[Dovecot] LMTP: Rejecting unknown users
Hi!
I'm using static results in LDAP lookups:
uris = ldap://127.0.0.1
dn = xxxxxxxxxxxxx
dnpass = xxxxxxxxxxxx
tls = no
ldap_version = 3
base = xxxxxxxxxxxxxxxxx
user_attrs = =home=/mail/%d/%n,=uid=10000,=gid=10000,jpberlinMailQuota=quota_rule=*:storage=%$B
user_filter = (email=%u)
pass_attrs = userPassword=password
pass_filter = (email=%u)
default_pass_scheme = PLAIN
Unfortunately, LMTP accepts mail for *all* users, even for users that don't exist in LDAP at all:
2010-08-04 12:27:58 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
2010-08-04 12:27:58 auth: Debug: auth client connected (pid=10049)
2010-08-04 12:27:58 lmtp(10054): Debug: none: root=, index=, control=, inbox=
2010-08-04 12:27:58 auth: Debug: master in: USER 1 tessdfdfgdsft@example.org service=lmtp lip=(null) rip=(null)
2010-08-04 12:27:58 auth: Debug: ldap(tessdfdfgdsft@example.org,0.0.0.0): user search: base=xxxxxxxxxxxxxxxxxxx
2010-08-04 12:27:58 auth: Debug: ldap(tessdfdfgdsft@example.org,0.0.0.0): no fields returned by the server
2010-08-04 12:27:58 auth: Debug: master out: USER 1 tessdfdfgdsft@example.org home=/mail/example.org/tessdfdfgdsft uid=10000 gid=10000
2010-08-04 12:27:58 lmtp(10054): Debug: auth input: tessdfdfgdsft@example.org home=/mail/example.org/tessdfdfgdsft uid=10000 gid=10000
2010-08-04 12:27:58 lmtp(10054, tessdfdfgdsft@example.org): Debug: Effective uid=10000, gid=10000, home=/mail/example.org/tessdfdfgdsft
2010-08-04 12:27:58 lmtp(10054, tessdfdfgdsft@example.org): Debug: Namespace : type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
2010-08-04 12:27:58 lmtp(10054, tessdfdfgdsft@example.org): Debug: maildir++: root=/mail/example.org/tessdfdfgdsft/Maildir, index=, control=, inbox=/mail/example.org/tessdfdfgdsft/Maildir
2010-08-04 12:27:58 lmtp(10054, tessdfdfgdsft@example.org): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no
2010-08-04 12:27:58 lmtp(10054, tessdfdfgdsft@example.org): Debug: shared: root=/var/run/dovecot, index=, control=, inbox=
Looks like the "allow_all_users" problem from the static database. :-) How can I tell LMTP to reject mails to users that don't exist in the database/LDAP?
It's much better to do this in Dovecot/LMTP than in the Postfix relay (which can then use LMTP for dynamic address verification).
Peer
--
Heinlein Professional Linux Support GmbH Linux: Akademie - Support - Hosting http://www.heinlein-support.de
Tel: 030-405051-42 Fax: 030-405051-19
Mandatory information per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Managing Director: Peer Heinlein -- Registered office: Berlin
On Wed, 2010-08-04 at 15:37 +0200, Peer Heinlein wrote:
> user_attrs = =home=/mail/%d/%n,=uid=10000,=gid=10000,jpberlinMailQuota=quota_rule=*:storage=%$B
> user_filter = (email=%u)
Looks ok..
> Unfortunately, LMTP accepts mail for *all* users, even for users that don't exist in LDAP at all:
Shouldn't happen..
> 2010-08-04 12:27:58 auth: Debug: master in: USER 1 tessdfdfgdsft@example.org service=lmtp lip=(null) rip=(null)
The lip=(null) rip=(null) here is a bug (fixed by http://hg.dovecot.org/dovecot-2.0/rev/10c4c9d5fb5b) but I don't think that matters.
> 2010-08-04 12:27:58 auth: Debug: ldap(tessdfdfgdsft@example.org,0.0.0.0): user search: base=xxxxxxxxxxxxxxxxxxx
> 2010-08-04 12:27:58 auth: Debug: ldap(tessdfdfgdsft@example.org,0.0.0.0): no fields returned by the server
> 2010-08-04 12:27:58 auth: Debug: master out: USER 1 tessdfdfgdsft@example.org home=/mail/example.org/tessdfdfgdsft uid=10000 gid=10000
It looks like LDAP still sent a reply. Otherwise it would do what it does for me:
Aug 04 15:24:57 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Aug 04 15:24:57 auth: Debug: master in: USER 1 tss@example.com service=lmtp lip=::1 rip=::1
Aug 04 15:24:57 auth: Debug: ldap(tss@example.com,::1): user search: base=ou=people,dc=example,dc=com scope=subtree filter=(mail=tss@example.com) fields=uidNumber
Aug 04 15:24:57 auth: Info: ldap(tss@example.com,::1): unknown user
Aug 04 15:24:57 auth: Debug: master out: NOTFOUND 1
BTW. You should be able to test this more easily with "doveadm user foo@example.org". It should also return "unknown user".
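The comparison Timo makes by eye here, a "no fields returned by the server" line followed by a USER reply versus "unknown user" followed by NOTFOUND, can be automated over an auth debug log. The following Python script is an added example, not part of this thread and not Dovecot code: it pairs each "master in: USER" request with the ldap lines and the "master out" reply by request id, and lists LMTP recipients that were accepted although the directory returned none of the requested attributes. The sample log lines are constructed from the ones quoted in this thread (with a constructed base DN and distinct request ids).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes taken from the auth debug logs quoted in this thread. Only the part
# after "auth:" is matched, so both "2010-08-04 12:27:58 auth:" and syslog-style
# "Aug 04 15:24:57 mail-archiv dovecot: auth:" prefixes work.
MASTER_IN = re.compile(r"auth: Debug: master in: USER (\d+) (\S+)(.*)$")
MASTER_OUT = re.compile(r"auth: Debug: master out: (USER|NOTFOUND) (\d+)(.*)$")
LDAP_NOFIELDS = re.compile(r"auth: Debug: ldap\(([^,)]+)[^)]*\): no fields returned")
LDAP_UNKNOWN = re.compile(r"auth: Info: ldap\(([^,)]+)[^)]*\): unknown user")


@dataclass
class Lookup:
    """One userdb request/reply pair as seen by the auth process."""
    request_id: str
    user: str
    service: str
    # True: LDAP found the entry but it carried none of the requested attributes
    # ("no fields returned by the server"); False: "unknown user"; None: neither
    # line was seen (attributes were returned, or a non-LDAP userdb answered).
    ldap_entry_found: Optional[bool] = None
    reply: Optional[str] = None            # "USER" or "NOTFOUND"
    fields: Dict[str, str] = field(default_factory=dict)

    def verdict(self) -> str:
        if self.reply == "NOTFOUND":
            return "unknown user: LMTP rejects the recipient"
        if self.reply == "USER" and self.ldap_entry_found:
            return ("entry exists in LDAP but returned none of the requested "
                    "attributes; reply built from static user_attrs defaults")
        if self.reply == "USER":
            return "user accepted with attributes from the userdb"
        return "no reply seen for this request"


def parse_auth_log(text: str) -> List[Lookup]:
    """Pair 'master in' requests with the ldap lines and the 'master out' reply."""
    pending: Dict[str, Lookup] = {}   # request id -> open lookup
    by_user: Dict[str, Lookup] = {}   # user -> most recent open lookup
    done: List[Lookup] = []
    for line in text.splitlines():
        m = MASTER_IN.search(line)
        if m:
            rid, user, rest = m.groups()
            svc = re.search(r"service=(\S+)", rest)
            lookup = Lookup(rid, user, svc.group(1) if svc else "?")
            pending[rid] = lookup
            by_user[user] = lookup
            continue
        m = LDAP_NOFIELDS.search(line)
        if m and m.group(1) in by_user:
            by_user[m.group(1)].ldap_entry_found = True
            continue
        m = LDAP_UNKNOWN.search(line)
        if m and m.group(1) in by_user:
            by_user[m.group(1)].ldap_entry_found = False
            continue
        m = MASTER_OUT.search(line)
        if m:
            kind, rid, rest = m.groups()
            lookup = pending.pop(rid, None)
            if lookup is None:
                continue            # reply to a request we never saw
            lookup.reply = kind
            if kind == "USER":
                # "USER 1 user@dom home=... uid=... gid=...": drop the user token
                tokens = rest.split()[1:]
                lookup.fields = dict(t.split("=", 1) for t in tokens if "=" in t)
            by_user.pop(lookup.user, None)
            done.append(lookup)
    return done


def accepted_on_defaults(lookups: List[Lookup]) -> List[Lookup]:
    """LMTP recipients that got a USER reply although LDAP returned no attributes.

    In this thread that pattern meant the entry really existed (an "autolearn"
    filter had created it); in a setup where it should not exist, this is the
    list to check against the directory with ldapsearch."""
    return [lk for lk in lookups
            if lk.service == "lmtp" and lk.reply == "USER" and lk.ldap_entry_found]


# Constructed sample: the two cases quoted in the thread, with a constructed base
# DN and distinct request ids so that the pairing is visible.
SAMPLE_LOG = """\
2010-08-04 14:34:41 auth: Debug: master in: USER 1 hgjhgjhg@example.org service=lmtp lip=(null) rip=(null)
2010-08-04 14:34:41 auth: Debug: ldap(hgjhgjhg@example.org,0.0.0.0): user search: base=ou=domain,dc=example,dc=org scope=subtree filter=(email=hgjhgjhg@example.org) fields=jpberlinMailQuota
2010-08-04 14:34:41 auth: Debug: ldap(hgjhgjhg@example.org,0.0.0.0): no fields returned by the server
2010-08-04 14:34:41 auth: Debug: master out: USER 1 hgjhgjhg@example.org home=/mail/example.org/hgjhgjhg uid=10000 gid=10000
2010-08-04 14:34:41 lmtp(11522, hgjhgjhg@example.org): Debug: Effective uid=10000, gid=10000, home=/mail/example.org/hgjhgjhg
Aug 04 15:24:57 auth: Debug: master in: USER 2 tss@example.com service=lmtp lip=::1 rip=::1
Aug 04 15:24:57 auth: Debug: ldap(tss@example.com,::1): user search: base=ou=people,dc=example,dc=com scope=subtree filter=(mail=tss@example.com) fields=uidNumber
Aug 04 15:24:57 auth: Info: ldap(tss@example.com,::1): unknown user
Aug 04 15:24:57 auth: Debug: master out: NOTFOUND 2
"""

if __name__ == "__main__":
    for lk in parse_auth_log(SAMPLE_LOG):
        print(f"{lk.user:28} {str(lk.reply):9} {lk.verdict()}")
```

Run it against a full auth debug log (auth_debug=yes) and the first line of output is the thread's symptom; the second is what a genuinely missing user looks like. A NOTFOUND is what makes LMTP answer with a permanent rejection, so any LMTP USER reply that follows a "no fields returned" line deserves an ldapsearch against the same base and filter.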
On Wednesday 04 August 2010, Timo Sirainen wrote:
>> Unfortunately, LMTP accepts mail for *all* users, even for users that don't exist in LDAP at all:
> Shouldn't happen..
Okay, so I'm hopefully not toooo stupid :-)
> BTW. You should be able to test this more easily with "doveadm user foo@example.org". It should also return "unknown user".
Oh, I'm not used to the new features :-)
But even if doveadm user denies the existence of my dummy user:
root@mail-archiv:/etc/dovecot# doveadm user hgjhgjhg@example.org
userdb lookup: user hgjhgjhg@example.org doesn't exist
Aug 4 14:30:49 mail-archiv dovecot: auth: ldap(hgjhgjhg@example.org): unknown user
...it's still possible to send him e-mails...
root@mail-archiv:/etc/dovecot# echo hhh | sendmail hgjhgjhg@example.org
root@mail-archiv:/etc/dovecot# grep hgjhgjhg@example.org /var/log/mail.info
Aug 4 14:31:07 mail-archiv postfix/smtp[11471]: 1EB2C8115: to=hgjhgjhg@example.org, relay=127.0.0.1[127.0.0.1]:7123, delay=0.37, delays=0.07/0.01/0.05/0.25, dsn=2.0.0, status=sent (250 Message requeued)
Aug 4 14:31:07 mail-archiv dovecot: lmtp(10423, hgjhgjhg@example.org): GFarClBFWUy3KAAA/hwkHw: msgid=20100804123107.1EB2C8115@mail-archiv.heinlein-support.test: saved mail to INBOX
Aug 4 14:31:07 mail-archiv postfix/lmtp[11477]: 6026A8111: to=hgjhgjhg@example.org, relay=mail-archiv.heinlein-support.test[private/dovecot-lmtp], delay=0.13, delays=0.11/0.02/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 hgjhgjhg@example.org GFarClBFWUy3KAAA/hwkHw Saved)
2010-08-04 14:34:41 auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
2010-08-04 14:34:41 auth: Debug: auth client connected (pid=11517)
2010-08-04 14:34:41 lmtp(11522): Debug: none: root=, index=, control=, inbox=
2010-08-04 14:34:41 auth: Debug: master in: USER 1 hgjhgjhg@example.org service=lmtp lip=(null) rip=(null)
2010-08-04 14:34:41 auth: Debug: ldap(hgjhgjhg@example.org,0.0.0.0): user search: base=ou=domain,dc=heinlein-support,dc=de scope=subtree filter=(email=hgjhgjhg@example.org) fields=jpberlinMailQuota
2010-08-04 14:34:41 auth: Debug: ldap(hgjhgjhg@example.org,0.0.0.0): no fields returned by the server
2010-08-04 14:34:41 auth: Debug: master out: USER 1 hgjhgjhg@example.org home=/mail/example.org/hgjhgjhg uid=10000 gid=10000
2010-08-04 14:34:41 lmtp(11522): Debug: auth input: hgjhgjhg@example.org home=/mail/example.org/hgjhgjhg uid=10000 gid=10000
2010-08-04 14:34:41 lmtp(11522, hgjhgjhg@example.org): Debug: Effective uid=10000, gid=10000, home=/mail/example.org/hgjhgjhg
2010-08-04 14:34:41 lmtp(11522, hgjhgjhg@example.org): Debug: Namespace : type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
2010-08-04 14:34:41 lmtp(11522, hgjhgjhg@example.org): Debug: maildir++: root=/mail/example.org/hgjhgjhg/Maildir, index=, control=, inbox=/mail/example.org/hgjhgjhg/Maildir
2010-08-04 14:34:41 lmtp(11522, hgjhgjhg@example.org): Debug: Namespace : type=shared, prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=no
2010-08-04 14:34:41 lmtp(11522, hgjhgjhg@example.org): Debug: shared: root=/var/run/dovecot, index=, control=, inbox=
Peer Heinlein
On Wed, 2010-08-04 at 16:35 +0200, Peer Heinlein wrote:
> But even if doveadm user denies the existence of my dummy user:
> root@mail-archiv:/etc/dovecot# doveadm user hgjhgjhg@example.org
> userdb lookup: user hgjhgjhg@example.org doesn't exist
> Aug 4 14:30:49 mail-archiv dovecot: auth: ldap(hgjhgjhg@example.org): unknown user
What are the full debug logs for this lookup? (What's different in them compared to "doveadm user"?)
> ...it's still possible to send him e-mails...
LMTP and "doveadm user" should send the same command to auth process and they should be processed identically.
On Wednesday 04 August 2010, Timo Sirainen wrote:
> What are the full debug logs for this lookup? (What's different in them compared to "doveadm user"?)
>> ...it's still possible to send him e-mails...
> LMTP and "doveadm user" should send the same command to auth process and they should be processed identically.
Strange:
root@mail-archiv:/etc/dovecot# doveadm user notexistent@example.org
userdb lookup: user notexistent@example.org doesn't exist
root@mail-archiv:/etc/dovecot# echo hhhhh | sendmail notexistent@example.org
root@mail-archiv:/etc/dovecot# doveadm user notexistent@example.org
userdb: notexistent@example.org
  home : /mail/example.org/notexistent
  uid  : 10000
  gid  : 10000
But the user still exists if his Maildir is deleted:
root@mail-archiv:/mail/example.org# rm -R /mail/example.org/notexistent/
root@mail-archiv:/mail/example.org# doveadm user notexistent@example.org
userdb: notexistent@example.org
  home : /mail/example.org/notexistent
  uid  : 10000
  gid  : 10000
...and the user still exists after a complete restart of Dovecot?!
Peer Heinlein
On Wed, 2010-08-04 at 17:00 +0200, Peer Heinlein wrote:
> root@mail-archiv:/etc/dovecot# doveadm user notexistent@example.org
> userdb lookup: user notexistent@example.org doesn't exist
What if you run this twice, does the second one say it doesn't exist or does it then return the user?
> But the user still exists if his Maildir is deleted:
Yeah, that isn't checked.
> ...and the user still exists after a complete restart of Dovecot?!
Sounds like LDAP server starts returning different replies. Restarting it probably resets it? You should be able to reproduce the "doveadm user" lookup the same way with "ldapsearch" by giving the same search queries etc.
So to me this sounds like something weird going on with your LDAP server..
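Reproducing the "doveadm user" lookup with ldapsearch, as Timo suggests, requires knowing exactly which filter and which attributes the userdb sends. The following Python model is an added example and not Dovecot's own code: it parses the user_attrs and user_filter settings from Peer's config, expands %u/%n/%d, builds the equivalent ldapsearch command line, and runs the lookup against a small in-memory directory to reproduce the three outcomes seen in this thread: a user with a quota attribute, an entry that exists but carries none of the requested attributes (which still yields a USER reply built from the static defaults, exactly what the "no fields returned" log shows), and a missing entry (NOTFOUND). The URI, base DN, bind DN and directory entries are constructed placeholders; only the simple (attr=value) filter shape from the thread is modelled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed config: the user_attrs/user_filter from the thread, with constructed
# URI, base DN and bind DN in place of the redacted values.
CONF = """\
uris = ldap://127.0.0.1
dn = cn=dovecot,dc=example,dc=org
base = ou=domain,dc=example,dc=org
user_attrs = =home=/mail/%d/%n,=uid=10000,=gid=10000,jpberlinMailQuota=quota_rule=*:storage=%$B
user_filter = (email=%u)
"""

# Constructed directory contents covering the three outcomes discussed in the thread.
DIRECTORY: List[Dict[str, str]] = [
    {"email": "peer@example.org", "jpberlinMailQuota": "1048576"},
    {"email": "notexistent@example.org"},   # exists, but has no jpberlinMailQuota
]


def parse_conf(text: str) -> Dict[str, str]:
    """'key = value' lines; split on the first '=' only, since values contain '='."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def expand(template: str, user: str) -> str:
    """Dovecot's %u (full user), %n (local part) and %d (domain) variables.
    '%$' (the LDAP attribute value) is left alone here and filled in later."""
    local, _, domain = user.partition("@")
    return re.sub(r"%([und])",
                  lambda m: {"u": user, "n": local, "d": domain}[m.group(1)],
                  template)


def parse_user_attrs(spec: str) -> Tuple[Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Split user_attrs into static fields (empty LDAP attribute name before the
    first '=') and fields mapped from an LDAP attribute through a '%$' template."""
    static: Dict[str, str] = {}
    mapped: Dict[str, Tuple[str, str]] = {}
    for item in spec.split(","):
        parts = item.split("=", 2)
        if len(parts) == 2:                 # "attr=field" is shorthand for "attr=field=%$"
            parts.append("%$")
        ldap_attr, dovecot_field, template = parts
        if ldap_attr == "":
            static[dovecot_field] = template
        else:
            mapped[ldap_attr] = (dovecot_field, template)
    return static, mapped


def requested_fields(conf: Dict[str, str]) -> List[str]:
    """Attributes the userdb asks the server for (the 'fields=' in the debug log)."""
    return list(parse_user_attrs(conf["user_attrs"])[1])


def ldapsearch_argv(conf: Dict[str, str], user: str) -> List[str]:
    """The ldapsearch command equivalent to one userdb lookup: simple bind as the
    configured dn (-W prompts for dnpass), same base, subtree scope, same filter
    and attribute list. Useful for reproducing a 'doveadm user' result by hand."""
    argv = ["ldapsearch", "-x", "-H", conf["uris"]]
    if conf.get("dn"):
        argv += ["-D", conf["dn"], "-W"]
    argv += ["-b", conf["base"], "-s", "sub", expand(conf["user_filter"], user)]
    return argv + requested_fields(conf)


def _matches(entry: Dict[str, str], ldap_filter: str) -> bool:
    """Only the simple (attr=value) equality filter from the thread is modelled."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    return bool(m) and entry.get(m.group(1), "").lower() == m.group(2).lower()


def userdb_lookup(conf: Dict[str, str], directory: List[Dict[str, str]],
                  user: str) -> Optional[Dict[str, str]]:
    """None models the NOTFOUND reply ("unknown user"). Any entry matching the
    filter yields a USER reply: static fields first, then whichever requested
    attributes the entry actually has. An entry with none of them therefore still
    produces home/uid/gid from the defaults, which is the thread's symptom."""
    ldap_filter = expand(conf["user_filter"], user)
    entry = next((e for e in directory if _matches(e, ldap_filter)), None)
    if entry is None:
        return None
    static, mapped = parse_user_attrs(conf["user_attrs"])
    reply = {fld: expand(tmpl, user) for fld, tmpl in static.items()}
    for ldap_attr, (fld, tmpl) in mapped.items():
        if ldap_attr in entry:
            reply[fld] = expand(tmpl, user).replace("%$", entry[ldap_attr])
    return reply


if __name__ == "__main__":
    conf = parse_conf(CONF)
    for u in ("peer@example.org", "notexistent@example.org", "unknown@example.org"):
        print(u, "->", userdb_lookup(conf, DIRECTORY, u) or "NOTFOUND")
    print(" ".join(ldapsearch_argv(conf, "notexistent@example.org")))
```

The point of the model is the middle case: Dovecot decides "user exists" on whether the filter matched an entry, not on whether that entry had the requested attributes, so an entry created by something else (here, the autolearn filter the thread ends up blaming) is enough to make LMTP accept the recipient with the static home/uid/gid. The ldapsearch line the block prints queries exactly what the userdb queried, which is the check Timo recommends.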
On Wednesday 04 August 2010, you wrote:
Okay, sorry, I **AM** tooooo stupid.
I just learned that someone has implemented a stupid "autolearn" function in a mail filter that adds unknown recipients to the LDAP directory.
My whole problem has nothing to do with Dovecot. Dovecot is right: the "notexistent" user *does* exist in the LDAP directory.
Same with my IPv4/IPv6-problem with "listen". On a *real* Debian Lenny system it's working fine. On our appliance system a "listen = *" opens IPv4 and IPv6. I haven't found the reason yet, there's nothing strange in /etc/sysctl.conf, but it looks like somebody has implemented a "cool killer feature" several years ago. I'll find it (and maybe him!), but it's not a dovecot-problem.
Sorry for wasting your time. Dovecot works fine and great like always.
I just learned that our base-system isn't that plain vanilla as I always thought and they always told me. Sorry, I haven't checked that possibility hard enough before sending to the list.
Peer Heinlein
Peer Heinlein wrote:
> I just learned that someone has implemented a stupid "autolearn" function in a mail filter that adds unknown recipients to the LDAP directory.
Yikes! Hopefully you explained to them why that is such a really, really bad idea and disabled it?
participants (4): Charles Marcus, Peer Heinlein, Peer Heinlein, Timo Sirainen