Disabling passdb pam in local.conf
Greetings,
I'm trying to create a configuration that leaves every config file deployed by an install process or package management software untouched. The goal is to put every configuration required into /etc/dovecot/local.conf.
I've come quite far, but I fail to disable pam as passdb service in local.conf. What I get if I run doveconf -n is this section:
passdb {
  driver = pam
}
It is in there, because 10-auth.conf includes it:
!include auth-system.conf.ext
These actions are not an option at the moment:
- modify /etc/dovecot/conf.d/10-auth.conf and comment/remove the !include-statement
- create an /etc/dovecot/dovecot.conf which would contain all options required and would not include any other *.conf files
Reading http://wiki2.dovecot.org/ConfigFile I see ways to include external files, but nothing to exclude a file in local.conf.
Knowing Timo I would expect there is a way to achieve what I want. I just don't seem to find it.
What am I missing?
Regards,
p@rick
-- [*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Is your goal to have "1" config file?
If so get your system working how you want it then:
doveconf -n > /etc/dovecot/config.test
Start dovecot with this file.
- Edgar Pettijohn <edgar@pettijohn-web.com>:
Is your goal to have "1" config file?
No, that would eliminate the ability to change distro settings via the regular package management.
My goal is to add/remove what my service requires via the additional local.conf.
p@rick
By distro settings do you mean that you want a config that can be easily changed going from say Debian to FreeBSD? What package management do you speak of?
Edgar Pettijohn
What package management do you speak of? I've installed dovecot on several distros and haven't had to use anything other than the typical dovecot config files.
Edgar Pettijohn
I'm not sure what you mean by "ability to change distro settings"
Edgar Pettijohn
What distro settings?
- Edgar Pettijohn <edgar@pettijohn-web.com>:
What distro settings?
These files should remain unchanged:
~$ tree /etc/dovecot/
/etc/dovecot/
├── conf.d
│   ├── 10-auth.conf
│   ├── 10-director.conf
│   ├── 10-logging.conf
│   ├── 10-mail.conf
│   ├── 10-master.conf
│   ├── 10-ssl.conf
│   ├── 10-tcpwrapper.conf
│   ├── 15-lda.conf
│   ├── 15-mailboxes.conf
│   ├── 20-imap.conf
│   ├── 90-acl.conf
│   ├── 90-plugin.conf
│   ├── 90-quota.conf
│   ├── auth-checkpassword.conf.ext
│   ├── auth-deny.conf.ext
│   ├── auth-master.conf.ext
│   ├── auth-passwdfile.conf.ext
│   ├── auth-sql.conf.ext
│   ├── auth-static.conf.ext
│   ├── auth-system.conf.ext
│   └── auth-vpopmail.conf.ext
├── dovecot.conf
├── dovecot-dict-sql.conf.ext
├── dovecot.pem
├── dovecot-sql.conf.ext
├── private
└── README
Only /etc/dovecot/local.conf should be changed.
p@rick
So you want the standard files to remain unchanged from default settings and override them with your settings in local.conf?
- Edgar Pettijohn <edgar@pettijohn-web.com>:
Only /etc/dovecot/local.conf should be changed.
So you want the standard files to remain unchanged from default settings and override them with your settings in local.conf?
Exactly (he said that in his initial mail).
Sorry for requesting verification.
However, to answer the question: I don't think it's possible. There are a lot of neat config options, but I don't think the exact use case is possible. It may be easy to implement; I'm not familiar with Dovecot's parse_config(). Maybe store the first occurrence of a setting, but replace it with the last encountered.
Sorry didn't send to list.
Edgar Pettijohn
On 2016-06-21 13:46, Ralf Hildebrandt wrote:
- Edgar Pettijohn <edgar@pettijohn-web.com>:
Only /etc/dovecot/local.conf should be changed.
So you want the standard files to remain unchanged from default settings and override them with your settings in local.conf?
Exactly (he said that in his initial mail).
so we all need to do "dovecot -n >>/tmp/dovecot.conf"
or go back to dovecot v1 ? :-)
I think local.conf is more an extender conf file for new things not in the current config, or more like non-standard plugins not in the Dovecot sources.
In Gentoo I just keep editing the default files, and if it's changed AFTER install Gentoo tells me that it's changed, and then shows a "diff old new" so I know my faults later.
PS: is there a hope for the Dovecot mailing list not to break DKIM?
- Patrick Ben Koetter <p@sys4.de>:
I've come quite far, but I fail to disable pam as passdb service in local.conf. What I get if I run doveconf -n is this section:
passdb {
  driver = pam
}
It seems that there is no way of saying something like:
remove passdb
Adding new passdb entries is no problem, but removing existing ones is hard.
What is the actual problem? System accounts shouldn't be able to log-in? System accounts shouldn't be valid mailboxes?
On Tue, 21 Jun 2016, Ralf Hildebrandt wrote:
It seems that there is no way of saying something like:
remove passdb
Adding new passdb entries is no problem, but removing existing ones is hard.
I thought
passwd 1 { driver = none }
would do the trick, but you get an error saying that this passdb is already defined.
passdb 0 {
passdb 2 {
is fine, because they do not already exist.
Steffen Kaiser
On 2016-06-21 at 13:51, Ralf Hildebrandt wrote:
What is the actual problem? System accounts shouldn't be able to log-in? System accounts shouldn't be valid mailboxes?
Use case: virtual accounts in "passdb { driver = passwd-file …"
The initial pam driver will make each logon have to wait for pam to timeout first which adds a considerable delay in the process
-- peter
On Mon, 20 Jun 2016 22:03:44 +0200 Patrick Ben Koetter <p@sys4.de> wrote:
What am I missing?
That 10-auth.conf is actually meant to be edited. most distros should have configuration file handling pretty much figured out by now. so none of your changes to those files should get lost. also configuration management comes to mind.
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org
- Marcus Rueckert <darix@nordisch.org>:
What am I missing?
That 10-auth.conf is actually meant to be edited. most distros should have configuration file handling pretty much figured out by now. so none of your changes to those files should get lost. also configuration management comes to mind.
As I repeatedly said none of those actions are an option in this project. I think we better stop this thread.
p@rick
For the books:
It can't be done at the moment. That would require the passdb section to become a named section, e.g. like this:
passdb pam {
  driver = pam
}
Then one would be able to address this particular passdb namespace and do e.g. something like this:
passdb pam {
  driver = pam
  enabled = no
}
p@rick
On 22 Jun 2016, at 09:48, Patrick Ben Koetter <p@sys4.de> wrote:
It can't be done at the moment. That would require the passdb section to become a named section, e.g. like this:
passdb pam {
  driver = pam
}
Then one would be able to address this particular passdb namespace and do e.g. something like this:
passdb pam {
  driver = pam
  enabled = no
}
Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:
passdb {
  driver = whatever you want for your real passdb
  args = etc
  result_failure = return
  result_internalfail = return
}
So even though pam is still in the config, it's just never actually called.
- Timo Sirainen <dovecot@dovecot.org>:
Hmm. If you want to just kludge it, I guess you could do a 00-auth.conf:
passdb {
  driver = whatever you want for your real passdb
  args = etc
  result_failure = return
  result_internalfail = return
}
So even though pam is still in the config, it's just never actually called.
I played with the idea to set result_failure and result_internalfail to pass it all through, too. But then things started to get nasty and I took the long road and began to edit more than local.conf.
But thanks for taking the time to review and rethink this.
p@rick
-- [*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
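The ordering effect behind the 00-auth.conf suggestion and the pam delay described earlier in the thread, as an added example that is not part of the original messages: it parses constructed `doveconf -n` output and reports for which outcomes of the earlier passdbs a lookup would still reach pam. The sample configs, the /etc/dovecot/users path, the function names and the simplified continue/return model are assumptions; the result_* defaults are Dovecot's documented ones.

```python
import re

# Documented defaults of Dovecot's passdb result_* settings.
DEFAULTS = {"result_success": "return-ok",
            "result_failure": "continue",
            "result_internalfail": "continue"}

# Constructed samples of `doveconf -n` output (not taken from the thread).
# 1) Stock pam passdb first, passwd-file appended afterwards via local.conf.
PAM_FIRST = """
passdb {
  driver = pam
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
"""
# 2) The kludge: the real passdb sorts first and ends the chain on failure.
KLUDGE = """
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
  result_failure = return
  result_internalfail = return
}
passdb {
  driver = pam
}
"""

def parse_passdbs(doveconf_output):
    """Return the passdb blocks of `doveconf -n` output, in lookup order."""
    passdbs, current = [], None
    for raw in doveconf_output.splitlines():
        line = raw.strip()
        if current is None:
            if re.fullmatch(r"passdb(\s+\S+)?\s*\{", line):
                current = dict(DEFAULTS)
        elif line == "}":
            passdbs.append(current)
            current = None
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return passdbs

def consulted(passdbs, outcome):
    """Drivers consulted when every passdb ends in `outcome` ("success",
    "failure" or "internalfail"). Simplified model: a result value starting
    with "continue" moves to the next passdb, any "return*" value stops."""
    seen = []
    for db in passdbs:
        seen.append(db.get("driver", "?"))
        if not db["result_" + outcome].startswith("continue"):
            break
    return seen

def pam_reachable(doveconf_output):
    """Outcomes of the earlier passdbs that still let a lookup reach pam."""
    dbs = parse_passdbs(doveconf_output)
    return [o for o in ("success", "failure", "internalfail")
            if "pam" in consulted(dbs, o)]
```

An empty list from `pam_reachable()` means pam stays in the configuration but no lookup gets as far as calling it.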
participants (8)
- Benny Pedersen
- Edgar Pettijohn
- Marcus Rueckert
- Patrick Ben Koetter
- Peter Chiochetti
- Ralf Hildebrandt
- Steffen Kaiser
- Timo Sirainen