Best practice for Dovecot with LDAP and Postfix
Hi all,
So far I had a setup where Dovecot was using a passwd file as userdb and passdb. Postfix was then authenticating with Dovecot via SASL to validate user accounts.
Now I added an LDAP backend and would like to use that for Dovecot and Postfix. My first approach was to change the passdb to use the LDAP driver with the following settings:
  hosts = openldap:1389
  base = ou=users,dc=example,dc=com
  auth_bind = yes
  auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
And I changed the userdb driver to static since there is just the vmail system account for all virtual user mailboxes anyway.
This is working as expected for the IMAP connections. But Postfix authentication fails as it is apparently using a wrong user_filter. This is what I see in the logs from OpenLDAP:
  docker-openldap-1 | 645908ae.1d975b70 0x7fe379297700 conn=1347 fd=12 ACCEPT from IP=172.19.0.7:52144 (IP=0.0.0.0:1389)
  docker-openldap-1 | 645908ae.1d98571f 0x7fe379a98700 conn=1347 op=0 BIND dn="" method=128
  docker-openldap-1 | 645908ae.1d993bd7 0x7fe379a98700 conn=1347 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000072 text=
  docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: 8A9FC1E03C5: client=mo4-p01-ob.smtp.rzone.de[85.215.255.51]
  docker-postfix-1 | May 08 14:35:26 nest postfix/cleanup[12461]: 8A9FC1E03C5: message-id=713569303.508224.1683556526256@webmail.strato.de
  docker-postfix-1 | May 08 14:35:26 nest postfix/qmgr[951]: 8A9FC1E03C5: from=moritz@pflanzer.eu, size=3340, nrcpt=1 (queue active)
  docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: disconnect from mo4-p01-ob.smtp.rzone.de[85.215.255.51] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
  docker-openldap-1 | 645908ae.2616b031 0x7fe379297700 conn=1347 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))"
  docker-openldap-1 | 645908ae.26179272 0x7fe379297700 conn=1347 op=1 SRCH attr=uid
  docker-openldap-1 | 645908ae.2619389b 0x7fe379297700 conn=1347 op=1 SEARCH RESULT tag=101 err=32 qtime=0.000017 etime=0.000221 nentries=0 text=
I tried setting the user_filter manually to "user_filter = (mail=%u)" but that doesn't have any effect.
Is this the expected behavior from Dovecot? I guess I can get it working by using the ldap driver for the userdb as well. But is that the best approach, since I technically don't need it for Dovecot itself? Or should I now change the Postfix config as well to directly authenticate against the LDAP server instead of using SASL with Dovecot?
Looking forward to recommendations, Moritz
So why not handle this on the OS? Have the OS publish the LDAP users, and have Dovecot handle OS users. It needs to create uids anyway for the files etc.
On 5/8/23 23:06, Marc wrote:
So why not handle this on the OS? Have the OS publish the LDAP users, and have Dovecot handle OS users. It needs to create uids anyway for the files etc.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
If I understood the question correctly, you ask why not add the LDAP users to the system (like using the PAM LDAP plugin).
This will certainly work, but I consider it more secure to have pure e-mail users, not system users, which can have a shell, local folder and so on (sure, it can be restricted, but why bother if nobody will ssh to that server).
But the main reason is scalability: if your setup becomes bigger you can consider having different servers (or containers), adding multiple LDAP servers for redundancy and so on...
If I understood the question correctly, you ask why not add the LDAP users to the system (like using the PAM LDAP plugin).
This will certainly work, but I consider it more secure to have pure e-mail users, not system users, which can have a shell, local folder and so on (sure, it can be restricted, but why bother if nobody will ssh to that server).
I am always surprised to read such a statement. The fact is that user authentication/authorisation is a core task of Linux. Dovecot's core tasks are related to handling mail. How on earth would you come to conclude that Dovecot should be able to handle such tasks better than Linux? Afaik even Dovecot is utilizing different uids in a virtual environment to store files.
? Imho these are just arguments for people not being able to set up an environment correctly.
But the main reason is scalability: if your setup becomes bigger you can consider having different servers (or containers), adding multiple LDAP servers for redundancy and so on...
I was also researching a 'micro service' approach to hosting Dovecot, but for now I will just stick to what I know works. If I get the >30k users, I am happy to pursue this again, and if you have these numbers, you will not be researching LDAP but IOPS. I don't really understand the relationship between this and wanting to have multiple LDAP servers, which is possible in any scenario.
On 2023-05-09 11:14, Marc wrote:
? Imho these are just arguments for people not being able to set up an environment correctly.
I do not intend to start a flame war on this topic, it is just my opinion. It's not about the correct environment (you can google for it and you will find a pretty good setup even when you are a newbie) but about the potential vulnerabilities related to each component of the system: if the system has fewer components, the probability of having issues is smaller. Also you can have cases when you really want to have system users (like using the same server as a Samba server or so) and in this case the opposite approach is better.
? Imho these are just arguments for people not being able to set up an environment correctly.
I do not intend to start a flame war on this topic, it is just my opinion.
But writing it down like this is still educating people (incorrectly).
It's not about the correct environment (you can google for it and you will find a pretty good setup even when you are a newbie) but about the potential vulnerabilities related to each component of the system: if the system has fewer components, the probability of having issues is smaller.
Yes, but this is reasoning backwards, and even then it is not complete, because you have multiple layers of security. E.g. only Dovecot is public facing and can have an exploit that would be limited to just the OS uid environment. If you are proficient with SELinux you could even enhance the OS rules for access.
Also you can have cases when you really want to have system users (like using the same server as a Samba server or so) and in this case the opposite approach is better.
It is not about sharing, it is about how many people are looking at and reporting authentication/authorisation issues and specialize in this area. You should choose the tool made for its purpose. When you have a nail you choose a hammer. Obviously you can also use a hammer on a screw.
On 09/05/2023 12:26 EEST Marc marc@f1-outsourcing.eu wrote:
It is not about sharing, it is about how many people are looking at and reporting authentication/authorisation issues and specialize in this area. You should choose the tool made for its purpose. When you have a nail you choose a hammer. Obviously you can also use a hammer on a screw.
Your argumentation though is not really solid. Forcing your system to be aware of all the users that are valid for mail delivery is not necessarily a good idea. E.g. it will sometimes make shared folder configuration unnecessarily difficult. It will also make your system aware of all the possible mail users.
If you are doing multi-domain hosting, it becomes even more difficult; now your system needs to be aware of users from multiple different domains with potentially overlapping usernames.
In the end you get no practical gains from going through OS authentication for just storing & accessing emails, but you sure get lots of complications.
The system simply does not need to be aware of these users.
Aki
Your argumentation though is not really solid. Forcing your system to be aware of all the users that are valid for mail delivery is not necessarily a good idea.
My argument is solely reasoned from the perspective of security and authentication etc. and not even particularly aimed at Dovecot but at any application taking over the role of users and authentication. A multi-user environment has been the core of Linux/Unix for decades.
E.g. it will sometimes make shared folder configuration unnecessarily difficult.
So this would be an argument to switch to different auth methods. Just having an unfounded security hunch is not an argument.
It will also make your system aware of all the possible mail users.
I don't see the relevance of your system being or not being aware of users that use mail. I even like it, so I can resource-throttle some users when I need to.
If you are doing multi-domain hosting, it becomes even more difficult; now your system needs to be aware of users from multiple different domains with potentially overlapping usernames.
These are all valid arguments to do things differently. The only problem I have is when people start stating that it is more secure to have virtual users. In my setup multi-domain is not an issue at all, and to ensure uniqueness you can use overlays in LDAP.
In the end you get no practical gains from going through OS authentication for just storing & accessing emails, but you sure get lots of complications.
If that were the case, Dovecot would not be utilizing different uids for virtual users and using these to write files/spawn processes (? not entirely sure how this currently is).
On 08/05/2023 23:06 EEST Marc marc@f1-outsourcing.eu wrote:
So why not handle this on the OS? Have the OS publish the LDAP users, and have Dovecot handle OS users. It needs to create uids anyway for the files etc.
Doing a "real unix UIDs" based solution only makes sense if you are going to have users logging into the system over SSH or something to check their mail.
Otherwise it's just a useless complication over virtual user system.
https://doc.dovecot.org/configuration_manual/howto/simple_virtual_install/
A simple guide on how to get started with virtual users, and some information about how to get LDAP working
https://doc.dovecot.org/configuration_manual/authentication/ldap/
Aki
Thanks for the hints. I already followed that guide.
The question about best practices was more a conceptual one. Should dovecot and postfix talk independently to the LDAP database? Or should dovecot be the gateway for postfix to get the information out of the LDAP database?
Cheers, Moritz
You will likely get better results if you let Postfix validate recipients with LDAP first. This way it can already refuse to accept mail for invalid recipients, and this reduces backscatter spam.
Aki
Just my 2 cents, I'd have Postfix talk directly to LDAP to see if a user is valid for accepting mail. Having it go through Dovecot is just adding extra moving parts and overhead. Cut out the middle man, since Postfix would be talking to the same "database" that Dovecot would. Why give Dovecot more work?
Postfix can use LDAP for authentication (i.e. SASL) and for validation ("ldap" table).
As best I can tell, Postfix cannot use Dovecot to validate addresses; if you want that you will need Postfix to talk directly to LDAP. GOTCHA: use the "postconf -m" command to check that the "ldap" table is available in your distro - it wasn't in mine (Alpine).
For authentication, Postfix can use smtpd_sasl_type = "cyrus" or "dovecot". "cyrus" uses the saslauthd authentication daemon from the Cyrus mail package and "dovecot" uses the dovecot/auth daemon. These options are much more similar than they might seem. Both are a thin layer over the OpenLDAP libldap library. Postfix can talk to either auth daemon over a Unix domain socket or, in the Dovecot case, over an IP socket with a simple proprietary protocol. The protocols they speak are different but very similar - they achieve the same thing.
Use the "postconf -a" command to check which authentication types are available in your distro.
Computationally speaking, there probably isn't that much difference. For my system, I chose not to use the Dovecot SASL in Postfix for various reasons, but mostly to remove dependencies between the packages. This way I could "switch out" either package if required and avoid too much pain.
That's my 2 cents.
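Following Aki's and Sean's advice, here is an added example of the Postfix side; it is not from the thread or from either project. Postfix rejects unknown recipients at RCPT TO by querying LDAP itself, hands accepted mail to Dovecot over LMTP, and keeps Dovecot as its SASL backend. The service account cn=postfix, the CA file path and the socket locations are assumptions; the directory layout is the one Moritz posted (ou=users,dc=example,dc=com, with the address in the mail attribute).

```conf
# /etc/postfix/ldap-virtual-mailbox-maps.cf
# Must be readable by the postfix user (root:postfix, mode 0640): it holds bind_pw.
server_host = ldap://openldap:1389
version = 3
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/internal-ca.pem
# Read-only account (assumed DN); it only needs to read objectClass and mail.
bind = yes
bind_dn = cn=postfix,ou=services,dc=example,dc=com
bind_pw = CHANGE-ME
search_base = ou=users,dc=example,dc=com
scope = sub
# %s is the full recipient address; Postfix applies RFC 2254 quoting to it
# before substitution, so a crafted RCPT TO cannot alter the filter.
query_filter = (&(objectClass=inetOrgPerson)(mail=%s))
result_attribute = mail

# /etc/postfix/main.cf (fragment)
virtual_mailbox_domains = example.com
# proxy: so a chrooted smtpd(8) goes through proxymap(8) instead of needing
# its own LDAP client setup inside the chroot.
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unlisted_recipient

# /etc/dovecot/conf.d/10-master.conf (fragment): the sockets Postfix talks to.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

# Checks:
#   postconf -m | grep -w ldap        # ldap table type compiled in
#   postconf -a | grep -w dovecot     # dovecot SASL plugin compiled in
#   postmap -q moritz@example.com ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
#   postmap -q nobody@example.com ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf
```

postmap -q against the table file is the quickest check that the bind account, TLS settings and filter work before touching main.cf: the existing user must print its mail value, and the unknown one must print nothing and exit 1, which is what smtpd(8) turns into a 550 at RCPT TO instead of a bounce after queueing.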
It should also be mentioned that Dovecot can act as an SMTP relay in "front" of Postfix (or any other MTA) and handle the authentication part of the transaction. This of course implies use of the Dovecot authentication machinery for mail submissions. I don't know much about it beyond its existence so I'll leave others to speak to its merits. I chose the "decoupled" configuration personally.
On 08-05-2023 16:43, Moritz Pflanzer wrote:
First set up and test dovecot-ldap.conf.ext; only when your queries are correct does it make sense to continue with the rest of the configuration. Set up pass_filter, pass_attrs, user_filter, user_attrs, iterate_filter, iterate_attrs. That last one can be tested with: doveadm user -u "*" and should list all users.
When these queries work it is easy to add passdb and userdb.
- Kees.
Thanks Kees. The doveadm command is showing the same behavior as I can see from postfix where the wrong search filter is used:
docker-openldap-1 | 6459e95f.1a1ad6c2 0x7fe379a98700 conn=1427 op=67 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))"
Why is dovecot still using the default filter setting even though my config now looks like this:
  hosts = openldap:1389
  base = ou=users,dc=example,dc=com
  auth_bind = yes
  auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
  pass_attrs = =user=%{ldap:mail},=password=%{ldap:userPassword}
  user_attrs = =user=%{ldap:mail}
  user_filter = (mail=%u)
  iterate_attrs = mail=user
Anyway, I might have discovered the flaw in my assumptions. I thought I could use the "auth_bind_userdn" setting and then wouldn't need to specify "dn" and "dnpass" (or allow anonymous access) since there would be no need to search for matching DNs.
But I guess that is only true for the authentication use case and not in the case where postfix just needs to know if a user exists or not (like the doveadm user command).
Is my (new) understanding correct that I always need a dovecot user (or anonymous read access) in the LDAP database?
Thanks, Moritz
On 08/05/2023 23:36 CEST Kees van Vloten keesvanvloten@gmail.com wrote:
On 08-05-2023 16:43, Moritz Pflanzer wrote:
Hi all,
so far I had a setup where Dovecot was using a passwd file as userdb and passdb. Postfix was then authenticating with Dovecot via SASL to validate user accounts.
Now I added an LDAP backend and would like to use that for Dovecot and Postfix. My first approach was to change the passdb to use the LDAP driver with the following settings:
hosts = openldap:1389 base = ou=users,dc=example,dc=com auth_bind = yes auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
And I changed the userdb driver to static since anyway there is just the vmail system account for all virtual user mailboxes.
This is working as expected for the IMAP connections. But postfix authentication fails as it is apparently using a wrong user_filter. This is what I see in the logs from OpenLDAP:
docker-openldap-1 | 645908ae.1d975b70 0x7fe379297700 conn=1347 fd=12 ACCEPT from IP=172.19.0.7:52144 (IP=0.0.0.0:1389) docker-openldap-1 | 645908ae.1d98571f 0x7fe379a98700 conn=1347 op=0 BIND dn="" method=128 docker-openldap-1 | 645908ae.1d993bd7 0x7fe379a98700 conn=1347 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000072 text= docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: 8A9FC1E03C5: client=mo4-p01-ob.smtp.rzone.de[85.215.255.51] docker-postfix-1 | May 08 14:35:26 nest postfix/cleanup[12461]: 8A9FC1E03C5: message-id=713569303.508224.1683556526256@webmail.strato.de docker-postfix-1 | May 08 14:35:26 nest postfix/qmgr[951]: 8A9FC1E03C5: from=moritz@pflanzer.eu, size=3340, nrcpt=1 (queue active) docker-postfix-1 | May 08 14:35:26 nest postfix/smtpd[12455]: disconnect from mo4-p01-ob.smtp.rzone.de[85.215.255.51] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 docker-openldap-1 | 645908ae.2616b031 0x7fe379297700 conn=1347 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))" docker-openldap-1 | 645908ae.26179272 0x7fe379297700 conn=1347 op=1 SRCH attr=uid docker-openldap-1 | 645908ae.2619389b 0x7fe379297700 conn=1347 op=1 SEARCH RESULT tag=101 err=32 qtime=0.000017 etime=0.000221 nentries=0 text=
I tried setting the user_filter manually to "user_filter = (mail=%u)" but that doesn't have any effect.
Is this the expected behavior from Dovecot? I guess I can get it working by using the ldap driver for the userdb as well. But is that the best approach since I technically don't need it for dovecot itself. Or should I now change the postfix config as well to directly authenticate against the LDAP server instead of using SASL with Dovecot?
Looking forward to recommendations, Moritz
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org First setup and test dovecot-ldap.conf.ext, only when your queries are correct it makes sense to continue with the rest of the configuration. Setup pass_filter, pass_attrs, user_filter, user_attrs, iterate_filter, iterate_attrs. That last one can be tested with: doveadm user -u "*" and should list all users.
When these queries work it is easy to add passdb and userdb.
- Kees.
On 09-05-2023 08:58, Moritz Pflanzer wrote:
Thanks Kees. The doveadm command is showing the same behavior as I can see from Postfix, where the wrong search filter is used:
docker-openldap-1 | 6459e95f.1a1ad6c2 0x7fe379a98700 conn=1427 op=67 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=moritz@example.com))"
Why is Dovecot still using the default filter setting even though my config now looks like this:
hosts = openldap:1389
base = ou=users,dc=example,dc=com
auth_bind = yes
auth_bind_userdn = uid=%n,ou=users,dc=example,dc=com
pass_attrs = =user=%{ldap:mail}, =password=%{ldap:userPassword}
user_attrs = =user=%{ldap:mail}
user_filter = (mail=%u)
iterate_attrs = mail=user
%u refers to the current user; for iterate, you iterate over all users that have Dovecot access, probably something like this:
iterate_filter = (objectClass=user)
iterate_attrs = =user=%{ldap:mail}
- Kees.
Anyway, I might have discovered the flaw in my assumptions. I thought I could use the "auth_bind_userdn" setting and then wouldn't need to specify "dn" and "dnpass" (or allow anonymous access), since there would be no need to search for matching DNs.
But I guess that is only true for the authentication use case and not in the case where Postfix just needs to know whether a user exists or not (like the doveadm user command).
Is my (new) understanding correct that I always need a dovecot user (or anonymous read access) in the LDAP database?
Thanks, Moritz
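The two lookup paths the thread contrasts, Kees's advice to get the pass/user/iterate queries right before touching passdb/userdb, and the realisation above that auth_bind only covers authentication while an existence check needs a bind identity that can read the tree, as an added Python model. It is not part of the thread and not Dovecot or OpenLDAP code; it runs against a constructed in-memory directory whose entries, passwords, ACL (anonymous clients may bind but not search) and service account cn=dovecot,ou=services,dc=example,dc=com are assumptions. The default user_filter it uses is the one visible in the log above. It also escapes the login name per RFC 4515/4514 before it is placed in a filter or DN, which a real LDAP client library does for you and a hand-rolled lookup must not skip.

```python
"""Model of the LDAP operations behind Dovecot's passdb (auth_bind), userdb
and iterate lookups, run against a constructed in-memory directory.
Illustration only, not Dovecot or OpenLDAP code: the entries, passwords and
the service account cn=dovecot,ou=services,dc=example,dc=com are made up."""
import re

BASE = "ou=users,dc=example,dc=com"
DEFAULT_USER_FILTER = "(&(objectClass=posixAccount)(uid=%u))"  # Dovecot's default

# Constructed directory: one mailbox account plus a lookup-only service account.
DIRECTORY = {
    "uid=moritz," + BASE: {
        "objectClass": ["posixAccount"], "uid": ["moritz"],
        "mail": ["moritz@example.com"], "userPassword": ["s3cret"]},
    "cn=dovecot,ou=services,dc=example,dc=com": {
        "objectClass": ["simpleSecurityObject"], "userPassword": ["lookup-pass"]},
}

def ldap_filter_escape(value):
    """RFC 4515 escaping: a login name must not be able to change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def ldap_dn_escape(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    return "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)

def expand(template, user, escape):
    """Dovecot-style %u (full login), %n (local part) and %d (domain)."""
    local, _, domain = user.partition("@")
    subs = {"%u": user, "%n": local, "%d": domain}
    return re.sub(r"%[und]", lambda m: escape(subs[m.group(0)]), template)

class Directory:
    """Simple bind plus AND-of-equalities search. ACL: an anonymous client may
    bind (err=0, like conn=1347 op=0 in the thread) but cannot see the subtree."""
    def bind(self, dn, password):
        if dn == "":
            return ""  # anonymous bind
        entry = DIRECTORY.get(dn)
        if entry is None or password not in entry["userPassword"]:
            raise PermissionError("invalidCredentials (err=49)")
        return dn

    def search(self, bound_dn, base, filt):
        if bound_dn == "":
            return 32, []  # noSuchObject: the subtree is hidden from anonymous clients
        pairs = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", filt)
        unesc = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)
        hits = [(dn, e) for dn, e in DIRECTORY.items() if dn.endswith("," + base)
                and all(unesc(v) in e.get(a, []) for a, v in pairs)]
        return 0, hits

def map_attrs(spec, entry):
    """pass_attrs/user_attrs/iterate_attrs: 'ldapattr=field' or '=field=%{ldap:attr}'."""
    fields = {}
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if item.startswith("="):
            field, _, tmpl = item[1:].partition("=")
            fields[field] = re.sub(r"%\{ldap:([^}]+)\}",
                                   lambda m: entry.get(m.group(1), [""])[0], tmpl)
        else:
            attr, _, field = item.partition("=")
            fields[field] = entry.get(attr, [""])[0]
    return fields

def passdb_auth_bind(cfg, user, password):
    """auth_bind=yes with auth_bind_userdn: bind straight as the user's DN.
    No search happens, so this works without dn/dnpass or anonymous read access."""
    try:
        Directory().bind(expand(cfg["auth_bind_userdn"], user, ldap_dn_escape), password)
        return True
    except PermissionError:
        return False

def userdb_lookup(cfg, user):
    """The path `doveadm user` and Postfix's SASL user check take: bind as
    dn/dnpass (anonymously if unset), then search with user_filter."""
    d = Directory()
    bound = d.bind(cfg.get("dn", ""), cfg.get("dnpass", ""))
    filt = expand(cfg.get("user_filter", DEFAULT_USER_FILTER), user, ldap_filter_escape)
    code, hits = d.search(bound, cfg["base"], filt)
    return code, filt, [map_attrs(cfg["user_attrs"], e) for _, e in hits]

def iterate_users(cfg):
    """What `doveadm user -u "*"` does: list every user via iterate_filter/iterate_attrs."""
    d = Directory()
    bound = d.bind(cfg.get("dn", ""), cfg.get("dnpass", ""))
    code, hits = d.search(bound, cfg["base"], cfg["iterate_filter"])
    return code, [map_attrs(cfg["iterate_attrs"], e)["user"] for _, e in hits]

# The thread's setup: auth_bind only, no dn/dnpass, Dovecot's default user_filter.
CFG_AUTH_BIND_ONLY = {"base": BASE, "auth_bind_userdn": "uid=%n," + BASE,
                      "user_attrs": "=user=%{ldap:mail}"}
# Same, plus a lookup account and a user_filter matching the full login against mail.
CFG_WITH_LOOKUP_DN = dict(CFG_AUTH_BIND_ONLY, dn="cn=dovecot,ou=services,dc=example,dc=com",
                          dnpass="lookup-pass", user_filter="(mail=%u)",
                          iterate_filter="(objectClass=posixAccount)", iterate_attrs="mail=user")
```

Run against the constructed directory, passdb_auth_bind succeeds with CFG_AUTH_BIND_ONLY because binding as uid=moritz,... needs no search, while userdb_lookup with the same config binds anonymously and gets result code 32 with no entries, the same shape as the SEARCH RESULT err=32 nentries=0 lines in the log. With CFG_WITH_LOOKUP_DN the search runs as the service account and (mail=%u) returns the user; swapping in the default filter still returns nothing even when bound, because uid holds the local part and %u is the full login, which is what the thread's filter line shows.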
On 08/05/2023 23:36 CEST Kees van Vloten <keesvanvloten@gmail.com> wrote:
On 08-05-2023 16:43, Moritz Pflanzer wrote:
participants (7)
- Aki Tuomi
- dovecot@ptld.com
- Kees van Vloten
- Marc
- Mihai Badici
- Moritz Pflanzer
- Sean Gallagher