LMTP and passdb deny=yes not working
Hi all,
I start this one in a new thread. I set up the deny-user setting to temporarily prevent users from logging in and (that would be great) also stop mail delivery for said user. All this is because of our upcoming migration.
Now it seems that lmtp is ignoring this setting. This is from the logfile:
Aug 21 13:01:00 klee dovecot: lmtp(pid): Connect from IP
Aug 21 13:01:00 klee dovecot: auth: passwd-file(fischer,IP): User found from deny passdb
Aug 21 13:01:00 klee dovecot: lmtp(pid, fischer): 2UErAGzR9VMBPQAAGyzfLQ: sieve: msgid=unspecified: stored mail into mailbox 'INBOX'
Aug 21 13:01:00 klee dovecot: lmtp(pid): Disconnect from 172.16.16.205: Successful quit
So lmtp seems to find the user and correctly states the fact but then stores the email anyhow. Is this intended or did I hit a bug? Or do I have an error in my config?
Cheers,
j.hofmüller
mur.sat -- a space art project http://sat.mur.at/
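The log excerpt above shows the pattern worth watching for on a server that relies on a deny passdb: an auth line reporting "User found from deny passdb" followed by an lmtp line storing mail for that same user. The script below is an added example (not part of the original thread or of Dovecot) that scans syslog-style Dovecot lines for exactly that combination; the sample log it contains is constructed to mirror the excerpt, with made-up PIDs, session ids and a second user.

```python
import re
from collections import Counter

# Constructed sample log modelled on the excerpt in the thread (not real traffic):
# the deny passdb matches "fischer", yet LMTP stores the message regardless.
SAMPLE_LOG = """\
Aug 21 13:01:00 klee dovecot: lmtp(1234): Connect from 172.16.16.205
Aug 21 13:01:00 klee dovecot: auth: passwd-file(fischer,172.16.16.205): User found from deny passdb
Aug 21 13:01:00 klee dovecot: lmtp(1234, fischer): SESSIONID1: sieve: msgid=unspecified: stored mail into mailbox 'INBOX'
Aug 21 13:01:00 klee dovecot: lmtp(1234): Disconnect from 172.16.16.205: Successful quit
Aug 21 13:02:10 klee dovecot: lmtp(1240): Connect from 172.16.16.205
Aug 21 13:02:10 klee dovecot: lmtp(1240, meier): SESSIONID2: sieve: msgid=<x@example.net>: stored mail into mailbox 'INBOX'
Aug 21 13:02:10 klee dovecot: lmtp(1240): Disconnect from 172.16.16.205: Successful quit
Aug 21 13:05:00 klee dovecot: lmtp(1251, fischer): SESSIONID3: sieve: msgid=<y@example.net>: stored mail into mailbox 'Archive'
"""

# syslog prefix, then the dovecot message; pid may be a number or a placeholder
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<msg>.*)$")
DENY_RE = re.compile(r"^auth: [\w-]+\((?P<user>[^,)]+),[^)]*\): User found from deny passdb$")
STORE_RE = re.compile(r"^lmtp\([^,)]+, (?P<user>[^)]+)\): \S+: .*stored mail into mailbox '(?P<mbox>[^']+)'$")


def find_denied_deliveries(log_text):
    """Return (timestamp, user, mailbox) for every LMTP store whose recipient was
    earlier reported as matching the deny passdb. A deny hit is kept for the rest
    of the log: the per-user deny file stays in place until an admin removes it."""
    denied = set()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dovecot syslog line; skip it
        msg = m.group("msg")
        d = DENY_RE.match(msg)
        if d:
            denied.add(d.group("user"))
            continue
        s = STORE_RE.match(msg)
        if s and s.group("user") in denied:
            hits.append((m.group("ts"), s.group("user"), s.group("mbox")))
    return hits


def deliveries_per_denied_user(log_text):
    """Messages stored per denied user; anything non-empty means deny= is not
    stopping LMTP delivery, which is what the thread observed."""
    return dict(Counter(user for _, user, _ in find_denied_deliveries(log_text)))


if __name__ == "__main__":
    for ts, user, mbox in find_denied_deliveries(SAMPLE_LOG):
        print(f"{ts}: denied user {user!r} still received mail in {mbox!r}")
```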
Hi all,
Nobody with an idea on the lmtp passdb question? I would really love to find out if I am doing something wrong or if this just does not work as I expect it.
Cheers,
j.hofmüller
We are all idiots with deadlines. - Mike West
On 2014-08-26 5:42 AM, Jogi Hofmüller wrote:
Hi all,
Nobody with an idea on the lmtp passdb question? I would really love to find out if I am doing something wrong or if this just does not work as I expect it.
Cheers,
I don't think that LMTP/LDA use passdb. I'm pretty sure that they use userdb only.
The delivery agents just need to lookup if the recipient exists and where to store the mail.
http://wiki2.dovecot.org/LDA gives you some info as to what LMTP/LDA can return to the MTA.
Greg
Hi,
On 2014-08-26 16:48, Gregory Finch wrote:
I don't think that LMTP/LDA use passdb. I'm pretty sure that they use userdb only.
The delivery agents just need to lookup if the recipient exists and where to store the mail.
OK, good point. Now I tried to disable LMTP for one user by means of a special userdb that would return 'return-fail' when it finds a user. I figured then LMTP would reject the message. Not so much though ... this is the special userdb I am using. The default fields are there to keep error messages in logs low.
userdb {
  driver = passwd-file
  args = /etc/dovecot/deny/%s/deny-user
  default_fields = uid=vmail gid=vmail home=/tmp/%Ln
  result_success = return-fail
}
Attached you find the config I tested.
Cheers,
J.Hofmüller
Besides, I am of the opinion that the Joanneum must be broken up! - Barbara Fischer
On Wed, 27 Aug 2014, Jogi Hofmüller wrote:
On 2014-08-26 16:48, Gregory Finch wrote:
I don't think that LMTP/LDA use passdb. I'm pretty sure that they use userdb only.
The delivery agents just need to lookup if the recipient exists and where to store the mail.
OK, good point. Now I tried to disable LMTP for one user by means of a special userdb that would return 'return-fail' when it finds a user. I figured then LMTP would reject the message. Not so much though ... this is the special userdb I am using. The default fields are there to keep error messages in logs low.
userdb {
  driver = passwd-file
  args = /etc/dovecot/deny/%s/deny-user
  default_fields = uid=vmail gid=vmail home=/tmp/%Ln
  result_success = return-fail
}
Attached you find the config I tested.
You have lots of userdbs in your config. If you use %s in the general ones, I would remove the special ones in the "lmtp" section altogether.
Also, try this #1
userdb {
  args = /etc/dovecot/deny/%s/deny-user
  default_fields = uid=vmail gid=vmail home=/tmp/non-existant-name
  driver = passwd-file
}
That way, you get a hit for that userdb. Now return a _non-existent_ mail location. You get an error in the logs, but LMTP should tempfail the request.
===============
Try #2
If you enforce quota and tempfail the message if the user is over quota, lower the user's quota to 1 byte temporarily.
===============
Try this #3
Just use one userdb:
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
Then extend your userdb query by:
(&(original query)(!(attr=%s)))
Choose any attribute with text, such as description, that does no harm to other services. Then the LMTP service should get no hit and should, IMHO, tempfail the delivery.
Steffen Kaiser
Hi,
On 2014-08-27 15:20, Steffen Kaiser wrote:
You have lots of userdbs in your config. If you use %s in the general ones, I would remove the special ones in the "lmtp" section altogether.
True. I cleaned them up a little.
userdb {
  args = /etc/dovecot/deny/%s/deny-user
  default_fields = uid=vmail gid=vmail home=/tmp/non-existant-name
  driver = passwd-file
}
No dice.
Just use one userdb:
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
Then extend your userdb query by:
(&(original query)(!(attr=%s)))
Huh, we're getting somewhere!
Choose any attribute with text, such as description, that does no harm to other services. Then the LMTP service should get no hit and should, IMHO, tempfail the delivery.
Thing is that it does not tempfail but it says: 550 5.1.1 <user@domain> User doesn't exist.
But I guess that is correct. My reasoning is the following: The above method effectively disables a user's account. So from the point of view of lmtp/imap/pop3 the user does not exist. In case of lmtp it is totally appropriate to deny delivery instead of tempfailing.
Guess I will have to take a look at the -- not yet tried -- quota solution ...
Thanks so far!
Cheers,
j.hofmüller
Rumour generator http://plagi.at/geruecht
Hi
On 2014-08-27 16:04, Jogi Hofmüller wrote:
Guess I will have to take a look at the -- not yet tried -- quota solution ...
Nice! In combination with 'quota_full_tempfail = yes' that finally does what we need/want!
Thanks and cheers,
J.Hofmüller
A literary masterpiece is nothing but a dictionary in disarray.
- Jean Cocteau