[Dovecot] Username issue with Dovecot LDA, IMAP and Winbind Authentication
Hi there Dovecot community --
I'll try to make this short. Here's the setup … Ubuntu 12.04, Postfix, Dovecot, along with Amavis/Clamd/Spamassassin. Postfix is currently receiving emails for virtual users in multiple domains, all of which are authenticating through Winbind to Windows AD servers. The users log in to the POP/IMAP/SMTP services using the format user@domain.corp (the internal domain, not the external mail domain). The domains are all in the same forest, but there are many different domains to authenticate against.
Dovecot is currently handling POP, IMAP, and authentication. Postfix uses a MySQL database to map the external email domain to the internal AD domain, for example domain.com -> domain.corp. Postfix also queries the same SQL database for where to save the messages -- /home/vmail/domain\user -- and I have the SQL query strip off the ".corp". I had to do this because pam_winbind returns the usernames as "DOMAIN\user" upon successful Dovecot authentication, instead of "user@domain.corp", which ends up invalidating all of the %u, %n, and %d variables. On the user side, after successful auth, I can only define %u and %n in my Dovecot configuration -- %d is null, %u is "DOMAIN\user", and %n is "DOMAIN\user". (I use %Lu or %Ln to make it all lower-case.)
With this, I am able to authenticate users off of multiple domains and have the mail delivered to a folder that is also accessible to the user when they log in. It serves its purpose.
Here's my problem. I am trying to now integrate Pigeonhole and ManageSieve using Dovecot-LDA specified by "virtual_transport", and this is where things get confusing. Dovecot IMAP/POP/SMTP auth notes the user account to be "DOMAIN\user", while Dovecot-LDA receives the email to user@domain.com, noting the user account to be "user@domain.corp". The same arguments for userdb in "auth-system.conf.ext" are used both by Dovecot when a user is logging in for IMAP/POP/SMTP and by Dovecot-LDA when it is storing the mail. Because of the way pam_winbind returns the usernames, and without being able to use %d anymore, I cannot seem to get the same behavior for both sides of Dovecot.
For example, if I set home and maildir to "/home/vmail/%Ln", Dovecot-LDA delivers emails into the folder "/home/vmail/user@domain.corp" and Dovecot IMAP/POP looks in "/home/vmail/domain\user". If I set the home/maildir to "/home/vmail/%Ld/%Lu", Dovecot-LDA delivers emails into the folder "/home/vmail/domain.corp/user" and Dovecot IMAP/POP looks in "/home/vmail/\/domain\user". So, I seem to be thoroughly unable to get something here that works … The closest I can get is setting home/maildir to "/home/vmail/%Ld\%Lu", but that now gives the LDA side "/home/vmail/domain.corp\user" and the IMAP/POP/SMTP side "/home/vmail/\\domain\user".
If I am able to get pam_winbind to return "user@domain.corp" instead of "DOMAIN\user", I'd be fine. Or, if I could set the home and maildir locations separately for Dovecot-LDA and Dovecot, I would also be okay.
Any suggestions? I know this is probably a Winbind limitation, but I do not know a thing about working with PAM authentication. I tried to compile and install a pam_regex module (which does not seem to be offered as a native package in Ubuntu), but it gives errors after adding that to my PAM configuration. I'm stumped.
Please let me know if I can include my configuration for either Postfix or Dovecot.
Thank you so much for any help.
~ Laz Peterson
I forgot to add … (Doh) … My Dovecot version is 2.1.7. Thanks.
~ Laz Peterson Paravis Business Networks Ph: 909.660.5100
On Oct 2, 2013, at 9:20 AM, Laz Peterson laz@paravis.net wrote:
An update on the status of my situation --
I switched from pam_winbind to pam_krb5. Now, my user accounts are being returned as "user@DOMAIN.CORP" instead of "DOMAIN\user". Dovecot-LDA is running flawlessly alongside Dovecot-IMAP. All systems go.
Case closed. Thanks.