[Dovecot] ACL with IMAP proxying
Hello,
I'm trying to use ACLs to restrict subscription on public mailboxes, but I ran into trouble. My setup is made of two servers, and users are shared between them via a proxy. User authentication is done with LDAP, and credentials aren't shared between the mailservers. Instead, the proxies are using a master password. The thing is that when the ACLs are checked, it actually doesn't give the user login, but the master login, which is useless. Is there a way to use the first part of destuser as is done when fetching info from the userdb?
Any help is appreciated. Thanks!
Alexis
ACL bug logs:
Jan 6 12:09:35 mail02 dovecot: imap(user@domain): Debug: acl: acl username = proxy
Jan 6 12:09:35 mail02 dovecot: imap(user@domain): Debug: acl: owner = 0
Jan 6 12:09:35 mail02 dovecot: imap(user@domain): Debug: acl vfile: Global ACL directory: (none)
Jan 6 12:09:35 mail02 dovecot: imap(user@domain): Debug: Namespace : type=public, prefix=Shared., sep=., inbox=no, hidden=no, list=yes, subscriptions=no location=maildir:/var/vmail/domain/Shared
Output of "dovecot -n":
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-amd64 x86_64 Debian 6.0.3 ext3
auth_debug = yes
auth_master_user_separator = *
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
first_valid_uid = 150
lmtp_proxy = yes
login_trusted_networks = mail01.ip
mail_debug = yes
mail_location = maildir:/var/vmail/%d/%n
mail_nfs_storage = yes
mail_plugins = acl
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  inbox = yes
  location = maildir:/var/vmail/%d/%n
  prefix =
  separator = .
  type = private
}
namespace {
  location = maildir:/var/vmail/domain/Shared
  prefix = Shared.
  separator = .
  subscriptions = no
  type = public
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
  recipient_delimiter = +
  sieve_after = /var/lib/dovecot/sieve/after.d/
  sieve_before = /var/lib/dovecot/sieve/pre.d/
  sieve_dir = /var/vmail/%d/%n/sieve
  sieve_global_path = /var/lib/dovecot/sieve/default.sieve
}
postmaster_address = user@domain
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0600
    user = vmail
  }
}
service lmtp {
  inet_listener lmtp {
    address = mail02.ip
    port = 24
  }
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl = required
ssl_cert =
On Fri, 2012-01-06 at 12:36 +0100, Alexis Lelion wrote:
> The thing is that when the ACLs are checked, it actually doesn't give the user login, but the master login, which is useless.
Yes, this is intentional.
> Is there a way to use the first part of destuser as it is done when fetching info from the userdb?
You should be able to work around this by modifying the userdb's query:
user_query = select '%n' AS master_user, ...
Hi Timo,
Thanks for your prompt answer, I wasn't expecting an answer that soon ;-) I just tried your workaround, and actually, master_user is properly set to the username, but then is overridden with the proxy login again:
Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: mail=maildir:/var/vmail/domain/user
Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: plugin/quota=dirsize:storage=0
Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: plugin/master_user=user
Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: plugin/master_user=proxy
Is there any other flag I can set to avoid this? (Something like Y for the password)?
Alexis
On Fri, 2012-01-06 at 13:22 +0100, Alexis Lelion wrote:
> Thanks for your prompt answer, I wasn't expecting an answer that soon ;-) I just tried your workaround, and actually, master_user is properly set to the username, but then is overridden with the proxy login again:
> Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: mail=maildir:/var/vmail/domain/user
> Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: plugin/quota=dirsize:storage=0
> Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: plugin/master_user=user
> Jan 6 13:14:19 mail01 dovecot: imap: Debug: Added userdb setting: plugin/master_user=proxy
I thought it would have been the other way around. See if http://hg.dovecot.org/dovecot-2.0/raw-rev/684381041dc4 helps?
> Is there any other flag I can set to avoid this? (Something like Y for the password)?
Nope.
Thanks Timo. I'm actually using a packaged version of Dovecot 2.0 from Debian, so I can't apply the patch easily right now. I'll try to build dovecot this weekend and see if it solves the issue.
Cheers
Alexis
Another possibility: http://wiki2.dovecot.org/PostLoginScripting
and set MASTER_USER environment.
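The post-login approach Timo points to, as an added example that is not code from this thread or from the Dovecot project: a POSIX sh post-login script. It assumes Dovecot invokes it with the real imap process as "$@" and the destination user in USER, that auth_master_user_separator = * as in the dovecot -n output above, and that an exported MASTER_USER is what the acl plugin uses as its "acl username".

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from Dovecot.
# Post-login script: Dovecot runs it with the real imap process as "$@" and
# the destination user in USER (assumption). The script exports MASTER_USER
# as the real user, so the acl plugin's "acl username" becomes that user
# rather than the proxy's master login seen in the logs above.

# Real user behind a login. With auth_master_user_separator = * a proxied
# login can still look like "destuser*masteruser"; keep only the destuser.
acl_identity() {
    _login=$1
    case "$_login" in
        *\**) _login=${_login%%\**} ;;
    esac
    printf '%s\n' "$_login"
}

# Entry point when Dovecot invokes the script. Only override when a real
# user is known; otherwise leave the environment untouched. Always hand
# control to the real process, or the login would never complete.
if [ "$#" -gt 0 ]; then
    _real=$(acl_identity "${USER:-}")
    if [ -n "$_real" ]; then
        MASTER_USER=$_real
        export MASTER_USER
    fi
    exec "$@"
fi
```

Wire it in with an executable = script /path/to/this.sh line before the imap binary in the imap service, as the PostLoginScripting page describes.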
It worked! Thanks a lot for your help and have a wonderful day!