db/retry.lockfile
17788 locked /var/spool/exim4/db/retry.lockfile
17788 EXIM_DBOPEN(/var/spool/exim4/db/retry)
17788 returned from EXIM_DBOPEN
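An added example for reading traces like the one attached above; this is not code from the thread or from exim. It walks the routing part of an "exim -d" trace and records, for each router that accepted the address, what it was called with, what a redirect router's data expanded to, which address exim actually generated from that expansion, and which transport a later router set. The embedded trace is constructed to mirror the shape of Philipp's debug output (same router and transport names, same line wording) with the placeholder mailbox alice@example.org in place of the real address.

```python
# Added example (not code from the thread, exim or dovecot): parse the
# routing section of an "exim -d" trace and explain why a redirect router
# that expands to a bare local part does not hand a bare local part on.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the trace in the thread; alice@example.org
# is a placeholder address, the router/transport names are the thread's.
SAMPLE_TRACE = """\
17788 local_pam_users router
17788   local_part=alice domain=example.org
17788 checking domains
17788 example.org in @ : localhost : example.org? yes (matched @)
17788 checking for local user
17788 getpwnam() succeeded uid=1002 gid=1002
17788 R: strip domain for local pam users
17788 calling local_pam_users router
17788 rda_interpret (string): ${local_part}
17788 expanded: alice
17788 parse_forward_list: alice
17788 extract item: alice
17788 local_pam_users router generated alice@example.org
17788 routed by local_pam_users router
17788   envelope to: alice@example.org
17788   transport: none
17788 routing alice@example.org
17788 local_user router
17788   local_part=alice domain=example.org
17788 example.org in +local_domains? yes (matched +local_domains)
17788 R: local_user for alice@example.org
17788 calling local_user router
17788 local_user router called for alice@example.org
17788 set transport dovecot_lmtp
17788 queued for dovecot_lmtp transport: local_part = alice
17788 routed by local_user router
17788   envelope to: alice@example.org
17788   transport: dovecot_lmtp
"""


@dataclass
class RouterHit:
    router: str
    local_part: str = ""
    domain: str = ""
    redirect_data: Optional[str] = None  # what a redirect router's "data" expanded to
    generated: Optional[str] = None      # the address exim then built from it
    transport: Optional[str] = None      # transport set by this router, if any


_PID = re.compile(r"^\d+\s?")            # exim prefixes each debug line with its pid
_ROUTER = re.compile(r"^(\S+) router$")
_ADDRESS = re.compile(r"^local_part=(\S+) domain=(\S+)$")
_EXPANDED = re.compile(r"^expanded: (.*)$")
_GENERATED = re.compile(r"^(\S+) router generated (\S+)$")
_TRANSPORT = re.compile(r"^set transport (\S+)$")
_ROUTED = re.compile(r"^routed by (\S+) router$")


def parse_routing_trace(trace: str) -> List[RouterHit]:
    """One RouterHit per router that exim reports as having routed the address."""
    hits: List[RouterHit] = []
    current: Optional[RouterHit] = None
    for raw in trace.splitlines():
        line = _PID.sub("", raw).strip()
        m = _ROUTER.match(line)
        if m:                                  # a router starts being considered
            current = RouterHit(router=m.group(1))
            continue
        if current is None:
            continue
        m = _ADDRESS.match(line)
        if m:
            current.local_part, current.domain = m.group(1), m.group(2)
            continue
        m = _EXPANDED.match(line)
        if m:
            current.redirect_data = m.group(1)
            continue
        m = _GENERATED.match(line)
        if m and m.group(1) == current.router:
            current.generated = m.group(2)
            continue
        m = _TRANSPORT.match(line)
        if m:
            current.transport = m.group(1)
            continue
        m = _ROUTED.match(line)
        if m and m.group(1) == current.router:  # router accepted the address
            hits.append(current)
            current = None
    return hits


def explain_requalification(hits: List[RouterHit]) -> Optional[str]:
    """Report a redirect whose data had no domain but whose generated address
    does, plus the router/transport that finally took the message; None if
    the trace shows no such re-qualification."""
    for i, hit in enumerate(hits):
        if hit.redirect_data is None or hit.generated is None:
            continue
        if "@" in hit.redirect_data or "@" not in hit.generated:
            continue
        final = next((h for h in hits[i + 1:] if h.transport), None)
        tail = (f"; {final.router} then routed it to transport {final.transport}"
                if final else "")
        return (f"{hit.router} expanded its data to '{hit.redirect_data}' "
                f"but exim generated '{hit.generated}'{tail}")
    return None


if __name__ == "__main__":
    for h in parse_routing_trace(SAMPLE_TRACE):
        print(h)
    print(explain_requalification(parse_routing_trace(SAMPLE_TRACE)))
```

Feed it the real attachment (`python3 trace.py < exim.debug`, after swapping SAMPLE_TRACE for sys.stdin.read()) and the finding line shows at a glance that the redirect produced a bare local part, exim re-qualified it, and the LMTP transport was still handed a full address.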
Re: [Dovecot] LMTP with virtual and system users
Hello,

Personally, I think it is simpler and more convenient to migrate system users' mail to the virtual-user setup (i.e. two separate logins, e.g. 'user' for SSH and 'u...@domain.com' for mail).

Here are the relevant portions of my postfix config:

  mydestination = localhost
  local_recipient_maps = $virtual_mailbox_maps $virtual_alias_maps
  # your 'local' host/domain name
  mydomain = domain.com
  myhostname = domain.com
  # reject_unverified_recipient does LMTP-based verification of incoming mail
  smtpd_recipient_restrictions = ..., reject_unverified_recipient, ...
  unknown_local_recipient_reject_code = 550
  unverified_recipient_reject_code = 550
  virtual_alias_maps = hash:/usr/ext/mail/valias
  virtual_mailbox_domains = hash:/usr/ext/mail/vdomains
  virtual_transport = lmtp:unix:private/dovecot-lmtp

/usr/ext/mail/valias defines additional redirections like

  postmas...@domain.com   ad...@domain.com
  r...@domain.com         ad...@domain.com

/usr/ext/mail/vdomains is an access-map file with records for supported domains, like:

  domain.com   OK

Also adjust the 'root' record in /etc/mail/aliases to point to the qualified admin's mail address (ad...@domain.com).

Best wishes
Eugene

-----Original Message-----
From: Philipp Kolmann
Sent: Wednesday, December 25, 2013 11:16 AM
To: Dovecot Mailing List
Subject: [Dovecot] LMTP with virtual and system users

> Hi,
>
> I have a mail system where I have some local users with shell access and full home dirs which receive mail, and also several SQL virtual users only for mail.
>
> With the virtual users, everything works fine. Mail is delivered via LMTP and also sieve works :) The SQL lookup knows what to do with usern...@domain.com
>
> The problem is the system user. If exim delivers the mail to the lmtp socket, the LMTPd can't find usern...@local.host
>
> I would be able to specify the global auth_username_format=%n but then my SQL queries break, and I like the possibility to have x...@domain1.com and x...@domain2.com routed to two different accounts.
>
> As I have seen in the source, I can't specify username_format=%n in the passdb { driver = pam } backend.
>
> Do you have any suggestion how to solve this issue?
>
> thanks
> Philipp
Re: [Dovecot] LMTP with virtual and system users
Hi Philipp

You can use exim to prepare the address as you wish: only the user name for pam users and the full address for virtual users.

Configure a new router to strip the domain part for pam users:

  local_pam_users:
    debug_print = R: strip domain for local pam users
    driver = redirect
    check_local_user
    domains = @ : localhost : ${primary_hostname}
    data = ${local_part}
    redirect_router = local_user

I'm not 100% sure of the domains condition; it should restrict the router to your domain(s) where your pam users receive their email. The redirect_router designates the router which routes your local deliveries to your lmtp transport. Place the new router to run just before your local_user router.

Since your config works for your virtual users, you don't need to do anything in addition.

Regards, Adrian.

On 25.12.13 08:16, Philipp Kolmann wrote:
> Hi,
>
> I have a mail system where I have some local users with shell access and full home dirs which receive mail, and also several SQL virtual users only for mail.
>
> With the virtual users, everything works fine. Mail is delivered via LMTP and also sieve works :) The SQL lookup knows what to do with usern...@domain.com
>
> The problem is the system user. If exim delivers the mail to the lmtp socket, the LMTPd can't find usern...@local.host
>
> I would be able to specify the global auth_username_format=%n but then my SQL queries break, and I like the possibility to have x...@domain1.com and x...@domain2.com routed to two different accounts.
>
> As I have seen in the source, I can't specify username_format=%n in the passdb { driver = pam } backend.
>
> Do you have any suggestion how to solve this issue?
>
> thanks
> Philipp
[Dovecot] LMTP with virtual and system users
Hi,

I have a mail system where I have some local users with shell access and full home dirs which receive mail, and also several SQL virtual users only for mail.

With the virtual users, everything works fine. Mail is delivered via LMTP and also sieve works :) The SQL lookup knows what to do with usern...@domain.com

The problem is the system user. If exim delivers the mail to the lmtp socket, the LMTPd can't find usern...@local.host

I would be able to specify the global auth_username_format=%n but then my SQL queries break, and I like the possibility to have x...@domain1.com and x...@domain2.com routed to two different accounts.

As I have seen in the source, I can't specify username_format=%n in the passdb { driver = pam } backend.

Do you have any suggestion how to solve this issue?

thanks
Philipp

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-686-pae i686 Debian 7.3
auth_debug = yes
auth_verbose = yes
first_valid_uid = 100
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_debug = yes
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  driver = pam
}
plugin {
  mail_log_fields = uid box msgid size from subject flags
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmas...@rudolfina.at
protocols = imap lmtp sieve
service auth {
  unix_listener auth-client {
    group = Debian-exim
    mode = 0660
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl_cert = </etc/exim4/exim.crt
ssl_key = </etc/exim4/exim.key
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins = quota sieve
}
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  mail_plugins = quota
}
protocol sieve {
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}

user_query = \
  SELECT concat('maildir:/var/spool/virtual_mail/', mailbox, '/Maildir/') as mail, \
    concat('/var/spool/virtual_mail/', mailbox, '/') as home, \
    100 as uid, 102 as gid \
  FROM email \
  WHERE mailbox = '%u'
password_query = \
  SELECT mailbox as user, \
    boxpass as password \
  FROM email \
  WHERE mailbox = '%u'