[Dovecot] LDA without lookup as non-root?
Hello,
I'm having some problems getting LDA to work without userdb lookups and have a few related questions. This system has all users in MySQL, each user with unique UID/GID, no local users at all. Installation is from apt-get.
If LDA is invoked without lookups, is it correct to assume that the "service auth" and "service auth-worker" can be completely removed from dovecot master configuration? (I have tried commenting them out and logging into IMAP, which seems to work, not sure if anyone else needs the auth service)
If LDA is invoked without lookups, will I be unable to use Dovecot quota plugin? Does it need to have a user lookup to get quota info? (haven't added quota support, need to take this one step at a time)
The interesting part -- I am invoking LDA from Maildrop. See: http://thread.gmane.org/gmane.mail.imap.dovecot/65473 So when invoked, Maildrop has already dropped to the destination UID/GID and the needed paths are available in the environment. However, using as many permutations of calling LDA as I can think of (based on http://wiki2.dovecot.org/LDA ), I always get this:
(command line usage error. Command output: lda: Fatal: Couldn't lookup our username (uid=2500) )
The UID is correct for the target user. If I add "-d $LOGNAME" to my LDA callout, I get permission denied on the userdb lookup, which I guess is another issue to work out if I want to go with lookups. But right now I am trying not to. Why does LDA seem to try for a lookup even when I follow the wiki instructions how to call it without a lookup?
3.5) Related question, my users have separate homedir and maildir, both paths are looked up by Maildrop. I think I need to call LDA with "HOME=$DEFAULT dovecot-lda -f $FROM". Is this correct?
- If LDA is invoked without lookups, is it correct to assume that the "service auth" and "service auth-worker" can be completely removed from dovecot master configuration? (I have tried commenting them out and logging into IMAP, which seems to work, not sure if anyone else needs the auth service)
Any confirmation on this?
- If LDA is invoked without lookups, will I be unable to use Dovecot quota plugin? Does it need to have a user lookup to get quota info? (haven't added quota support, need to take this one step at a time)
I'm especially interested if someone can comment on this, since maybe it makes my efforts here wasted
- The interesting part -- I am invoking LDA from Maildrop. See: http://thread.gmane.org/gmane.mail.imap.dovecot/65473 So when invoked, Maildrop has already dropped to the destination UID/GID and the needed paths are available in the environment. However, using as many permutations of calling LDA as I can think of (based on http://wiki2.dovecot.org/LDA ), I always get this:
(command line usage error. Command output: lda: Fatal: Couldn't lookup our username (uid=2500) )
I could not find anything in the mailing list archives to help me, but I googled and found a link to a source file:
http://hg.dovecot.org/dovecot-sieve-1.1/raw-rev/7d85833eff96
I read the source, it looks like it's not exactly a userdb lookup - LDA is trying to get the unix username for the given UID. In my case, UIDs are "virtual" so there isn't a unix username. The source doesn't really use the username that it looks up except in a call "open_logfile."
Is it possible to avoid this problem? It looks like the answer is no, I have to use -d which also forces a userdb lookup. Maybe this limitation can be removed in the future? Now I suppose I have to go understand the problems of userdb lookup permissions, but I think there are solutions for that.
Is my understanding right?
The UID is correct for the target user. If I add "-d $LOGNAME" to my LDA callout, I get permission denied on the userdb lookup, which I guess is another issue to work out if I want to go with lookups. But right now I am trying not to. Why does LDA seem to try for a lookup even when I follow the wiki instructions how to call it without a lookup?
3.5) Related question, my users have separate homedir and maildir, both paths are looked up by Maildrop. I think I need to call LDA with "HOME=$DEFAULT dovecot-lda -f $FROM". Is this correct?
- The interesting part -- I am invoking LDA from Maildrop. See: http://thread.gmane.org/gmane.mail.imap.dovecot/65473 So when invoked, Maildrop has already dropped to the destination UID/GID and the needed paths are available in the environment. However, using as many permutations of calling LDA as I can think of (based on http://wiki2.dovecot.org/LDA ), I always get this:
(command line usage error. Command output: lda: Fatal: Couldn't lookup our username (uid=2500) )
I could not find anything in the mailing list archives to help me, but I googled and found a link to a source file:
http://hg.dovecot.org/dovecot-sieve-1.1/raw-rev/7d85833eff96
I read the source, it looks like it's not exactly a userdb lookup - LDA is trying to get the unix username for the given UID. In my case, UIDs are "virtual" so there isn't a unix username. The source doesn't really use the username that it looks up except in a call "open_logfile."
Is it possible to avoid this problem? It looks like the answer is no, I have to use -d which also forces a userdb lookup. Maybe this limitation can be removed in the future? Now I suppose I have to go understand the problems of userdb lookup permissions, but I think there are solutions for that.
FWIW, in this scenario, "service auth" in master config has to have its mode relaxed to 0606 to make userdb lookups work. So ANYONE on the machine can see all userdb lookups. I don't have local users here, so it's probably safe anyway(?).
Can anyone explain if there are other security risks of running the auth service at 0606?
On 19.10.2012, at 23.43, E.B. wrote:
I'm having some problems getting LDA to work without userdb lookups and have a few related questions. This system has all users in MySQL, each user with unique UID/GID, no local users at all. Installation is from apt-get.
- If LDA is invoked without lookups, is it correct to assume that the "service auth" and "service auth-worker" can be completely removed from dovecot master configuration? (I have tried commenting them out and logging into IMAP, which seems to work, not sure if anyone else needs the auth service)
If you remove them the defaults are simply used.
- If LDA is invoked without lookups, will I be unable to use Dovecot quota plugin? Does it need to have a user lookup to get quota info? (haven't added quota support, need to take this one step at a time)
You can give quota info also via either environment variables or via -o plugin/quota_rule=xx parameter.
- The interesting part -- I am invoking LDA from Maildrop. See: http://thread.gmane.org/gmane.mail.imap.dovecot/65473 So when invoked, Maildrop has already dropped to the destination UID/GID and the needed paths are available in the environment. However, using as many permutations of calling LDA as I can think of (based on http://wiki2.dovecot.org/LDA ), I always get this:
(command line usage error. Command output: lda: Fatal: Couldn't lookup our username (uid=2500) )
Set USER environment.
3.5) Related question, my users have separate homedir and maildir, both paths are looked up by Maildrop. I think I need to call LDA with "HOME=$DEFAULT dovecot-lda -f $FROM". Is this correct?
As long as the home and mail directories point to the same ones as they are when logging in via IMAP/POP3.
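Putting Timo's answers together (set USER in the environment, keep HOME consistent with what an IMAP login sees, pass quota via -o plugin/quota_rule=...), here is an added example wrapper that maildrop can pipe a message into; it is not code from the thread or from Dovecot. It assumes the maildrop filter exports USER, HOME and FROM (maildrop's envelope-sender variable) to the command it runs, that QUOTA_RULE is an optional extra variable you export yourself, and that the script path in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for the setup above, where
# dovecot-lda runs as the virtual UID maildrop already dropped to and no
# userdb lookup is performed. Assumed environment from the maildrop filter:
# USER (Dovecot username), HOME (same home an IMAP login would get),
# FROM (envelope sender); QUOTA_RULE is an optional, assumed extra variable.

# Succeed only if the environment carries what dovecot-lda needs in place
# of a -d lookup: a USER name and a HOME directory owned by this uid.
lda_env_ok() {
    [ -n "${USER:-}" ] || { echo "USER not set" >&2; return 1; }
    [ -n "${HOME:-}" ] || { echo "HOME not set" >&2; return 1; }
    [ -d "$HOME" ]     || { echo "HOME $HOME missing" >&2; return 1; }
    # Refuse to deliver into a tree we do not own: a wrong HOME would
    # otherwise make the LDA write mail into another user's directory.
    [ -O "$HOME" ]     || { echo "HOME $HOME not owned by uid $(id -u)" >&2; return 1; }
    return 0
}

# Print the dovecot-lda argument list, one argument per line. Only flags
# named in the thread/wiki are used: -f (sender) and, when a quota rule is
# given, -o plugin/quota_rule=... so quota works without a userdb lookup.
lda_args() {
    printf '%s\n' dovecot-lda
    if [ -n "${FROM:-}" ]; then printf '%s\n' -f "$FROM"; fi
    if [ -n "${QUOTA_RULE:-}" ]; then
        printf '%s\n' -o "plugin/quota_rule=$QUOTA_RULE"
    fi
}

# Replace this shell with dovecot-lda; the message stays on our stdin.
deliver() {
    lda_env_ok || return 1
    set -- dovecot-lda
    if [ -n "${FROM:-}" ]; then set -- "$@" -f "$FROM"; fi
    if [ -n "${QUOTA_RULE:-}" ]; then
        set -- "$@" -o "plugin/quota_rule=$QUOTA_RULE"
    fi
    exec "$@"
}

# In the maildrop filter (hypothetical path):
#   to "| /usr/local/bin/dovecot-deliver.sh --deliver"
case "${1:-}" in
    --deliver) deliver ;;
esac
```

Because the checks run as the already-dropped UID, a misconfigured HOME fails closed before dovecot-lda is ever executed.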
participants (2)
- E.B.
- Timo Sirainen