[Dovecot] How to bypass checking of system users by virtual users?
Hi, I have one real domain (abusar.org) and the others are
virtual. So I configured dovecot.conf as the following:
# for abusar.org, real domain
mail_location = mbox:~/.mail/:INBOX=/var/mail/%n

# for the remaining virtual domains
userdb static {
args = uid=17 gid=17 home=/var/spool/virtual/%d/.home/%n mail=mbox:/var/spool/virtual/%d/home/%n:INBOX=/var/spool/virtual/%d/%n
}
passdb passwd-file {
args = username_format=%n /etc/virtual/%d/passwd
}
***
Everything works perfectly except for the fact that when virtual users authenticate, dovecot uses the configuration for real users first and then authenticates successfully with the virtual configuration, generating those annoying log error messages:
Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=belforts@ragio.com.br rhost=201.6.150.188
Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=belforts@telecomex.com.br rhost=201.6.150.188
Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info@mostrasocioambiental.com.br rhost=201.6.150.188
Oct 3 03:12:00 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 3 03:12:00 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=comprovante@ragio.com.br rhost=200.204.124.212
These messages happen because dovecot is trying to check virtual users in the system password file (which just contains real users and not virtual users).
So is there a way to force it to check virtual users just on
the /etc/virtual/%d/passwd? I mean, if the domain is the real one, abusar.org, or it doesn't have a domain, it will check in the system passwords, but if it's some other domain except abusar.org, it should skip checking system passwords and check directly in the /etc/virtual/%d/passwd.
I just don't know how to do that.
Any hints? Thank you!
-- Linux 2.6.27-rc8: Rotary Wombat http://u-br.net
On Fri, 2008-10-03 at 03:22 -0300, Dâniel Fraga wrote:
> These messages happen because dovecot is trying to check virtual users in the system password file (which just contains real users and not virtual users).
> So is there a way to force it to check virtual users just on the /etc/virtual/%d/passwd? I mean, if the domain is the real one, abusar.org, or it doesn't have a domain, it will check in the system passwords, but if it's some other domain except abusar.org, it should skip checking system passwords and check directly in the /etc/virtual/%d/passwd.
You can't really tell that to Dovecot, but you could move passdb passwd-file {} before passdb pam {} so it'll first check the virtual users and you'll avoid the PAM messages.
On Sun, 05 Oct 2008 14:26:26 +0300 Timo Sirainen tss@iki.fi wrote:
> You can't really tell that to Dovecot, but you could move passdb passwd-file {} before passdb pam {} so it'll first check the virtual users and you'll avoid the PAM messages.
Ok, I would see fewer error messages, since there are more virtual users than real ones, but do you agree with me that I would keep seeing some error messages when real users try to authenticate? Because then, real users would be checked first against virtual passwd, giving the error.
Or not?
Thanks.
--
On Sun, 2008-10-05 at 12:52 -0300, Dâniel Fraga wrote:
> On Sun, 05 Oct 2008 14:26:26 +0300 Timo Sirainen tss@iki.fi wrote:
>> You can't really tell that to Dovecot, but you could move passdb passwd-file {} before passdb pam {} so it'll first check the virtual users and you'll avoid the PAM messages.
> Ok, I would see fewer error messages, since there are more virtual users than real ones, but do you agree with me that I would keep seeing some error messages when real users try to authenticate? Because then, real users would be checked first against virtual passwd, giving the error.
If you don't set auth_debug=yes (and auth_verbose=yes? I'm not sure), you won't see any error messages when real users log in.
On Sun, 05 Oct 2008 18:59:10 +0300 Timo Sirainen tss@iki.fi wrote:
> If you don't set auth_debug=yes (and auth_verbose=yes? I'm not sure), you won't see any error messages when real users log in.
Would you believe that when I switch the order of the real/virtual users authentication configuration, the real users do not receive email anymore? I mean, the mail is in the mailbox, but dovecot returns 0 new messages. So I have to keep the real users checking first, before virtual users, otherwise it won't work for real users.
Strange, isn't it?
########### real
userdb passwd { }
passdb pam { }
############ virtual
userdb static {
args = uid=17 gid=17 home=/var/spool/virtual/%d/.home/%n mail=mbox:/var/spool/virtual/%d/home/%n:INBOX=/var/spool/virtual/%d/%n
}
passdb passwd-file {
args = username_format=%n /etc/virtual/%d/passwd
}
***
The above works, but the opposite, no.
--
On Sun, 2008-10-05 at 13:27 -0300, Dâniel Fraga wrote:
> On Sun, 05 Oct 2008 18:59:10 +0300 Timo Sirainen tss@iki.fi wrote:
>> If you don't set auth_debug=yes (and auth_verbose=yes? I'm not sure), you won't see any error messages when real users log in.
> Would you believe that when I switch the order of the real/virtual users authentication configuration, the real users do not receive email anymore? I mean, the mail is in the mailbox, but dovecot returns 0 new messages. So I have to keep the real users checking first, before virtual users, otherwise it won't work for real users.
> Strange, isn't it?
You probably also moved userdb static before userdb passwd, causing Dovecot to always use userdb static for everyone. So the order you want is:
- passdb passwd-file
- passdb pam
- userdb passwd
- userdb static
On Sun, 05 Oct 2008 19:31:20 +0300 Timo Sirainen tss@iki.fi wrote:
> You probably also moved userdb static before userdb passwd, causing Dovecot to always use userdb static for everyone. So the order you want is:
> - passdb passwd-file
> - passdb pam
> - userdb passwd
> - userdb static
Thank you very much! This order definitely solved the problem ;)
--
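
The ordering effects discussed in this thread, as an added example that is not part of the original posts and not Dovecot's own code: a simplified Python model of first-match passdb/userdb chains, run against the three orderings the thread mentions. The users, passwords and `example.net` are constructed, and the silent passwd-file miss is an assumption taken from the reply about auth_debug.

```python
# Simplified model of Dovecot's first-match passdb/userdb chains.
# All users, passwords and the example.net domain are constructed.
SYSTEM_USERS = {"alice": "pw-a"}                   # stands in for PAM + /etc/passwd
VIRTUAL_USERS = {("bob", "example.net"): "pw-b"}   # stands in for /etc/virtual/%d/passwd

def split(login):
    name, _, domain = login.partition("@")
    return name, domain

def passdb_pam(login, password, log):
    if SYSTEM_USERS.get(login) == password:
        return True
    log.append(f"pam_unix(dovecot:auth): authentication failure; ruser={login}")
    return False

def passdb_passwd_file(login, password, log):
    # Assumption from the thread: a miss is not logged without auth_debug.
    return VIRTUAL_USERS.get(split(login)) == password

def userdb_passwd(login):
    if login in SYSTEM_USERS:
        return {"uid": login, "inbox": f"/var/mail/{login}"}
    return None

def userdb_static(login):
    # static builds its answer from a template and never reports "unknown user"
    name, domain = split(login)
    return {"uid": 17, "inbox": f"/var/spool/virtual/{domain}/{name}"}

def login(user, password, passdbs, userdbs):
    """Return (userdb result or None, syslog lines produced on the way)."""
    log = []
    if not any(db(user, password, log) for db in passdbs):  # stops at first success
        return None, log
    for db in userdbs:                                       # first answer wins
        info = db(user)
        if info is not None:
            return info, log
    return None, log

ORIGINAL = ([passdb_pam, passdb_passwd_file], [userdb_passwd, userdb_static])
ALL_SWAPPED = ([passdb_passwd_file, passdb_pam], [userdb_static, userdb_passwd])
RECOMMENDED = ([passdb_passwd_file, passdb_pam], [userdb_passwd, userdb_static])

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL), ("all swapped", ALL_SWAPPED),
                       ("recommended", RECOMMENDED)]:
        for user, pw in [("alice", "pw-a"), ("bob@example.net", "pw-b")]:
            info, log = login(user, pw, *cfg)
            print(f"{label:12} {user:16} inbox={info['inbox']} pam_failures={len(log)}")
```

In the recommended order a virtual user who mistypes a password still falls through to PAM and produces one pam_unix failure line, so those entries then correspond to real failed logins rather than to every virtual login.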
participants (2): Dâniel Fraga, Timo Sirainen