[Dovecot] LMTP with virtual and system users
Hi,
I have a mailsystem where I have some local users with shell access and full home dirs which receive mail, and also several SQL virtual users only for mail. With the virtual users everything works fine: mail is delivered via LMTP and sieve works too :) The SQL lookup knows what to do with username@domain.com.
The problem is the system users. If exim delivers the mail to the LMTP socket, the LMTPd can't find username@local.host. I would be able to specify the global auth_username_format=%n, but then my SQL queries break, and I like the possibility to have xx@domain1.com and xx@domain2.com routed to two different accounts.
As I have seen in the source, I can't specify username_format=%n in the passdb { driver = pam } backend. Do you have any suggestion how to solve this issue?
thanks Philipp
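As an added diagnostic (not part of the original post), here is a small Python probe that opens one LMTP session and issues RCPT TO for each address form without ever sending DATA, so the replies for user, user@local.host and user@domain.com can be compared side by side. It uses only smtplib.LMTP from the standard library. To run it against a real Dovecot socket, call probe_recipients with the socket path (commonly /var/run/dovecot/lmtp; that path is an assumption). The FakeLMTPHandler and its KNOWN_RECIPIENTS table are constructed here so the script runs offline; they are not dovecot-lmtp, and the 550 text only mimics the shape of Dovecot's "User doesn't exist" reply.

```python
"""Probe which recipient forms an LMTP socket accepts, without delivering anything."""
import os
import smtplib
import socketserver
import tempfile
import threading

# Constructed recipient table standing in for the LMTP daemon's userdb lookups:
# the SQL userdb knows the full virtual address, while the system user only
# exists without a domain (what a username_format=%n lookup would produce).
KNOWN_RECIPIENTS = {"alice@domain1.com", "alice@domain2.com", "bob"}


class FakeLMTPHandler(socketserver.StreamRequestHandler):
    """Minimal LMTP responder (constructed stand-in, not dovecot-lmtp)."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 fake-lmtp LMTP ready")
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").strip()
            verb = line.split(" ", 1)[0].upper()  # smtplib sends verbs in lowercase
            if verb == "LHLO":
                self.wfile.write(b"250-fake-lmtp\r\n250 PIPELINING\r\n")
            elif verb == "MAIL":
                self.reply("250 2.1.0 OK")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>")
                if addr in KNOWN_RECIPIENTS:
                    self.reply("250 2.1.5 OK")
                else:
                    self.reply("550 5.1.1 <%s> User doesn't exist: %s" % (addr, addr))
            elif verb == "RSET":
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                break
            else:
                self.reply("502 5.5.2 Command not implemented")


def probe_recipients(socket_path, candidates, sender="probe@example.invalid"):
    """Open one LMTP session, issue RCPT TO for each candidate, never send DATA.

    Returns {candidate: (code, text)} so the caller sees exactly what the
    daemon's userdb lookup answered for each address form.
    """
    results = {}
    # A host beginning with "/" makes smtplib.LMTP connect to an AF_UNIX socket.
    conn = smtplib.LMTP(socket_path, local_hostname="probe.invalid")
    try:
        conn.ehlo()  # smtplib.LMTP sends LHLO here
        code, _ = conn.mail(sender)
        if code != 250:
            raise RuntimeError("MAIL FROM rejected with %d" % code)
        for addr in candidates:
            code, text = conn.rcpt(addr)
            results[addr] = (code, text.decode("utf-8", "replace"))
        conn.rset()  # abandon the transaction: nothing is delivered
    finally:
        try:
            conn.quit()
        except smtplib.SMTPException:
            pass
    return results


def run_demo():
    """Start the constructed server on a temporary socket and probe it."""
    tmpdir = tempfile.mkdtemp()
    sock = os.path.join(tmpdir, "lmtp")
    server = socketserver.UnixStreamServer(sock, FakeLMTPHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_recipients(sock, [
            "alice@domain1.com",  # virtual user, full address
            "alice@domain2.com",  # same local part, a different account
            "bob",                # system user, unqualified
            "bob@local.host",     # what exim actually hands to LMTP
        ])
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for addr, (code, text) in run_demo().items():
        print("%-20s %d %s" % (addr, code, text))
```

Against the constructed table the last candidate is the one that fails, which is the symptom described above: the MTA qualifies the address, and the lookup key no longer matches the system account.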
Hi Philipp
You can use exim to prepare the address as you wish: only the user name for pam users and the full address for virtual users.
Configure a new router to strip the domain part for pam users:
local_pam_users:
  debug_print = "R: strip domain for local pam users"
  driver = redirect
  check_local_user
  domains = @ : localhost : ${primary_hostname}
  data = ${local_part}
  redirect_router = local_user
I'm not 100% sure of the domains condition; it should restrict the router to your domain(s) where your pam users receive their email. The redirect_router designates the router which routes your local deliveries to your lmtp transport. Place the new router to run just before your "local_user" router.
Since your config works for your virtual users, you don't need to do anything in addition.
Regards, Adrian.
Hi Adrian,
I had tried this once already. I have used your snippet and attached the debug output from exim. Sadly it didn't work, because the LMTP process got the full email address again and not just the username.
thanks Philipp
--
DI Mag. Philipp Kolmann                mail: kolmann@zid.tuwien.ac.at
Technische Universitaet Wien           web:  www.zid.tuwien.ac.at
Zentraler Informatikdienst (ZID)       tel:  +43(1)58801-42011
Wiedner Hauptstr. 8-10, A-1040 Wien    DVR:  0005886
Hi Philipp
You are completely right, the proposed solution doesn't work. It seems exim always qualifies an address without a domain; I believe this is because LMTP requires only qualified addresses (LMTP is based on SMTP, and the RFC, if I read it correctly, specifies it like this).
So, another solution would be to use LDA for your local users and LMTP for the rest. The configuration for exim would be: a router and a transport for your local users using LDA, and your virtual users setup as you have it using LMTP.
# Local (PAM) users: accept only for the local domains and hand the message
# to the dovecot_lda transport instead of the LMTP socket.
local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = @ : localhost : ${primary_hostname}
  check_local_user
  transport = dovecot_lda
  cannot_route_message = Unknown user

# Pipe transport running dovecot-lda as the recipient user; -f sets the
# envelope sender, -a the original recipient address (used by sieve).
dovecot_lda:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address -a $original_local_part@$original_domain
  log_output
  delivery_date_add
  return_path_add
  envelope_to_add
  user = $local_part
  group = mail
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
Please check man dovecot-lda and the dovecot wiki (http://wiki2.dovecot.org/LDA/Exim) for details. Also check the permissions you need for dovecot-lda to write to your mailspool (user and group options from the transport).
I haven't tried the above, but I think it works like this ...
Best regards, Adrian.
Hi Adrian,
thanks for your reply. I have also thought in this direction already, but I didn't want to have the LDA SUID root...
I saw that the passwd-file passdb supports username_format as an argument. Would it be possible to add this feature to the LMTP passdb driver as well?
thanks Philipp
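An added configuration sketch, not from the thread and not the Dovecot project's own documentation, that follows up on the passwd-file observation above: Dovecot consults its userdb blocks in order and falls through to the next one on a miss, so a single LMTP socket can serve the SQL virtual users keyed on the full address and then retry with only the local part (username_format=%n) against a passwd(5)-format file. Assumed names: /etc/dovecot/dovecot-sql.conf.ext for the existing SQL setup and a curated /etc/dovecot/system-users file; check the exact passwd-file arguments against the documentation for your Dovecot version.

```conf
# Virtual users first: the SQL userdb is keyed on the full address, so
# alice@domain1.com and alice@domain2.com stay two separate accounts.
# (dovecot-sql.conf.ext is the existing SQL config; assumed path)
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# System users next: strip the domain before the lookup with %n.
# /etc/dovecot/system-users (assumed) is a curated file in passwd(5) format
# listing only the shell accounts that should receive mail, e.g.
#   bob::1001:1001::/home/bob:/bin/bash
# uid, gid and home come from that file, never from the address.
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/system-users
}

# IMAP/POP logins for shell accounts keep using PAM, unchanged.
passdb {
  driver = pam
}

# Keep system accounts (root, daemon, ...) out of reach of any lookup.
first_valid_uid = 1000
```

Because %n discards the domain, every domain the MTA hands to LMTP would reach a same-named system user, so keep exim's routing for those users restricted to the local host's domains (as the domains condition in the routers above does), list the SQL userdb first so a virtual address is never shadowed by a shell account with the same local part, and prefer a curated file over /etc/passwd so only intended accounts are mail recipients. This changes nothing about IMAP logins, which still go through the pam passdb with whatever name the client sends.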
On 07.01.14 13:21, Philipp Kolmann wrote:
I didn't want to have lda SUID root...
Is this necessary? Exim calls dovecot-lda as user $local_part, and if you set up your mail storage to have the right permissions, this should work without SUID. But maybe I'm wrong; anyway, in the wiki there is a section on how to use LDA without setting the process SUID.
http://wiki2.dovecot.org/LDA/Exim -> towards the end of the page
Cheers, Adrian.
Hello,
Personally, I think it is more simple and convenient to migrate system users' mail to the virtual-user setup (i.e. two separate logins, e.g. 'user' for SSH and 'user@domain.com' for mail ).
Here are the relevant portions of my postfix config:
mydestination = localhost
local_recipient_maps = $virtual_mailbox_maps $virtual_alias_maps
# your 'local' host/domain name
mydomain = domain.com
myhostname = domain.com
# to do LMTP-based verification of incoming mail
smtpd_recipient_restrictions = ....., reject_unverified_recipient, .....
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/ext/mail/valias
virtual_mailbox_domains = hash:/usr/ext/mail/vdomains
virtual_transport = lmtp:unix:private/dovecot-lmtp
/usr/ext/mail/valias defines additional redirections like:
postmaster@domain.com    admin@domain.com
root@domain.com          admin@domain.com
/usr/ext/mail/vdomains is an access-map file with records for the supported domains, like:
domain.com    OK
Also adjust 'root' record in /etc/mail/aliases to point to qualified admin's mail address (admin@domain.com)
Best wishes Eugene
participants (3): Adrian Zaugg, Eugene, Philipp Kolmann