[Dovecot] Master user creds for proxy stored statically/locally?
I have successfully set up the master user on the destination server (2.0.11) and tests have worked. Now I'm working on the proxy. Before, I had the proxy just forward everything to the backend and had the destination server do the authentication.
My authentication is done via LDAP, but I'm not really sure how to append the master user and password to the user's credentials after authentication is done. I'd rather not have the master user/pass in each user's LDAP entry and returned after doing a lookup, or add a destuser field for each user... basically I prefer not having to add any new attributes to LDAP.
Can the information be stored locally in a file on the proxy? Do I just make the same master user file that I have on the backend?
Thanks!
On Sun, Mar 13, 2011 at 03:26:58PM -0400, Edward Carraro wrote:
I have successfully set up the master user on the destination server (2.0.11) and tests have worked. Now I'm working on the proxy. Before, I had the proxy just forward everything to the backend and had the destination server do the authentication.
My authentication is done via LDAP, but I'm not really sure how to append the master user and password to the user's credentials after authentication is done.
You should not save the master user's credentials with the mail user credentials. Instead you should use a dedicated userdb and passdb.
For further reference have a look at http://wiki2.dovecot.org/Authentication/MasterUsers.
I'd rather not have the master user/pass in each user's LDAP entry and returned after doing a lookup, or add a destuser field for each user... basically I prefer not having to add any new attributes to LDAP.
Can the information be stored locally in a file on the proxy? Do I just make the same master user file that I have on the backend?
I don't understand your question. You can either forward plaintext credentials to your backend or authenticate on your proxy and go with the proxy's master user to your backend (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy).
Dennis
Thanks for the reply Dennis
On Sun, Mar 13, 2011 at 7:19 PM, Dennis Guhl dg@dguhl.org wrote:
You should not save the master user's credentials with the mail user credentials. Instead you should use a dedicated userdb and passdb.
For further reference have a look at http://wiki2.dovecot.org/Authentication/MasterUsers.
I created the htpasswd file on the destination server already. Does it also need to be done on the proxy?
I don't understand your question. You can either forward plaintext credentials to your backend or authenticate on your proxy and go with the proxy's master user to your backend (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy).
Dennis
I'm trying to authenticate on the proxy and use the master user to connect to the backend, just not sure how that's done. The link for ExtraFields says I need to return: master=s and pass=s
How do I state the user/pass for the master?
I've compiled my proxy with ldap support and created the same master user on the proxy that exists on the destination server.
I can telnet on the proxy still, but now it's just creating user home directories on the proxy, and not going to the backend at all.
My proxy config
# 2.0.11: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-openvz-amd64 i686 Debian 5.0.8
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_mechanisms = plain login
auth_socket_path = /usr/local/var/run/dovecot/auth-master
auth_verbose = yes
debug_log_path = /var/log/dovecot-debug.log
director_doveadm_port = 542
director_mail_servers = mailstore.domain.com
director_servers = proxy.domain.com
disable_plaintext_auth = no
info_log_path = /var/log/dovecot-info.log
listen = *
lmtp_proxy = yes
log_path = /var/log/dovecot-err.log
mail_debug = yes
mail_gid = vmail
mail_location = maildir:%h/Maildir
mail_plugins = " quota"
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
passdb {
  args = /usr/local/etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin/acl = vfile
plugin/acl_shared_dict = file:/home/%d/shared-mailboxes
plugin/quota = maildir:User quota
plugin/quota_rule = *:storage=1G
plugin/sieve = %h/.dovecot.sieve
plugin/sieve_dir = ~/sieve
plugin/sieve_max_actions = 32
plugin/sieve_max_redirects = 4
plugin/sieve_max_script_size = 1M
plugin/sieve_quota_max_scripts = 0
plugin/sieve_quota_max_storage = 0
postmaster_address = postmaster@domain.com
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = dovecot
  }
}
service director {
  fifo_listener login/proxy-notify {
    mode = 0666
  }
  inet_listener {
    port = 541
  }
  inet_listener {
    port = 542
  }
  unix_listener director-userdb {
    mode = 0600
  }
  unix_listener login/director {
    mode = 0666
  }
}
service imap-login {
  executable = imap-login director
  inet_listener imap {
    port = 143
  }
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    user = postfix
  }
}
service managesieve-login {
  executable = managesieve-login director
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  executable = pop3-login director
  inet_listener pop3 {
    port = 110
  }
}
ssl_cert =
Sorry for not coming back to you earlier than this.
On Sun, Mar 13, 2011 at 10:35:57PM -0400, Edward Carraro wrote:
Thanks for the reply Dennis
On Sun, Mar 13, 2011 at 7:19 PM, Dennis Guhl dg@dguhl.org wrote:
You should not save the master user's credentials with the mail user credentials. Instead you should use a dedicated userdb and passdb.
For further reference have a look at http://wiki2.dovecot.org/Authentication/MasterUsers.
I created the htpasswd file on the destination server already. Does it also need to be done on the proxy?
What do you mean here? Did you create a file like passwd.masterusers with Apache's htpasswd(1) according to the wiki?
What is your configuration for the master user on the proxy destination?
I don't understand your question. You can either forward plaintext credentials to your backend or authenticate on your proxy and go with the proxy's master user to your backend (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy).
Dennis
I'm trying to authenticate on the proxy and use the master user to connect to the backend, just not sure how that's done.
This makes it a little tricky for me to help you. Since I use dovecot 1.2 with password forwarding and MySQL instead of LDAP I am unable to verify or test my suggestions.
The link for ExtraFields says I need to return: master=s and pass=s
How do I state the user/pass for the master?
I've compiled my proxy with ldap support and created the same master user on the proxy that exists on the destination server.
I can telnet on the proxy still, but now it's just creating user home directories on the proxy, and not going to the backend at all.
My proxy config
# 2.0.11: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-openvz-amd64 i686 Debian 5.0.8
[..]
auth_master_user_separator = *
[..]
passdb {
  args = /usr/local/etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
Both this you need on your backend.
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
[..]
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
In your /usr/local/etc/dovecot/dovecot-ldap.conf.ext you need to query for the user's username and password as always. In conjunction with this you query for the additional fields or give back the static values.
This could be something like this:
pass_attrs=uid=user, userPassword=password, =proxy=y, hostName=host, =master=your_master_username, =pass=your_master_users_password
Dennis
Sorry for getting back a bit late myself
On Wed, Mar 16, 2011 at 8:00 AM, Dennis Guhl dg@dguhl.org wrote:
What do you mean here? Did you create a file like passwd.masterusers with Apache's htpasswd(1) according to the wiki?
Yes, I created the passwd file on both proxy and destination server (same user and pass on both)
In your /usr/local/etc/dovecot/dovecot-ldap.conf.ext you need to query for the user's username and password as always. In conjunction with this you query for the additional fields or give back the static values.
This could be something like this:
pass_attrs=uid=user, userPassword=password, =proxy=y, hostName=host, =master=your_master_username, =pass=your_master_users_password
Ah, that's the part I was missing... the static values.
H'mm ok. I think it's working now on the proxy, but when I telnet from the proxy as the user, since it's now authenticating as the master user, it doesn't show anything in LIST. I think I read somewhere that it's supposed to be like that since it's the master logging in... but if that's the case, how would the user get his inbox if they login as master?
On Mon, 2011-03-21 at 11:28 -0400, Edward Carraro wrote:
H'mm ok. I think it's working now on the proxy, but when I telnet from the proxy as the user, since it's now authenticating as the master user, it doesn't show anything in LIST. I think I read somewhere that it's supposed to be like that since it's the master logging in... but if that's the case, how would the user get his inbox if they login as master?
If ACL plugin is enabled then yes, you'll have some trouble. Currently there is unfortunately no way to just give permissions to all mailboxes for a master user. But you could just not tell Dovecot's imap process that a master user is logging in. In the backend's userdb query you should be able to return master_user=%u.
On Mon, Mar 21, 2011 at 12:27 PM, Timo Sirainen tss@iki.fi wrote:
If ACL plugin is enabled then yes, you'll have some trouble. Currently there is unfortunately no way to just give permissions to all mailboxes for a master user. But you could just not tell Dovecot's imap process that a master user is logging in. In the backend's userdb query you should be able to return master_user=%u.
Hey Timo,
Yea I have ACLs for sharing folders.
Not sure if I added it in the correct location on the backend... in dovecot-ldap.conf.ext:
user_attrs = homeDirectory=home,master_user=%u
Still the same thing when I login on the proxy; the debug on the backend says for all folders the user has:
Debug: acl: Mailbox not in dovecot-acl-list: Trash
Debug: acl: Mailbox not in dovecot-acl-list: Drafts
Debug: acl: Mailbox not in dovecot-acl-list: INBOX
On Mon, Mar 21, 2011 at 2:06 PM, Timo Sirainen tss@iki.fi wrote:
=master_user=%u
same thing with or without the = in front
I noticed that there are two master_users with different values in debug
Mar 21 18:09:49 auth: Info: passdb(doveadmin,192.168.12.209,master): Master user logging in as user@domain.com
Mar 21 18:09:49 imap-login: Info: Login: user=user@domain.com, method=PLAIN, rip=192.168.12.209, lip=192.168.12.205, mpid=25147
[...]
Mar 21 18:09:49 auth: Debug: master out: USER 3253338113 user@domain.com home=/home/domain.com/user@domain.com master_user=user@domain.com master_user=doveadmin
[...]
Mar 21 18:09:49 imap(user@domain.com): Debug: acl: acl username = doveadmin
[...]
On 21.3.2011, at 20.16, Edward Carraro wrote:
=master_user=%u
same thing with or without the = in front
I noticed that there are two master_users with different values in debug
Yes, it's a bit kludgy way.
Mar 21 18:09:49 auth: Debug: master out: USER 3253338113 user@domain.com home=/home/domain.com/user@domain.com master_user=user@domain.com master_user=doveadmin
Too bad the fields are in wrong order now. I think it was the other way around in v1.x so it just happened to work there. So either there needs to be some code changes, or you could alternatively create a post-login script that sets the master_user. http://wiki2.dovecot.org/PostLoginScripting
On Mon, Mar 21, 2011 at 2:20 PM, Timo Sirainen tss@iki.fi wrote:
Too bad the fields are in wrong order now. I think it was the other way around in v1.x so it just happened to work there. So either there needs to be some code changes, or you could alternatively create a post-login script that sets the master_user. http://wiki2.dovecot.org/PostLoginScripting
Trying to do the postlogin script but I get
script-login: Fatal: execvp(/usr/local/bin/postlogin.sh) failed: Permission denied
I tried with user = $default_internal_user (which is dovecot) and then with it set to vmail. I changed the perms on the actual file to 777 and owned by vmail and dovecot, but again, same thing.
This is the same location I have quota-warning.sh running (owned by vmail).
Also, to change the master user, is it just the following?
cat postlogin.sh
#!/bin/sh
=master_user = %u
On 21.3.2011, at 20.52, Edward Carraro wrote:
script-login: Fatal: execvp(/usr/local/bin/postlogin.sh) failed: Permission denied
I tried with user = $default_internal_user (which is dovecot) and then with it set to vmail. I changed the perms on the actual file to 777 and owned by vmail and dovecot, but again, same thing.
Well, that's a bit strange. What's your doveconf -n output now? Do you have something like SELinux enabled?
Also, to change the master user, is it just the following?
cat postlogin.sh
#!/bin/sh
=master_user = %u
No, you need something like:
#!/bin/sh
export MASTER_USER=$USER
export USERDB_KEYS="$USERDB_KEYS master_user"
exec "$@"
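The script Timo sketches above, written out as a complete post-login script. This is an added example, not code from the thread or from Dovecot, and it assumes what the PostLoginScripting wiki page linked earlier describes: script-login passes the login name in $USER and the space-separated userdb field names in $USERDB_KEYS, every field name maps to an upper-cased environment variable (so master_user is $MASTER_USER), and the script has to end by exec'ing the real imap process given as its arguments. It is meant to sit at the path Edward's config uses, /usr/local/bin/postlogin.sh, under service imap-postlogin.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): post-login script for
# Dovecot script-login that makes the master-user session look like a normal
# login of the mailbox owner, so the ACL plugin checks the owner's rights.
#
# Assumed script-login contract (from the PostLoginScripting wiki page):
#   $USER         login user name
#   $USERDB_KEYS  space-separated userdb field names; field "master_user"
#                 is carried in the variable $MASTER_USER
#   "$@"          the real imap command, which we must exec at the end

# Print KEYS with KEY appended exactly once. Edward's debug output shows the
# backend userdb already returning a master_user field, in which case the
# key is already listed and must not be added a second time.
add_userdb_key() {
    keys="$1"
    key="$2"
    if [ -z "$keys" ]; then
        printf '%s' "$key"
        return 0
    fi
    case " $keys " in
        *" $key "*) printf '%s' "$keys" ;;
        *)          printf '%s %s' "$keys" "$key" ;;
    esac
}

# Only act when script-login invoked us with the imap binary as arguments;
# with no arguments (e.g. when sourced for a test) the script does nothing.
if [ "$#" -gt 0 ]; then
    # Overwrite whatever master_user the userdb returned with the real user.
    MASTER_USER=$USER
    export MASTER_USER
    # Make sure master_user is exported back to Dovecot as a userdb field.
    USERDB_KEYS=$(add_userdb_key "${USERDB_KEYS:-}" master_user)
    export USERDB_KEYS
    exec "$@"
fi
```

Like Timo's version it runs for every IMAP login, not just master logins; for an ordinary login it sets master_user to the user's own name, which leaves the ACL identity unchanged. The one thing it adds is the idempotent append, so the USERDB_KEYS list stays clean whether or not the backend userdb already returned master_user.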
On Mon, Mar 21, 2011 at 3:20 PM, Timo Sirainen tss@iki.fi wrote:
Well, that's a bit strange. What's your doveconf -n output now?
# 2.0.11: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.26-2-openvz-amd64 i686 Debian 5.0.8
auth_debug = yes
auth_master_user_separator = *
auth_socket_path = /usr/local/var/run/dovecot/auth-userdb
debug_log_path = /var/log/dovecot-debug.log
disable_plaintext_auth = no
info_log_path = /var/log/dovecot-info.log
listen = *
log_path = /var/log/dovecot-err.log
mail_debug = yes
mail_gid = vmail
mail_location = maildir:%h/Maildir
mail_plugins = " quota"
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
namespace {
  hidden = no
  inbox = yes
  list = yes
  location =
  prefix =
  separator = .
  subscriptions = yes
  type = private
}
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=%h/Maildir/shared/%%u
  prefix = shared.%%u.
  separator = .
  subscriptions = no
  type = shared
}
passdb {
  args = /usr/local/etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin/acl = vfile
plugin/acl_shared_dict = file:/home/%d/shared-mailboxes
plugin/quota = maildir:User quota
plugin/quota_rule = *:storage=1G
plugin/quota_warning = storage=95%% quota-warning 95 %u %d
plugin/quota_warning2 = storage=80%% quota-warning 80 %u %d
plugin/sieve = %h/.dovecot.sieve
plugin/sieve_dir = ~/sieve
plugin/sieve_max_actions = 32
plugin/sieve_max_redirects = 4
plugin/sieve_max_script_size = 1M
plugin/sieve_quota_max_scripts = 0
plugin/sieve_quota_max_storage = 0
postmaster_address = postmaster@domain.com
protocols = imap pop3 lmtp sieve
quota_full_tempfail = yes
service auth {
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = dovecot
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/postlogin.sh
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}
ssl = no
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = " quota quota sieve"
}
protocol lda {
  info_log_path = /var/log/dovecot-lda.log
  log_path = /var/log/dovecot-lda-errors.log
  mail_plugins = " quota sieve"
}
protocol imap {
  mail_max_userip_connections = 20
  mail_plugins = " quota imap_quota imap_acl acl"
}
protocol sieve {
  mail_debug = yes
  mail_max_userip_connections = 10
  mail_plugins =
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
  managesieve_notify_capability =
  managesieve_sieve_capability =
}
protocol pop3 {
  mail_max_userip_connections = 20
  mail_plugins = " quota quota"
  pop3_fast_size_lookups = no
  pop3_uidl_format = %08Xu%08Xv
}
Do you have something like SELinux enabled?
Nope. Packages aren't installed on my Debian box.
On Tue, Mar 22, 2011 at 12:54 PM, Timo Sirainen tss@iki.fi wrote:
On 21.3.2011, at 20.52, Edward Carraro wrote:
script-login: Fatal: execvp(/usr/local/bin/postlogin.sh) failed: Permission denied
It's working! I re-examined my file and I had two postlogin.sh scripts (in different locations); the one being used by dovecot didn't have the correct permissions on it (I 777'ed the wrong one).
So far everything looks good.
Proxy authenticates the user, then connects to the backend as the master user. The script then changes the master user back to the real user to access their folders.
Thanks for the help Timo and Dennis
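The "execvp(...) failed: Permission denied" detour above came down to chmod'ing a different copy of postlogin.sh than the one named in doveconf -n. The following check, an added example rather than anything from the thread or from Dovecot, reads the executable path for a given service out of doveconf -n output and then verifies that exact file exists, is a regular executable file and starts with an interpreter line. It assumes the service block layout shown in Edward's config ("service NAME {", an "executable = script-login /path" or "executable = script /path" line, nested listener blocks); the sample config embedded below is constructed from that output.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): verify that the
# script Dovecot will actually exec for a service is the one you fixed.

# Constructed sample, modelled on the doveconf -n output in the thread.
SAMPLE_CONF='service imap-postlogin {
  executable = script-login /usr/local/bin/postlogin.sh
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    user = vmail
  }
  user = dovecot
}'

# script_path_for_service NAME: read doveconf -n text on stdin and print the
# script path from "executable = script-login PATH" / "executable = script PATH"
# inside "service NAME { ... }". Brace depth is tracked so nested listener
# blocks inside the service do not end the search early.
script_path_for_service() {
    awk -v svc="$1" '
        /\{[ \t]*$/ {
            depth++
            if (depth == 1 && $1 == "service" && $2 == svc) target = 1
            next
        }
        /^[ \t]*\}/ {
            depth--
            if (depth == 0) target = 0
            next
        }
        target && $1 == "executable" && ($3 == "script-login" || $3 == "script") {
            print $4
            exit
        }
    '
}

# check_script PATH: 0 if Dovecot could exec it, a non-zero reason code
# otherwise (1 missing, 2 not a regular file, 3 not executable,
# 4 no interpreter line, which also produces a Permission denied style failure).
check_script() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "$path: does not exist (did you edit a copy at another path?)"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 2
    fi
    if [ ! -x "$path" ]; then
        echo "$path: not executable (chmod 0755 this file, not another copy)"
        return 3
    fi
    if ! head -n 1 "$path" | grep -q '^#!'; then
        echo "$path: missing #! interpreter line"
        return 4
    fi
    echo "$path: ok"
    return 0
}

# Usage on a live system: ./check_postlogin.sh imap-postlogin
# (runs doveconf -n and checks the configured path). With no arguments the
# functions are only defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    path=$(doveconf -n | script_path_for_service "$1")
    if [ -z "$path" ]; then
        echo "service $1: no script-login/script executable found"
        exit 1
    fi
    check_script "$path"
fi
```

The point of going through doveconf -n rather than a path typed by hand is the failure mode in the thread: the path Dovecot uses is the only one whose permissions matter, and doveconf -n is where that path is visible.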
participants (3): Dennis Guhl, Edward Carraro, Timo Sirainen