Am 29.08.2019 um 11:58 schrieb R.N.S. via dovecot dovecot@dovecot.org:
Am 29.08.2019 um 11:30 schrieb R.N.S. via dovecot dovecot@dovecot.org:
Am 29.08.2019 um 11:23 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
On 29.8.2019 12.18, R.N.S. via dovecot wrote:
Am 28.08.2019 um 20:02 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
On 28/08/2019 21:01 R.N.S. via dovecot dovecot@dovecot.org wrote:
> Am 28.08.2019 um 19:46 schrieb Jakobus Schürz via dovecot dovecot@dovecot.org: > > I think, i had the same problem as you. > > When dovecot runs lmtp, no user is logged in, so there is no user from > which you can get groups. So i think, my solution is (not really sure, > if this is right, it's a long time ago, i played around) this transport > in exim for local delivery > > dovecot_delivery:
> debug_print = "T: dovecot_delivery_pipe for $local_part@$domain > translates to GET_LOCAL_MAIL" > driver = pipe
> command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL" > message_prefix = > message_suffix = > delivery_date_add > envelope_to_add
> return_path_add
> log_output > user = MAILUSER > group = MAILUSER > > I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and > MAILUSER are makros which get the email-adress and the mailuser for the > receiving emailadress. > > GET_LOCAL_MAIL could be $local_part@$domain > MAILUSER is vmail in my setup, the user who owns all mailboxes > > /usr/lib/dovecot/deliver is an alternative for the lmtp-delivery. Unfortunately this way Postfix and Dovecot need to run on the same host.I wonder, if this is a LMTP or Sieve issue. Maybe something can be done in sieve configuration to solve this?
Is there nobody from @Dovecot who could give some feedback :-) please :-)
Thanks
Christian It could be possible to solve this with auth lua script that would allow returning the acl groups as a string, instead of using post-login script. I finally got it working with Lua.
Changes to the auth-ldap.conf.ext file:
userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext
# Fetch acl_groups from LDAP with the Lua userdb script skip = never result_success = continue result_failure = return-fail
# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }
I created this auth-lua.conf.ext:
# https://wiki.dovecot.org/AuthDatabase/Lua
userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }
I added it in 10-auth.conf behind the LDAP auth include statement.
The Lua script looks like this:
require('io')
function auth_userdb_lookup(req) local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret" local base = "ou=people,ou=it,dc=roessner-net,dc=de" local binddn = "cn=dovecot," .. base
local cmd = [=[ /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup |
grep rnsMSACLGroup |
awk -vORS=, '{ print \$2 }' |
sed 's/,$/\n/'" ]=]cmd = cmd:gsub('$(%w+)', { bindpwfile = bindpwfile }) cmd = cmd:gsub('$(%w+)', { binddn = binddn }) cmd = cmd:gsub('$(%w+)', { base = base }) cmd = cmd:gsub('$(%w+)', { user = req.user })
local handle = io.popen(cmd) local acl_groups = handle:read("*a")
return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups end
function script_init() return 0 end
function script_deinit() end
-- vim: expandtab ts=2 sw=2
And this works for me :-)
Many thanks
Christian
There really is no LDAP module for your LUA?
I was too early with success :-(
Even the doveadm acl debug command shows that I would have all rights, mails are insert into the INBOX :-(
... doveadm(lists@srvint.net): Info: User lists@srvint.net has rights: lookup read write write-seen write-deleted insert post expunge doveadm(lists@srvint.net): Info: Mailbox found from dovecot-acl-list doveadm(lists@srvint.net): Info: Mailbox is in public namespace doveadm(lists@srvint.net): Info: Mailbox Public/Mailinglisten/Dovecot is visible in LIST
Why can't LMTP/Sieve insert the Mail to that place?
If I use a LDAP attribute with a comma separated list in the dovecot-ldap.conf.ext file, everything works. So what is different to the second Lua backend?
It is really a pain that acl_groups does not simply support multi values.
Maybe I will spend some more time for the Lua LDAP module, but for now, it is really frustrating.
Have been minor issues in the Lua script. I now will spend some time to dive into the Lua-LDAP module. For now, the posted solution works.
If I have a module that talks directly to LDAP, I will return later here and post the results.
Christian
This version uses lualdap:
require('io') local ldap = require "lualdap" assert(ldap)
-- Global LDAP settings local uri = "ldap://db.roessner-net.de" local cacertfile = "/etc/ssl/certs/rnscacert.pem" local base = "ou=people,ou=it,dc=roessner-net,dc=de" local binddn = "cn=dovecot," .. base local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret" local attrs = "rnsMSACLGroup" local filter = "(rnsMSRecipientAddress=$user)"
function auth_userdb_lookup(req)
-- read bind password local handle = io.open(bindpwfile) local password = handle:read("*all") handle:close()
-- connect to LDAP local session, err = ldap.open_simple({ uri = uri, who = binddn, password = password, starttls = true, cacertfile = cacertfile }) assert(err == nil) assert(session)
-- read acl_groups from LDAP local acl_groups = nil for dn, attribs in session:search{ attrs = attrs, base = base, scope = "sub", filter = filter:gsub('$(%w+)', { user = req.user }) } do for name, values in pairs(attribs) do if type(values) == "string" then acl_groups = values elseif type(values) == "table" then acl_groups = table.concat(values, ",") end end end
dovecot.i_info("user=" .. req.user .. " acl_groups=" .. acl_groups)
return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups end
function script_init() return 0 end
function script_deinit() end
-- vim: expandtab ts=2 sw=2
Have fun
Christian