[Dovecot] Dovecot 1.2.12 + Postfix + virtual domains: delivering to system users
As mentioned in my previous posting, I've set up a mailserver for a domain of Winboxen, authenticated through Active Directory. After some struggles, I finally got that working. But I also need to receive emails for a few system users on the mailserver (like postmaster, and a couple of accounts set up for maintaining the system).
I thought, based on the way I read the documentation, that I could just add
a "userdb passwd", ahead of the "userdb ldap", and deliver would find their
home directory maildirs. The virtual users would fail the passwd search,
fall through to the LDAP check, and deliver would drop their mail into their
maildirs in the /var/mailstore tree. I knew the system users wouldn't be
able to login to the IMAP server, but this isn't a concern.
Instead, the system users' mail got bounced, after an auth check via the "master" socket (from Postfix, I guess: it's a transient process) whose details don't get logged. And the virtual users' lookups (done by deliver) returned made-up UIDs and GIDs, and maildir locations (/home/<realm>/<username>) completely different from what the LDAP lookup normally returns (/var/mailstore/<username>).
So what am I missing here? I managed to work around this by adding the system users to the Postfix virtual.db, but it would be nice to not need to do that. It would also be nice to enable the system users to check email by logging in to the IMAP server, but I'm reluctant to even try that after the way delivery went completely wonky.
Thanks,
Ran
On Sat, 2010-12-25 at 20:49 -0700, Ran Talbott wrote:
As mentioned in my previous posting, I've set up a mailserver for a domain of Winboxen, authenticated through Active Directory. After some struggles, I finally got that working. But I also need to receive emails for a few system users on the mailserver (like postmaster, and a couple of accounts set up for maintaining the system).
I thought, based on the way I read the documentation, that I could just add a "userdb passwd", ahead of the "userdb ldap", and deliver would find their home directory maildirs. The virtual users would fail the passwd search,
fall through to the LDAP check, and deliver would drop their mail into their maildirs in the /var/mailstore tree. I knew the system users wouldn't be able to login to the IMAP server, but this isn't a concern.
Yes, sounds right.
Instead, the system users' mail got bounced, after an auth check via the "master" socket (from Postfix, I guess: it's a transient process) whose details don't get logged. And the virtual users' lookups (done by deliver) returned made-up UIDs and GIDs, and maildir locations (/home/<realm>/<username>) completely different from what the LDAP lookup normally returns (/var/mailstore/<username>).
I've no idea why that would happen. dovecot -n output and logs with auth_debug=yes + mail_debug=yes would be helpful.
I've tested with 3 different configurations, using 3 users:
ran - a Linux system user that's in the postfix "virtual.db"
vmail - a system user _not_ in virtual.db
testing.testing - a Windoze user with no Linux account
All 3 configurations have passdb ldap and userdb ldap.
First config has no userdb or passdb for the Linux users. Second config adds userdb passwd. Both work the same:
Mail to vmail bounces
Mail to ran is delivered OK to /home/ran/maildir
Mail to testing.testing goes to /var/mailstore//testing.testing/Maildir
But testing.testing mail _should_ go to /var/mailstore/<domain>/testing.testing/Maildir. As mentioned in my earlier email, %d doesn't seem to work with LDAP queries.
The third config adds passdb shadow.
Mail to vmail bounces
Mail to ran is delivered OK to /home/ran/maildir
Mail to testing.testing tries to go to /home/testing.testing/Maildir. This delivery attempt fails because the manufactured Linux uid and gid are wrong. But it's also the wrong directory.
In a nutshell: it appears Dovecot can't deliver to system users at all (Postfix is taking care of "ran"), and the mere presence of a "passdb shadow" causes the LDAP lookups to go awry.
Here's the dovecot -n and mail.log for configuration 1 (email addresses in all logs have been obscured by replacing domain name):
# 1.2.12: dovecot.conf.9
# OS: Linux 2.6.35-23-generic-pae i686 Ubuntu 10.10 ext4
log_timestamp: %Y-%m-%d %H:%M:%S
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_uid: 501
mail_gid: 501
mail_location: maildir:/var/mailstore/%d/%n/Maildir
mbox_write_locks: fcntl dotlock
imap_client_workarounds: delay-newmail outlook-idle netscape-eoh
lda:
  postmaster_address: mail.server@lawleytechsupport.info
  hostname: lawleytechsupport.info
auth default:
  mechanisms: plain login
  username_format: %Ln
  verbose: yes
  debug: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
Dec 30 19:25:30 IBMUBUNTU1 dovecot: last message repeated 2 times
Dec 30 19:25:30 IBMUBUNTU1 dovecot: auth(default): Killed with signal 15 (by
pid=1 uid=0 code=kill)
Dec 30 19:25:30 IBMUBUNTU1 dovecot: dovecot: Killed with signal 15 (by pid=1
uid=0 code=kill)
Dec 30 19:25:30 IBMUBUNTU1 dovecot: Dovecot v1.2.12 starting up (core dumps
disabled)
Dec 30 19:25:36 IBMUBUNTU1 dovecot: auth(default): new auth connection:
pid=24878
Dec 30 19:25:36 IBMUBUNTU1 dovecot: auth(default): new auth connection:
pid=24877
Dec 30 19:25:36 IBMUBUNTU1 dovecot: auth(default): new auth connection:
pid=24879
Dec 30 19:26:57 IBMUBUNTU1 postfix/smtpd[24884]: connect from
fed1rmmtao105.cox.net[68.230.241.41]
Dec 30 19:26:57 IBMUBUNTU1 dovecot: auth(default): new auth connection:
pid=24884
Dec 30 19:26:57 IBMUBUNTU1 postfix/smtpd[24884]: NOQUEUE: reject: RCPT from
fed1rmmtao105.cox.net[68.230.241.41]: 550 5.1.1 vmail@yyy.yyy: Recipient
address rejected: User unknown in virtual mailbox table;
from=embed-mobile@xxx.xxx to=vmail@yyy.yyy proto=ESMTP
helo=
Here's the dovecot -n and mail.log for configuration 2:
# 1.2.12: dovecot.conf.11
# OS: Linux 2.6.35-23-generic-pae i686 Ubuntu 10.10 ext4
log_timestamp: %Y-%m-%d %H:%M:%S
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_uid: 501
mail_gid: 501
mail_location: maildir:/var/mailstore/%d/%n/Maildir
mbox_write_locks: fcntl dotlock
imap_client_workarounds: delay-newmail outlook-idle netscape-eoh
lda:
  postmaster_address: mail.server@lawleytechsupport.info
  hostname: lawleytechsupport.info
auth default:
  mechanisms: plain login
  username_format: %Ln
  verbose: yes
  debug: yes
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: passwd
    args: mail=maildir:~/Maildir
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
Dec 30 19:18:39 IBMUBUNTU1 postfix/smtpd[24843]: connect from
fed1rmmtao102.cox.net[68.230.241.44]
Dec 30 19:18:39 IBMUBUNTU1 dovecot: auth(default): new auth connection:
pid=24843
Dec 30 19:18:39 IBMUBUNTU1 postfix/smtpd[24843]: NOQUEUE: reject: RCPT from
fed1rmmtao102.cox.net[68.230.241.44]: 550 5.1.1 vmail@yyy.yyy: Recipient
address rejected: User unknown in virtual mailbox table;
from=embed-mobile@xxx.xxx to=vmail@yyy.yyy proto=ESMTP
helo=
Here's the dovecot -n and mail.log for configuration 3:
# 1.2.12: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35-23-generic-pae i686 Ubuntu 10.10 ext4
log_timestamp: %Y-%m-%d %H:%M:%S
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_uid: 501
mail_gid: 501
mail_location: maildir:/var/mailstore/%d/%n/Maildir
mbox_write_locks: fcntl dotlock
imap_client_workarounds: delay-newmail outlook-idle netscape-eoh
lda:
  postmaster_address: mail.server@lawleytechsupport.info
  hostname: lawleytechsupport.info
auth default:
  mechanisms: plain login
  username_format: %Ln
  verbose: yes
  debug: yes
  passdb:
    driver: shadow
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: passwd
    args: mail=maildir:/home/%n/Maildir
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
Dec 30 08:02:20 IBMUBUNTU1 postfix/cleanup[23693]: 502151009C7:
message-id=20101230150220.502151009C7@mail.lawleytechsupport.info
Dec 30 08:02:20 IBMUBUNTU1 postfix/qmgr[19282]: 502151009C7:
from=root@yyy.yyy, size=409, nrcpt=1 (queue active)
Dec 30 08:02:20 IBMUBUNTU1 postfix/local[23695]: 502151009C7:
to=root@localhost, orig_to=<root>, relay=local, delay=0.19,
delays=0.14/0.02/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Dec 30 08:02:20 IBMUBUNTU1 postfix/qmgr[19282]: 502151009C7: removed
Dec 30 17:34:41 IBMUBUNTU1 postfix/smtpd[24338]: connect from
fed1rmmtao107.cox.net[68.230.241.39]
Dec 30 17:34:41 IBMUBUNTU1 dovecot: auth(default): new auth connection:
pid=24338
Dec 30 17:34:41 IBMUBUNTU1 postfix/smtpd[24338]: NOQUEUE: reject: RCPT from
fed1rmmtao107.cox.net[68.230.241.39]: 550 5.1.1 vmail@yyy.yyy: Recipient
address rejected: User unknown in virtual mailbox table;
from=embed-mobile@xxx.xxx to=vmail@yyy.yyy proto=ESMTP
helo=
On 31/12/2010 10:18, Ran Talbott wrote:
Mail to vmail bounces
Have a look in the log file... mails bounce because of postfix, not dovecot: "Recipient address rejected: User unknown in virtual mailbox table"
In a nutshell: it appears Dovecot can't deliver to system users at all (Postfix is taking care of "ran"), and the mere presence of a "passdb shadow" causes the LDAP lookups to go awry.
For local delivery u don't need dovecot lda, let postfix do it.
-- Simone Caruso IT Consultant
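The point made in the reply above, that the bounce is decided by Postfix at RCPT time and not by Dovecot, can be checked mechanically from mail.log. The following is an added example, not part of the original thread: a Python triage over log lines constructed from the excerpts posted earlier (wrapped lines rejoined); the names `triage`, `never_reached_lda` and `SAMPLE_LOG` are hypothetical.

```python
import re

# Constructed sample: log lines from this thread with wrapped lines rejoined.
SAMPLE_LOG = """\
Dec 30 19:26:57 IBMUBUNTU1 postfix/smtpd[24884]: connect from fed1rmmtao105.cox.net[68.230.241.41]
Dec 30 19:26:57 IBMUBUNTU1 dovecot: auth(default): new auth connection: pid=24884
Dec 30 19:26:57 IBMUBUNTU1 postfix/smtpd[24884]: NOQUEUE: reject: RCPT from fed1rmmtao105.cox.net[68.230.241.41]: 550 5.1.1 vmail@yyy.yyy: Recipient address rejected: User unknown in virtual mailbox table; from=embed-mobile@xxx.xxx to=vmail@yyy.yyy proto=ESMTP helo=
Dec 30 08:02:20 IBMUBUNTU1 postfix/local[23695]: 502151009C7: to=root@localhost, orig_to=<root>, relay=local, delay=0.19, delays=0.14/0.02/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<tag>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# SMTP-time refusal: NOQUEUE means the message was never accepted into the queue.
REJECT = re.compile(r"NOQUEUE: reject: RCPT from \S+: (?P<code>\d{3}) (?P<dsn>[\d.]+) "
                    r"<?(?P<rcpt>[^>:\s]+)>?: (?P<reason>[^;]+);")
# Delivery-agent result line (postfix/local, postfix/virtual, postfix/pipe, ...).
RESULT = re.compile(r"\bto=<?(?P<rcpt>[^>,\s]+)>?,.*\brelay=(?P<relay>[^,]+),.*\bstatus=(?P<status>\w+)")


def triage(log_text):
    """Return one finding per recipient verdict: which daemon decided, and where."""
    findings = []
    for raw in log_text.splitlines():
        line = SYSLOG.match(raw)
        if not line or not line["tag"].startswith("postfix/"):
            continue  # the dovecot auth lines here carry no delivery verdict
        reject = REJECT.search(line["msg"])
        result = RESULT.search(line["msg"])
        if line["tag"] == "postfix/smtpd" and reject:
            findings.append({"rcpt": reject["rcpt"], "decided_by": line["tag"],
                             "stage": "smtp-rcpt", "queued": False,
                             "detail": reject["reason"].strip()})
        elif result:
            findings.append({"rcpt": result["rcpt"], "decided_by": line["tag"],
                             "stage": "delivery", "queued": True,
                             "detail": f'relay={result["relay"]} status={result["status"]}'})
    return findings


def never_reached_lda(findings):
    """Recipients refused before queueing, so no delivery agent (deliver) saw them."""
    return sorted({f["rcpt"] for f in findings if not f["queued"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print("refused before any LDA ran:", never_reached_lda(triage(SAMPLE_LOG)))
```

A recipient listed by `never_reached_lda` was refused by postfix/smtpd before the message was queued, so changes to Dovecot's userdb or passdb order cannot affect that bounce.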
On Friday 31 December 2010 08:20:48 Simone Caruso wrote:
For local delivery u don't need dovecot lda, let postfix do it.
I can, but all the Linux users need to be aliased to "xxx@localhost" in the Postfix virtual.db. This isn't a huge problem for me, since it's unlikely we'll be adding new users more than once per year or two (for new IT staff) once the system is set up. But it means system users can't access their mail via IMAP, because the "passdb shadow" is screwing up delivery for all the end users. And it's likely to be a major hassle for other installations.
There's a way around that, of course, but it wouldn't look good to tell the company management "We're setting up this mail system for you e-peons, but the IT nobility are getting a separate system of their own" ;-)
Ran
On Fri, 2010-12-31 at 14:27 -0700, Ran Talbott wrote:
On Friday 31 December 2010 08:20:48 Simone Caruso wrote:
For local delivery u don't need dovecot lda, let postfix do it.
I can, but all the Linux users need to be aliased to "xxx@localhost" in the Postfix virtual.db. This isn't a huge problem for me, since it's unlikely we'll be adding new users more than once per year or two (for new IT staff) once the system is set up. But it means system users can't access their mail via IMAP, because the "passdb shadow" is screwing up delivery for all the end users. And it's likely to be a major hassle for other installations.
There's a way around that, of course, but it wouldn't look good to tell the company management "We're setting up this mail system for you e-peons, but the IT nobility are getting a separate system of their own" ;-)
Ran
install, migrate and use mysql - and be done with it, system users are dangerous in this era anyway.
Happy New Year! Noel
On 26/12/2010 04:49, Ran Talbott wrote:
But I also need to receive emails for a few system users on the mailserver (like postmaster, and a couple of accounts set up for maintaining the system).
On 31/12/2010 22:27, Ran Talbott wrote:
But it means system users can't access their mail via IMAP, because the "passdb shadow" is screwing up delivery for all the end users.
You can use /etc/aliases to redirect system emails to users' virtual accounts; this way you can receive system messages in users' IMAP inboxes and filter them by host.
-- Simone Caruso IT Consultant
participants (4): Noel Butler, Ran Talbott, Simone Caruso, Timo Sirainen