[Dovecot] Dovecot as LDA with Postfix and virtual users
Hello!
I've been trying to configure Dovecot to work as LDA for file-based virtual users with Postfix.
Some part in the configuration seems to miss though, as mails are received by Postfix, but instead of giving it to Dovecot for delivery, it delivers the mails itself.
Postfix drops the mail in /var/mail/<user>/mbox, if Dovecot would be called, it should deliver it to /var/vmail/<domain>/<user>/Maildir.
I've made sure to add the dovecot-service to postfix/master.cf according to http://wiki2.dovecot.org/LDA/Postfix and tried all kinds of settings and did quadruple checks for errors.
I'm using Debian 6.0 with Dovecot 2.1.7(From backports) and Postfix 2.7.1
I've been trying to figure out what's missing for a few hours now and have to give up for today. I hope someone can help me with a hint what's missing or wrong :-/
Here's an excerpt from my mail.log, my postconf -n and dovecot -n:
Mar 17 00:02:46 poab postfix/smtpd[15333]: connect from mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/smtpd[15333]: setting up TLS connection from mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/smtpd[15333]: Anonymous TLS connection established from mail-wg0-f47.google.com[74.125.82.47]: TLSv1 with cipher RC4-SHA (128/128 bits)
Mar 17 00:02:46 poab dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Mar 17 00:02:46 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so
Mar 17 00:02:46 poab dovecot: auth: Debug: passwd-file /etc/dovecot/users: Read 1 users in 0 secs
Mar 17 00:02:46 poab dovecot: auth: Debug: auth client connected (pid=0)
Mar 17 00:02:46 poab postfix/smtpd[15333]: 66AD04E23EE: client=mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/cleanup[15340]: 66AD04E23EE: message-id=CAAMQ8bSEetcSYKKHKhbAqWxJwRewaPB_wA2DK8J4N-q5Y+dG7w@mail.gmail.com
Mar 17 00:02:46 poab postfix/qmgr[14844]: 66AD04E23EE: from=<benkkk AT wheemail.com>, size=1611, nrcpt=1 (queue active)
Mar 17 00:02:46 poab postfix/smtpd[15333]: disconnect from mail-wg0-f47.google.com[74.125.82.47]
Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=<benkkk AT example.com>, relay=local, delay=0.35, delays=0.3/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 17 00:02:46 poab postfix/qmgr[14844]: 66AD04E23EE: removed

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
debug_peer_level = 3
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 5120000000
myhostname = example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_maps
virtual_transport = dovecot

# dovecot -n
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-openvz-amd64 x86_64 Debian 6.0.7
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-master
auth_verbose = yes
auth_verbose_passwords = sha1
first_valid_gid = 5000
first_valid_uid = 5000
last_valid_gid = 5000
last_valid_uid = 5000
lda_mailbox_autocreate = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_gid = 5000
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/Maildir
mail_privileged_group = vmail
mail_uid = 5000
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=SHA1 /etc/dovecot/users
  driver = passwd-file
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 0
  }
}
ssl_cert =
Thanks & good night, Christian
-- Central Asia by bike, starting May 2013 - http://poab.org
On Sun, Mar 17, 2013 at 01:20:55AM +0100, Christian Benke wrote:
I've been trying to configure Dovecot to work as LDA for file-based virtual users with Postfix.
Some part in the configuration seems to miss though, as mails are received by Postfix, but instead of giving it to Dovecot for delivery, it delivers the mails itself.
Perhaps surprisingly, this is a Postfix issue, not a Dovecot one.
Postfix drops the mail in /var/mail/<user>/mbox, if Dovecot would be called, it should deliver it to /var/vmail/<domain>/<user>/Maildir.
I've made sure to add the dovecot-service to postfix/master.cf according to http://wiki2.dovecot.org/LDA/Postfix and tried all kinds of settings and did quadruple checks for errors.
I'm using Debian 6.0 with Dovecot 2.1.7(From backports) and Postfix 2.7.1
I've been trying to figure out what's missing for a few hours now and have to give up for today. I hope someone can help me with a hint what's missing or wrong :-/
Here's an excerpt from my mail.log, my postconf -n and dovecot -n:
[snip]
Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=<benkkk AT example.com>, relay=local, delay=0.35, delays=0.3/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
This is postfix/local, which means it is not being routed to your virtual_transport. It means example.com is in mydestination.
Mar 17 00:02:46 poab postfix/qmgr[14844]: 66AD04E23EE: removed
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
debug_peer_level = 3
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 5120000000
myhostname = example.com
... You did not even set mydestination, thus you get the default. You really should review the Postfix Basic Configuration README:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
Perhaps you'd be better off without the virtual mailboxes anyway?
[snip]
Central Asia by bike, starting May 2013 - http://poab.org
Wow, a great adventure, good luck!
http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Hello Rob!
Thanks for answering!
On 17 March 2013 02:58, /dev/rob0 rob0@gmx.co.uk wrote:
On Sun, Mar 17, 2013 at 01:20:55AM +0100, Christian Benke wrote:
Some part in the configuration seems to miss though, as mails are received by Postfix, but instead of giving it to Dovecot for delivery, it delivers the mails itself.
Perhaps surprisingly, this is a Postfix issue, not a Dovecot one.
No, i was expecting it :-) I just wasn't sure where it belongs to.
Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=<benkkk AT example.com>, relay=local, delay=0.35, delays=0.3/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
This is postfix/local, which means it is not being routed to your virtual_transport. It means example.com is in mydestination.
You did not even set mydestination, thus you get the default. You really should review the Postfix Basic Configuration README:
No, i tried a lot yesterday and i started from a working postfix/dovecot-setup with PAM. The config i posted above was merely the last incarnation. Should probably have emphasized that.
I commented out mydestination because i received warnings that i shouldn't list them in both mydestination and virtual_mailbox_domains. Still, dovecot LDA has not been called either when the mydestination-parameter was present:
Mar 16 21:54:56 poab postfix/smtpd[4197]: connect from mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/smtpd[4197]: setting up TLS connection from mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/smtpd[4197]: Anonymous TLS connection established from mail-we0-f176.google.com[74.125.82.176]: TLSv1 with cipher RC4-SHA (128/128 bits)
Mar 16 21:54:56 poab dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so
Mar 16 21:54:56 poab dovecot: auth: Debug: passwd-file /etc/dovecot/users: Read 1 users in 0 secs
Mar 16 21:54:56 poab dovecot: auth: Debug: auth client connected (pid=0)
Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains
Mar 16 21:54:56 poab postfix/smtpd[4197]: 856034E1FD1: client=mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/cleanup[4203]: 856034E1FD1: message-id=CAAMQ8bS2bi6HG=u8bmC+e-_Yu47WrB6DWxhH2rGSushdvPnH4Q@mail.gmail.com
Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: from=<benkkk AT wheemail.com>, size=1644, nrcpt=1 (queue active)
Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains
Mar 16 21:54:56 poab postfix/smtpd[4197]: disconnect from mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/local[4204]: 856034E1FD1: to=<benkkk AT example.com>, relay=local, delay=0.39, delays=0.33/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to mailbox)
Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: removed
Perhaps you'd be better off without the virtual mailboxes anyway?
Perhaps, and that's where i actually started from. Virtual users are an attractive feature though and as it didn't seem too intimidating, i thought i could give it a try. 6 hours later, i was wiser. I've gone back to the working PAM-config today and will try to figure out SASL for now, maybe going back to virtual users later. But i'm still interested in comments regarding the mydestination issue, i can go back to the virtual user settings quickly to try.
[snip]
Central Asia by bike, starting May 2013 - http://poab.org
Wow, a great adventure, good luck!
Thanks! Will (re-)add a RSS-feed soon.
Best regards, Christian
On Sun, Mar 17, 2013 at 04:57:36PM +0100, Christian Benke wrote:
On 17 March 2013 02:58, /dev/rob0 rob0@gmx.co.uk wrote:
On Sun, Mar 17, 2013 at 01:20:55AM +0100, Christian Benke wrote:
Some part in the configuration seems to miss though, as mails are received by Postfix, but instead of giving it to Dovecot for delivery, it delivers the mails itself.
Perhaps surprisingly, this is a Postfix issue, not a Dovecot one.
No, i was expecting it :-) I just wasn't sure where it belongs to.
Mar 17 00:02:46 poab postfix/local[15341]: 66AD04E23EE: to=<benkkk AT example.com>, relay=local, delay=0.35, delays=0.3/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
This is postfix/local, which means it is not being routed to your virtual_transport. It means example.com is in mydestination.
You did not even set mydestination, thus you get the default. You really should review the Postfix Basic Configuration README:
No, i tried a lot yesterday and i started from a working postfix/dovecot-setup with PAM. The config i posted above was merely the last incarnation. Should probably have emphasized that.
I commented out mydestination because i received warnings that i shouldn't list them in both mydestination and virtual_mailbox_domains.
With mydestination commented out you get the default, which is not an empty set.
$ /usr/sbin/postconf -d mydestination
mydestination = $myhostname, localhost.$mydomain, localhost
Still, dovecot LDA has not been called either when the mydestination-parameter was present:
Mar 16 21:54:56 poab postfix/smtpd[4197]: connect from mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/smtpd[4197]: setting up TLS connection from mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/smtpd[4197]: Anonymous TLS connection established from mail-we0-f176.google.com[74.125.82.176]: TLSv1 with cipher RC4-SHA (128/128 bits)
Mar 16 21:54:56 poab dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
Mar 16 21:54:56 poab dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so
Mar 16 21:54:56 poab dovecot: auth: Debug: passwd-file /etc/dovecot/users: Read 1 users in 0 secs
Mar 16 21:54:56 poab dovecot: auth: Debug: auth client connected (pid=0)
Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains
Mar 16 21:54:56 poab postfix/smtpd[4197]: 856034E1FD1: client=mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/cleanup[4203]: 856034E1FD1: message-id=CAAMQ8bS2bi6HG=u8bmC+e-_Yu47WrB6DWxhH2rGSushdvPnH4Q@mail.gmail.com
Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: from=<benkkk AT wheemail.com>, size=1644, nrcpt=1 (queue active)
Mar 16 21:54:56 poab postfix/trivial-rewrite[4202]: warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains
This is undocumented, but when a domain is in some other class in addition to mydestination, mydestination takes priority. Don't count on that: just ensure that each address class definition (see the Address Class README) is unique.
Mar 16 21:54:56 poab postfix/smtpd[4197]: disconnect from mail-we0-f176.google.com[74.125.82.176]
Mar 16 21:54:56 poab postfix/local[4204]: 856034E1FD1: to=<benkkk AT example.com>, relay=local, delay=0.39, delays=0.33/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to mailbox)
Thus we see again, mail is handled by the local_transport, local(8).
Mar 16 21:54:56 poab postfix/qmgr[4195]: 856034E1FD1: removed
Perhaps you'd be better off without the virtual mailboxes anyway?
Perhaps, and that's where i actually started from. Virtual users are an attractive feature though and as it didn't seem too intimidating, i thought i could give it a try. 6 hours later, i was wiser.
Virtual mailboxes have their place, indeed, but more so for large numbers of domains and users. For a small-timer (as it sounds like you are), I wouldn't say they're attractive. Increased complexity, decreased functionality, [usually] security tradeoffs. (System users who own all and ONLY their own mail are not going to endanger others' mail. Virtual mailboxes typically are owned by a shared UID+GID, and a compromise of that UID or GID could threaten all mail.)
I've gone back to the working PAM-config today and will try to figure out SASL for now, maybe going back to virtual users later. But i'm still interested in comments regarding the mydestination issue, i can go back to the virtual user settings quickly to try.
If your domain is NOT listed in mydestination, but it IS listed in virtual_mailbox_domains, it will be handled by your virtual_transport. Quite as simple as that.
http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
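The address-class precedence described in the reply above, as an added example that is not part of the original thread: it parses `postconf -n` style text, applies the default mydestination quoted from `postconf -d`, and reports which transport a recipient domain ends up on. The function names, the contents of the virtual_mailbox_domains table and the `mydestination = localhost` line in the corrected variant are constructed for illustration; Postfix's built-in default for $mydomain is not modelled, so that reference is left unexpanded.

```python
import re

# Built-in default, as quoted in the thread from `postconf -d mydestination`.
DEFAULT_MYDESTINATION = "$myhostname, localhost.$mydomain, localhost"

def parse_postconf(text):
    """Parse `postconf -n` style "name = value" lines into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def expand(value, params, depth=0):
    """Expand $name / ${name}; parameters absent from params stay literal."""
    def repl(match):
        name = match.group(1) or match.group(2)
        if name in params and depth < 10:
            return expand(params[name], params, depth + 1)
        return match.group(0)
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", repl, value)

def local_domains(params):
    """Domains in the local class; an unset mydestination means the default."""
    raw = params.get("mydestination", DEFAULT_MYDESTINATION)
    return {d.lower() for d in re.split(r"[,\s]+", expand(raw, params)) if d}

def classify(domain, params, virtual_domains):
    """Return (address_class, transport, overlap) for a recipient domain."""
    domain = domain.lower()
    in_virtual = domain in virtual_domains
    if domain in local_domains(params):
        # Per the thread: mydestination wins when a domain is in both classes,
        # so mail goes to local(8) and the overlap should be flagged.
        return ("local", "local", in_virtual)
    if in_virtual:
        return ("virtual", params.get("virtual_transport", "virtual"), False)
    return ("none", None, False)

# Constructed inputs: three settings taken from the posted postconf -n output,
# a corrected variant, and the assumed contents of the hash: table.
POSTED = """\
myhostname = example.com
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_transport = dovecot
"""
FIXED = POSTED + "mydestination = localhost\n"
VIRTUAL_TABLE = {"example.com"}

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, classify("example.com", parse_postconf(conf), VIRTUAL_TABLE))
```

With the posted settings the domain lands in the local class with the overlap flag set, matching the relay=local log line; once mydestination no longer expands to example.com, the same domain is handed to the dovecot transport.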
Perhaps you'd be better off without the virtual mailboxes anyway?
Perhaps, and that's where i actually started from. Virtual users are an attractive feature though and as it didn't seem too intimidating, i thought i could give it a try. 6 hours later, i was wiser.
Virtual mailboxes have their place, indeed, but more so for large numbers of domains and users. For a small-timer (as it sounds like you are), I wouldn't say they're attractive. Increased complexity, decreased functionality, [usually] security tradeoffs. (System users who own all and ONLY their own mail are not going to endanger others' mail. Virtual mailboxes typically are owned by a shared UID+GID, and a compromise of that UID or GID could threaten all mail.)
Rob, thank you for your comments! I'll just stay with system users then, i only need a few accounts as you guessed correctly. Virtual users appeared nice due to the separation from the system. But probably not worth the effort, as you argued.
Cheers, Christian