New subject: [SOLVED] Re: LMTP Post login script for acl_groups

28 Aug 2019

      Hi,
I use a post login script for imap, to fetch acl groups from LDAP. Because Dovecot can only deal with a single value, which must be a comma seperated list of groups, I decided to use a post login script do deal with multi values in LDAP:
This looks like this in LDAP:
rnsMSACLGroup: admin
rnsMSACLGroup: automx
rnsMSACLGroup: amavis
rnsMSACLGroup: postfix
rnsMSACLGroup: dovecot
rnsMSACLGroup: rspamd
rnsMSACLGroup: powerdns
rnsMSACLGroup: sogo
rnsMSACLGroup: zabbix
rnsMSACLGroup: dane-users
rnsMSACLGroup: gentoo
rnsMSACLGroup: openbsd
My post login script looks like this:

#!/bin/sh
BINDDN='cn=dovecot-postlogin,ou=people,ou=it,dc=roessner-net,dc=de'
BINDPWFILE='/etc/dovecot/ldap-postlogin.secret'
BASE='ou=people,ou=it,dc=roessner-net,dc=de'
LDAPSEARCH="/usr/bin/ldapsearch"
AWK="/usr/bin/awk"
test -x ${LDAPSEARCH} || exec "$@"
test -x ${AWK} || exec "$@"
ACL_GROUPS=$(
${LDAPSEARCH} -LLL -ZZ -y ${BINDPWFILE} -xD ${BINDDN} -b ${BASE} "(rnsMSDovecotUser=${USER})" rnsMSACLGroup | 

grep rnsMSACLGroup | 

${AWK} -vORS=, '{ print $2 }' | 

sed 's/,$/\n/'
)
export ACL_GROUPS
export USERDB_KEYS="${USERDB_KEYS} acl_groups"
exec "$@"
This script is included in imap-postlogin executables and works for logged in users.
But it does not work for LMTP. LMTP itself seems not to have any permissions to access the folders associated with these groups. I thought, I simply could add the imap-postlogin block to lmtp-postlogin and that would work, but it doesn't.
So here is the question:
What am I missing in Dovecot that LMTP can also have ACL_GROUPS like the imap service?
Here is my config (non-defaults):

doveconf -n
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.19.44-gentoo x86_64 Gentoo Base System release 2.6
# Hostname: mx.roessner-net.de
auth_cache_size = 64 M
auth_master_user_separator = *
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
default_client_limit = 5000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
hostname = mail.roessner-net.de
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
imap_max_line_length = 4 M
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_access_groups = vmail
mail_attachment_dir = /var/mail/virtual/copymail/attachments
mail_gid = vmail
mail_location = sdbox:~/sdbox
mail_max_keyword_length = 4096
mail_plugins = quota acl fts fts_lucene zlib mail_log notify
mail_privileged_group = mail
mail_save_crlf = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
mdbox_preallocate_space = yes
mdbox_rotate_size = 128 M
namespace {
list = children
location = sdbox:%%h/sdbox
prefix = Shared/%%u/
separator = /
subscriptions = no
type = shared
}
namespace {
hidden = no
list = children
location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public
prefix = Public/
separator = /
subscriptions = no
type = public
}
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox "Deleted Messages" {
special_use = \Trash
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk-E-Mail {
special_use = \Junk
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
type = private
}
passdb {
args = /etc/dovecot/master-users
driver = passwd-file
master = yes
pass = yes
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
fts = lucene
fts_autoindex = yes
fts_lucene = whitespace_chars=@.
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve
imapsieve_mailbox1_causes = COPY FLAG
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = *
mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename
mail_log_fields = box msgid
quota = count:User quota
quota_grace = 10%%
quota_rule = *:storage=300M:messages=20000
quota_rule2 = Trash:storage=+500M
quota_rule3 = Sent:storage=+2G
quota_rule4 = Archive:storage=+2G
quota_status_nouser = DUNNO
quota_status_overquota = 552 5.2.2 Mailbox is full
quota_status_success = DUNNO
quota_vsizes = yes
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=80%% quota-warning 80 %u
quota_warning3 = -storage=100%% quota-warning below %u
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/after
sieve_before = /etc/dovecot/sieve/before
sieve_extensions = +vacation-seconds
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug
sieve_pipe_bin_dir = /usr/bin
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_vacation_default_period = 10d
sieve_vacation_max_period = 30d
sieve_vacation_min_period = 1h
zlib_save = gz
zlib_save_level = 6
}
protocols = imap pop3 lmtp submission sieve
service auth-worker {
extra_groups = ssl-cert
unix_listener auth-worker {
mode = 0600
user = vmail
}
user = vmail
}
service auth {
extra_groups = ssl-cert
unix_listener /var/spool/postfix-submission/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = vmail
}
service config {
unix_listener config {
mode = 0600
user = vmail
}
}
service dict {
unix_listener dict {
mode = 0600
user = vmail
}
}
service imap-login {
inet_listener imap {
address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
}
inet_listener imaps {
port = 0
}
}
service imap-postlogin {
executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh /usr/local/bin/dovecot-aclgroups.sh
user = vmail
}
service imap {
executable = imap imap-postlogin
}
service lmtp-postlogin {
executable = script-login /usr/local/bin/dovecot-aclgroups.sh
user = vmail
}
service lmtp {
executable = lmtp lmtp-postlogin
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
unix_listener /var/spool/postfix/private/lmtp-dovecot {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
}
}
service pop3-login {
inet_listener pop3 {
address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
}
inet_listener pop3s {
port = 0
}
}
service quota-status {
client_limit = 1
executable = quota-status -p postfix
inet_listener {
address = 127.0.0.1
port = 12340
}
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
extra_groups = mail
unix_listener quota-warning {
group = vmail
mode = 0600
user = vmail
}
user = vmail
}
ssl_cert = 
Thanks for any help in advance
Christian

LMTP Post login script for acl_groups

exec "$@"

Changes to the auth-ldap.conf.ext file:

# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }

I created this auth-lua.conf.ext:

userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }

The Lua script looks like this:

-- vim: expandtab ts=2 sw=2

Changes to the auth-ldap.conf.ext file:

# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }

I created this auth-lua.conf.ext:

userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }

The Lua script looks like this:

-- vim: expandtab ts=2 sw=2

Changes to the auth-ldap.conf.ext file:

# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }

I created this auth-lua.conf.ext:

userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }

The Lua script looks like this:

-- vim: expandtab ts=2 sw=2

Changes to the auth-ldap.conf.ext file:

# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }

I created this auth-lua.conf.ext:

userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }

The Lua script looks like this:

-- vim: expandtab ts=2 sw=2

Changes to the auth-ldap.conf.ext file:

# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }

I created this auth-lua.conf.ext:

userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }

The Lua script looks like this:

-- vim: expandtab ts=2 sw=2

This version uses lualdap:

-- vim: expandtab ts=2 sw=2

Changes to the auth-ldap.conf.ext file:

# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }

I created this auth-lua.conf.ext:

userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }

The Lua script looks like this:

-- vim: expandtab ts=2 sw=2

Changes to the auth-ldap.conf.ext file:

# Default fields can be used to specify defaults that LDAP may override #default_fields = home=/home/virtual/%u }

I created this auth-lua.conf.ext:

userdb { driver = lua args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes }

The Lua script looks like this:

-- vim: expandtab ts=2 sw=2

tags

participants (3)