lmtp and virtual users
Good afternoon.
I have dovecot setup to authenticate virtual users using either gssapi or doind a bind to an ldap server to achieve a single sign on capable imap server connected to a samba active directory DC. What I am also trying to achieve is to have dovecot's lmtp daemon handle the mails passed from postfix. However, the only way I've gotten this to work is setting allow_all_users = yes in the userdb but this causes lmtp to deliver mails to non existant accounts without rejection. I've been searching but haven't found a way to set this same thing up but having dovecots lmtp check the validity of the mails recipient against the same samba AD DC through ldap before delivering it and rejecting unknown email addresses. Could someone please provide some insight into how to achieve this?
Thank you very much in advance. Best regards, David Wells.
On 27.9.2019 23.21, David Wells - Alfavinil S.A. via dovecot wrote:
Good afternoon.
I have dovecot setup to authenticate virtual users using either gssapi or doind a bind to an ldap server to achieve a single sign on capable imap server connected to a samba active directory DC. What I am also trying to achieve is to have dovecot's lmtp daemon handle the mails passed from postfix. However, the only way I've gotten this to work is setting allow_all_users = yes in the userdb but this causes lmtp to deliver mails to non existant accounts without rejection. I've been searching but haven't found a way to set this same thing up but having dovecots lmtp check the validity of the mails recipient against the same samba AD DC through ldap before delivering it and rejecting unknown email addresses. Could someone please provide some insight into how to achieve this?
Thank you very much in advance. Best regards, David Wells.
You could setup LDAP userdb without bind authentication, and use a service account instead.
Aki
Dear Aki, good afternoon.
Thank you very much for your response and thank you again for the tip on how I could resolve this issue. The problem I'm facing is that I need dovecot to serve emails with two different authorization methods for imap and sasl, one through the kerberos ticket as in https://wiki.dovecot.org/Authentication/Kerberos which I have working but only with a static userdb and also with plain (over tls of course) performing an ldap bind. I also need to verify the validity of incoming emails for the lmtp process. I have only managed to get plain working with the ldap userdb, or the kerberos solution with static databases and no address verification working but not both. I believe I could set up two different dovecot instances listening on different ports or even on different ip addresses over the same ethernet device but I believe I would run into problems with the locking of files and I would like a one solution to serve them all. Is this even possible? Is there information on how to achieve this somewhere I haven't found?
Thank you very much again. Best regards, David Wells.
El 30/09/2019 a las 03:36, Aki Tuomi escribió:
On 27.9.2019 23.21, David Wells - Alfavinil S.A. via dovecot wrote:
Good afternoon.
I have dovecot setup to authenticate virtual users using either gssapi or doind a bind to an ldap server to achieve a single sign on capable imap server connected to a samba active directory DC. What I am also trying to achieve is to have dovecot's lmtp daemon handle the mails passed from postfix. However, the only way I've gotten this to work is setting allow_all_users = yes in the userdb but this causes lmtp to deliver mails to non existant accounts without rejection. I've been searching but haven't found a way to set this same thing up but having dovecots lmtp check the validity of the mails recipient against the same samba AD DC through ldap before delivering it and rejecting unknown email addresses. Could someone please provide some insight into how to achieve this?
Thank you very much in advance. Best regards, David Wells.
You could setup LDAP userdb without bind authentication, and use a service account instead.
Aki
Good morning.
I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the following statement
When using LDA https://wiki.dovecot.org/LDA and static userdb, deliver can check if destination user exists. With auth binds this check isn't possible.
Is this still relevant? Is there a workaround? It seems like using dovecots lmtp in an active directory environment is not possible, is this correct?
-------- Mensaje reenviado -------- Asunto: Re: lmtp and virtual users Fecha: Mon, 30 Sep 2019 17:14:16 -0300 De: David Wells - Alfavinil S.A. via dovecot dovecot@dovecot.org Responder a: David Wells - Alfavinil S.A. dwells@alfavinil.com Para: Aki Tuomi aki.tuomi@open-xchange.com, dovecot@dovecot.org
Dear Aki, good afternoon.
Thank you very much for your response and thank you again for the tip on how I could resolve this issue. The problem I'm facing is that I need dovecot to serve emails with two different authorization methods for imap and sasl, one through the kerberos ticket as in https://wiki.dovecot.org/Authentication/Kerberos which I have working but only with a static userdb and also with plain (over tls of course) performing an ldap bind. I also need to verify the validity of incoming emails for the lmtp process. I have only managed to get plain working with the ldap userdb, or the kerberos solution with static databases and no address verification working but not both. I believe I could set up two different dovecot instances listening on different ports or even on different ip addresses over the same ethernet device but I believe I would run into problems with the locking of files and I would like a one solution to serve them all. Is this even possible? Is there information on how to achieve this somewhere I haven't found?
Thank you very much again. Best regards, David Wells.
El 30/09/2019 a las 03:36, Aki Tuomi escribió:
On 27.9.2019 23.21, David Wells - Alfavinil S.A. via dovecot wrote:
Good afternoon.
I have dovecot setup to authenticate virtual users using either gssapi or doind a bind to an ldap server to achieve a single sign on capable imap server connected to a samba active directory DC. What I am also trying to achieve is to have dovecot's lmtp daemon handle the mails passed from postfix. However, the only way I've gotten this to work is setting allow_all_users = yes in the userdb but this causes lmtp to deliver mails to non existant accounts without rejection. I've been searching but haven't found a way to set this same thing up but having dovecots lmtp check the validity of the mails recipient against the same samba AD DC through ldap before delivering it and rejecting unknown email addresses. Could someone please provide some insight into how to achieve this?
Thank you very much in advance. Best regards, David Wells.
You could setup LDAP userdb without bind authentication, and use a service account instead.
Aki
On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
Good morning.
I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the following statement
When using LDA https://wiki.dovecot.org/LDA and static userdb, deliver can check if destination user exists. With auth binds this check isn't possible.
Is this still relevant? Is there a workaround? It seems like using dovecots lmtp in an active directory environment is not possible, is this correct?
You cannot check user existence with auth binds because auth bind requires user credentials.
This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.
Aki
Is there anywhere an example of how this would be setup? I understand the use of a service account which I already setup but I can't figure out how to use this service account to retrieve information and authenticate users.
Thanks! Best regards, David Wells.
El 02/10/2019 a las 04:29, Aki Tuomi escribió:
On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
Good morning.
I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the following statement
When using LDA https://wiki.dovecot.org/LDA and static userdb, deliver can check if destination user exists. With auth binds this check isn't possible.
Is this still relevant? Is there a workaround? It seems like using dovecots lmtp in an active directory environment is not possible, is this correct?
You cannot check user existence with auth binds because auth bind requires user credentials.
This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.
Aki
You set ‘auth_bind' to ‘no' and and you make sure ‘dn’ and ‘dnpass’ are properly configured with a user with enough privileges to read users passwords.
And also, you make sure your pass_attrs contains a password attributes (containing the user password hash).
Le 2 oct. 2019 à 19:33, David Wells - Alfavinil S.A. via dovecot dovecot@dovecot.org a écrit :
Is there anywhere an example of how this would be setup? I understand the use of a service account which I already setup but I can't figure out how to use this service account to retrieve information and authenticate users.
Thanks! Best regards, David Wells.
El 02/10/2019 a las 04:29, Aki Tuomi escribió:
On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
Good morning.
I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the following statement
When using LDA https://wiki.dovecot.org/LDA and static userdb, deliver can check if destination user exists. With auth binds this check isn't possible.
Is this still relevant? Is there a workaround? It seems like using dovecots lmtp in an active directory environment is not possible, is this correct?
You cannot check user existence with auth binds because auth bind requires user credentials.
This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.
Aki
As documented e.g. here https://doc.dovecot.org/configuration_manual/authentication/ldap/
Aki
On 02/10/2019 20:47 Jean-Daniel via dovecot dovecot@dovecot.org wrote:
You set ‘auth_bind' to ‘no' and and you make sure ‘dn’ and ‘dnpass’ are properly configured with a user with enough privileges to read users passwords.
And also, you make sure your pass_attrs contains a password attributes (containing the user password hash).
Le 2 oct. 2019 à 19:33, David Wells - Alfavinil S.A. via dovecot dovecot@dovecot.org a écrit :
Is there anywhere an example of how this would be setup? I understand the use of a service account which I already setup but I can't figure out how to use this service account to retrieve information and authenticate users.
Thanks! Best regards, David Wells.
El 02/10/2019 a las 04:29, Aki Tuomi escribió:
On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
Good morning.
I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the following statement
When using LDA (https://wiki.dovecot.org/LDA) and static userdb, deliver can check if destination user exists. With auth binds this check isn't possible.
Is this still relevant? Is there a workaround? It seems like using dovecots lmtp in an active directory environment is not possible, is this correct?
You cannot check user existence with auth binds because auth bind requires user credentials. This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.
Aki
participants (3)
-
Aki Tuomi
-
David Wells - Alfavinil S.A.
-
Jean-Daniel