imapc and masteruser

Computerisms Corporation bob at computerisms.ca
Thu Sep 28 20:50:36 EEST 2017


Hi,

My end goal is to set up shared mailboxes on a cluster as per:

https://wiki.dovecot.org/SharedMailboxes/ClusterSetup

I was having very little luck with it, so I had been trying to break 
it down into pieces and get individual components working.  So I have 
things set up on a single server, with a working dovecot instance.  I 
have no director or anything else running yet, and I am just trying to 
get the imapc portion of things working.  Eventually I came across a 
post from Sven Hartge:

https://www.dovecot.org/list/dovecot/2012-November/087046.html

This is from several years ago, but I set up a separate dovecot instance 
on port 9993 specifically to run the shared folders as he describes, and 
copied his configuration suggestions pretty much verbatim.  The only 
significant difference is that I needed to not configure the imapc_user 
as he had done, and instead, as the wiki suggests, remove that config 
option entirely.  With this, the imapc connection is being made from the 
primary instance on port 993 to the shared instance on port 9993.

My problem is that it doesn't appear that the imapc_master_user is being 
fully acknowledged.  The imapc connection must be made with the original 
user logging in as the master user to the shared user's account, else 
the ACLs can't do what they are supposed to do.  It does appear the 
original user is being used to authenticate, maybe; at the very least it 
is being offered in the imapc connection, but not as a master user.

To illustrate, I have two snippets of logs below.

The first is from the shared folders instance on port 9993 after logging 
into the primary server on port 993, which triggers the imapc 
connection.  This shows the user bob.test, who is the imapc_master_user 
as defined by %u, being acknowledged and then having the username 
changed to that of my shared user, in this case authapps.  Further down, 
we can see that the auth_user is bob.test, but there is no master user, 
and the acl username at the bottom of the snippet remains that of my 
shared user.

Below that, I have the same snippet of log, as obtained by connecting 
with openssl s_client to the shared instance on port 9993, with the string:

a login authapps*bob.test XXXXXXX

In order to get this working, I need to add to the shared instance's 
config file a static userdb like so:

userdb {
	driver = static
}

This snippet shows the masteruser working as expected, and the acl 
username being that of the master user.  Unfortunately, it has no 
apparent effect on the imapc login.

So it seems master user logins work, just not through imapc.

I note at the top of the first snippet, before the change in username, 
it appears the imapc connection is being directed to the static passdb, 
which I think is triggering the username change, whereas in the second 
snippet the connection is starting with the ldap passdb.  But no amount 
of playing "configuration file options" chairs has led me to a working 
solution.

I am hoping someone can provide some insight as to what I am missing here.

doveconf -n for both instances are pasted below the log snippets.  If 
you are still reading, you have my gratitude for your attention this far...



2017-09-27 13:20:13.725943500 Sep 27 13:20:13 auth: Debug: 
static(bob.test,192.168.120.70,<y0vvhDFaYqDAqHhG>): lookup
2017-09-27 13:20:13.725960500 Sep 27 13:20:13 auth: Debug: 
static(bob.test,192.168.120.70,<y0vvhDFaYqDAqHhG>): username changed 
bob.test -> authapps
2017-09-27 13:20:13.726011500 Sep 27 13:20:13 auth: Debug: client passdb 
out: OK	1	user=authapps		original_user=bob.test
2017-09-27 13:20:13.728299500 Sep 27 13:20:13 auth: Debug: master in: 
REQUEST	2523398145	13259	1	ba830ae1c199401e5dbee28e31025ac1 
session_pid=13335	request_auth_token
2017-09-27 13:20:13.728344500 Sep 27 13:20:13 auth: Debug: master userdb 
out: USER	2523398145	authapps	uid=509	gid=509 
home=/CTFN/SharedMailboxes/CTFN/ 
auth_token=5e3d02714e82441cbbb3de8ff80f35bc3dc4b291	auth_user=bob.test
2017-09-27 13:20:13.728459500 Sep 27 13:20:13 imap-login: Info: Login: 
user=<authapps>, method=PLAIN, rip=192.168.120.70, lip=192.168.120.70, 
mpid=13335, TLS, session=<y0vvhDFaYqDAqHhG>
2017-09-27 13:20:13.729092500 Sep 27 13:20:13 imap(authapps): Debug: 
Loading modules from directory: /usr/local/lib/dovecot
2017-09-27 13:20:13.729781500 Sep 27 13:20:13 imap(authapps): Debug: 
Module loaded: /usr/local/lib/dovecot/lib01_acl_plugin.so
2017-09-27 13:20:13.729841500 Sep 27 13:20:13 imap(authapps): Debug: 
Module loaded: /usr/local/lib/dovecot/lib02_imap_acl_plugin.so
2017-09-27 13:20:13.730026500 Sep 27 13:20:13 imap(authapps): Debug: 
Effective uid=509, gid=509, home=/CTFN/SharedMailboxes/CTFN/
2017-09-27 13:20:13.732014500 Sep 27 13:20:13 imap(authapps): Debug: 
Namespace CTFN: type=public, prefix=CTFN/, sep=/, inbox=yes, hidden=no, 
list=yes, subscriptions=yes location=maildir:/CTFN/SharedMailboxes/
2017-09-27 13:20:13.732050500 Sep 27 13:20:13 imap(authapps): Debug: 
maildir++: root=/CTFN/SharedMailboxes, index=, indexpvt=, control=, 
inbox=/CTFN/SharedMailboxes, alt=
2017-09-27 13:20:13.732053500 Sep 27 13:20:13 imap(authapps): Debug: 
acl: initializing backend with data: vfile
2017-09-27 13:20:13.732055500 Sep 27 13:20:13 imap(authapps): Debug: 
acl: acl username = authapps




2017-09-27 18:33:37.008636500 Sep 27 18:33:37 auth: Debug: 
ldap(bob.test,192.168.120.50,master,<y56y5TVaAYHAqHgy>): Master user 
lookup for login: authapps
2017-09-27 18:33:37.021400500 Sep 27 18:33:37 auth: Info: 
ldap(bob.test,192.168.120.50,master,<y56y5TVaAYHAqHgy>): Master user 
logging in as authapps
2017-09-27 18:33:37.021425500 Sep 27 18:33:37 auth: Debug: client passdb 
out: OK	1	user=authapps	original_user=bob.test	auth_user=bob.test
2017-09-27 18:33:37.023658500 Sep 27 18:33:37 auth: Debug: master in: 
REQUEST	2776498177	9162	1	2d247ac65c17769575edb6c9db86fdee 
session_pid=27552	request_auth_token
2017-09-27 18:33:37.023703500 Sep 27 18:33:37 auth: Debug: 
ldap(authapps,192.168.120.50,<y56y5TVaAYHAqHgy>): user search: 
base=CN=Users,dn=ctfn,dn=ca scope=onelevel 
filter=(&(sAMAccountName=authapps)) fields=homeDirectory,uidNumber,gidNumber
2017-09-27 18:33:37.026953500 Sep 27 18:33:37 auth: Error: 
ldap(authapps,192.168.120.50,<y56y5TVaAYHAqHgy>): 
ldap_search(base=CN=Users,dn=ctfn,dn=ca 
filter=(&(sAMAccountName=authapps))) failed: Operations error
2017-09-27 18:33:37.026984500 Sep 27 18:33:37 auth: Debug: master userdb 
out: USER	2776498177	authapps	uid=509	gid=509 
home=/CTFN/SharedMailboxes/CTFN/	master_user=bob.test 
auth_token=12961a562e9ef0698b363714d758d95cea9ff3f2	auth_user=bob.test
2017-09-27 18:33:37.027163500 Sep 27 18:33:37 imap-login: Info: Login: 
user=<authapps>, method=PLAIN, rip=192.168.120.50, lip=192.168.120.70, 
mpid=27552, TLS, session=<y56y5TVaAYHAqHgy>
2017-09-27 18:33:37.027826500 Sep 27 18:33:37 imap(authapps): Debug: 
Loading modules from directory: /usr/local/lib/dovecot
2017-09-27 18:33:37.028479500 Sep 27 18:33:37 imap(authapps): Debug: 
Module loaded: /usr/local/lib/dovecot/lib01_acl_plugin.so
2017-09-27 18:33:37.028561500 Sep 27 18:33:37 imap(authapps): Debug: 
Module loaded: /usr/local/lib/dovecot/lib02_imap_acl_plugin.so
2017-09-27 18:33:37.028607500 Sep 27 18:33:37 imap(authapps): Debug: 
Added userdb setting: plugin/master_user=bob.test
2017-09-27 18:33:37.028685500 Sep 27 18:33:37 imap(authapps): Debug: 
Effective uid=509, gid=509, home=/CTFN/SharedMailboxes/CTFN/
2017-09-27 18:33:37.030993500 Sep 27 18:33:37 imap(authapps): Debug: 
Namespace CTFN: type=public, prefix=CTFN/, sep=/, inbox=yes, hidden=no, 
list=yes, subscriptions=yes location=maildir:/CTFN/SharedMailboxes/CTFN
2017-09-27 18:33:37.031019500 Sep 27 18:33:37 imap(authapps): Debug: 
maildir++: root=/CTFN/SharedMailboxes/CTFN, index=, indexpvt=, control=, 
inbox=/CTFN/SharedMailboxes/CTFN, alt=
2017-09-27 18:33:37.031040500 Sep 27 18:33:37 imap(authapps): Debug: 
acl: initializing backend with data: vfile
2017-09-27 18:33:37.031047500 Sep 27 18:33:37 imap(authapps): Debug: 
acl: acl username = bob.test


PRIMARY SERVER ON PORT 993:
doveconf -i dovecotserver -n
# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_verbose_passwords = plain
hostname = imap.ctfn.ca
imapc_host = masterchieflian.ctfn.ca
imapc_master_user = %u
imapc_password =  # hidden, use -P to show it
imapc_port = 9993
imapc_ssl = imaps
instance_name = dovecotserver
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = 192.168.120.70
log_path = /dev/stderr
login_greeting = CTFN IMAP server
mail_debug = yes
mail_fsync = always
mail_location = maildir:~/Maildir
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = stats quota
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext vacation-seconds
mmap_disable = yes
namespace CTFN {
   list = yes
   location = imapc:/CTFN/mail/CTFN:INDEXPVT=/CTFN/mail/%n/Maildir/CTFN
   prefix = CTFN/
   separator = /
   subscriptions = no
   type = public
}
namespace inbox {
   inbox = yes
   location =
   mailbox Archives {
     auto = subscribe
     special_use = \Archive
   }
   mailbox Drafts {
     auto = subscribe
     special_use = \Drafts
   }
   mailbox Junk {
     auto = subscribe
     special_use = \Junk
   }
   mailbox LearnAsSpam {
     auto = subscribe
   }
   mailbox Sent {
     auto = subscribe
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     auto = subscribe
     special_use = \Sent
   }
   mailbox Trash {
     auto = subscribe
     special_use = \Trash
   }
   prefix =
   separator = /
   type = private
}
passdb {
   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
passdb {
   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
   master = yes
}
plugin {
   acl_shared_dict = fs:posix:prefix=/CTFN/
   mail_log_events = delete undelete expunge copy mailbox_delete 
mailbox_rename
   mail_log_fields = uid box msgid size vsize from subject flags
   sieve = ~/.dovecot.sieve
   sieve_default = /usr/local/lib/dovecot/default.sieve
   sieve_dir = ~/sieve
   sieve_extensions = +vacation +vacation-seconds
   sieve_max_actions = 92
   sieve_max_redirects = 24
   sieve_max_script_size = 10M
   sieve_quota_max_scripts = 20
   sieve_quota_max_storage = 200000
}
protocols = imap sieve
service auth {
   client_limit = 1024
   unix_listener auth-userdb {
     group = vmail
     mode = 0660
     user = dovecot
   }
}
service doveadm {
   inet_listener {
     address = 192.168.120.70
     port = 9092
   }
}
service imap-login {
   inet_listener imap {
     address = 127.0.0.1
     port = 143
     ssl = no
   }
   inet_listener imaps {
     address = 192.168.120.70
     port = 993
     ssl = yes
   }
   process_min_avail = 5
   service_count = 0
}
service managesieve-login {
   inet_listener sieve-local {
     address = 127.0.0.1
     port = 4190
   }
   inet_listener sieve {
     address = 192.168.120.70
     port = 4190
   }
   process_min_avail = 5
   service_count = 1
   vsz_limit = 64 M
}
ssl = required
ssl_ca = /var/CA/ctfn.ca/RapidSSLWildcard/2017/geotrust.intermediate.pem
ssl_cert = <//var/CA/ctfn.ca/RapidSSLWildcard/2017/ctfn.ca.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_key =  # hidden, use -P to show it
userdb {
   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
   default_fields = uid=vmail gid=vmail imapc_password=%w 
home=/CTFN/mail/%Ln
   driver = ldap
}
userdb {
   args = uid=vmail gid=vmail home=/CTFN/mail/%n
   driver = static
}
verbose_proctitle = yes
protocol imap {
   imap_id_log = *
}
protocol lda {
   mail_plugins = stats quota sieve
   submission_host = 127.0.0.1:25
}
protocol sieve {
   mail_max_userip_connections = 10
   mail_plugins =
   managesieve_implementation_string = Dovecot Pigeonhole
   managesieve_logout_format = bytes=%i/%o
   managesieve_max_compile_errors = 5
   managesieve_max_line_length = 65536
   managesieve_notify_capability =
   managesieve_sieve_capability =
}






SHARED SERVER ON PORT 9993:
doveconf -i dovshare -n
# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovshare.conf
# Pigeonhole version 0.4.19 (e5c7051)
# OS: Linux 4.9.0-3-amd64 x86_64 Debian 9.1
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_verbose_passwords = plain
base_dir = /usr/local/var/run/dovshare/
hostname = imapshare.ctfn.ca
instance_name = dovshare
listen = 192.168.120.70
log_path = /dev/stderr
login_greeting = CTFN IMAP Shared Mailboxes
mail_debug = yes
mail_fsync = always
mail_gid = vmail
mail_location = maildir:~
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = stats quota acl
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart extracttext
mmap_disable = yes
namespace CTFN {
   inbox = yes
   location = maildir:/CTFN/SharedMailboxes/CTFN
   prefix = CTFN/
   separator = /
   type = public
}
passdb {
   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
   master = yes
}
passdb {
   args = user=authapps password=XXXXXXXXXX
   driver = static
}
plugin {
   acl = vfile
   acl_shared_dict = fs:posix:prefix=/CTFN/Config/dovecot/dovecot.acls/
   mail_log_events = delete undelete expunge copy mailbox_delete 
mailbox_rename
   mail_log_fields = uid box msgid size vsize from subject flags
}
protocols = imap
service auth {
   client_limit = 1024
   unix_listener auth-userdb {
     group = vmail
     mode = 0660
     user = dovecot
   }
}
service imap-login {
   inet_listener imaps {
     address = 192.168.120.70
     port = 9993
     ssl = yes
   }
   process_min_avail = 5
   service_count = 0
}
ssl = required
ssl_ca = </var/CA/ctfn.ca/RapidSSLWildcard/2017/geotrust.intermediate.pem
ssl_cert = <//var/CA/ctfn.ca/RapidSSLWildcard/2017/ctfn.ca.pem
ssl_client_ca_file = 
</var/CA/ctfn.ca/RapidSSLWildcard/2017/geotrust.intermediate.pem
ssl_key =  # hidden, use -P to show it
userdb {
   args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
   driver = ldap
}
userdb {
   driver = static
}
verbose_proctitle = yes
protocol imap {
   imap_id_log = *
   mail_plugins = acl imap_acl
}
-- 
Bob Miller
Cell: 867-334-7117
Office: 867-633-3760
www.computerisms.ca
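An added example, not part of the post above and not Dovecot's own code: a Python script that re-joins the wrapped auth/imap debug records of one login session and reports whether the master user was carried from the passdb reply through the userdb reply to the ACL plugin, which is the chain the two log snippets differ on. The two session samples are the post's own excerpts cut down to the records the check reads; the regular expressions assume the Dovecot 2.2 debug wording shown there (auth_debug=yes, mail_debug=yes), and master_login_command() assumes auth_master_user_separator = * as both configs set it.

```python
import re

# Constructed samples: the post's two log excerpts (first the imapc login
# as seen by the shared instance, then a direct user*master login typed
# into openssl s_client), cut down to the records this check reads, with
# the line wrapping the list archive applied left in place.
IMAPC_SESSION = """\
2017-09-27 13:20:13.725960500 Sep 27 13:20:13 auth: Debug:
static(bob.test,192.168.120.70,<y0vvhDFaYqDAqHhG>): username changed
bob.test -> authapps
2017-09-27 13:20:13.726011500 Sep 27 13:20:13 auth: Debug: client passdb
out: OK 1 user=authapps original_user=bob.test
2017-09-27 13:20:13.728344500 Sep 27 13:20:13 auth: Debug: master userdb
out: USER 2523398145 authapps uid=509 gid=509
home=/CTFN/SharedMailboxes/CTFN/
auth_token=5e3d02714e82441cbbb3de8ff80f35bc3dc4b291 auth_user=bob.test
2017-09-27 13:20:13.732055500 Sep 27 13:20:13 imap(authapps): Debug:
acl: acl username = authapps
"""
DIRECT_SESSION = """\
2017-09-27 18:33:37.021400500 Sep 27 18:33:37 auth: Info:
ldap(bob.test,192.168.120.50,master,<y56y5TVaAYHAqHgy>): Master user
logging in as authapps
2017-09-27 18:33:37.021425500 Sep 27 18:33:37 auth: Debug: client passdb
out: OK 1 user=authapps original_user=bob.test auth_user=bob.test
2017-09-27 18:33:37.026984500 Sep 27 18:33:37 auth: Debug: master userdb
out: USER 2776498177 authapps uid=509 gid=509
home=/CTFN/SharedMailboxes/CTFN/ master_user=bob.test
auth_token=12961a562e9ef0698b363714d758d95cea9ff3f2 auth_user=bob.test
2017-09-27 18:33:37.031047500 Sep 27 18:33:37 imap(authapps): Debug:
acl: acl username = bob.test
"""

# A record starts with the timestamp; any other line is a wrapped continuation.
_RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Dovecot separates key=value fields with tabs; archives often turn those
# into spaces, so any non-whitespace run is accepted as a value.
_FIELD_RE = re.compile(r"(\w+)=(\S*)")
_PASSDB_OUT_RE = re.compile(r"client passdb\s+out: (?P<rest>.*)")
_USERDB_OUT_RE = re.compile(r"master userdb\s+out: USER\s+\d+\s+\S+(?P<rest>.*)")
_USERNAME_CHANGED_RE = re.compile(r"username changed (\S+) -> (\S+)")
_MASTER_PASSDB_RE = re.compile(r",master,<[^>]*>\): Master user logging in as \S+")
_ACL_USER_RE = re.compile(r"acl: acl username = (?P<acl>\S+)")


def join_wrapped(lines):
    """Re-join log records that were wrapped onto several physical lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if _RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_fields(text):
    """Turn 'user=authapps original_user=bob.test ...' into a dict."""
    return dict(_FIELD_RE.findall(text))


def analyze_session(lines):
    """Summarise one login and say whether the master user reached the ACL plugin."""
    r = {
        "master_passdb_used": False,  # a passdb with master=yes handled it
        "username_changed": None,     # (old, new) if a passdb rewrote the user
        "login_user": None,           # user the passdb finally settled on
        "original_user": None,
        "master_user": None,          # master_user field emitted by the userdb
        "auth_user": None,
        "acl_username": None,         # identity the ACL plugin checks rights for
    }
    for rec in join_wrapped(lines):
        if _MASTER_PASSDB_RE.search(rec):
            r["master_passdb_used"] = True
        if m := _USERNAME_CHANGED_RE.search(rec):
            r["username_changed"] = (m.group(1), m.group(2))
        if m := _PASSDB_OUT_RE.search(rec):
            f = parse_fields(m.group("rest"))
            r["login_user"], r["original_user"] = f.get("user"), f.get("original_user")
        if m := _USERDB_OUT_RE.search(rec):
            f = parse_fields(m.group("rest"))
            r["master_user"], r["auth_user"] = f.get("master_user"), f.get("auth_user")
        if m := _ACL_USER_RE.search(rec):
            r["acl_username"] = m.group("acl")
    # Only a userdb reply carrying master_user, with the ACL plugin evaluating
    # rights for that same name, counts as a working master-user login.
    r["master_login_ok"] = (r["master_user"] is not None
                            and r["acl_username"] == r["master_user"])
    return r


def master_login_command(user, master_user, password, separator="*", tag="a"):
    """IMAP LOGIN line that logs master_user in as user, in the
    'user<separator>master' form selected by auth_master_user_separator."""
    for name in (user, master_user):
        if separator in name:
            raise ValueError(f"{name!r} contains the separator {separator!r}")
    return f'{tag} LOGIN "{user}{separator}{master_user}" "{password}"'
```

Run analyze_session over the first snippet and it returns master_user None with acl_username authapps (master_login_ok False); over the second it returns master_user and acl_username both bob.test (master_login_ok True). In a live log the quickest tell is the master_user= field on the "master userdb out" line: the second snippet shows the imap process picking that up as plugin/master_user just before the ACL plugin reports acl username = bob.test, and the first snippet never emits it.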

