Re: [Dovecot] Problem with ldap / quotas
I forgot to cc the list in my subsequent question in this thread, so that question and Timo's reply have not been included in the mailing list.
I am submitting for thread completeness, thanking Timo for his invaluable help.
Nick
On 22/2/2011 6:23 PM, Timo Sirainen wrote:
On 22.2.2011, at 18.11, Nikolaos Milas wrote:
I added dn and dnpass and now everything appears to be running smoothly. I checked, and the maildirsize file gets updated according to the quota value we set in LDAP.
Can you also please clarify: When the default policy is to offer to users some storage space (say 4G) and some additional for Trash (say 100M), and then we define (over LDAP) a different storage space for a particular user (for example 1M), then:
- This user will also "inherit" a 100M Trash from the default policy or not (in this example 1+100M)?
Yes.
Can we change this (also define per-user Trash size)?
Yes, you can also have ldap return quota_rule2 to override it. Or instead of a hard-coded limit, you could set Trash's size to e.g. 10% of the default limit (quota_rule2 = Trash:storage=10%%) so you don't have to return it from ldap.
- If we define quota_warning (say 75%), will the value apply to the total of (MainStorage + Trash (here 101M)) or to MainStorage only (1M)?
MainStorage = 1M.
I'm asking because I reduced the storage space to only 50K for a test account (for experimenting), and sent various emails (over smtp) to that mailbox, but I saw no warnings or mailbox locking when the mailbox was over quota or full.
Locking? You mean it allowed the user to exceed quota? mail_debug=yes could log something useful about what's going on.
Here is a session logged with mail_debug=yes; the mailbox has already exceeded quota (I set it to 100K for testing). Note that I have only changed IP addresses (actual ones are public) and main domain name:
Feb 22 23:02:31 vmail dovecot: POP3(tester): Disconnected: Logged out top=0/0, retr=1/829, del=1/1, size=813
Feb 22 23:02:35 vmail dovecot: POP3(tester): Loading modules from directory: /usr/lib64/dovecot/pop3
Feb 22 23:02:35 vmail dovecot: POP3(tester): Module loaded: /usr/lib64/dovecot/pop3/lib10_quota_plugin.so
Feb 22 23:02:35 vmail dovecot: POP3(tester): Effective uid=500, gid=500, home=/home/vmail/tester
Feb 22 23:02:35 vmail dovecot: POP3(tester): Quota root: name=User quota backend=maildir args=
Feb 22 23:02:35 vmail dovecot: POP3(tester): Quota rule: root=User quota mailbox=* bytes=102400 messages=0
Feb 22 23:02:35 vmail dovecot: POP3(tester): Quota rule: root=User quota mailbox=Trash bytes=104857600 messages=0
Feb 22 23:02:35 vmail dovecot: POP3(tester): Quota warning: bytes=76800 (75%) messages=0 command=/opt/mail.sh 75 tester
Feb 22 23:02:35 vmail dovecot: POP3(tester): Quota warning: bytes=92160 (90%) messages=0 command=/opt/mail.sh 90 tester
Feb 22 23:02:35 vmail dovecot: POP3(tester): maildir: data=~/Maildir/
Feb 22 23:02:35 vmail dovecot: POP3(tester): maildir++: root=/home/vmail/tester/Maildir, index=, control=, inbox=/home/vmail/tester/Maildir
Feb 22 23:02:35 vmail dovecot: POP3(tester): Namespace : Using permissions from /home/vmail/tester/Maildir: mode=0700 gid=-1
Feb 22 23:02:35 vmail dovecot: pop3-login: Login: user=<tester>, method=PLAIN, rip=10.10.11.105, lip=10.10.11.100
Feb 22 23:02:38 vmail dovecot: POP3(tester): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
No warning mail was sent, at any point, even when the last mail was received, which exceeded the quota.
# ls -la /home/vmail/tester/Maildir/new
total 232
drwx------ 2 vmail vmail 12288 Feb 22 23:07 .
drwx------ 8 vmail vmail 4096 Feb 22 23:02 ..
-rw------- 1 vmail vmail   4397 Feb 22 23:03 1298408628.Vfc00I2e34701M573894.vmail.example.com
-rw------- 1 vmail vmail  13433 Feb 22 23:04 1298408654.Vfc00I2e34702M745961.vmail.example.com
-rw------- 1 vmail vmail  12621 Feb 22 23:05 1298408714.Vfc00I2e34703M525546.vmail.example.com
-rw------- 1 vmail vmail 174648 Feb 22 23:07 1298408854.Vfc00I2e34704M818941.vmail.example.com
And also:
# cat /home/vmail/tester/Maildir/maildirsize
102400S
0 0
Could this behavior be related to the MTA? Must we also configure quotas in Postfix (with VDA) for things to run correctly? (Note that I am forced to set (in Postfix) virtual_mailbox_limit = 0, because the max acceptable value of this parameter is 2G and in Dovecot I define mailbox limits of 4G. I haven't yet set any VDA parameters.)
Thanks, Nick
On 22/2/2011 6:23 μμ, Timo Sirainen wrote:
Locking? You mean it allowed user to exceed quota? mail_debug=yes could log something useful about what's going on.
On 22.2.2011, at 23.28, Nikolaos Milas wrote:
Feb 22 23:02:35 vmail dovecot: POP3(tester): Quota rule: root=User quota mailbox=* bytes=102400 messages=0
Looks right.
No warning mail was sent, at any point, even when the last mail was received, which exceeded the quota.
That log was from pop3, not from mail delivery. It's too late by then to give any kind of warnings.
Could this behavior be related to the MTA? Must we also configure quotas in Postfix (with VDA) for things to run correctly? (Note that I am forced to set (in Postfix) virtual_mailbox_limit = 0, because the max acceptable value of this parameter is 2G and in Dovecot I define mailbox limits of 4G. I haven't yet set any VDA parameters.)
Postfix completely ignores quotas limits, warnings and everything else you've set in Dovecot! You need to be using Dovecot LDA. http://wiki.dovecot.org/LDA
In Testing:
Note that the warning is ONLY executed at the exact time when the limit is being crossed, so when you're testing it you have to do it by crossing the limit by saving a new mail. If something else besides Dovecot updates quota so that the limit is crossed, the warning is never executed.
Deng
On Tue, 22 Feb 2011 23:33:35 +0200, Timo Sirainen wrote:
On 22.2.2011, at 23.28, Nikolaos Milas wrote:
Feb 22 23:02:35 vmail dovecot: POP3(tester): Quota rule: root=User quota mailbox=* bytes=102400 messages=0
Looks right.
No warning mail was sent, at any point, even when the last mail was received, which exceeded the quota.
That log was from pop3, not from mail delivery. It's too late by then to give any kind of warnings.
Could this behavior be related to the MTA? Must we also configure quotas in Postfix (with VDA) for things to run correctly? (Note that I am forced to set (in Postfix) virtual_mailbox_limit = 0, because the max acceptable value of this parameter is 2G and in Dovecot I define mailbox limits of 4G. I haven't yet set any VDA parameters.)
Postfix completely ignores quotas limits, warnings and everything else you've set in Dovecot! You need to be using Dovecot LDA. http://wiki.dovecot.org/LDA
-- Best Cheer (XiaMen) Stone Works CO.,LTP. Phone: 0592-7221600
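The behaviour Timo and Deng describe above (Postfix writing straight into the Maildir bypasses Dovecot's quota entirely, and a quota_warning command runs only when a Dovecot save itself crosses the threshold) is easiest to see by modelling the Maildir++ accounting. The following is an added example written for this thread, not code posted in it and not Dovecot's own code. It parses the maildirsize file Nick posted, compares it with the four message sizes from his `ls -la`, and replays those four messages as if Dovecot LDA had delivered them. The crossing rule ("an accepted save fires each warning whose threshold it rises past; a refused save fires nothing") is an assumption consistent with the thread, not a reading of Dovecot's source.

```python
"""Maildir++ quota accounting, modelled the way Dovecot's quota plugin applies it.

Added example for this thread, not code from the thread or from Dovecot.
MAILDIRSIZE_FROM_THREAD and FILES_ON_DISK are copied from the listing Nick
posted; any other delivery sequence fed to simulate() is constructed. The
warning rule (an accepted save fires when it takes usage from below a
threshold to at or above it; a refused save fires nothing) is an assumption
about Dovecot's behaviour that matches the thread, not its source code.
"""
from typing import Dict, List, Tuple

# maildirsize as posted: a 100 KiB byte limit ("102400S") and one "0 0" usage record.
MAILDIRSIZE_FROM_THREAD = "102400S\n0 0\n"

# Byte sizes of the four files in Maildir/new from the `ls -la` in the thread.
FILES_ON_DISK = [4397, 13433, 12621, 174648]

# Percentages from the two quota_warning rules in the mail_debug log.
WARNING_THRESHOLDS = (75, 90)


def parse_maildirsize(text: str) -> Tuple[int, int, int, int]:
    """Return (limit_bytes, limit_count, used_bytes, used_count).

    Line 1 is the quota definition, e.g. "102400S" or "102400S,1000C" (0 means
    no limit). Every later line is a "<bytes> <count>" delta appended by a
    delivery (positive) or an expunge (negative); current usage is their sum.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty maildirsize")
    limit_bytes = limit_count = 0
    for token in lines[0].split(","):
        token = token.strip()
        if token.endswith("S"):
            limit_bytes = int(token[:-1])
        elif token.endswith("C"):
            limit_count = int(token[:-1])
        else:
            raise ValueError(f"bad quota definition token: {token!r}")
    used_bytes = used_count = 0
    for ln in lines[1:]:
        delta_bytes, delta_count = ln.split()
        used_bytes += int(delta_bytes)
        used_count += int(delta_count)
    return limit_bytes, limit_count, used_bytes, used_count


def deliver(used: int, size: int, limit: int,
            thresholds: Tuple[int, ...] = WARNING_THRESHOLDS) -> Tuple[bool, int, List[int]]:
    """Model one LDA save against a byte limit.

    Returns (accepted, used_after, warnings_fired). A save that would exceed
    the limit is refused and fires nothing (assumption, see module docstring);
    an accepted save fires every warning whose threshold it crosses upwards.
    """
    if limit and used + size > limit:
        return False, used, []
    used_after = used + size
    fired = [pct for pct in thresholds if used < limit * pct // 100 <= used_after]
    return True, used_after, fired


def simulate(sizes: List[int], limit: int, used: int = 0) -> List[Dict]:
    """Replay deliveries in order, as Dovecot LDA would have, logging each outcome."""
    log = []
    for size in sizes:
        accepted, used, fired = deliver(used, size, limit)
        log.append({"size": size, "accepted": accepted, "used": used, "warnings": fired})
    return log


if __name__ == "__main__":
    limit, _, used, _ = parse_maildirsize(MAILDIRSIZE_FROM_THREAD)
    print(f"Dovecot's view from maildirsize: {used} of {limit} bytes used")
    print(f"Actually in Maildir/new (written by Postfix directly): {sum(FILES_ON_DISK)} bytes")
    print("What Dovecot LDA would have done with the same four messages:")
    for entry in simulate(FILES_ON_DISK, limit):
        print(" ", entry)
```

Run as-is it reports 0 bytes used according to maildirsize against 205099 bytes actually on disk, which is exactly the mismatch in the thread: nothing Postfix wrote ever went through Dovecot's accounting. In the replay, the first three messages are accepted without reaching the 76800-byte (75%) threshold and the 174648-byte message is refused outright, so no warning command would have run even with Dovecot LDA in place; the warnings only appear for a sequence whose accepted saves step past 75% and 90%.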
Thank you Timo,
I understand now.
I am checking the documentation at: http://wiki.dovecot.org/LDA which states to define (in socket listen { master { }):
path = /var/run/dovecot/auth-master
Obviously auth-master is a socket and created on the fly (?)
For this to work properly, must we have *already* correctly configured Postfix (according to http://wiki.dovecot.org/LDA/Postfix for virtual users)? I am asking because I remember that, in the past, when I was initially setting up Dovecot, I got errors when I configured a master { } socket (according to directions I found in a Dovecot setup guide), so I disabled it (commented it out) and left only the client part (for Postfix SMTP AUTH).
Also, the line:
deliver -f $FROM_ENVELOPE -d $DEST_USERNAME
should be put in the main ("root") part of dovecot.conf?
Thanks, Nick
On 22/2/2011 11:33 PM, Timo Sirainen wrote:
Postfix completely ignores quotas limits, warnings and everything else you've set in Dovecot! You need to be using Dovecot LDA. http://wiki.dovecot.org/LDA
Also, as my virtual mail user:group is vmail:vmail, should I change permissions in auth-master path (/var/run/dovecot)?
# ls -la /var/run/dovecot/
total 28
drwxr-xr-x 3 root dovecot 4096 Feb 22 23:32 .
drwxr-xr-x 23 root root 4096 Feb 23 08:36 ..
srw------- 1 root root 0 Feb 22 23:32 auth-worker.7282
srwxrwxrwx 1 root root 0 Feb 16 18:01 dict-server
lrwxrwxrwx 1 root root 17 Feb 16 18:01 dovecot.conf -> /etc/dovecot.conf
drwxr-x--- 2 root dovecot 4096 Feb 22 23:32 login
-rw------- 1 root root 6 Feb 16 18:01 master.pid
and in /var/run:
...
drwxr-xr-x 3 root dovecot 4096 Feb 22 23:32 dovecot
...
Should we change to 777 so that vmail user (under which deliver will be running) has access to the above locations? If so, could there be security implications?
Thanks, Nick
On 23/2/2011 10:01 AM, Nikolaos Milas wrote:
Obviously auth-master is a socket and created on the fly (?)
On Wed, 2011-02-23 at 10:50 +0200, Nikolaos Milas wrote:
Also, as my virtual mail user:group is vmail:vmail, should I change permissions in auth-master path (/var/run/dovecot)?
You can do it as explained in http://wiki.dovecot.org/LDA#Virtual_users, see especially the part with:
user = vmail # User running deliver
Having received no reply on this, and trying to find my way through, I came to the hypothesis that the mentioned line should go where we do userdb lookups:
So in /etc/dovecot-passdb-ldap.conf (which is identical to /etc/dovecot-usrdb-ldap.conf), we should add:
hosts = localhost
tls = no
base = ou=people, dc=example, dc=com
scope = subtree
ldap_version = 3
dn = uid=authenticate,ou=System,dc=example,dc=com
dnpass = *************
auth_bind = yes
user_filter = (uid=%u)
pass_filter = (uid=%u)
pass_attrs = uid=user,userPassword=password
auth_bind_userdn = uid=%u,ou=people,dc=example,dc=com
user_attrs = roomNumber=quota_rule=*:bytes=%$,uid=home=/home/vmail/%u
deliver -f $FROM_ENVELOPE -d $DEST_USERNAME
So, we change the last line from: user_attrs = roomNumber=quota_rule=*:bytes=%$,uid=home=/home/vmail/%u to: user_attrs = roomNumber=quota_rule=*:bytes=%$,uid=home=/home/vmail/%u deliver -f $FROM_ENVELOPE -d $DEST_USERNAME
Is this correct?
If not, can someone please clarify where exactly "deliver -f $FROM_ENVELOPE -d $DEST_USERNAME" should be called (when we do userdb lookups over LDAP)?
Thanks, Nick
On 23/2/2011 10:01 AM, Nikolaos Milas wrote:
Also, the line:
deliver -f $FROM_ENVELOPE -d $DEST_USERNAME
should be put in the main ("root") part of dovecot.conf?
On Fri, 2011-02-25 at 13:04 +0200, Nikolaos Milas wrote:
If not, can someone please clarify where exactly "deliver -f $FROM_ENVELOPE -d $DEST_USERNAME" should be called (when we do userdb lookups over LDAP)?
deliver needs to be called by Postfix. http://wiki.dovecot.org/LDA/Postfix
Thanks Timo,
In the end, I figured things out.
Below are the changes to my initial configuration; now everything works fine.
Just a note about a detail which took me some time to sort out: In postfix master.cf, in LDA setup documentation, the suggested configuration is:
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
However, in my case, the working solution uses {user} rather than {recipient}, as - at the end - we just use the username for mailbox delivery and {recipient} is inappropriate in this context. I feel that this scenario is not rare in postfix/dovecot/LDAP implementations.
Config file changes follow:
# /etc/postfix/main.cf
mailbox_command = /usr/lib/dovecot/deliver
...
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot
# /etc/postfix/master.cf
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}
# /etc/dovecot.conf
protocol lda {
  postmaster_address = postmaster@noa.gr
  sendmail_path = /usr/lib/sendmail
  auth_socket_path = /var/run/dovecot/auth-master
  log_path =
  info_log_path =
  mail_plugins = quota
}
# /etc/dovecot.conf, in listen {...
master {
  path = /var/run/dovecot/auth-master
  mode = 0660
  user = vmail
  group = vmail
}
Thanks again, Nick
On 28/2/2011 5:19 PM, Timo Sirainen wrote:
deliver needs to be called by Postfix. http://wiki.dovecot.org/LDA/Postfix
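Nick's earlier question (whether to open /var/run/dovecot up to 0777 so the vmail user can reach the socket) is answered by the final master { } stanza: the socket itself is created with mode 0660 and owned by vmail:vmail, so nothing needs to be world-writable. The following is an added example, not code from the thread or from Dovecot, that audits a socket path for exactly what that stanza promises: it exists, it is a socket, it grants nothing beyond 0660 and nothing to "other", and it belongs to the user and group that run deliver. The default path, user and group are the thread's values; demo() creates throwaway sockets in a temporary directory so the check can be exercised on a machine without Dovecot.

```python
"""Audit the Dovecot master auth socket against the thread's final configuration.

Added example, not code from the thread or from Dovecot. The final
dovecot.conf in the thread creates the socket as
    master { path = /var/run/dovecot/auth-master  mode = 0660  user = vmail  group = vmail }
after asking whether 0777 would be an acceptable shortcut. audit_auth_socket()
checks a path for those properties; demo() builds a 0777 and a 0660 socket
in a temp dir (constructed test fixtures) and audits both plus a missing path.
"""
import grp
import os
import pwd
import socket
import stat
import tempfile
from typing import List, Tuple


def _owner_names(uid: int, gid: int) -> Tuple[str, str]:
    """Resolve uid/gid to names, falling back to the number if unknown (e.g. in containers)."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return user, group


def audit_auth_socket(path: str = "/var/run/dovecot/auth-master", user: str = "vmail",
                      group: str = "vmail", max_mode: int = 0o660) -> List[str]:
    """Return findings for `path`; an empty list means it matches the expected stanza."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing (master socket listener not configured, or dovecot not running)"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: not a socket")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:
        findings.append(f"{path}: mode {mode:04o} grants more than {max_mode:04o}")
    if mode & stat.S_IRWXO:
        # The master socket answers userdb lookups without a password; world access
        # lets any local process query every user's home, uid and quota attributes.
        findings.append(f"{path}: world-accessible")
    owner, grpname = _owner_names(st.st_uid, st.st_gid)
    if owner != user:
        findings.append(f"{path}: owned by {owner}, expected {user}")
    if grpname != group:
        findings.append(f"{path}: group {grpname}, expected {group}")
    return findings


def make_socket_for_test(directory: str, name: str, mode: int) -> str:
    """Create a real UNIX socket file with the given mode, to exercise the audit."""
    path = os.path.join(directory, name)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()          # closing keeps the filesystem entry; only unlink removes it
    os.chmod(path, mode)
    return path


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Audit a 0777 socket (the shortcut asked about), a 0660 one, and a missing path."""
    me, my_group = _owner_names(os.getuid(), os.getgid())
    with tempfile.TemporaryDirectory() as d:
        loose = make_socket_for_test(d, "auth-master-777", 0o777)
        tight = make_socket_for_test(d, "auth-master-660", 0o660)
        return (audit_auth_socket(loose, me, my_group),
                audit_auth_socket(tight, me, my_group),
                audit_auth_socket(os.path.join(d, "absent"), me, my_group))


if __name__ == "__main__":
    for label, findings in zip(("0777", "0660", "missing"), demo()):
        print(label, "->", findings or ["ok"])
```

On a real host, run audit_auth_socket() with the defaults after starting Dovecot with the stanza above; the 0660 socket owned by vmail:vmail passes, while the 0777 alternative produces two findings, because the master socket is an unauthenticated userdb interface and should be reachable only by the account that runs deliver.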
participants (3)
- Nikolaos Milas
- Timo Sirainen
- 邓卫华