doveadm_allowed_commands doesn't work as expected
Ronald Poon
ronaldpoon at ud.hk
Thu Jan 3 22:45:23 EET 2019
I am trying to limit the API calls available through doveadm-http-api by
configuring doveadm_allowed_commands, but once commands are added to the
list, the REST API no longer works.
1) The API returns the correct reply when doveadm_allowed_commands is empty:
# curl -k -H "Content-Type: application/json" -H "Authorization:
X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1
-d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'
[["doveadmResponse",[{"root":"User quota","type":"STORAGE","value":"0","limit":"1024","percent":"0"},{"root":"User quota","type":"MESSAGE","value":"0","limit":"-","percent":"0"}],"c01"]]
2) The API returns unAuthorized when doveadm_allowed_commands =
quotaGet,quotaRecalc,expunge:
# curl -k -H "Content-Type: application/json" -H "Authorization:
X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1
-d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'
[["error",{"type":"unAuthorized", "exitCode":0},"c01"]]
Here is my configuration:
# uname -a
Linux ad92422d8e94 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47
UTC 2018 x86_64 Linux
# free -m
total used free shared buffers cached
Mem: 15885 7133 8751 0 1 4374
-/+ buffers/cache: 2758 13126
Swap: 0 0 0
/ # dovecot -n
# 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.2 (7704de5e)
# OS: Linux 3.10.0-862.2.3.el7.x86_64 x86_64 xfs
# Hostname: ad92422d8e94
auth_mechanisms = plain login
doveadm_allowed_commands = quotaGet,quotaRecalc,expunge
doveadm_api_key = # hidden, use -P to show it
hostname = mailhost.mydomain.com
info_log_path = /dev/stdout
lda_mailbox_autosubscribe = yes
log_path = /dev/stderr
login_greeting = Dovecot ready.
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:/var/vmail/%d/%n/Maildir
mail_plugins = " quota zlib"
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
plugin {
imapsieve_mailbox1_before =
file:/etc/dovecot/sieve/global/learn-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before =
file:/etc/dovecot/sieve/global/learn-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = *
quota = maildir:User quota
quota_exceeded_message = User %u has exhausted allowed storage space.
recipient_delimiter = -
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_before = /etc/dovecot/sieve/global/spam-to-folder.sieve
sieve_global_extensions = +vnd.dovecot.pipe
sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
sieve_pipe_exec_timeout = 60s
sieve_plugins = sieve_imapsieve sieve_extprograms
zlib_save = gz
zlib_save_level = 6
}
postmaster_address = postmaster@mydomain.com
protocols = lmtp imap pop3 sieve
recipient_delimiter = -
service auth {
inet_listener {
port = 9000
}
}
service doveadm {
client_limit = 1
drop_priv_before_exec = no
executable = doveadm-server
extra_groups = $default_internal_group
inet_listener http {
port = 9088
ssl = yes
}
service_count = 1
}
service lmtp {
inet_listener lmtp {
port = 24
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
ssl_cert = </etc/tls/mailserver.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
submission_host = mta-host.mydomain.com
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
protocol lmtp {
mail_plugins = " quota zlib sieve"
}
protocol imap {
mail_plugins = " quota zlib imap_sieve imap_quota imap_zlib"
}