[Dovecot] dovecot 2.1.13, proxy and nologin extras field

Marco Giunta giunta at sissa.it
Wed Jan 23 14:44:23 EET 2013


Hi all,
in our test environment, I'm playing with dovecot 2.1.13 configured as 
an imap/pop/managesieve proxy. It is configured to authenticate users with 
ldap and it works very well.

Now, I'd like to temporarily disable some users' login, because we are 
moving to another storage, and I wouldn't stop the imap service at all.

I've found on the Dovecot wiki that I could use the 'nologin' extra field, but I 
wasn't able to get it to work. My dovecot configuration is:


# 2.1.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 ...
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
listen = *
mail_debug = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave
mbox_write_locks = fcntl
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix =
}
passdb {
   args = /etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
plugin {
   sieve = ~/.dovecot.sieve
   sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service managesieve-login {
   inet_listener sieve {
     port = 4190
   }
   inet_listener sieve_deprecated {
     port = 2000
   }
}
ssl = no
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
   driver = prefetch
}


and my 'dovecot-ldap.conf.ext' is:

uris = ldap://ldap.example.it/
dn = "cn=Reader,dc=example,dc=it"
dnpass = password
base = ou=People,dc=example,dc=it
pass_attrs = uid=user,userPassword=password,\
   =userdb_home=/var/spool/mail/%1u/%u,uidNumber=userdb_uid,gidNumber=userdb_gid,\
   =proxy=y,=host=imap.example.it,\
   =nologin=y
pass_filter = (&(objectClass=qmailUser)(uid=%u)(accountStatus=active))


With this configuration, all users can login, and the log says:

Jan 23 09:16:18 localhost dovecot: master: Dovecot v2.1.13 starting up 
(core dumps disabled)
Jan 23 09:16:33 localhost dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jan 23 09:16:33 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jan 23 09:16:33 localhost dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jan 23 09:16:33 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jan 23 09:16:33 localhost dovecot: auth: Debug: auth client connected 
(pid=3660)
Jan 23 09:16:33 localhost dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011session=PsbzT/DT+gCTeiwf#011lip=192.168.129.109#011rip=192.168.44.31#011lport=143#011rport=53754
Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: 
CONT#0111#011
Jan 23 09:16:33 localhost dovecot: auth: Debug: client in: 
CONT#0111#011AHByb3ZhZm0AY2hlcGFsbGU=
Jan 23 09:16:33 localhost dovecot: auth: Debug: 
ldap(prova,147.122.44.31,<PsbzT/DT+gCTeiwf>): pass search: 
base=ou=People,dc=example,dc=it scope=subtree 
filter=(&(objectClass=qmailUser)(uid=prova)(accountStatus=active)) 
fields=uid,userPassword,uidNumber,gidNumber,uid,uid
Jan 23 09:16:33 localhost dovecot: auth: Debug: 
ldap(prova,192.168.44.31,<PsbzT/DT+gCTeiwf>): result: uid=prova 
uidNumber=2944 gidNumber=650 userPassword={MD5}BjbsTtSovVAs1csswBTI7Q==
Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: 
OK#0111#011user=prova#011proxy#011host=imap.example.it#011nologin#011hostip=192.168.11.136#011pass=password
Jan 23 09:16:33 localhost dovecot: imap-login: proxy(prova): started 
proxying to imap.example.it:143: user=<prova>, method=PLAIN, 
rip=192.168.44.31, lip=192.168.129.109, session=<PsbzT/DT+gCTeiwf>

As you can see, the 'nologin' field is present in the 'passdb' answer, but it 
doesn't seem to work.

If instead I try to disable login with the 'allow_nets' extra field, it 
works as expected:

'dovecot-ldap.conf.ext':
...
pass_attrs = uid=user,userPassword=password,\
   =userdb_home=/var/spool/mail/%1u/%u,uidNumber=userdb_uid,gidNumber=userdb_gid,\
   =proxy=y,=host=imap.example.it,\
   =allow_nets=127.0.0.0/8

dovecot log:

Jan 22 18:28:19 localhost dovecot: master: Dovecot v2.1.13 starting up 
(core dumps disabled)
Jan 22 18:28:32 localhost dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_mysql.so
Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_pgsql.so
Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jan 22 18:28:32 localhost dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jan 22 18:28:32 localhost dovecot: auth: Debug: auth client connected 
(pid=3178)
Jan 22 18:28:32 localhost dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011lip=192.168.129.109#011rip=192.168.44.31#011lport=143#011rport=53218
Jan 22 18:28:32 localhost dovecot: auth: Debug: client out: CONT#0111#011
Jan 22 18:28:32 localhost dovecot: auth: Debug: client in: 
CONT#0111#011AHByb3ZhZm0AY2hlcGFsbGU=
Jan 22 18:28:32 localhost dovecot: auth: Debug: 
ldap(prova,192.168.44.31): pass search: base=ou=People,dc=example,dc=it 
scope=subtree filter=(&(objectClass=qmailUser)(uid=prova)(accountStatus=active)) 
fields=uid,userPassword,uidNumber,gidNumber
Jan 22 18:28:32 localhost dovecot: auth: Debug: 
auth(prova,192.168.44.31): allow_nets: Matching for network 127.0.0.0/8
Jan 22 18:28:32 localhost dovecot: auth: passdb(prova,192.168.44.31): 
allow_nets check failed: IP not in allowed networks
Jan 22 18:28:32 localhost dovecot: auth: Debug: 
ldap(prova,192.168.44.31): result: uid=prova uidNumber=2944 
gidNumber=650 userPassword={MD5}BjbsTtSovGGs1csswBTI7Q==
Jan 22 18:28:34 localhost dovecot: auth: Debug: client out: 
FAIL#0111#011user=prova


I don't understand what is wrong with my configuration with 'nologin'.
Does someone have any clue?

Cheers,
   Marco
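The two log excerpts above differ in one line: the passdb reply the auth process hands back to the login process (`client passdb out: OK ...` versus `client out: FAIL ...`). When an extra field such as `nologin` seems to have no effect, that reply is the place to look, because it lists exactly which fields the passdb actually returned. The script below is an added example, not part of Marco's post or of Dovecot itself: it parses the `auth: Debug: client ... out:` lines (syslog writes each tab separator as the octal escape `#011`), collects the extra fields, and reports a disposition. The ordering in `login_disposition` (proxy checked before nologin) is an assumption chosen to mirror what the posted log shows, where a reply carrying both `proxy` and `nologin` was followed by "started proxying"; it is not taken from Dovecot's source. The sample lines are constructed from the ones in the post, and the `pass=` value, which `auth_debug_passwords = yes` puts into the log in clear, is redacted before it is reported.

```python
import re

# Constructed sample: the passdb replies seen in the thread (CONT, OK with
# proxy+nologin, FAIL), shaped like Dovecot 2.1 auth debug output in syslog.
SAMPLE_LOG = """\
Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: CONT#0111#011
Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: OK#0111#011user=prova#011proxy#011host=imap.example.it#011nologin#011hostip=192.168.11.136#011pass=password
Jan 22 18:28:34 localhost dovecot: auth: Debug: client out: FAIL#0111#011user=prova
"""

# Matches both "client out:" and "client passdb out:" debug lines.
REPLY_RE = re.compile(r"auth: Debug: client (?:passdb )?out: (?P<reply>.*)$")

# Fields whose values must never be echoed back out of a debug log.
SENSITIVE_FIELDS = {"pass"}


def decode_syslog_tabs(text):
    """syslog encodes a literal TAB as the octal escape '#011'."""
    return text.replace("#011", "\t")


def parse_auth_reply(line):
    """Return {'status', 'id', 'fields'} for an auth reply line, else None.

    The reply is TAB separated: STATUS, request id, then extra fields.
    Flag-style fields (proxy, nologin) carry no '=' and are stored as ''.
    """
    m = REPLY_RE.search(line)
    if not m:
        return None
    parts = decode_syslog_tabs(m.group("reply")).split("\t")
    status, req_id, extras = parts[0], parts[1], parts[2:]
    fields = {}
    for item in extras:
        if not item:          # trailing empty element after a final TAB
            continue
        key, _, value = item.partition("=")
        if key in SENSITIVE_FIELDS:
            value = "<redacted>"
        fields[key] = value
    return {"status": status, "id": req_id, "fields": fields}


def login_disposition(reply):
    """Describe what the login process will do with this passdb reply.

    Assumption (mirrors the posted log, not Dovecot's code): a reply that
    carries 'proxy' is proxied even when 'nologin' is present too.
    """
    fields = reply["fields"]
    if reply["status"] == "CONT":
        return "continue (SASL exchange in progress)"
    if reply["status"] != "OK":
        return "rejected"
    if "proxy" in fields:
        return "proxied to %s" % fields.get("host", "?")
    if "nologin" in fields:
        return "authenticated but login refused (nologin)"
    return "local login"


def audit(log_text):
    """Summarise every auth reply in the log as (user, status, fields, disposition)."""
    summary = []
    for line in log_text.splitlines():
        reply = parse_auth_reply(line)
        if reply is None:
            continue
        summary.append((reply["fields"].get("user"),
                        reply["status"],
                        sorted(reply["fields"]),
                        login_disposition(reply)))
    return summary


if __name__ == "__main__":
    for user, status, fields, what in audit(SAMPLE_LOG):
        print("user=%s status=%s fields=%s -> %s" % (user, status, fields, what))
```

Run it against a real `auth_debug = yes` log to see, per request, which extra fields the passdb returned and whether `proxy` was among them; the `hostip=` field in the OK reply shows the proxy destination was resolved before the login process acted on the reply.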