[Dovecot] Post-login scripting with virtual users
I am running Dovecot 2.0.13 on Fedora 15. I have migrated from a bincimap installation using checklocalpwd. All email is in folders owned by an unprivileged user, popuser. The email users are entirely virtual and have no relationship to actual Linux users.
My userdb calls return the UID and GID of popuser and all goes well retrieving the mail via POP3 and IMAP.
I am trying to implement a post-login script to register the IP address that the authentication came from. Dovecot seems to be trying to execute the script as the email non-user, which does not work. I have specified that the script should be run as popuser, but it still runs as devnull@dhzone.com, for instance. Everything up to that point seems to be happening happily under popuser.
I added a "user = popuser" directive and it had no effect that I could see. I know that dovecot read the directive because I changed it to "user = 555" and dovecot would not run because "555" is not a user.
I tried adding a "User = popuser" within the unix_listener but that also had no effect.
Any ideas? Thank you!
Here is my dovecot -n:

# 2.0.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.40.3-0.fc15.x86_64 x86_64 Fedora release 15 (Lovelock)
auth_debug = yes
disable_plaintext_auth = no
mail_debug = yes
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/conf.d/dovecot-sql.conf.ext
  driver = sql
}
protocols = imap pop3
service imap-postpop {
  executable = script-login /usr/local/bin/set_postpop
  unix_listener imap-postpop {
  }
  user = popuser
}
service imap {
  executable = imap imap-postpop
}
ssl_cert =
The dovecot-sql.conf.ext looks like this:

driver = mysql
connect = host=localhost dbname=webmail user=xxxx password=xxxx
password_query = SELECT id AS user, IF(clear IS NULL,
  CONCAT('{CRYPT}', crypto), CONCAT('{PLAIN}', clear)) AS password
  FROM users WHERE id = '%u'
user_query = SELECT home, uid, gid
  FROM users WHERE id = '%u'
From the maillog:

Aug 24 13:01:57 callisto dovecot: auth: Debug: client out: OK#0111#011user=devnull@dhzone.com
Aug 24 13:01:57 callisto dovecot: auth: Debug: master in: REQUEST...
Aug 24 13:01:57 callisto dovecot: auth: Debug: sql(devnull@dhzone.com,75.221.209.232): SELECT home, uid, gid FROM users WHERE id = 'devnull@dhzone.com'
Aug 24 13:01:57 callisto dovecot: auth: Debug: master out: USER#0114007264257#011devnull@dhzone.com#011home=/var/qmail/popbox/dhzone-com/devnull#011uid=555#011gid=555
Aug 24 13:01:57 callisto dovecot: imap-login: Login: user=devnull@dhzone.com, method=PLAIN, rip=75.221.209.232, lip=76.76.59.241, mpid=667
Aug 24 13:01:57 callisto dovecot: imap-postpop: Error: script-login: Error: user devnull@dhzone.com: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied
Aug 24 13:01:57 callisto dovecot: imap-postpop: Error: script-login: Fatal: Internal error occurred. Refer to server log for more information.
Aug 24 13:01:57 callisto dovecot: imap(devnull@dhzone.com): Post-login script denied access to user devnull@dhzone.com
Aug 24 13:01:57 callisto dovecot: log: Error: service(imap-postpop): child 668 returned error 89 (Fatal failure)
Aug 24 13:02:03 callisto dovecot: master: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
--
Mark Willcox Data Helper, Inc.
I'd remove the unix_listener directive:

service imap-postpop {
  executable = script-login /usr/local/bin/set_postpop
  user = popuser
}
The equivalent is working for me.
Rick
Much closer! It seems to run the script, but now I get: Error: net_connect_unix(/var/run/dovecot/imap-postpop) failed: Connection refused
I thought it might be because popuser has no logon capability (/sbin/nologin), but I changed that and connection is still refused.
Can it be my script? It is just:
#!/bin/bash
# one file per client IP, containing the user and the IP
echo "$USER $IP
host $IP
" > "/var/lib/postpop/db/$IP"
# hand over to the real imap/pop3 binary that script-login passed in
exec "$@"
The IP-named file is not being created. popuser owns the folder.
Also, when I get this working, can I set up a pop3 equivalent?
Mark Willcox Data Helper, Inc.
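As an added example (not the script from the post above and not Dovecot's own code), here is a post-login script of the same shape that a practitioner could drop in for script-login. It relies only on the USER and IP variables the thread already uses; the database directory POSTPOP_DB, the record format and the script name are assumptions. Two things the one-liner above does not do: the IP is validated before it becomes a file name (so a value containing "/" can never write outside the directory), and the record is written to a temp file and renamed into place so a reader never sees a half-written file. The real mail process is exec'ed whether or not the record could be written, because a script that exits instead of exec'ing leaves the client unserved (the thread's log shows a script-login failure surfacing as "Post-login script denied access"). Whatever identity Dovecot ends up running the script under, that uid must be able to write to the directory.

```sh
#!/bin/sh
# set_postpop (added example): record the client IP of each login, then
# exec the real imap/pop3 binary that Dovecot's script-login passed as $@.
# Dovecot's script-login exports USER and IP (see the thread's script);
# POSTPOP_DB is an assumed location, overridable from the environment.

POSTPOP_DB="${POSTPOP_DB:-/var/lib/postpop/db}"

# is_valid_ip ADDR: accept only characters that can occur in an IPv4 or
# IPv6 literal. Anything else (including empty, "/" or "..") is rejected,
# which is what makes $ip safe to use as a file name below.
is_valid_ip() {
    case "$1" in
        "" | *[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# record_login USER IP DIR: write "<user> <ip> <utc-time>" to DIR/<ip>,
# atomically (temp file + rename). Returns 0 on success, 1 on bad input
# or any write failure. Never leaves a temp file behind.
record_login() {
    user=$1; ip=$2; dir=$3
    is_valid_ip "$ip" || return 1
    case "$user" in "" | */* | *[[:space:]]*) return 1 ;; esac
    [ -d "$dir" ] || return 1
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    printf '%s %s %s\n' "$user" "$ip" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$tmp" \
        && mv -f "$tmp" "$dir/$ip" && return 0
    rm -f "$tmp"
    return 1
}

# main CMD...: record, then hand over to the mail process. Failure to
# record is reported on stderr (assumed to be picked up by Dovecot's log
# process) but does not block the login.
main() {
    if ! record_login "${USER:-}" "${IP:-}" "$POSTPOP_DB"; then
        echo "set_postpop: could not record login for '${USER:-?}' from '${IP:-?}'" >&2
    fi
    exec "$@"
}

# Only run the main flow when script-login invoked us with a command to
# exec (e.g. the imap binary); sourcing the file just defines functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

To find out which uid the script actually runs under on a given Dovecot build (the question this thread never settles), a temporary `id -u >&2` at the top of main is the quickest check; the directory permissions then follow from the answer.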
Is the script executable? I'm out of ideas.
Yes, you can set it up exactly the same for IMAP.
Rick
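For the POP3 half asked about above, here is the complete wiring for both protocols as an added example; it is not the poster's dovecot.conf or Rick's configuration. It follows the thread's advice of a post-login service without a unix_listener, keeps the thread's script path, and assumes the service names pop3-postpop and imap-postpop and the popuser account.

```conf
# Post-login script for IMAP (as in the thread, minus the unix_listener)
service imap-postpop {
  executable = script-login /usr/local/bin/set_postpop
  user = popuser
}
service imap {
  executable = imap imap-postpop
}

# The POP3 equivalent: same script, a separate post-login service,
# referenced from the pop3 service the same way
service pop3-postpop {
  executable = script-login /usr/local/bin/set_postpop
  user = popuser
}
service pop3 {
  executable = pop3 pop3-postpop
}
```

Both services point at one script, so the script cannot tell the protocols apart by name alone; if the record should say which protocol logged in, pass a distinguishing argument (for example `script-login /usr/local/bin/set_postpop pop3`) and read it before exec'ing the remaining arguments.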
On Wed, 2011-08-24 at 13:57 -0500, Mark Willcox wrote:
Aug 24 13:01:57 callisto dovecot: imap-postpop: Error: script-login: Error: user devnull@dhzone.com: Error reading configuration: net_connect_unix(/var/run/dovecot/config) failed: Permission denied
This is your problem. It's a bug in v2.0.13. You could patch with http://hg.dovecot.org/dovecot-2.0/rev/a2d57b43ccb2 or change the config socket's permissions. I'll hopefully release v2.0.14 in the not too distant future.
I don't think that this is the problem now. I removed the unix_listener as per Rick's advice. That got me past the Error reading configuration. Just to be sure, I made the config socket world-readable which made no difference.
Now instead I get: Error: net_connect_unix(/var/run/dovecot/imap-postpop) failed: Connection refused
The script is executable. On a hunch, I made the directory that the script writes to world-writable, which didn't help. The "Connection refused" means that there was some kind of problem with my script, I assume. It seems that the script does not run at all. Is there anything I can do to narrow down what is going wrong? Some higher level of logging?
Thanks!
Mark Willcox Data Helper, Inc.
I am about 97.2% certain that it never tries to run the script. I changed it to simply touch a file in /tmp with the same result. I simplified it to:
#!/bin/sh
exec "$@"
Still refused.
Mark Willcox Data Helper, Inc.
You didn't get past the config reading error, it now fails before it even gets that far.
I downloaded the source and patched script-login.c. It is working fine now! Thank you!
My script is running as root now and it resisted all efforts to make it run as popuser, but I can work with that.
Why did I wait so long to move from bincimap?
Mark Willcox Data Helper, Inc.
On 8/24/2011 7:04 PM, Timo Sirainen wrote:
You didn't get past the config reading error, it now fails before it even gets that far.
On 25.8.2011, at 4.17, Mark Willcox wrote:
My script is running as root now and it resisted all efforts to make it run as popuser, but I can work with that.
Hmm. If it's running as root, you shouldn't have had the config problem in the first place, because that error means it's not running as root.
participants (3): Mark Willcox, Rick Romero, Timo Sirainen