[Dovecot] disabling mail delivery for a user
How can I disable mail delivery for a user yet still allow access to their mailbox from another account which their mail is shared to?
If I put them in a userdb which has "deny = yes" that just disables their ability to login, yes? And they would still have mail delivered.
I want to disable their ability to login AND bounce all mail delivered to them, preferably solely through dovecot configuration. I am using lda, obviously, for mail delivery. (I could configure the MTA to reject mail for them if there is no other option.)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 2 Feb 2010, Frank Cusack wrote:
If I put them in a userdb which has "deny = yes" that just disables their ability to login, yes? And they would still have mail delivered.
I want to disable their ability to login AND bounce all mail delivered to them, preferably solely through dovecot configuration. I am using lda, obviously, for mail delivery. (I could configure the MTA to reject mail for them if there is no other option.)
IMHO: If you want to avoid backscatter, you must disable the user in the MTA, in order to reject the message during "rcpt to" command or at least in DATA.
If you reject the mail after DATA, e.g. in a Sieve script or so, a DSN / bounce mail is generated, aka backscatter for SPAM.
Regards,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBS2fo6L+Vh58GPL/cAQIq7Qf/SZ7aXXjFl/eM04bjNws0ma4MCLdll/j2 WtUjSNn+lmJqPTtn9iOOhBlRbtXAxfoHBrCQUl0SIU3IdGNY709lZeiheTfbEoVh oxV6/tjJ1AZQ4EcGy+h8pTwRu7VTJoQyFpZ76BxgLFlSSS6StCDu+J5NqyICZDx3 kAJXWRL4ARa9N9bh2XjZkGnjAOsYvix4+v3tItK0IHI/Szit1r40I89JYrucj8Q8 dJ+3++5StoGaobGG8jJz/w7DLZrZfCUEF/5WrUsQRn5JPAs8XWuooVYoDlWZpwXH gizNYORh7VCtWDaQXwoPr7O78GqwKzoKtONjbUGWcH6nuc1u6ALg/Q== =D6L8 -----END PGP SIGNATURE-----
On February 2, 2010 9:57:12 AM +0100 Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
IMHO: If you want to avoid backscatter, you must disable the user in the MTA, in order to reject the message during "rcpt to" command or at least in DATA.
I don't care about backscatter. There's no reason anyone should see significant backscatter these days; it's pretty much a solved problem.
(watermark all outgoing email and look for that watermark on DSN reports)
In any event, for this specific case I do already reject the user "at the gates". But I want to reject internal email for folks that don't know that user account has gone away. I prefer not to do it in the MTA so as to keep the MTA as free from this type of configuration that lingers for years and makes future migrations difficult.
-frank
On 2010-02-02 11:30 AM, Frank Cusack <frank+lists/dovecot@linetwo.net> wrote:
On February 2, 2010 9:57:12 AM +0100 Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
IMHO: If you want to avoid backscatter, you must disable the user in the MTA, in order to reject the message during "rcpt to" command or at least in DATA.
I don't care about backscatter.
You should - if you are a backscatter source, you *will* be blacklisted, sooner or later.
There's no reason anyone should see significant backscatter these days; it's pretty much a solved problem.
(watermark all outgoing email and look for that watermark on DSN reports)
Yes, that helps you avoid *other* people's backscatter, but that wasn't the point of the warning: don't accept-then-bounce. If you're going to bounce it later, reject it at smtp time.
--
Best regards,
Charles
On 2.2.2010, at 7.51, Frank Cusack wrote:
How can I disable mail delivery for a user yet still allow access to their mailbox from another account which their mail is shared to?
If I put them in a userdb which has "deny = yes" that just disables their ability to login, yes? And they would still have mail delivered.
Logins would fail with "internal login failure". userdb lookup must succeed for imap/pop3 logins too. You could make the deny=yes happen only if %s != 'lda'.
I want to disable their ability to login AND bounce all mail delivered to them, preferably solely through dovecot configuration. I am using lda, obviously, for mail delivery. (I could configure the MTA to reject mail for them if there is no other option.)
But like Steffen said, you should do this in MTA side to avoid backscatter.
On February 2, 2010 1:29:24 PM +0200 Timo Sirainen <tss@iki.fi> wrote:
Logins would fail with "internal login failure". userdb lookup must succeed for imap/pop3 logins too. You could make the deny=yes happen only if %s != 'lda'.
A little more help? I've been looking at the docs and can't figure out how to do this. I do have one constraint: my userdb/passdb is a passwd-file. If that's not compatible I'd still like to know how to do it with LDAP (preferably) or SQLite.
-frank
On Tue, 2010-02-02 at 11:41 -0500, Frank Cusack wrote:
On February 2, 2010 1:29:24 PM +0200 Timo Sirainen <tss@iki.fi> wrote:
Logins would fail with "internal login failure". userdb lookup must succeed for imap/pop3 logins too. You could make the deny=yes happen only if %s != 'lda'.
A little more help? I've been looking at the docs and can't figure out how to do this. I do have one constraint: my userdb/passdb is a passwd-file.
You could do:
passdb passwd-file { args = /etc/deny.%s deny = yes }
Then symlink /etc/deny.imap, deny.pop3, etc. to your primary deny file.
Last question on deny userdb, I hope.
Comments in dovecot.conf:
# File contains a list of usernames, one per lineDoes that mean the deny passdb has a different format than other passdb's?
-frank
On Tue, 2010-02-02 at 14:51 -0500, Frank Cusack wrote:
Last question on deny userdb, I hope.
Comments in dovecot.conf:
# File contains a list of usernames, one per lineDoes that mean the deny passdb has a different format than other passdb's?
No. You could still do something like:
user:pass:etc.:etc:..
But everything except the user part is ignored.
On February 2, 2010 6:56:31 PM +0200 Timo Sirainen <tss@iki.fi> wrote:
passdb passwd-file { args = /etc/deny.%s deny = yes }
This didn't work for me as I expected. Not only did I have to put the user in the deny passdb, I ALSO had to remove them from the regular passdb. So it seems lda just ignores the deny passdb, that is it doesn't consult it at all, as opposed to imap which does consult it.
Is that expected behavior? It's fine by me, since I can still access the disabled user's mailbox from another account that it is shared to.
-frank
On Tue, 2010-02-02 at 15:45 -0500, Frank Cusack wrote:
On February 2, 2010 6:56:31 PM +0200 Timo Sirainen <tss@iki.fi> wrote:
passdb passwd-file { args = /etc/deny.%s deny = yes }
This didn't work for me as I expected. Not only did I have to put the user in the deny passdb, I ALSO had to remove them from the regular passdb.
Why? What does it log if you set auth_debug=yes? If you remove it from regular passdb I don't see what the point of the deny passdb would even be..
So it seems lda just ignores the deny passdb, that is it doesn't consult it at all, as opposed to imap which does consult it.
Oh, right. LDA only looks up userdb.
On February 2, 2010 10:54:10 PM +0200 Timo Sirainen <tss@iki.fi> wrote:
Oh, right. LDA only looks up userdb.
So when I access these disabled user's maildirs from another user's login, how is imap finding them? Simply by virtue of the acl_shared_dict and mail_location setting? Because moving them to my passwd.deny removes the user from the single userdb, my passwd file. imap still knows them through the passdb (passdb.deny), but not the userdb.
Yep, that seems to be the case. The target (disabled) user need not exist in the userdb at all and dovecot/imap can still find their shared maildir. That's interesting. It seems it could lead to confusion and perhaps this is not desirable? Because what if my userdb overrides the mail_location via proxy or load-balancing hash? imap wouldn't be able to find the correct maildir.
Also at first glance I would think that this means additional security is needed for a distributed (SQL or otherwise) acl_shared_dict but in addition to being in the acl_shared_dict, the dovecot-acl must grant permission to the sharing user, so I think it's ok. (And of course you need good controls on a distributed acl_shared_dict anyway.)
In summary I would suggest that access to shared namespaces need to include a userdb lookup to find the user's mail location, which doesn't seem to be happening now, or at least it seems to be defaulting to the global mail_location setting if the user is not found -- I suggest a failed (not found) userdb lookup should invalidate the shared mailbox.
-frank
On Tue, 2010-02-02 at 16:34 -0500, Frank Cusack wrote:
Yep, that seems to be the case. The target (disabled) user need not exist in the userdb at all and dovecot/imap can still find their shared maildir.
This depends on your settings. If you use ~/ in shared user's location, Dovecot needs to do a userdb lookup to find out the user's home. Otherwise it doesn't need to do it, so it doesn't.
That's interesting. It seems it could lead to confusion and perhaps this is not desirable? Because what if my userdb overrides the mail_location via proxy or load-balancing hash? imap wouldn't be able to find the correct maildir.
That wouldn't currently work for shared mailboxes anyway, because typically you'd have separate :INDEX= directory in the shared mail_location.
I guess in future something should be done about this..
participants (4)
-
Charles Marcus
-
Frank Cusack
-
Steffen Kaiser
-
Timo Sirainen