limit sharing ability to certain users

Simeon Ott

5 Aug 2018 5 Aug '18

2:04 p.m.

Hello

Is it possible to limit the ability of sharing it’s own mailboxes to only a few users? We have a few sensitive mailboxes of users where the ability to share via IMAP SETACL should be prevented.

I tried the following so far… doveadm acl remove -u test@onnet.ch INBOX user=test@onnet.ch admin

but when doing this the admin rights are still there doveadm acl rights -u test@onnet.ch INBOX vmail@buserver:~$ doveadm acl rights -u test@onnet.ch INBOX Rights
lookup read write write-seen write-deleted insert post expunge create delete admin

Thanks in advance for your help Simeon

Attachments:

attachment.html (text/html — 2.6 KB)

Show replies by date

Aki Tuomi

6 Aug 6 Aug

5:26 a.m.

You could do

userdb { driver = username_format=%Lu passwd-file args = /etc/dovecot/share.passwd }

# /etc/dovecot/share.passwd test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes

should prevent the user from modifying any ACL files.

Aki

On 05.08.2018 17:04, Simeon Ott wrote:

...

Hello

Is it possible to limit the ability of sharing it’s own mailboxes to only a few users? We have a few sensitive mailboxes of users where the ability to share via IMAP SETACL should be prevented.

I tried the following so far… doveadm acl remove -u test@onnet.ch mailto:test@onnet.ch INBOX user=test@onnet.ch mailto:user=test@onnet.ch admin

but when doing this the admin rights are still there doveadm acl rights -u test@onnet.ch mailto:test@onnet.ch INBOX vmail@buserver:~$ doveadm acl rights -u test@onnet.ch mailto:test@onnet.ch INBOX Rights lookup read write write-seen write-deleted insert post expunge create delete admin

Thanks in advance for your help Simeon

Aki Tuomi

5:27 a.m.

On 06.08.2018 08:26, Aki Tuomi wrote:

...

You could do

userdb { driver = username_format=%Lu passwd-file args = /etc/dovecot/share.passwd }

# /etc/dovecot/share.passwd test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes

should prevent the user from modifying any ACL files.

Aki

userdb_acl_globals_only=yes should be written without spaces...

Aki

...

On 05.08.2018 17:04, Simeon Ott wrote:

...
Hello

Is it possible to limit the ability of sharing it’s own mailboxes to only a few users? We have a few sensitive mailboxes of users where the ability to share via IMAP SETACL should be prevented.

I tried the following so far… doveadm acl remove -u test@onnet.ch mailto:test@onnet.ch INBOX user=test@onnet.ch mailto:user=test@onnet.ch admin

but when doing this the admin rights are still there doveadm acl rights -u test@onnet.ch mailto:test@onnet.ch INBOX vmail@buserver:~$ doveadm acl rights -u test@onnet.ch mailto:test@onnet.ch INBOX Rights lookup read write write-seen write-deleted insert post expunge create delete admin

Thanks in advance for your help Simeon

Sami Ketola

6:35 p.m.

...

On 6 Aug 2018, at 8.26, Aki Tuomi aki.tuomi@dovecot.fi wrote:

You could do

userdb { driver = username_format=%Lu passwd-file args = /etc/dovecot/share.passwd }

# /etc/dovecot/share.passwd test@onnet.ch mailto:test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes

should prevent the user from modifying any ACL files.

close, but few typos. userdb should be:

userdb { driver = passwd-file args = username_format=%Lu /etc/dovecot/share.passwd }

Sami

Simeon Ott

7:52 p.m.

Thanks for the advice Aki

...

On 6 Aug 2018, at 07:26, Aki Tuomi aki.tuomi@dovecot.fi wrote:

userdb { driver = username_format=%Lu passwd-file args = /etc/dovecot/share.passwd }

Something is wrong with the suggested driver configuration – Leads to a fatal – I think there is missing a driver name. Any chance of doing this via LDAP attribute?

Here is my working config (without your suggestion): # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }

Thanks in advance for your help

Aki Tuomi

7 Aug 7 Aug

6:54 a.m.

As Sami pointed out, I had wrong syntax:

...

close, but few typos. userdb should be:

userdb { driver = passwd-file args = username_format=%Lu /etc/dovecot/share.passwd }

Sami

On 06.08.2018 22:52, Simeon Ott wrote:

...

Thanks for the advice Aki

...
On 6 Aug 2018, at 07:26, Aki Tuomi mailto:aki.tuomi@dovecot.fi> wrote:

userdb { driver = username_format=%Lu passwd-file args = /etc/dovecot/share.passwd }

Something is wrong with the suggested driver configuration – Leads to a fatal – I think there is missing a driver name. Any chance of doing this via LDAP attribute?

Here is my working config (without your suggestion): # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch mailto:postmaster@onnet.ch } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }

Thanks in advance for your help

Simeon Ott

7:54 a.m.

Sorry for that! I was offline during writing my answer to your mail and so it left my outbox after the advice from Sami.

The solution works well when using passwd userdbs only. I didn’t get it running in conjunction with ldap userdb. I tried to use an LDAP attribute and mapping it to userdb_acl_globals_only and another try with acl_globals_only. Both attributes were not considered by the lookup. Another try was to use a separate passwd-userdb for this attribute only. When placing the passwd-userdb before the ldap-userdb the ldap attributes are not considered. If the ldap-userdb is placed before the passwd-userdb, the extra attribute is not considered. I think this is a wanted behaviour.

Any ideas in conjunction with LDAP?

...

On 7 Aug 2018, at 08:54, Aki Tuomi aki.tuomi@dovecot.fi wrote:

As Sami pointed out, I had wrong syntax:

...
close, but few typos. userdb should be:

userdb { driver = passwd-file args = username_format=%Lu /etc/dovecot/share.passwd }

Sami

Aki Tuomi

8:03 a.m.

with ldap userdb, you need to omit the userdb_ prefix.

Aki

On 07.08.2018 10:54, Simeon Ott wrote:

...

Sorry for that! I was offline during writing my answer to your mail and so it left my outbox after the advice from Sami.

The solution works well when using passwd userdbs only. I didn’t get it running in conjunction with ldap userdb. I tried to use an LDAP attribute and mapping it to userdb_acl_globals_only and another try with acl_globals_only. Both attributes were not considered by the lookup. Another try was to use a separate passwd-userdb for this attribute only. When placing the passwd-userdb before the ldap-userdb the ldap attributes are not considered. If the ldap-userdb is placed before the passwd-userdb, the extra attribute is not considered. I think this is a wanted behaviour.

Any ideas in conjunction with LDAP?

...
On 7 Aug 2018, at 08:54, Aki Tuomi aki.tuomi@dovecot.fi wrote:

As Sami pointed out, I had wrong syntax:

...
close, but few typos. userdb should be:

userdb { driver = passwd-file args = username_format=%Lu /etc/dovecot/share.passwd }

Sami

Simeon Ott

8:05 a.m.

May you please clarify that? Where should I omit the userdb_ prefix? Which of my attempts are you pointing at? As stated, I omitted the userdb_ prefix when working with an LDAP attribute.

...

On 7 Aug 2018, at 10:03, Aki Tuomi aki.tuomi@dovecot.fi wrote:

with ldap userdb, you need to omit the userdb_ prefix.

Aki

On 07.08.2018 10:54, Simeon Ott wrote:

...
Sorry for that! I was offline during writing my answer to your mail and so it left my outbox after the advice from Sami.

The solution works well when using passwd userdbs only. I didn’t get it running in conjunction with ldap userdb. I tried to use an LDAP attribute and mapping it to userdb_acl_globals_only and another try with acl_globals_only. Both attributes were not considered by the lookup. Another try was to use a separate passwd-userdb for this attribute only. When placing the passwd-userdb before the ldap-userdb the ldap attributes are not considered. If the ldap-userdb is placed before the passwd-userdb, the extra attribute is not considered. I think this is a wanted behaviour.

Any ideas in conjunction with LDAP?

...
On 7 Aug 2018, at 08:54, Aki Tuomi aki.tuomi@dovecot.fi wrote:

As Sami pointed out, I had wrong syntax:

...
close, but few typos. userdb should be:

userdb { driver = passwd-file args = username_format=%Lu /etc/dovecot/share.passwd }

Sami

Aki Tuomi

8:34 a.m.

Can you provide your doveconf -n after adding the database *after* LDAP.

You probably need to add 'noauthenticate' as one parameter after the userdb ones.

Aki

On 07.08.2018 11:05, Simeon Ott wrote:

...

May you please clarify that? Where should I omit the userdb_ prefix? Which of my attempts are you pointing at? As stated, I omitted the userdb_ prefix when working with an LDAP attribute.

...
On 7 Aug 2018, at 10:03, Aki Tuomi aki.tuomi@dovecot.fi wrote:

with ldap userdb, you need to omit the userdb_ prefix.

Aki

On 07.08.2018 10:54, Simeon Ott wrote:

...
Sorry for that! I was offline during writing my answer to your mail and so it left my outbox after the advice from Sami.

The solution works well when using passwd userdbs only. I didn’t get it running in conjunction with ldap userdb. I tried to use an LDAP attribute and mapping it to userdb_acl_globals_only and another try with acl_globals_only. Both attributes were not considered by the lookup. Another try was to use a separate passwd-userdb for this attribute only. When placing the passwd-userdb before the ldap-userdb the ldap attributes are not considered. If the ldap-userdb is placed before the passwd-userdb, the extra attribute is not considered. I think this is a wanted behaviour.

Any ideas in conjunction with LDAP?

...
On 7 Aug 2018, at 08:54, Aki Tuomi aki.tuomi@dovecot.fi wrote:

As Sami pointed out, I had wrong syntax:

...
close, but few typos. userdb should be:

userdb { driver = passwd-file args = username_format=%Lu /etc/dovecot/share.passwd }

Sami

Simeon Ott

9:23 a.m.

… attached the dovecot -n, linked files, debug log lines during a standard client login

root@buserver:/etc/dovecot/conf.d# doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { args = username_format=%Lu /etc/dovecot/share.passwd driver = passwd-file } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }

root@buserver:/etc/dovecot# cat dovecot-acl root@buserver:/etc/dovecot#

—> means empty file

root@buserver:/etc/dovecot# cat share.passwd test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes

root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf hosts = localhost uris = ldap://localhost:389/ debug_level = 10 auth_bind = yes ldap_version = 3 base = ou=domains,dc=intra,dc=onnet,dc=ch deref = never scope = subtree user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$ user_filter = (&(objectClass=CourierMailAccount)(mail=%u)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=CourierMailAccount)(mail=%u)) iterate_attrs = mail=user iterate_filter = (objectClass=CourierMailAccount) default_pass_scheme = CRYPT

root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27" Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello du/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203) Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch; mail unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201 Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=test@onnet.ch, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206 Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%) Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 1 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: acl username = test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl: owner = 0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch): Disconnected: Logged out in=30 out=457

thanks for looking into this

...

On 7 Aug 2018, at 10:34, Aki Tuomi aki.tuomi@dovecot.fi wrote:

Can you provide your doveconf -n after adding the database *after* LDAP.

You probably need to add 'noauthenticate' as one parameter after the userdb ones.

Aki

Aki Tuomi

9:35 a.m.

Ah. You probably need to change ldap userdb so that you add userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf result_success = continue-ok } so that the next one is processed. you can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not. Aki On 07.08.2018 12:23, Simeon Ott wrote:

...

… attached the dovecot -n, linked files, debug log lines during a standard client login

root@buserver:/etc/dovecot/conf.d# doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { args = username_format=%Lu /etc/dovecot/share.passwd driver = passwd-file } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch mailto:postmaster@onnet.ch } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }

root@buserver:/etc/dovecot# cat dovecot-acl root@buserver:/etc/dovecot#

—> means empty file

root@buserver:/etc/dovecot# cat share.passwd test@onnet.ch mailto:test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes

root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf hosts = localhost uris = ldap://localhost:389/ debug_level = 10 auth_bind = yes ldap_version = 3 base = ou=domains,dc=intra,dc=onnet,dc=ch deref = never scope = subtree user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$ user_filter = (&(objectClass=CourierMailAccount)(mail=%u)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=CourierMailAccount)(mail=%u)) iterate_attrs = mail=user iterate_filter = (objectClass=CourierMailAccount) default_pass_scheme = CRYPT

root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27" Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test http://onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl http://onnet.ch/test//Maildir/.super/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello http://onnet.ch/test//Maildir/.super.hello du/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test http://onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203) Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch mailto:mail=test@onnet.ch)) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch mailto:mail=test@onnet.ch; mail unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch mailto:mail=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch mailto:OK#0111#011user=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch mailto:mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/ http://onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/ http://onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch mailto:USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201 http://onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=10737418... Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=mailto:test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206 Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/ http://onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%) Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir http://onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir http://onnet.ch/test//Maildir, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: acl username = test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: owner = 1 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u http://onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/... Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: acl username = test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: owner = 0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Disconnected: Logged out in=30 out=457

thanks for looking into this

...
On 7 Aug 2018, at 10:34, Aki Tuomi mailto:aki.tuomi@dovecot.fi> wrote:

Can you provide your doveconf -n after adding the database *after* LDAP.

You probably need to add 'noauthenticate' as one parameter after the userdb ones.

Aki

Simeon Ott

9:58 a.m.

Now the attributes are correctly read for the user test@onnet.ch mailto:test@onnet.ch, but other users are not able to authenticate anymore. root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch field value uid 5000 gid 5000 home /var/spool/postfix/virtual/onnet.ch/test/ mail maildir:~/Maildir quota_rule *:bytes=1073741824 acl vfile:/etc/dovecot/dovecot-acl acl_globals_only yes root@buserver:/etc/dovecot# doveadm user test2@onnet.ch field valueuserdb lookup: user test2@onnet.ch doesn't exist I need to add all users to the passwd too to let other users authenticate properly. This is not an option for our productive server, because the LDAP directory should be the main db for user administration. After adding “test@onnet.ch:::::::” to the passwd file, doveadm user works with test2@onnet.ch root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch field value uid 5000 gid 5000 home /var/spool/postfix/virtual/onnet.ch/test2/ mail maildir:~/Maildir quota_rule *:bytes=1073741824 IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch mailto:test@onnet.ch is still able to share its own folders?!

...

On 7 Aug 2018, at 11:35, Aki Tuomi wrote:

Ah. You probably need to change ldap userdb so that you add

userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf result_success = continue-ok }

so that the next one is processed.

you can use 'doveadm user test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.

Aki

On 07.08.2018 12:23, Simeon Ott wrote:

...
… attached the dovecot -n, linked files, debug log lines during a standard client login

root@buserver:/etc/dovecot/conf.d# doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { args = username_format=%Lu /etc/dovecot/share.passwd driver = passwd-file } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch mailto:postmaster@onnet.ch } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }

root@buserver:/etc/dovecot# cat dovecot-acl root@buserver:/etc/dovecot#

—> means empty file

root@buserver:/etc/dovecot# cat share.passwd test@onnet.ch mailto:test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes

root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf hosts = localhost uris = ldap://localhost:389/ debug_level = 10 auth_bind = yes ldap_version = 3 base = ou=domains,dc=intra,dc=onnet,dc=ch deref = never scope = subtree user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$ user_filter = (&(objectClass=CourierMailAccount)(mail=%u)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=CourierMailAccount)(mail=%u)) iterate_attrs = mail=user iterate_filter = (objectClass=CourierMailAccount) default_pass_scheme = CRYPT

root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27" Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test http://onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl http://onnet.ch/test//Maildir/.super/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello http://onnet.ch/test//Maildir/.super.hello du/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test http://onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203) Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch mailto:mail=test@onnet.ch)) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch mailto:mail=test@onnet.ch; mail unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch mailto:mail=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch mailto:OK#0111#011user=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch mailto:mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/ http://onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/ http://onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch mailto:USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201 http://onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=10737418... Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=mailto:test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206 Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/ http://onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%) Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir http://onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir http://onnet.ch/test//Maildir, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: acl username = test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: owner = 1 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u http://onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/... Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: acl username = test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: owner = 0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Disconnected: Logged out in=30 out=457

thanks for looking into this

...
On 7 Aug 2018, at 10:34, Aki Tuomi mailto:aki.tuomi@dovecot.fi> wrote:

Can you provide your doveconf -n after adding the database *after* LDAP.

You probably need to add 'noauthenticate' as one parameter after the userdb ones.

Aki

Aki Tuomi

10:05 a.m.

Hmm. if you put it *after* the ldap userdb, it should not have prevented users from logging in. What happens if you do userdb { driver = passwd-file args = .... skip = notfound result_failure = continue-ok } Aki On 07.08.2018 12:58, Simeon Ott wrote:

...

Now the attributes are correctly read for the user test@onnet.ch mailto:test@onnet.ch, but other users are not able to authenticate anymore.

root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# http://onnet.ch/test/Maildir/.super# doveadm user test@onnet.ch mailto:test@onnet.ch fieldvalue uid5000 gid5000 home/var/spool/postfix/virtual/onnet.ch/test/ http://onnet.ch/test/ mailmaildir:~/Maildir quota_rule*:bytes=1073741824 aclvfile:/etc/dovecot/dovecot-acl acl_globals_onlyyes

root@buserver:/etc/dovecot# doveadm user test2@onnet.ch mailto:test2@onnet.ch fieldvalueuserdb lookup: user test2@onnet.ch mailto:test2@onnet.ch doesn't exist

I need to add all users to the passwd too to let other users authenticate properly. This is not an option for our productive server, because the LDAP directory should be the main db for user administration. After adding “test@onnet.ch mailto:test@onnet.ch:::::::” to the passwd file, doveadm user works with test2@onnet.ch mailto:test2@onnet.ch

root@buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# http://onnet.ch/test/Maildir/.super# doveadm user test2@onnet.ch mailto:test2@onnet.ch fieldvalue uid5000 gid5000 home/var/spool/postfix/virtual/onnet.ch/test2/ http://onnet.ch/test2/ mailmaildir:~/Maildir quota_rule*:bytes=1073741824

IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch mailto:test@onnet.ch is still able to share its own folders?!

...
On 7 Aug 2018, at 11:35, Aki Tuomi mailto:aki.tuomi@dovecot.fi> wrote:

Ah. You probably need to change ldap userdb so that you add

userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf result_success = continue-ok }

so that the next one is processed.

you can use 'doveadm user test@onnet.ch mailto:test@onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.

Aki

On 07.08.2018 12:23, Simeon Ott wrote:

...
… attached the dovecot -n, linked files, debug log lines during a standard client login

root@buserver:/etc/dovecot/conf.d# doveconf -n # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 auth_debug = yes auth_debug_passwords = yes auth_mechanisms = plain login auth_verbose = yes auth_verbose_passwords = plain debug_log_path = syslog disable_plaintext_auth = no info_log_path = syslog lda_mailbox_autocreate = yes lda_mailbox_autosubscribe = yes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c mail_debug = yes mail_gid = 5000 mail_location = maildir:~/Maildir mail_plugins = zlib quota acl mail_uid = 5000 managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace { hidden = no ignore_on_failure = no inbox = no list = children location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u prefix = shared/%%u/ separator = / subscriptions = yes type = shared } namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Sent { auto = subscribe special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Spam { auto = subscribe special_use = \Junk } mailbox Trash { auto = subscribe special_use = \Trash } prefix = separator = / type = private } passdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } plugin { acl = vfile acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes quota = maildir:User quota quota_exceeded_message = 4.2.2 Mailbox full quota_rule = *:storage=1G quota_rule2 = INBOX.Trash:storage=+100M quota_rule3 = INBOX.Spam:ignore quota_warning = storage=95%% quota-warning 95 %u sieve = ~/.dovecot.sieve sieve_before = /var/lib/dovecot/sieve/default.sieve sieve_dir = ~/sieve sieve_max_actions = 32 sieve_max_redirects = 4 sieve_max_script_size = 1M sieve_quota_max_scripts = 0 sieve_quota_max_storage = 0 } protocols = " imap lmtp sieve pop3" service auth { group = dovecot unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0666 user = vmail } user = dovecot } service lmtp { unix_listener lmtp { mode = 0666 } } service managesieve-login { inet_listener sieve { port = 4190 } inet_listener sieve_deprecated { port = 2000 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } ssl = no userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap } userdb { args = username_format=%Lu /etc/dovecot/share.passwd driver = passwd-file } protocol lmtp { mail_plugins = zlib quota acl sieve } protocol lda { auth_socket_path = /var/run/dovecot/auth-master deliver_log_format = msgid=%m: %$ mail_plugins = zlib quota acl sieve postmaster_address = postmaster@onnet.ch mailto:postmaster@onnet.ch mailto:postmaster@onnet.ch } protocol imap { mail_plugins = zlib quota acl imap_quota imap_acl } protocol sieve { info_log_path = /var/log/sieve.log log_path = /var/log/sieve.log mail_max_userip_connections = 10 managesieve_implementation_string = Dovecot Pigeonhole managesieve_logout_format = bytes=%i/%o managesieve_max_compile_errors = 5 managesieve_max_line_length = 65536 }

root@buserver:/etc/dovecot# cat dovecot-acl root@buserver:/etc/dovecot#

—> means empty file

root@buserver:/etc/dovecot# cat share.passwd test@onnet.ch mailto:test@onnet.ch mailto:test@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes

root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf hosts = localhost uris = ldap://localhost:389/ debug_level = 10 auth_bind = yes ldap_version = 3 base = ou=domains,dc=intra,dc=onnet,dc=ch deref = never scope = subtree user_attrs = homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$ user_filter = (&(objectClass=CourierMailAccount)(mail=%u)) pass_attrs = mail=user,userPassword=password pass_filter = (&(objectClass=CourierMailAccount)(mail=%u)) iterate_attrs = mail=user iterate_filter = (objectClass=CourierMailAccount) default_pass_scheme = CRYPT

root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug 7 11:17:27" Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test http://onnet.ch/test//Maildir/.test folder 1.sub folder 1 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl http://onnet.ch/test//Maildir/.super/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: reading file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello http://onnet.ch/test//Maildir/.super.hello du/dovecot-acl Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: file /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test http://onnet.ch/test//Maildir/.test folder 1/dovecot-acl not found Aug 7 11:17:27 buserver dovecot: auth: Debug: auth client connected (pid=3203) Aug 7 11:17:27 buserver dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng== (previous base64 data may contain sensitive data) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search: base=ou=domains,dc=intra,dc=onnet,dc=ch filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch mailto:mail=test@onnet.ch)) Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch mailto:mail=test@onnet.ch; mail unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: mail=test@onnet.ch mailto:mail=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: client passdb out: OK#0111#011user=test@onnet.ch mailto:OK#0111#011user=test@onnet.ch Aug 7 11:17:27 buserver dovecot: auth: Debug: master in: REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search: base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree filter=(&(objectClass=CourierMailAccount)(mail=test@onnet.ch mailto:mail=test@onnet.ch)) fields=homeDirectory,uidNumber,gidNumber,quota Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/ http://onnet.ch/test/; homeDirectory,uidNumber,quota,gidNumber unused Aug 7 11:17:27 buserver dovecot: auth: Debug: ldap(test@onnet.ch mailto:test@onnet.ch,192.168.56.1,<lkbV3NRyyQDAqDgB>): result: uidNumber=5000 quota=1073741824 gidNumber=5000 homeDirectory=onnet.ch/test/ http://onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: auth: Debug: master userdb out: USER#0113718250497#011test@onnet.ch mailto:USER#0113718250497#011test@onnet.ch#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201 http://onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=10737418... Aug 7 11:17:27 buserver dovecot: imap-login: Login: user=mailto:test@onnet.ch>, method=PLAIN, rip=192.168.56.1, lip=192.168.56.50, mpid=3206 Aug 7 11:17:27 buserver dovecot: imap: Debug: Loading modules from directory: /usr/lib/dovecot/modules Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib01_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Module loaded: /usr/lib/dovecot/modules/lib20_zlib_plugin.so Aug 7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting: plugin/quota_rule=*:bytes=1073741824 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Effective uid=5000, gid=5000, home=/var/spool/postfix/virtual/onnet.ch/test/ http://onnet.ch/test/ Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota root: name=User quota backend=maildir args= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=* bytes=1073741824 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Trash bytes=+104857600 messages=0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota rule: root=User quota mailbox=INBOX.Spam ignored Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Quota grace: root=User quota bytes=107374182 (10%) Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Namespace inbox: type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:~/Maildir Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: maildir++: root=/var/spool/postfix/virtual/onnet.ch/test//Maildir http://onnet.ch/test//Maildir, index=, indexpvt=, control=, inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir http://onnet.ch/test//Maildir, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: acl username = test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: owner = 1 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u http://onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/... Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt= Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: initializing backend with data: vfile Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: acl username = test@onnet.ch mailto:test@onnet.ch Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl: owner = 0 Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Debug: acl vfile: Global ACLs disabled Aug 7 11:17:27 buserver dovecot: imap(test@onnet.ch mailto:test@onnet.ch): Disconnected: Logged out in=30 out=457

thanks for looking into this

...
On 7 Aug 2018, at 10:34, Aki Tuomi mailto:aki.tuomi@dovecot.fi> wrote:

Can you provide your doveconf -n after adding the database *after* LDAP.

You probably need to add 'noauthenticate' as one parameter after the userdb ones.

Aki

Simeon Ott

11 a.m.

still the same…

root@buserver:/etc/dovecot# doveadm user test2@onnet.ch field valueuserdb lookup: user test2@onnet.ch doesn't exist

relevant config output from doveconf -n userdb { args = /etc/dovecot/dovecot-ldap.conf driver = ldap result_success = continue-ok } userdb { args = username_format=%Lu /etc/dovecot/share.passwd driver = passwd-file result_failure = continue-ok skip = notfound }

but, did you read my last note anyway? IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch mailto:test@onnet.ch is still able to share its own folders?!

root@buserver:/etc/dovecot# doveadm user test@onnet.ch field value uid 5000 gid 5000 home /var/spool/postfix/virtual/onnet.ch/test/ mail maildir:~/Maildir quota_rule *:bytes=1073741824 acl vfile:/etc/dovecot/dovecot-acl acl_globals_only yes

root@buserver:/etc/dovecot# telnet localhost 143 Trying ::1... Connected to localhost. Escape character is '^]'.

OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. . login test@onnet.ch ********* . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA ACL RIGHTS=texk] Logged in . SETACL Inbox test2@onnet.ch lrwstipekxa . OK Setacl complete. . GETACL Inbox
ACL Inbox test2@onnet.ch akxeilprwtscd test@onnet.ch lrwstipekxacd . OK Getacl completed.

Cheers

...

On 7 Aug 2018, at 12:05, Aki Tuomi aki.tuomi@dovecot.fi wrote:

Hmm. if you put it *after* the ldap userdb, it should not have prevented users from logging in.

What happens if you do userdb { driver = passwd-file args = .... skip = notfound result_failure = continue-ok }

Aki

Simeon Ott

8 Aug 8 Aug

7:27 a.m.

Okay, this seems to be due to the fact that the option “use_globals_only" is supported only in v2.2.31+ We are on Debian jessie with dovecot v2.2.13 – even an upgrade to current stable stretch won’t help (dovecot v2.2.27). So we will wait until the packages find their way into the repository.

thanks anyway

...

On 7 Aug 2018, at 13:00, Simeon Ott simeon.ott@onnet.ch wrote: but, did you read my last note anyway? IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch mailto:test@onnet.ch is still able to share its own folders?!

root@buserver:/etc/dovecot# doveadm user test@onnet.ch mailto:test@onnet.ch field value uid 5000 gid 5000 home /var/spool/postfix/virtual/onnet.ch/test/ http://onnet.ch/test/ mail maildir:~/Maildir quota_rule *:bytes=1073741824 acl vfile:/etc/dovecot/dovecot-acl acl_globals_only yes

root@buserver:/etc/dovecot# telnet localhost 143 Trying ::1... Connected to localhost. Escape character is '^]'.

OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. . login test@onnet.ch mailto:test@onnet.ch ********* . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA ACL RIGHTS=texk] Logged in . SETACL Inbox test2@onnet.ch mailto:test2@onnet.ch lrwstipekxa . OK Setacl complete. . GETACL Inbox

ACL Inbox test2@onnet.ch mailto:test2@onnet.ch akxeilprwtscd test@onnet.ch mailto:test@onnet.ch lrwstipekxacd . OK Getacl completed.

Sami Ketola

7:41 a.m.

http://repo.dovecot.org/ http://repo.dovecot.org/

Sami

...

On 8 Aug 2018, at 10.27, Simeon Ott simeon.ott@onnet.ch wrote:

Okay, this seems to be due to the fact that the option “use_globals_only" is supported only in v2.2.31+ We are on Debian jessie with dovecot v2.2.13 – even an upgrade to current stable stretch won’t help (dovecot v2.2.27). So we will wait until the packages find their way into the repository.

thanks anyway

...
On 7 Aug 2018, at 13:00, Simeon Ott mailto:simeon.ott@onnet.ch> wrote: but, did you read my last note anyway? IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch mailto:test@onnet.ch is still able to share its own folders?!

root@buserver:/etc/dovecot# doveadm user test@onnet.ch mailto:test@onnet.ch field value uid 5000 gid 5000 home /var/spool/postfix/virtual/onnet.ch/test/ http://onnet.ch/test/ mail maildir:~/Maildir quota_rule *:bytes=1073741824 acl vfile:/etc/dovecot/dovecot-acl acl_globals_only yes

root@buserver:/etc/dovecot# telnet localhost 143 Trying ::1... Connected to localhost. Escape character is '^]'.

OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. . login test@onnet.ch mailto:test@onnet.ch ********* . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA ACL RIGHTS=texk] Logged in . SETACL Inbox test2@onnet.ch mailto:test2@onnet.ch lrwstipekxa . OK Setacl complete. . GETACL Inbox

ACL Inbox test2@onnet.ch mailto:test2@onnet.ch akxeilprwtscd test@onnet.ch mailto:test@onnet.ch lrwstipekxacd . OK Getacl completed.

Simeon Ott

9 Aug 9 Aug

5:48 a.m.

Thanks Sami, thanks Aki

I just updated the packages on our testing server and now it works like expected. There are some LDAP tests to come. Are there many productive server out there using this repository?

Simeon

...

On 8 Aug 2018, at 09:41, Sami Ketola sami.ketola@dovecot.fi wrote:

http://repo.dovecot.org/ http://repo.dovecot.org/

Sami

...
On 8 Aug 2018, at 10.27, Simeon Ott mailto:simeon.ott@onnet.ch> wrote:

Okay, this seems to be due to the fact that the option “use_globals_only" is supported only in v2.2.31+ We are on Debian jessie with dovecot v2.2.13 – even an upgrade to current stable stretch won’t help (dovecot v2.2.27). So we will wait until the packages find their way into the repository.

thanks anyway

...
On 7 Aug 2018, at 13:00, Simeon Ott mailto:simeon.ott@onnet.ch> wrote: but, did you read my last note anyway? IMPORTANT NOTE: anyway.. even with this options set (acl and acl_globals_only) the user test@onnet.ch mailto:test@onnet.ch is still able to share its own folders?!

Sami Ketola

10 Aug 10 Aug

10:27 a.m.

...

On 9 Aug 2018, at 8.48, Simeon Ott simeon.ott@onnet.ch wrote:

Thanks Sami, thanks Aki

I just updated the packages on our testing server and now it works like expected. There are some LDAP tests to come. Are there many productive server out there using this repository?

We have no way of knowing that. We could probably check the logs for the number how many times the packages have been downloaded, but even then we don't know for what purpose those packages are downloaded for.

Sami

2245

Age (days ago)

2250

Last active (days ago)

List overview

18 comments

4 participants

participants (4)

Aki Tuomi
Sami Ketola
Simeon Ott
Simeon Ott