[Dovecot] Static userdb with LDAP passdb but without "allow_all_users=yes"?

Andreas Ntaflos daff at dword.org
Thu Nov 25 20:31:31 EET 2010 

Hi, 

Is it possible to have a static user database along with an LDAP 
password database and *not* be forced to set "allow_all_users=yes" for 
the userdb? 

The wiki page on static user database says "Normally static userdb 
handles this by doing a passdb lookup instead." How should the passdb 
behave in order for this to work?

In my tests (on a test server) I am using Dovecot 2.0.7 and Postfix 
2.7.0 on Ubuntu 10.04.1. I use (or am trying to use) LMTP with Dovecot 
and Postfix according to the HOWTO in the wiki [1] as well as dynamic 
address verification with LMTP [2]. Users are virtual, using a static 
userdb and passwords from LDAP. I also serve local system users which is 
why I also have userdb and passdb pam, but this isn't the issue here.

Delivering mail to an existing virtual user works fine as far as I can 
see but when a non-existent user is the recipient Dovecot complains that 
the passdb doesn't support lookups:

postfix/smtpd[26469]: connect from remote-smtp.example.net[10.0.0.10]
postfix/cleanup[26474]: 772A760B25: message-
id=<20101125172409.772A760B25 at mailtest.example.com>
postfix/qmgr[27672]: 772A760B25: from=<double-
bounce at mailtest.example.com>, size=276, nrcpt=1 (queue active)
dovecot: lmtp(22109): Connect from local
dovecot: auth: Error: static(not-a-user at test01.example.com): passdb 
doesn't support lookups, can't verify user's existence
dovecot: lmtp(22109): Error: user not-a-user at test01.example.com: Auth 
USER lookup failed
dovecot: lmtp(22109): Disconnect from local: Client quit
postfix/lmtp[26475]: 772A760B25: to=<not-a-user at test01.example.com>, 
relay=mailtest.example.com[private/dovecot-lmtp], delay=0.18, 
delays=0.17/0.01/0/0, dsn=4.3.0, status=undeliverable (host 
mailtest.example.com[private/dovecot-lmtp] said: 451 4.3.0 <not-a-
user at test01.example.com> Internal error occurred. Refer to server log 
for more information. (in reply to RCPT TO command))
postfix/qmgr[27672]: 772A760B25: removed
postfix/smtpd[26469]: NOQUEUE: reject: RCPT from remote-
smtp.example.net[10.0.0.10]: 450 4.1.1 <not-a-user at test01.example.com>: 
Recipient address rejected: unverified address: ho
st mailtest.example.com[private/dovecot-lmtp] said: 451 4.3.0 <not-a-
user at test01.example.com> Internal error occurred. Refer to server log 
for more information. (in reply to RCPT TO command); 
from=<andreas.ntaflos at example.net> to=<not-a-user at test01.example.com> 
proto=ESMTP helo=<remote-smtp.example.net>
postfix/smtpd[26469]: disconnect from remote-smtp.example.net[10.0.0.10] 

I've uploaded this log file excerpt for your viewing convenience to  
https://daff.pseudoterminal.org/misc/dovecot/failed_delivery.log 
More relevant information (doveconf -n, dovecot-ldap.conf) is found 
below. I can also provide a log excerpt from a successful delivery to an 
existing virtual user, if needed.

To summarise: I want to use LMTP, dynamic address verification, a static 
user database and an LDAP password database. Can it be done without 
having to rely on the MTA (Postfix) to verify existing users?

Thanks in advance!

Andreas

[1] http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
[2] http://wiki2.dovecot.org/LDA/Postfix

dovecot-ldap.conf:
uris = ldap://ldap.example.com:389
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
base = ou=virtualDomains,dc=example,dc=com
dn = uid=dovecot,ou=services,dc=example,dc=com
dnpass = xxx

pass_attrs=uid=user, userPassword=password
pass_filter=(&(objectClass=hostedAccount)(uid=%u)(accountEnabled=TRUE))

iterate_attrs = uid=user
iterate_filter = (objectClass=hostedAccount)

doveconf -n:
https://daff.pseudoterminal.org/misc/dovecot/doveconf-n.txt
-- 
Andreas Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://dovecot.org/pipermail/dovecot/attachments/20101125/73899c24/attachment-0001.bin

More information about the dovecot mailing list