doveadm_allowed_commands doesn't work as expected
Trying to limit the API calls to doveadm-http-api by configuring allowed commands, but once the commands are added to the list, the REST API no longer works.
- Return correct reply when doveadm_allowed_commands is empty

curl -k -H "Content-Type: application/json" -H "Authorization: X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 -d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'

[["doveadmResponse",[{"root":"User quota","type":"STORAGE","value":"0","limit":1024","percent":"0"},{"root":"Userquota","type":"MESSAGE","value":"0","limit":"-","percent":"0"}],"c01"]]

- Return unAuthorized when doveadm_allowed_commands = quotaGet,quotaRecalc,expunge

curl -k -H "Content-Type: application/json" -H "Authorization: X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 -d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'

[["error",{"type":"unAuthorized", "exitCode":0},"c01"]]
Here is my config,
# uname -a
Linux ad92422d8e94 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47 UTC 2018 x86_64 Linux
# free -m
             total       used       free     shared    buffers     cached
Mem:         15885       7133       8751          0          1       4374
-/+ buffers/cache:       2758      13126
Swap:            0          0          0

/ # dovecot -n
# 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.2 (7704de5e)
# OS: Linux 3.10.0-862.2.3.el7.x86_64 x86_64 xfs
# Hostname: ad92422d8e94
auth_mechanisms = plain login
doveadm_allowed_commands = quotaGet,quotaRecalc,expunge
doveadm_api_key = # hidden, use -P to show it
hostname = mailhost.mydomain.com
info_log_path = /dev/stdout
lda_mailbox_autosubscribe = yes
log_path = /dev/stderr
login_greeting = Dovecot ready.
mail_gid = vmail
mail_home = /var/vmail/%d/%n
mail_location = maildir:/var/vmail/%d/%n/Maildir
mail_plugins = " quota zlib"
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  quota = maildir:User quota
  quota_exceeded_message = User %u has exhausted allowed storage space.
  recipient_delimiter = -
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/global/spam-to-folder.sieve
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/lib/dovecot/sieve
  sieve_pipe_exec_timeout = 60s
  sieve_plugins = sieve_imapsieve sieve_extprograms
  zlib_save = gz
  zlib_save_level = 6
}
postmaster_address = postmaster@mydomain.com
protocols = lmtp imap pop3 sieve
recipient_delimiter = -
service auth {
  inet_listener {
    port = 9000
  }
}
service doveadm {
  client_limit = 1
  drop_priv_before_exec = no
  executable = doveadm-server
  extra_groups = $default_internal_group
  inet_listener http {
    port = 9088
    ssl = yes
  }
  service_count = 1
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl_cert = </etc/tls/mailserver.crt
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
submission_host = mta-host.mydomain.com
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = " quota zlib sieve"
}
protocol imap {
  mail_plugins = " quota zlib imap_sieve imap_quota imap_zlib"
}
On 03 January 2019 at 22:45 Ronald Poon <ronaldpoon@ud.hk> wrote:
> Trying to limit the API calls to doveadm-http-api by configuring allowed commands, but once the commands are added to the list, the REST API no longer works.
>
> - Return correct reply when doveadm_allowed_commands is empty
>
> curl -k -H "Content-Type: application/json" -H "Authorization: X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 -d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'
>
> [["doveadmResponse",[{"root":"User quota","type":"STORAGE","value":"0","limit":1024","percent":"0"},{"root":"Userquota","type":"MESSAGE","value":"0","limit":"-","percent":"0"}],"c01"]]
>
> - Return unAuthorized when doveadm_allowed_commands = quotaGet,quotaRecalc,expunge
>
> curl -k -H "Content-Type: application/json" -H "Authorization: X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 -d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'
>
> [["error",{"type":"unAuthorized", "exitCode":0},"c01"]]
This is mostly because v1 API is not so fantastic. Try
doveadm_allowed_commands="quota get,quota recalc,expunge"
Aki
Err...! I thought it was matching the API commands; instead, it matches doveadm CLI commands.
Thank you so much,
Ronald
On 4/1/2019 5:02 AM, Aki Tuomi wrote:
> On 03 January 2019 at 22:45 Ronald Poon <ronaldpoon@ud.hk> wrote:
> > Trying to limit the API calls to doveadm-http-api by configuring allowed commands, but once the commands are added to the list, the REST API no longer works.
> >
> > - Return correct reply when doveadm_allowed_commands is empty
> >
> > curl -k -H "Content-Type: application/json" -H "Authorization: X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 -d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'
> >
> > [["doveadmResponse",[{"root":"User quota","type":"STORAGE","value":"0","limit":1024","percent":"0"},{"root":"Userquota","type":"MESSAGE","value":"0","limit":"-","percent":"0"}],"c01"]]
> >
> > - Return unAuthorized when doveadm_allowed_commands = quotaGet,quotaRecalc,expunge
> >
> > curl -k -H "Content-Type: application/json" -H "Authorization: X-Dovecot-API <base64 api key>" https://localhost:9088/doveadm/v1 -d'[["quotaGet",{"user":"user1@mydomain.com"},"c01"]]'
> >
> > [["error",{"type":"unAuthorized", "exitCode":0},"c01"]]
>
> This is mostly because v1 API is not so fantastic. Try
> doveadm_allowed_commands="quota get,quota recalc,expunge"
> Aki
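
Added example (not part of the original thread and not Dovecot code): a small Python check for the mismatch resolved above, which reads doveadm_allowed_commands from configuration text and flags entries written as HTTP API v1 names instead of doveadm CLI names. The camelCase-to-CLI conversion is an assumption generalized from the two pairs in this thread (quotaGet, quotaRecalc) and is not confirmed for other commands; the sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample: the allowlist exactly as posted in the thread.
SAMPLE_CONF = """\
doveadm_api_key = # hidden, use -P to show it
doveadm_allowed_commands = quotaGet,quotaRecalc,expunge
"""

# Only spaces/tabs around '=' so an empty value cannot swallow the next line.
SETTING = re.compile(r'^[ \t]*doveadm_allowed_commands[ \t]*=[ \t]*(.*)$', re.M)


def allowed_commands(conf_text):
    """Return the allowlist entries, or [] when the setting is unset or empty."""
    m = SETTING.search(conf_text)
    if not m:
        return []
    value = m.group(1).strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # the setting may be written as a quoted string
    return [e.strip() for e in value.split(',') if e.strip()]


def cli_form(entry):
    """Assumed mapping: split a camelCase API v1 name at capitals, lower-case it."""
    return re.sub(r'(?<=[a-z0-9])(?=[A-Z])', ' ', entry).lower()


def lint(conf_text):
    """Return (entry, suggested CLI name) for entries that look like API v1 names."""
    return [(e, cli_form(e)) for e in allowed_commands(conf_text)
            if re.search(r'[a-z0-9][A-Z]', e)]


def fixed_value(conf_text):
    """Allowlist value rewritten with CLI-style names."""
    return ','.join(cli_form(e) for e in allowed_commands(conf_text))


if __name__ == '__main__':
    for entry, suggestion in lint(SAMPLE_CONF):
        print(f'{entry!r} looks like an HTTP API name; try {suggestion!r}')
    print(f'doveadm_allowed_commands="{fixed_value(SAMPLE_CONF)}"')
```
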
participants (2)
- Aki Tuomi
- Ronald Poon