Different passdb backends for different services
Hi,
Since Dovecot supports submission, which is the sending direction, I would like to know whether I can configure a separate passdb backend just for submission.
I have LDAP attributes that distinguish sending and receiving permissions. It would be nice if I had a second passdb backend just for submission, with an LDAP filter for locking this service.
Example for IMAP, POP3, Sieve:
(&(mail=%s)(mailAllowIncoming=TRUE))
Example for Submission:
(&(mail=%s)(mailAllowOutgoing=TRUE))
The use case is to lock compromised accounts that send spam. An operator can notify the account owner by placing a warning message into his/her mailbox.
Is this possible?
Thanks in advance
Christian
On 3 Sep 2019, at 11.07, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
Hi,
Since Dovecot supports submission, which is the sending direction, I would like to know whether I can configure a separate passdb backend just for submission.
I have LDAP attributes that distinguish sending and receiving permissions. It would be nice if I had a second passdb backend just for submission, with an LDAP filter for locking this service.
Example for IMAP, POP3, Sieve:
(&(mail=%s)(mailAllowIncoming=TRUE))
protocol imap { passdb { ... } }
Example for Submission:
(&(mail=%s)(mailAllowOutgoing=TRUE))
protocol submission { passdb { ... } }
etc.
Sami
On 03.09.2019 at 10:54, Sami Ketola via dovecot <dovecot@dovecot.org> wrote:
On 3 Sep 2019, at 11.07, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
Hi,
Since Dovecot supports submission, which is the sending direction, I would like to know whether I can configure a separate passdb backend just for submission.
I have LDAP attributes that distinguish sending and receiving permissions. It would be nice if I had a second passdb backend just for submission, with an LDAP filter for locking this service.
Example for IMAP, POP3, Sieve:
(&(mail=%s)(mailAllowIncoming=TRUE))
protocol imap { passdb { ... } }
Example for Submission:
(&(mail=%s)(mailAllowOutgoing=TRUE))
protocol submission { passdb { ... } }
I tried this, but I have probably done something wrong.
I added this to 20-imap, 20-pop, 20-managesieve and 20-submission, always in the protocol sections. I also disabled the passdb section from the auth-ldap.conf.ext in 10-auth and left the userdb part.
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16106, input bytes=0
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16107, input bytes=0
Can somebody tell me which "things" need the userdb and which the passdb sections?
I am a little bit confused. Or do I have to add the above lines and is some inheritance working here?
Thanks in advance
Christian
On 3 Sep 2019, at 19.08, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
I tried this, but I have probably done something wrong.
I added this to 20-imap, 20-pop, 20-managesieve and 20-submission, always in the protocol sections. I also disabled the passdb section from the auth-ldap.conf.ext in 10-auth and left the userdb part.
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16106, input bytes=0
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16107, input bytes=0
Can somebody tell me which "things" need the userdb and which the passdb sections?
I am a little bit confused. Or do I have to add the above lines and is some inheritance working here?
Thanks in advance
Christian
I always use one flat dovecot.conf file. It is just so much simpler, and that way you can more easily ensure the loading order of all settings.
Maybe you too should gather all the settings you want to change into one config file and stop loading those in conf.d.
Also you can post your doveconf -n somewhere so that we can see what goes wrong.
Sami
On 04.09.2019 at 08:24, Sami Ketola via dovecot <dovecot@dovecot.org> wrote:
On 3 Sep 2019, at 19.08, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
I tried this, but I have probably done something wrong.
I added this to 20-imap, 20-pop, 20-managesieve and 20-submission, always in the protocol sections. I also disabled the passdb section from the auth-ldap.conf.ext in 10-auth and left the userdb part.
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16106, input bytes=0
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16107, input bytes=0
Can somebody tell me which "things" need the userdb and which the passdb sections?
I am a little bit confused. Or do I have to add the above lines and is some inheritance working here?
Thanks in advance
Christian
I always use one flat dovecot.conf file. It is just so much simpler, and that way you can more easily ensure the loading order of all settings.
Maybe you too should gather all the settings you want to change into one config file and stop loading those in conf.d.
Also you can post your doveconf -n somewhere so that we can see what goes wrong.
I have created a doveconf -n output.
auth_cache_size = 64 M
auth_master_user_separator = *
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
default_client_limit = 5000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
doveadm_api_key = # hidden, use -P to show it
hostname = mail.roessner-net.de
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
imap_max_line_length = 4 M
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_access_groups = vmail
mail_attachment_dir = /var/mail/virtual/copymail/attachments
mail_gid = vmail
mail_location = sdbox:~/sdbox
mail_max_keyword_length = 4096
mail_plugins = quota acl fts fts_lucene zlib mail_log notify
mail_privileged_group = mail
mail_save_crlf = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
mdbox_preallocate_space = yes
mdbox_rotate_size = 128 M
namespace {
  list = children
  location = sdbox:%%h/sdbox
  prefix = Shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace {
  hidden = yes
  list = children
  location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk-E-Mail {
    special_use = \Junk
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
  acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve
  imapsieve_mailbox1_causes = COPY FLAG
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename
  mail_log_fields = box msgid
  quota = count:User quota
  quota_grace = 10%%
  quota_rule = *:storage=300M:messages=20000
  quota_rule2 = Trash:storage=+500M
  quota_rule3 = Sent:storage=+2G
  quota_rule4 = Archive:storage=+2G
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /etc/dovecot/sieve/after
  sieve_before = /etc/dovecot/sieve/before
  sieve_extensions = +vacation-seconds
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_default_period = 10d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap pop3 lmtp submission sieve
service auth-worker {
  extra_groups = ssl-cert
  unix_listener auth-worker {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener /var/spool/postfix-submission/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service config {
  unix_listener config {
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    port = 9080
    ssl = yes
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener imaps {
    port = 0
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
service lmtp {
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  unix_listener /var/spool/postfix/private/lmtp-dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
}
service pop3-login {
  inet_listener pop3 {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener pop3s {
    port = 0
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  extra_groups = mail
  unix_listener quota-warning {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = vmail
}
ssl_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_client_key = # hidden, use -P to show it
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_relay_host = mail.roessner-net.de
submission_relay_port = 5870
submission_relay_ssl = starttls
submission_relay_trusted = yes
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
  result_success = continue
}
userdb {
  args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
  driver = lua
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol lda {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol imap {
  mail_max_userip_connections = 50
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify imap_quota imap_acl imap_zlib imap_sieve
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol sieve {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol pop3 {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol submission {
  login_greeting = ESMTP
  passdb {
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    driver = ldap
    name =
  }
}
If I remove the outer userdb settings (not the ones inside the protocol), the auth-worker starts struggling:
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
  result_success = continue
}
Removing this part.
Am I missing some place, where the userdb is also needed?
Thanks in advance -)
Christian
On 04.09.2019 at 15:31, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
On 04.09.2019 at 08:24, Sami Ketola via dovecot <dovecot@dovecot.org> wrote:
On 3 Sep 2019, at 19.08, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
I tried this, but I have probably done something wrong.
I added this to 20-imap, 20-pop, 20-managesieve and 20-submission, always in the protocol sections. I also disabled the passdb section from the auth-ldap.conf.ext in 10-auth and left the userdb part.
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16106, input bytes=0
Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server. my pid=16107, input bytes=0
Can somebody tell me which "things" need the userdb and which the passdb sections?
I am a little bit confused. Or do I have to add the above lines and is some inheritance working here?
Thanks in advance
Christian
I always use one flat dovecot.conf file. It is just so much simpler, and that way you can more easily ensure the loading order of all settings.
Maybe you too should gather all the settings you want to change into one config file and stop loading those in conf.d.
Also you can post your doveconf -n somewhere so that we can see what goes wrong.
I have created a doveconf -n output.
If I remove the outer userdb settings (not the ones inside the protocol), the auth-worker starts struggling:
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
  result_success = continue
}
*plonk* Of course not userdb, I mean the passdb block. Anyway, the problem is the same.
Christian
On 4 Sep 2019, at 16.38, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
...
protocol sieve {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol pop3 {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol submission {
  login_greeting = ESMTP
  passdb {
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    driver = ldap
    name =
  }
}
So the problem really is in order of things.
Your protocol-specific passdbs are AFTER your global passdb. The global passdb {} returns return-ok on successful authentication, and the rest of the passdbs are never processed.
Sami
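An illustration of the layout this ordering point leads to, added here and not taken from the thread, from Dovecot's documentation, or from a configuration anyone in the thread reports as working: the two LDAP files carry the incoming/outgoing filters from the first message, the master-user passdb stays global (it is skipped for ordinary logins, so it answers nothing before the protocol-specific passdb), and the only LDAP passdb each protocol sees is its own. The file names match the doveconf -n output above; the hosts, dn, dnpass and base values are placeholders, and %u (Dovecot's username variable) is used where the first message wrote %s. Whether Dovecot 2.3's auth process honours passdb blocks inside protocol sections is exactly what the rest of the thread is probing, so read this as a picture of the ordering, not as a tested fix.

```conf
# /etc/dovecot/dovecot-ldap-incoming.conf.ext (placeholder server values)
hosts = ldap.example.invalid
dn = cn=dovecot,ou=services,dc=example,dc=invalid
# placeholder; keep the real bind password out of version control
dnpass = CHANGE-ME
base = ou=people,dc=example,dc=invalid
auth_bind = yes
# Only accounts still flagged for receiving may log in to IMAP, POP3 and ManageSieve.
pass_filter = (&(mail=%u)(mailAllowIncoming=TRUE))
pass_attrs = mail=user

# /etc/dovecot/dovecot-ldap-outgoing.conf.ext
hosts = ldap.example.invalid
dn = cn=dovecot,ou=services,dc=example,dc=invalid
dnpass = CHANGE-ME
base = ou=people,dc=example,dc=invalid
auth_bind = yes
# Clearing mailAllowOutgoing on a compromised account locks submission only,
# so the mailbox stays readable for the operator's warning message.
pass_filter = (&(mail=%u)(mailAllowOutgoing=TRUE))
pass_attrs = mail=user

# dovecot.conf fragment: no global LDAP passdb, so nothing returns
# return-ok before the protocol-specific passdb is consulted.
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users
  master = yes
  pass = yes
}
protocol imap {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
  }
}
protocol pop3 {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
  }
}
protocol sieve {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
  }
}
protocol submission {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
  }
}
```

Keeping one passdb at global scope sidesteps the startup error reported later in the thread ("No passdbs specified in configuration file"), which appears once every passdb lives inside a protocol block; whether the per-protocol blocks are then applied is still something to verify with doveconf -n and a login test per protocol.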
On 04.09.2019 at 16:58, Sami Ketola via dovecot <dovecot@dovecot.org> wrote:
On 4 Sep 2019, at 16.38, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
...
protocol sieve {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol pop3 {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol submission {
  login_greeting = ESMTP
  passdb {
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    driver = ldap
    name =
  }
}
So the problem really is in order of things.
Your protocol-specific passdbs are AFTER your global passdb. The global passdb {} returns return-ok on successful authentication, and the rest of the passdbs are never processed.
postconf sorts all keys alphabetically. But I tried your idea and also placed the global passdb inside the protocol sections. The postconf output now looks like this, and it still produces the same errors:
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 (7372921a)
# OS: Linux 4.19.44-gentoo x86_64 Gentoo Base System release 2.6
# Hostname: mx.roessner-net.de
auth_cache_size = 64 M
auth_master_user_separator = *
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
default_client_limit = 5000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
doveadm_api_key = # hidden, use -P to show it
hostname = mail.roessner-net.de
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
imap_max_line_length = 4 M
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_access_groups = vmail
mail_attachment_dir = /var/mail/virtual/copymail/attachments
mail_gid = vmail
mail_location = sdbox:~/sdbox
mail_max_keyword_length = 4096
mail_plugins = quota acl fts fts_lucene zlib mail_log notify
mail_privileged_group = mail
mail_save_crlf = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
mdbox_preallocate_space = yes
mdbox_rotate_size = 128 M
namespace {
  list = children
  location = sdbox:%%h/sdbox
  prefix = Shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace {
  hidden = yes
  list = children
  location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk-E-Mail {
    special_use = \Junk
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
  acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve
  imapsieve_mailbox1_causes = COPY FLAG
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename
  mail_log_fields = box msgid
  quota = count:User quota
  quota_grace = 10%%
  quota_rule = *:storage=300M:messages=20000
  quota_rule2 = Trash:storage=+500M
  quota_rule3 = Sent:storage=+2G
  quota_rule4 = Archive:storage=+2G
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /etc/dovecot/sieve/after
  sieve_before = /etc/dovecot/sieve/before
  sieve_extensions = +vacation-seconds
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_default_period = 10d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap pop3 lmtp submission sieve
service auth-worker {
  extra_groups = ssl-cert
  unix_listener auth-worker {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener /var/spool/postfix-submission/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service config {
  unix_listener config {
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    port = 9080
    ssl = yes
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener imaps {
    port = 0
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
service lmtp {
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  unix_listener /var/spool/postfix/private/lmtp-dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
}
service pop3-login {
  inet_listener pop3 {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener pop3s {
    port = 0
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  extra_groups = mail
  unix_listener quota-warning {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = vmail
}
ssl_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_client_key = # hidden, use -P to show it
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_relay_host = mail.roessner-net.de
submission_relay_port = 5870
submission_relay_ssl = starttls
submission_relay_trusted = yes
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
  result_success = continue
}
userdb {
  args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
  driver = lua
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol lda {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol imap {
  mail_max_userip_connections = 50
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify imap_quota imap_acl imap_zlib imap_sieve
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol sieve {
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol pop3 {
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol submission {
  login_greeting = ESMTP
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    driver = ldap
    name =
  }
}
So now all passdbs are inside protocol.
Errors:
Sep 4 18:25:19 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:19 mx dovecot: master: Error: service(auth): command startup failed, throttling for 2 secs
Sep 4 18:25:19 mx dovecot: submission-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:21 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:21 mx dovecot: master: Error: service(auth): command startup failed, throttling for 4 secs
Sep 4 18:25:21 mx dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 1 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:24 mx dovecot: managesieve-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:25 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:25 mx dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
Sep 4 18:25:25 mx dovecot: pop3-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 3 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
So it looks to me something is missing for the "auth" service. Do you have any ideas?
Thanks again for your help
Kind regards
Christian
On 04.09.2019 at 18:32, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
On 04.09.2019 at 16:58, Sami Ketola via dovecot <dovecot@dovecot.org> wrote:
On 4 Sep 2019, at 16.38, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
...
protocol sieve {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol pop3 {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol submission {
  login_greeting = ESMTP
  passdb {
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    driver = ldap
    name =
  }
}
So the problem really is in the order of things.
Your protocol-specific passdbs are AFTER your global passdb. The global passdb {} returns return-ok on successful authentication and the rest of the passdbs are never processed.
postconf sorts all keys alphabetically. But I tried your idea and placed the global passdb into the protocol as well. The postconf output now looks like this, and it still produces the same errors:
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 (7372921a)
# OS: Linux 4.19.44-gentoo x86_64 Gentoo Base System release 2.6
# Hostname: mx.roessner-net.de
auth_cache_size = 64 M
auth_master_user_separator = *
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
default_client_limit = 5000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
doveadm_api_key = # hidden, use -P to show it
hostname = mail.roessner-net.de
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
imap_max_line_length = 4 M
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_access_groups = vmail
mail_attachment_dir = /var/mail/virtual/copymail/attachments
mail_gid = vmail
mail_location = sdbox:~/sdbox
mail_max_keyword_length = 4096
mail_plugins = quota acl fts fts_lucene zlib mail_log notify
mail_privileged_group = mail
mail_save_crlf = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
mdbox_preallocate_space = yes
mdbox_rotate_size = 128 M
namespace {
  list = children
  location = sdbox:%%h/sdbox
  prefix = Shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace {
  hidden = yes
  list = children
  location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk-E-Mail {
    special_use = \Junk
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
  acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve
  imapsieve_mailbox1_causes = COPY FLAG
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename
  mail_log_fields = box msgid
  quota = count:User quota
  quota_grace = 10%%
  quota_rule = *:storage=300M:messages=20000
  quota_rule2 = Trash:storage=+500M
  quota_rule3 = Sent:storage=+2G
  quota_rule4 = Archive:storage=+2G
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /etc/dovecot/sieve/after
  sieve_before = /etc/dovecot/sieve/before
  sieve_extensions = +vacation-seconds
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_default_period = 10d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap pop3 lmtp submission sieve
service auth-worker {
  extra_groups = ssl-cert
  unix_listener auth-worker {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener /var/spool/postfix-submission/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service config {
  unix_listener config {
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    port = 9080
    ssl = yes
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener imaps {
    port = 0
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
service lmtp {
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  unix_listener /var/spool/postfix/private/lmtp-dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
}
service pop3-login {
  inet_listener pop3 {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener pop3s {
    port = 0
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  extra_groups = mail
  unix_listener quota-warning {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = vmail
}
ssl_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_client_key = # hidden, use -P to show it
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_relay_host = mail.roessner-net.de
submission_relay_port = 5870
submission_relay_ssl = starttls
submission_relay_trusted = yes
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
  result_success = continue
}
userdb {
  args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
  driver = lua
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol lda {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol imap {
  mail_max_userip_connections = 50
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify imap_quota imap_acl imap_zlib imap_sieve
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol sieve {
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol pop3 {
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol submission {
  login_greeting = ESMTP
  passdb {
    args = /etc/dovecot/master-users
    driver = passwd-file
    master = yes
    name =
    pass = yes
  }
  passdb {
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    driver = ldap
    name =
  }
}
So now all passdbs are inside protocol.
Errors:
Sep 4 18:25:19 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:19 mx dovecot: master: Error: service(auth): command startup failed, throttling for 2 secs
Sep 4 18:25:19 mx dovecot: submission-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:21 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:21 mx dovecot: master: Error: service(auth): command startup failed, throttling for 4 secs
Sep 4 18:25:21 mx dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 1 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:24 mx dovecot: managesieve-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:25 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:25 mx dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
Sep 4 18:25:25 mx dovecot: pop3-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 3 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
So it looks to me like something is missing for the "auth" service. Do you have any ideas?
Thanks again for your help
I finally got it working, thanks to your help. In addition to that, I found this:
https://dovecot.org/pipermail/dovecot/2012-March/081885.html
which seems to be required for Dovecot to function properly. It seems a little bit nasty to add a dummy backend, but in the end it works for me.
Christian
On 4 Sep 2019, at 19.32, R.N.S. via dovecot <dovecot@dovecot.org> wrote:
So now all passdbs are inside protocol.
Which is not what I said.
Errors:
Sep 4 18:25:19 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:19 mx dovecot: master: Error: service(auth): command startup failed, throttling for 2 secs
Sep 4 18:25:19 mx dovecot: submission-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:21 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:21 mx dovecot: master: Error: service(auth): command startup failed, throttling for 4 secs
Sep 4 18:25:21 mx dovecot: imap-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 1 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:24 mx dovecot: managesieve-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
Sep 4 18:25:25 mx dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
Sep 4 18:25:25 mx dovecot: master: Error: service(auth): command startup failed, throttling for 8 secs
Sep 4 18:25:25 mx dovecot: pop3-login: Disconnected: Auth process broken (disconnected before auth was ready, waited 3 secs): user=<>, rip=134.255.226.247, lip=134.255.226.248
So it looks to me like something is missing for the "auth" service. Do you have any ideas?
Because it was only in the "order of things". You must have a global passdb {}. Your problem was that protocol-specific passdbs need to be *before* the global passdb.
Sami
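The passdb layout Sami describes, written out as an added illustration rather than configuration taken from the thread: the protocol-scoped passdbs come first and the global passdb, which the auth service needs in order to start, comes last. It reuses the LDAP config file names from the thread and leaves the master-user passdbs out; the result_failure lines are my addition, based on Dovecot's documented passdb default of result_failure = continue.

```conf
# Added example, not the thread author's dovecot.conf.
# Protocol-scoped passdbs FIRST. Receiving-side services use the LDAP
# config whose filter requires the "incoming" attribute.
protocol imap {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    # Assumption: with the default result_failure = continue, a user the
    # filter rejects would fall through to the global passdb below and
    # still log in. return-fail ends the lookup chain here instead.
    result_failure = return-fail
  }
}
protocol pop3 {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    result_failure = return-fail
  }
}
protocol sieve {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    result_failure = return-fail
  }
}
# Sending side: the "outgoing" filter is what locks a compromised
# account out of submission while its mailbox stays reachable.
protocol submission {
  passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    result_failure = return-fail
  }
}
# Global passdb LAST. Without one the auth service aborts with
# "No passdbs specified in configuration file"; with the return-fail
# settings above it is only reached by a protocol with no scoped passdb.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
```

After editing, confirm the effective order with `doveconf -n` and check that a test account whose outgoing attribute is unset is refused on submission but still accepted on IMAP.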