Hello
Is it possible to limit the ability to share their own mailboxes to only a few users? We have a few sensitive mailboxes of users where the ability to share via IMAP SETACL should be prevented.
I tried the following so far:
doveadm acl remove -u test@onnet.ch INBOX user=test@onnet.ch admin
but when doing this the admin rights are still there:
vmail@buserver:~$ doveadm acl rights -u test@onnet.ch INBOX
Rights
lookup read write write-seen write-deleted insert post expunge create delete admin
Thanks in advance for your help
Simeon
You could do
userdb {
  driver = username_format=%Lu passwd-file
  args = /etc/dovecot/share.passwd
}
# /etc/dovecot/share.passwd
test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes
should prevent the user from modifying any ACL files.
Aki
On 05.08.2018 17:04, Simeon Ott wrote:
On 06.08.2018 08:26, Aki Tuomi wrote:
userdb_acl_globals_only=yes should be written without spaces...
Aki
On 6 Aug 2018, at 8.26, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Close, but a few typos. userdb should be:
userdb {
  driver = passwd-file
  args = username_format=%Lu /etc/dovecot/share.passwd
}
Sami
Thanks for the advice Aki
On 6 Aug 2018, at 07:26, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
userdb {
  driver = username_format=%Lu passwd-file
  args = /etc/dovecot/share.passwd
}
Something is wrong with the suggested driver configuration; it leads to a fatal error. I think a driver name is missing. Any chance of doing this via an LDAP attribute?
Here is my working config (without your suggestion):
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = syslog
disable_plaintext_auth = no
info_log_path = syslog
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_plugins = zlib quota acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
  quota = maildir:User quota
  quota_exceeded_message = 4.2.2 Mailbox full
  quota_rule = *:storage=1G
  quota_rule2 = INBOX.Trash:storage=+100M
  quota_rule3 = INBOX.Spam:ignore
  quota_warning = storage=95%% quota-warning 95 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_max_actions = 32
  sieve_max_redirects = 4
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
}
protocols = " imap lmtp sieve pop3"
service auth {
  group = dovecot
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
  user = dovecot
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol lmtp {
  mail_plugins = zlib quota acl sieve
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  deliver_log_format = msgid=%m: %$
  mail_plugins = zlib quota acl sieve
  postmaster_address = postmaster@onnet.ch
}
protocol imap {
  mail_plugins = zlib quota acl imap_quota imap_acl
}
protocol sieve {
  info_log_path = /var/log/sieve.log
  log_path = /var/log/sieve.log
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}
Thanks in advance for your help
As Sami pointed out, I had wrong syntax:
Close, but a few typos. userdb should be:
userdb {
  driver = passwd-file
  args = username_format=%Lu /etc/dovecot/share.passwd
}
Sami
On 06.08.2018 22:52, Simeon Ott wrote:
Sorry for that! I was offline while writing my answer to your mail, so it left my outbox only after Sami's advice.
The solution works well when using passwd userdbs only. I didn't get it running in conjunction with an LDAP userdb. I tried using an LDAP attribute and mapping it to userdb_acl_globals_only, and made another attempt with acl_globals_only. Neither attribute was considered by the lookup. Another attempt was to use a separate passwd userdb for this attribute only. When placing the passwd userdb before the LDAP userdb, the LDAP attributes are not considered. If the LDAP userdb is placed before the passwd userdb, the extra attribute is not considered. I think this is intended behaviour.
Any ideas in conjunction with LDAP?
On 7 Aug 2018, at 08:54, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
With an LDAP userdb, you need to omit the userdb_ prefix.
Aki
On 07.08.2018 10:54, Simeon Ott wrote:
Could you please clarify that? Where should I omit the userdb_ prefix? Which of my attempts are you pointing at? As stated, I omitted the userdb_ prefix when working with an LDAP attribute.
On 7 Aug 2018, at 10:03, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Can you provide your doveconf -n after adding the database *after* LDAP?
You probably need to add 'noauthenticate' as one parameter after the userdb ones.
Aki
On 07.08.2018 11:05, Simeon Ott wrote:
… attached the doveconf -n output, the linked files and the debug log lines from a standard client login
root@buserver:/etc/dovecot/conf.d# doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = syslog
disable_plaintext_auth = no
info_log_path = syslog
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_plugins = zlib quota acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
  quota = maildir:User quota
  quota_exceeded_message = 4.2.2 Mailbox full
  quota_rule = *:storage=1G
  quota_rule2 = INBOX.Trash:storage=+100M
  quota_rule3 = INBOX.Spam:ignore
  quota_warning = storage=95%% quota-warning 95 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_max_actions = 32
  sieve_max_redirects = 4
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
}
protocols = " imap lmtp sieve pop3"
service auth {
  group = dovecot
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
  user = dovecot
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  args = username_format=%Lu /etc/dovecot/share.passwd
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = zlib quota acl sieve
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  deliver_log_format = msgid=%m: %$
  mail_plugins = zlib quota acl sieve
  postmaster_address = postmaster@onnet.ch
}
protocol imap {
  mail_plugins = zlib quota acl imap_quota imap_acl
}
protocol sieve {
  info_log_path = /var/log/sieve.log
  log_path = /var/log/sieve.log
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}
root@buserver:/etc/dovecot# cat dovecot-acl
root@buserver:/etc/dovecot#
—> means empty file
root@buserver:/etc/dovecot# cat share.passwd
test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
hosts = localhost
uris = ldap://localhost:389/
debug_level = 10
auth_bind = yes
ldap_version = 3
base = ou=domains,dc=intra,dc=onnet,dc=ch
deref = never
scope = subtree
user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
iterate_attrs = mail=user
iterate_filter = (objectClass=CourierMailAccount)
default_pass_scheme = CRYPT
root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27"
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello du/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203)
Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data)
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch))
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch; mail unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=<test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206
Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%)
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457
thanks for looking into this
On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Ah. You probably need to change the ldap userdb so that you add
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
  result_success = continue-ok
}
so that the next one is processed.
You can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.
Aki
On 07.08.2018 12:23, Simeon Ott wrote:
… attached the dovecot -n, linked files, debug log lines during a standard client login
root@buserver:/etc/dovecot/conf.d# doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } 
protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { args = username_format=%Lu /etc/dovecot/share.passwd driver = passwd-file } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch <mailto:postmaster@onnet.ch> } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }
root@buserver:/etc/dovecot# cat dovecot-acl root@buserver:/etc/dovecot#
—> means empty file
root@buserver:/etc/dovecot# cat share.passwd test@onnet.ch <mailto:test@onnet.ch>:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf hosts = localhost uris = ldap://localhost:389/ debug_level = 10 auth_bind = yes ldap_version = 3 base = ou=domains,dc=intra,dc=onnet,dc=ch deref = never scope = subtree user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$ user_filter = (&(objectClass=CourierMailAccount)(mail=%u)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=CourierMailAccount)(mail=%u)) iterate_attrs = mail=user iterate_filter = (objectClass=CourierMailAccount) default_pass_scheme = CRYPT
root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27"
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello du/dovecot-acl
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found
Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203)
Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data)
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch))
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch; mail unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=<test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206
Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%)
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457
thanks for looking into this
On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Can you provide your doveconf -n after adding the database *after* LDAP.
You probably need to add 'noauthenticate' as one parameter after the userdb ones.
Aki
Now the attributes are correctly read for the user test@onnet.ch, but other users are not able to authenticate anymore.
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch
field             value
uid               5000
gid               5000
home              /var/spool/postfix/virtual/onnet.ch/test/
mail              maildir:~/Maildir
quota_rule        *:bytes=1073741824
acl               vfile:/etc/dovecot/dovecot-acl
acl_globals_only  yes
root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
field value
userdb lookup: user test2@onnet.ch doesn't exist
I need to add all users to the passwd too to let other users authenticate properly. This is not an option for our productive server, because the LDAP directory should be the main db for user administration. After adding “test@onnet.ch:::::::” to the passwd file, doveadm user works with test2@onnet.ch
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch
field       value
uid         5000
gid         5000
home        /var/spool/postfix/virtual/onnet.ch/test2/
mail        maildir:~/Maildir
quota_rule  *:bytes=1073741824
IMPORTANT NOTE: anyway.. even with these options set (acl and acl_globals_only) the user test@onnet.ch is still able to share its own folders?!
On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Ah. You probably need to change ldap userdb so that you add
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
  result_success = continue-ok
}
so that the next one is processed.
you can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.
Aki
On 07.08.2018 12:23, Simeon Ott wrote:
… attached the dovecot -n, linked files, debug log lines during a standard client login
root@buserver:/etc/dovecot/conf.d# doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = syslog
disable_plaintext_auth = no
info_log_path = syslog
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_debug = yes
mail_gid = 5000
mail_location = maildir:~/Maildir
mail_plugins = zlib quota acl
mail_uid = 5000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  hidden = no
  ignore_on_failure = no
  inbox = no
  list = children
  location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
  prefix = shared/%%u/
  separator = /
  subscriptions = yes
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile
  acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
  quota = maildir:User quota
  quota_exceeded_message = 4.2.2 Mailbox full
  quota_rule = *:storage=1G
  quota_rule2 = INBOX.Trash:storage=+100M
  quota_rule3 = INBOX.Spam:ignore
  quota_warning = storage=95%% quota-warning 95 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_max_actions = 32
  sieve_max_redirects = 4
  sieve_max_script_size = 1M
  sieve_quota_max_scripts = 0
  sieve_quota_max_storage = 0
}
protocols = " imap lmtp sieve pop3"
service auth {
  group = dovecot
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-master {
    group = vmail
    mode = 0666
    user = vmail
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0666
    user = vmail
  }
  user = dovecot
}
service lmtp {
  unix_listener lmtp {
    mode = 0666
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
ssl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
userdb {
  args = username_format=%Lu /etc/dovecot/share.passwd
  driver = passwd-file
}
protocol lmtp {
  mail_plugins = zlib quota acl sieve
}
protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  deliver_log_format = msgid=%m: %$
  mail_plugins = zlib quota acl sieve
  postmaster_address = postmaster@onnet.ch
}
protocol imap {
  mail_plugins = zlib quota acl imap_quota imap_acl
}
protocol sieve {
  info_log_path = /var/log/sieve.log
  log_path = /var/log/sieve.log
  mail_max_userip_connections = 10
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_logout_format = bytes=%i/%o
  managesieve_max_compile_errors = 5
  managesieve_max_line_length = 65536
}
root@buserver:/etc/dovecot# cat dovecot-acl
root@buserver:/etc/dovecot#
—> means empty file
root@buserver:/etc/dovecot# cat share.passwd
test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
Hmm. If you put it *after* the ldap userdb, it should not have prevented users from logging in.
What happens if you do
userdb {
  driver = passwd-file
  args = ....
  skip = notfound
  result_failure = continue-ok
}
Aki
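The pieces suggested in this thread, collected into one configuration as an added example (not configuration posted by Simeon or Aki): the LDAP userdb continues on success so the passwd-file userdb can add fields for the few restricted users, the passwd-file userdb skips users it does not list, and the global ACL file gets an explicit owner entry, because the page shows /etc/dovecot/dovecot-acl empty, in which case no global ACL applies to the owner at all. The owner entry that grants every right except admin ("a") is my assumption about what is needed to refuse SETACL for those users; the thread does not confirm it.

```conf
# Added example. Dovecot 2.2 userdb chain: LDAP stays the primary directory,
# the passwd-file only adds extra fields for users listed in it.

# LDAP userdb: found the user, but keep going so the next userdb can add
# per-user settings (Aki's result_success suggestion).
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
  result_success = continue-ok
}

# passwd-file userdb: users absent from this file must still log in, so a
# missing entry is not a lookup failure (Aki's skip/result_failure suggestion).
userdb {
  driver = passwd-file
  args = username_format=%Lu /etc/dovecot/share.passwd
  skip = notfound
  result_failure = continue-ok
}

# /etc/dovecot/share.passwd: one line per restricted user. Seven colons cover
# the unused passwd fields; the userdb_ prefix is dropped when the extra
# fields become per-user settings (no spaces around "=").
# test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes

# /etc/dovecot/dovecot-acl: global ACL file read only for users whose userdb
# result points at it, so other LDAP users keep their default rights.
# With acl_globals_only=yes the per-mailbox dovecot-acl files are ignored.
# ASSUMPTION: listing the owner with every right except "a" (admin) is what
# makes SETACL fail for these users; an empty file, as on the page, applies
# no ACL and leaves the owner with full rights including admin.
# * owner lrwstipekx
```

Check the result with the commands already used in the thread: `doveadm user test@onnet.ch` should list acl and acl_globals_only, `doveadm user test2@onnet.ch` should not, and `doveadm acl rights -u test@onnet.ch INBOX` should no longer list admin.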
On 07.08.2018 12:58, Simeon Ott wrote:
Now the attributes are correctly read for the user test@onnet.ch <mailto:test@onnet.ch>, but other users are not able to authenticate anymore.
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# <http://onnet.ch/test/Maildir/.super#> doveadm user test@onnet.ch <mailto:test@onnet.ch> fieldvalue uid5000 gid5000 home/var/spool/postfix/virtual/onnet.ch/test/ <http://onnet.ch/test/> mailmaildir:~/Maildir quota_rule*:bytes=1073741824 aclvfile:/etc/dovecot/dovecot-acl acl_globals_onlyyes
root@buserver:/etc/dovecot# doveadm user test2@onnet.ch <mailto:test2@onnet.ch> fieldvalueuserdb lookup: user test2@onnet.ch <mailto:test2@onnet.ch> doesn't exist
I need to add all users to the passwd too to let other users authenticate properly. This is not an option for our productive server, because the LDAP directory should be the main db for user administration. After adding “test@onnet.ch <mailto:test@onnet.ch>:::::::” to the passwd file, doveadm user works with test2@onnet.ch <mailto:test2@onnet.ch>
root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# <http://onnet.ch/test/Maildir/.super#> doveadm user test2@onnet.ch <mailto:test2@onnet.ch> fieldvalue uid5000 gid5000 home/var/spool/postfix/virtual/onnet.ch/test2/ <http://onnet.ch/test2/> mailmaildir:~/Maildir quota_rule*:bytes=1073741824
IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch <mailto:test@onnet.ch> is still able to share its own folders?!
On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi@dovecot.fi <mailto:aki.tuomi@dovecot.fi>> wrote:
Ah. You probably need to change ldap userdb so that you add
userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf result_success = continue-ok }
so that the next one is processed.
you can use 'doveadm user test@onnet.ch <mailto:test@onnet.ch>' to verify that the attributes are read for this user, and with another username that they are not.
Aki
On 07.08.2018 12:23, Simeon Ott wrote:
… attached the dovecot -n, linked files, debug log lines during a standard client login
root@buserver:/etc/dovecot/conf.d# doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } 
protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { args = username_format=%Lu /etc/dovecot/share.passwd driver = passwd-file } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch <mailto:postmaster@onnet.ch> <mailto:postmaster@onnet.ch> } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }
root@buserver:/etc/dovecot# cat dovecot-acl root@buserver:/etc/dovecot#
—> means empty file
root@buserver:/etc/dovecot# cat share.passwd test@onnet.ch <mailto:test@onnet.ch> <mailto:test@onnet.ch>:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf hosts = localhost uris = ldap://localhost:389/ debug_level = 10 auth_bind = yes ldap_version = 3 base = ou=domains,dc=intra,dc=onnet,dc=ch deref = never scope = subtree user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$ user_filter = (&(objectClass=CourierMailAccount)(mail=%u)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=CourierMailAccount)(mail=%u)) iterate_attrs = mail=user iterate_filter = (objectClass=CourierMailAccount) default_pass_scheme = CRYPT
root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27" Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch <mailto:test@onnet.ch>): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test <http://onnet.ch/test//Maildir/.test> folder 1.sub folder 1 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch <mailto:test@onnet.ch>): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl <http://onnet.ch/test//Maildir/.super/dovecot-acl> Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch <mailto:test@onnet.ch>): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello <http://onnet.ch/test//Maildir/.super.hello> du/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch <mailto:test@onnet.ch>): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test <http://onnet.ch/test//Maildir/.test> folder 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203) Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch <mailto:test@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch <mailto:mail=test@onnet.ch>)) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch <mailto:test@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch <mailto:mail=test@onnet.ch>; mail unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch <mailto:test@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch 
Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch
Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused
Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=<test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206
Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so
Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%)
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled
Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457
thanks for looking into this
On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Can you provide your doveconf -n after adding the database *after* LDAP?
You probably need to add 'noauthenticate' as one parameter after the userdb ones.
Aki
still the same…
root@buserver:/etc/dovecot# doveadm user test2@onnet.ch
field   value
userdb lookup: user test2@onnet.ch doesn't exist

relevant config output from doveconf -n

userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
  result_success = continue-ok
}
userdb {
  args = username_format=%Lu /etc/dovecot/share.passwd
  driver = passwd-file
  result_failure = continue-ok
  skip = notfound
}
but, did you read my last note anyway? IMPORTANT NOTE: anyway.. even with these options set (acl and acl_globals_only) the user test@onnet.ch is still able to share its own folders?!

root@buserver:/etc/dovecot# doveadm user test@onnet.ch
field            value
uid              5000
gid              5000
home             /var/spool/postfix/virtual/onnet.ch/test/
mail             maildir:~/Maildir
quota_rule       *:bytes=1073741824
acl              vfile:/etc/dovecot/dovecot-acl
acl_globals_only yes

root@buserver:/etc/dovecot# telnet localhost 143
Trying ::1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
. login test@onnet.ch *********
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA ACL RIGHTS=texk] Logged in
. SETACL Inbox test2@onnet.ch lrwstipekxa
. OK Setacl complete.
. GETACL Inbox
* ACL Inbox test2@onnet.ch akxeilprwtscd test@onnet.ch lrwstipekxacd
. OK Getacl completed.
Cheers
On 7 Aug 2018, at 12:05, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
Hmm. if you put it *after* the ldap userdb, it should not have prevented users from logging in.
What happens if you do

userdb {
  driver = passwd-file
  args = ....
  skip = notfound
  result_failure = continue-ok
}
Aki
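The GETACL reply above is the evidence that matters: after SETACL the non-owner test2@onnet.ch holds the "a" (admin) right and could re-share the folder further. The following audit script is an added example, not code from this thread or from Dovecot. It parses the untagged "* ACL <mailbox> <identifier> <rights> ..." response (the line captured above) as well as the "<identifier> <rights>" lines of a Dovecot vfile ACL, and reports every non-owner identifier that holds rights on a mailbox, marking those with admin and flagging any sharing on an owner that is on a "sensitive" list. The alice@example.com mailbox, the user=kim and anyone entries and the vfile text are constructed sample data; the assumption that vfile rights are written as RFC 4314 letters and that "#" starts a comment is labelled in the code.

```python
"""Audit IMAP mailbox ACLs for sharing the owner should not have granted.

Added example; not code from the thread or from Dovecot.  Inputs are the
untagged GETACL response ("* ACL <mailbox> <identifier> <rights> ...") and
the "<identifier> <rights>" lines of a Dovecot vfile ACL (dovecot-acl).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# RFC 4314 rights letters, plus the obsolete RFC 2086 'c'/'d' letters that
# Dovecot still lists next to the new ones (see "lrwstipekxacd" in the thread).
RIGHTS = {
    "l": "lookup", "r": "read", "w": "write", "s": "write-seen",
    "t": "write-deleted", "i": "insert", "p": "post", "e": "expunge",
    "k": "create", "x": "delete", "a": "admin",
    "c": "create (obsolete)", "d": "delete (obsolete)",
}


@dataclass(frozen=True)
class AclEntry:
    mailbox: str
    identifier: str     # "test2@onnet.ch" in GETACL output; "user=kim", "anyone", "owner" in a vfile
    rights: frozenset   # validated letters from RIGHTS

    def can_reshare(self) -> bool:
        """The admin right is what allows SETACL on this mailbox."""
        return "a" in self.rights


@dataclass(frozen=True)
class Finding:
    mailbox: str
    identifier: str
    severity: str       # "violation" when the owner is on the sensitive list, else "info"
    detail: str


def parse_rights(letters: str) -> frozenset:
    """Reject unknown letters rather than silently dropping them."""
    unknown = set(letters) - set(RIGHTS)
    if unknown:
        raise ValueError(f"unknown ACL right letters: {sorted(unknown)}")
    return frozenset(letters)


_ACL_RESPONSE = re.compile(r"^\*\s+ACL\s+(\S+)\s*(.*)$")


def parse_getacl(line: str) -> list:
    """Parse one untagged GETACL response (unquoted mailbox name) into entries."""
    match = _ACL_RESPONSE.match(line.strip())
    if not match:
        raise ValueError(f"not an untagged ACL response: {line!r}")
    mailbox, fields = match.group(1), match.group(2).split()
    if len(fields) % 2:
        raise ValueError("identifier/rights tokens do not pair up")
    return [AclEntry(mailbox, fields[i], parse_rights(fields[i + 1]))
            for i in range(0, len(fields), 2)]


def parse_vfile(mailbox: str, text: str) -> list:
    """Parse a per-mailbox dovecot-acl file.

    Assumption: rights are RFC 4314 letters and '#' starts a comment, which
    is how the Dovecot wiki examples are written.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        identifier, letters = line.split(None, 1)
        entries.append(AclEntry(mailbox, identifier, parse_rights(letters.strip())))
    return entries


def audit(entries: Iterable[AclEntry], owner: str, sensitive: Iterable[str] = ()) -> list:
    """Return one Finding per non-owner identifier that holds any right."""
    sensitive = set(sensitive)
    owner_ids = {owner, "owner", f"user={owner}"}
    findings = []
    for entry in entries:
        if entry.identifier in owner_ids or not entry.rights:
            continue
        detail = "holds " + ", ".join(RIGHTS[r] for r in sorted(entry.rights))
        if entry.can_reshare():
            detail += "; has admin, so it can SETACL and re-share this mailbox"
        if entry.identifier in ("anyone", "authenticated"):
            detail += "; granted to every user, not a single account"
        severity = "violation" if owner in sensitive else "info"
        findings.append(Finding(entry.mailbox, entry.identifier, severity, detail))
    return findings


# The GETACL reply captured in the thread, after test@onnet.ch ran SETACL.
THREAD_GETACL = "* ACL Inbox test2@onnet.ch akxeilprwtscd test@onnet.ch lrwstipekxacd"

# Constructed vfile for a second, non-sensitive mailbox (not from the thread).
SAMPLE_VFILE = """\
# constructed dovecot-acl for the INBOX of alice@example.com
owner lrwstipekxa
user=kim lr
anyone lr
"""

if __name__ == "__main__":
    report = audit(parse_getacl(THREAD_GETACL), owner="test@onnet.ch", sensitive={"test@onnet.ch"})
    report += audit(parse_vfile("INBOX", SAMPLE_VFILE), owner="alice@example.com")
    for f in report:
        print(f"{f.severity:9} {f.mailbox:6} {f.identifier:16} {f.detail}")
```

Run against the thread's own GETACL line with test@onnet.ch on the sensitive list, the script yields a single "violation" for test2@onnet.ch and notes that the admin right lets that account re-share the folder; the constructed vfile yields two "info" findings (user=kim and anyone). Feeding it the output of doveadm acl get for every mailbox of the sensitive accounts gives a quick regression check that the global-ACL setup discussed in the thread really stops SETACL from taking effect.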
Okay, this seems to be due to the fact that the option "use_globals_only" is supported only in v2.2.31+ We are on Debian jessie with dovecot v2.2.13 – even an upgrade to current stable stretch won’t help (dovecot v2.2.27). So we will wait until the packages find their way into the repository.
thanks anyway
http://repo.dovecot.org/
Sami
On 8 Aug 2018, at 10.27, Simeon Ott <simeon.ott@onnet.ch> wrote:
Okay, this seems to be due to the fact that the option "use_globals_only" is supported only in v2.2.31+ We are on Debian jessie with dovecot v2.2.13 – even an upgrade to current stable stretch won’t help (dovecot v2.2.27). So we will wait until the packages find their way into the repository.
thanks anyway
Thanks Sami, thanks Aki
I just updated the packages on our testing server and now it works as expected. There are some LDAP tests to come. Are there many productive servers out there using this repository?
Simeon
On 8 Aug 2018, at 09:41, Sami Ketola <sami.ketola@dovecot.fi> wrote:
http://repo.dovecot.org/
Sami
On 9 Aug 2018, at 8.48, Simeon Ott <simeon.ott@onnet.ch> wrote:
Thanks Sami, thanks Aki
I just updated the packages on our testing server and now it works as expected. There are some LDAP tests to come. Are there many productive servers out there using this repository?
We have no way of knowing that. We could probably check the logs for how many times the packages have been downloaded, but even then we don't know for what purpose those packages are downloaded.
Sami