[Dovecot] dovecot and vmailmgr/qmail mailboxes
Hello folks,
Some time ago I worked on a patch for dovecot to work with vmailmgr:
http://mij.oltrelinux.com/net/dovecot-qmail-vmailmgr/
The patch was required because, although vmailmgr complies with the checkpassword interface supported by dovecot, dovecot snips the mailbox directory returned by the authentication module at colon characters ':'. Incidentally, vmailmgr maps any "name.surname@domain" to "~domain/users/name:surname" (a standard practice in the qmail world, see e.g. http://www.qmail.org/man/man5/dot-qmail.html at "For security"). Dovecot would then parse this path as "~domain/users/name".
An authentication module can't do anything about it, as this is due to dovecot collecting accounting information in one common buffer, tokenized by ':' separators. I soon stopped updating the patch because I didn't see much point in running indefinitely after releases.
However, a bunch of people wrote to me over the last years asking for details or updates.
Partially for having a similar requirement myself, partially drafted by such feedback, I recently wrote a "compromise" wrapper solution (attached). It does not require patching dovecot (external module) and it's thus (supposedly) durable across dovecot releases; however, it cannot help with the colon problem.
The wrapper works as follows:
compile and install:
    # cc -O2 -Wall -o checkvpw-dovecot-wrapper checkvpw-dovecot-wrapper.c
    # install -s -o root checkvpw-dovecot-wrapper /usr/local/bin
edit dovecot.conf, setup the auth section as follows:
    auth default {
      mechanism = plain
      passdb checkpassword {
        args = /usr/local/bin/checkvpw-dovecot-wrapper
      }
      userdb prefetch {
      }
      user = root
    }
If "name.surname@domain" wants to be created, the administrator shall instead create the user "namesurname@domain" and an alias "name.surname@domain" pointing to it.
This may be conceivable for new installations, but it is not for scenarios where dovecot is to replace another server on top of an existing user base.
Of course, it's very desirable to support "." users too. I see that it would require several changes in the code, but I'd like to hear your opinion on this. What about
- using a different separator than ":", less common and safer. Could '\0' be one? If not, what about '*'?
- as a quicker & dirtier solution, what about allowing escaping? One can modify the auth module to replace ":" with "\:", if dovecot is instructed to avoid tokenizing when a "\" precedes a ":".
- as an alternative, dovecot may require the module to chdir() to the mailbox directory instead of returning its path as a string, and subsequently operate locally on mailbox-relative paths. I can't guess how compatible this is with the current design.
In the next few days, I will publish this wrapper on the webpage. For your convenience, I will invite interested users to show up on this thread; this should help you in assessing how interesting this is for people.
bye
On Tue, 2009-06-16 at 17:26 +0200, Mij wrote:
Hello folks, Time ago I worked on a patch for dovecot to work with vmailmgr http://mij.oltrelinux.com/net/dovecot-qmail-vmailmgr/ [...] In the next days, I will publish such wrapper to the webpage. For your
convenience, I will invite interested users to show up on this thread; this should help
you in assessing how this is interesting for people.
Thanks for your work! Count +1 for the interested people, I'd be happy to migrate from courier to dovecot, but since all my servers are vmailmgr-based, I can't at the moment...
Regards, Olivier
I'm interested.
On Tue, 2009-06-16 at 17:26 +0200, Mij wrote:
interface supported by dovecot, dovecot snips the mailbox directory
returned by the authentication module at colon characters ':'. .. Of course, it's very desirable to support "." users too. I see that it
would require several changes in the code, but I'd like to hear your opinion on this. What
about
- using a different separator than ":", less common and safer. Could
'\0' be one? If not, what about '*'?
The problem is that mail_location setting uses ":" as the "sub-setting" separator. If I changed it, I'd break a huge number of Dovecot installations. The reason why I chose ":" in the first place was because I didn't think anyone would really use it in directory names, because that would also break e.g. $PATH.
- as a quicker & dirtier solution, what about allowing escaping? One
can modify the auth module to replace ":" with "\:", if dovecot is instructed to
avoid tokenizing when a "\" precedes a ":".
I suppose :: could be used to escape a single : character. I might break a few installations by doing that change, but I could live with that. Added to v1.2: http://hg.dovecot.org/dovecot-1.2/rev/675f0df22f24
On Sun, 2009-06-21 at 22:24 -0400, Timo Sirainen wrote:
On Tue, 2009-06-16 at 17:26 +0200, Mij wrote:
interface supported by dovecot, dovecot snips the mailbox directory
returned by the authentication module at colon characters ':'. .. Of course, it's very desirable to support "." users too. I see that it
would require several changes in the code, but I'd like to hear your opinion on this. What
about
- using a different separator than ":", less common and safer. Could
'\0' be one? If not, what about '*'?
The problem is that mail_location setting uses ":" as the "sub-setting" separator.
Hmm. Although now that I looked at your code, you seem to be using only HOME. And using ~/ in mail_location should work around any ":" issues. So what exactly is the problem you're seeing?
Hello,
On Sun, 2009-06-21 at 22:24 -0400, Timo Sirainen wrote:
I suppose :: could be used to escape a single : character. I might break a few installations by doing that change, but I could live with that. Added to v1.2: http://hg.dovecot.org/dovecot-1.2/rev/675f0df22f24
Wow, that was quick, thanks :-) So now it would mean that using latest dovecot rc's with vmailmgr accounts would be now possible? (with Mij's wrapper). Or is there still some work left?
Thanks & regards from Zürich, Olivier
I modified the wrapper to perform this escaping. With the new wrapper and dovecot v1.2rc6, authentication works fine for "dot users" too. See http://mij.oltrelinux.com/net/dovecot-qmail-vmailmgr/ for further instructions.
have fun
On Jun 24, 2009, at 22:16 , Olivier Mueller wrote:
Hello,
On Sun, 2009-06-21 at 22:24 -0400, Timo Sirainen wrote:
I suppose :: could be used to escape a single : character. I might
break a few installations by doing that change, but I could live with that. Added to v1.2: http://hg.dovecot.org/dovecot-1.2/rev/675f0df22f24
Wow, that was quick, thanks :-) So now it would mean that using latest dovecot rc's with vmailmgr accounts would be now possible? (with Mij's wrapper). Or is there still some work left?
Thanks & regards from Zürich, Olivier
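The "::" escaping discussed in this thread, sketched as an added example (it is not Mij's wrapper and not Dovecot's code). The hypothetical `escape_colons` is what a checkpassword wrapper could apply to the home directory before handing it over, and the hypothetical `first_field` is a simplified, assumed model of a ':'-tokenizing consumer with and without the escape.

```c
#include <stdio.h>
#include <string.h>

/* Double every ':' in `in` (the "::" escape proposed in the thread).
 * Returns 0 on success, -1 if `out` is too small; never truncates. */
int escape_colons(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in != '\0'; in++) {
        size_t need = (*in == ':') ? 2 : 1;
        if (o + need >= outsz) return -1;   /* keep room for the NUL */
        out[o++] = *in;
        if (need == 2) out[o++] = ':';
    }
    out[o] = '\0';
    return 0;
}

/* Simplified model of a ':'-tokenizing consumer (an assumption, not
 * Dovecot's parser): copy the first field of `in`, stopping at a lone ':'.
 * With honor_escape set, "::" is decoded to one literal ':'. */
int first_field(const char *in, int honor_escape, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in != '\0'; in++) {
        if (*in == ':') {
            if (!(honor_escape && in[1] == ':')) break; /* real separator */
            in++;                           /* skip first ':' of the pair */
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    const char *home = "~domain/users/name:surname"; /* path from the thread */
    char esc[128], got[128];
    first_field(home, 0, got, sizeof got);
    printf("unescaped, no escape support: %s\n", got);
    if (escape_colons(home, esc, sizeof esc) != 0) return 1;
    first_field(esc, 1, got, sizeof got);
    printf("escaped %s decodes to %s\n", esc, got);
    return strcmp(got, home) != 0;          /* 0 when the path round-trips */
}
```

Both helpers fail with -1 instead of truncating, since a silently shortened home directory would point the session at a different mailbox path.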
Hello,
On Thu, 2009-06-25 at 00:49 +0200, Mij wrote:
I modified the wrapper to perform this escaping. With the new wrapper and dovecot v1.2rc6, authentication works fine for "dot users" too. See http://mij.oltrelinux.com/net/dovecot-qmail-vmailmgr/ for further instructions.
Many thanks Mij & Timo, I just installed everything on a new server with dovecot 1.2rc6, and it seems to work perfectly. I will continue my tests with large and imported maildirs.
So qmail + vmailmgr + dovecot = ok :-)
Now I am wondering whether I should also replace qmail-pop3d by dovecot for more consistency (and performance?).
Regards & a nice week-end to you all, Olivier
participants (4)
- Giam Teck Choon
- Mij
- Olivier Mueller
- Timo Sirainen