limit sharing ability to certain users

Simeon Ott simeon.ott at onnet.ch
Tue Aug 7 12:58:29 EEST 2018


Now the attributes are correctly read for the user test at onnet.ch, but the other users are no longer able to authenticate.

root at buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test at onnet.ch
field	value
uid	5000
gid	5000
home	/var/spool/postfix/virtual/onnet.ch/test/
mail	maildir:~/Maildir
quota_rule	*:bytes=1073741824
acl	vfile:/etc/dovecot/dovecot-acl
acl_globals_only	yes

root at buserver:/etc/dovecot# doveadm user test2 at onnet.ch
field	value
userdb lookup: user test2 at onnet.ch doesn't exist

So I would have to add every user to the passwd-file as well before the other users can authenticate. That is not an option for our production server, because the LDAP directory is supposed to remain the authoritative user database. After adding the line "test at onnet.ch:::::::" to the passwd-file, doveadm user also works for test2 at onnet.ch:

root at buserver:/var/spool/postfix/virtual/onnet.ch/test/Maildir/.super# doveadm user test2 at onnet.ch
field	value
uid	5000
gid	5000
home	/var/spool/postfix/virtual/onnet.ch/test2/
mail	maildir:~/Maildir
quota_rule	*:bytes=1073741824

IMPORTANT NOTE: even with these options set (acl and acl_globals_only), the user test at onnet.ch is still able to share its own folders. Caveat: the debug log quoted below was captured before the passwd-file fields reached the userdb result — its "master userdb out" line carries no acl field and the imap process logs "acl vfile: Global ACLs disabled" — so it does not show whether the setting is now reaching the IMAP session; a fresh login with mail_debug enabled should be checked for the acl lines before concluding that acl_globals_only has no effect.


> On 7 Aug 2018, at 11:35, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> 
> Ah. You probably need to change ldap userdb so that you add
> 
> userdb {
>  driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf
>  result_success = continue-ok
> }
> 
> so that the next one is processed. 
> 
> you can use 'doveadm user test at onnet.ch' to verify that the attributes are read for this user, and with another username that they are not.
> 
> Aki
> 
> 
> On 07.08.2018 12:23, Simeon Ott wrote:
>> … attached the doveconf -n output, the linked files and the debug log lines from a
>> standard client login. (Caveat: with auth_debug_passwords = yes and auth_verbose_passwords = plain, the logged "client in: AUTH ... PLAIN ... resp=..." value is the base64-encoded SASL PLAIN exchange, which includes the account password, and with ssl = no and disable_plaintext_auth = no the same credential also crosses the network in clear text. Treat the test account's password as disclosed, and switch these debug settings off once the problem is solved.)
>> 
>> root at buserver:/etc/dovecot/conf.d# doveconf -n
>> # 2.2.13: /etc/dovecot/dovecot.conf
>> # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 
>> auth_debug = yes
>> auth_debug_passwords = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> debug_log_path = syslog
>> disable_plaintext_auth = no
>> info_log_path = syslog
>> lda_mailbox_autocreate = yes
>> lda_mailbox_autosubscribe = yes
>> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
>> mail_debug = yes
>> mail_gid = 5000
>> mail_location = maildir:~/Maildir
>> mail_plugins = zlib quota acl
>> mail_uid = 5000
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope
>> encoded-character vacation subaddress comparator-i;ascii-numeric
>> relational regex imap4flags copy include variables body enotify
>> environment mailbox date ihave
>> namespace {
>>   hidden = no
>>   ignore_on_failure = no
>>   inbox = no
>>   list = children
>>   location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
>>   prefix = shared/%%u/
>>   separator = /
>>   subscriptions = yes
>>   type = shared
>> }
>> namespace inbox {
>>   inbox = yes
>>   location = 
>>   mailbox Drafts {
>>     auto = subscribe
>>     special_use = \Drafts
>>   }
>>   mailbox Sent {
>>     auto = subscribe
>>     special_use = \Sent
>>   }
>>   mailbox "Sent Messages" {
>>     special_use = \Sent
>>   }
>>   mailbox Spam {
>>     auto = subscribe
>>     special_use = \Junk
>>   }
>>   mailbox Trash {
>>     auto = subscribe
>>     special_use = \Trash
>>   }
>>   prefix = 
>>   separator = /
>>   type = private
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-ldap.conf
>>   driver = ldap
>> }
>> plugin {
>>   acl = vfile
>>   acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
>>   quota = maildir:User quota
>>   quota_exceeded_message = 4.2.2 Mailbox full
>>   quota_rule = *:storage=1G
>>   quota_rule2 = INBOX.Trash:storage=+100M
>>   quota_rule3 = INBOX.Spam:ignore
>>   quota_warning = storage=95%% quota-warning 95 %u
>>   sieve = ~/.dovecot.sieve
>>   sieve_before = /var/lib/dovecot/sieve/default.sieve
>>   sieve_dir = ~/sieve
>>   sieve_max_actions = 32
>>   sieve_max_redirects = 4
>>   sieve_max_script_size = 1M
>>   sieve_quota_max_scripts = 0
>>   sieve_quota_max_storage = 0
>> }
>> protocols = " imap lmtp sieve pop3"
>> service auth {
>>   group = dovecot
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0666
>>     user = postfix
>>   }
>>   unix_listener auth-master {
>>     group = vmail
>>     mode = 0666
>>     user = vmail
>>   }
>>   unix_listener auth-userdb {
>>     group = vmail
>>     mode = 0666
>>     user = vmail
>>   }
>>   user = dovecot
>> }
>> service lmtp {
>>   unix_listener lmtp {
>>     mode = 0666
>>   }
>> }
>> service managesieve-login {
>>   inet_listener sieve {
>>     port = 4190
>>   }
>>   inet_listener sieve_deprecated {
>>     port = 2000
>>   }
>>   process_min_avail = 0
>>   service_count = 1
>>   vsz_limit = 64 M
>> }
>> ssl = no
>> userdb {
>>   args = /etc/dovecot/dovecot-ldap.conf
>>   driver = ldap
>> }
>> userdb {
>>   args = username_format=%Lu /etc/dovecot/share.passwd
>>   driver = passwd-file
>> }
>> protocol lmtp {
>>   mail_plugins = zlib quota acl sieve
>> }
>> protocol lda {
>>   auth_socket_path = /var/run/dovecot/auth-master
>>   deliver_log_format = msgid=%m: %$
>>   mail_plugins = zlib quota acl sieve
>>   postmaster_address = postmaster at onnet.ch <mailto:postmaster at onnet.ch>
>> }
>> protocol imap {
>>   mail_plugins = zlib quota acl imap_quota imap_acl
>> }
>> protocol sieve {
>>   info_log_path = /var/log/sieve.log
>>   log_path = /var/log/sieve.log
>>   mail_max_userip_connections = 10
>>   managesieve_implementation_string = Dovecot Pigeonhole
>>   managesieve_logout_format = bytes=%i/%o
>>   managesieve_max_compile_errors = 5
>>   managesieve_max_line_length = 65536
>> }
>> 
>> root at buserver:/etc/dovecot# cat dovecot-acl
>> root at buserver:/etc/dovecot#
>> 
>> -> i.e. the file is empty
>> 
>> root at buserver:/etc/dovecot# cat share.passwd 
>> test at onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
>> 
>> root at buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
>> hosts = localhost
>> uris = ldap://localhost:389/
>> debug_level = 10
>> auth_bind = yes
>> ldap_version = 3
>> base = ou=domains,dc=intra,dc=onnet,dc=ch
>> deref = never
>> scope = subtree
>> user_attrs =
>> homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
>> user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
>> pass_attrs = mail=user,userPassword=password
>> pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
>> iterate_attrs = mail=user
>> iterate_filter = (objectClass=CourierMailAccount)
>> default_pass_scheme = CRYPT
>> 
>> root at buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug  7 11:17:27"
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl vfile: file
>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test
>> <http://onnet.ch/test//Maildir/.test> folder 1.sub folder 1
>> 1/dovecot-acl not found
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl vfile: reading file
>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
>> <http://onnet.ch/test//Maildir/.super/dovecot-acl>
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl vfile: reading file
>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello
>> <http://onnet.ch/test//Maildir/.super.hello> du/dovecot-acl
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl vfile: file
>> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test
>> <http://onnet.ch/test//Maildir/.test> folder 1/dovecot-acl not found
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: auth client connected
>> (pid=3203)
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: client in:
>> AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng==
>> (previous base64 data may contain sensitive data)
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch
>> <mailto:test at onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search:
>> base=ou=domains,dc=intra,dc=onnet,dc=ch
>> filter=(&(objectClass=CourierMailAccount)(mail=test at onnet.ch
>> <mailto:mail=test at onnet.ch>))
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch
>> <mailto:test at onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>> mail=test at onnet.ch <mailto:mail=test at onnet.ch>; mail unused
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch
>> <mailto:test at onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>> mail=test at onnet.ch <mailto:mail=test at onnet.ch>
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: client passdb out:
>> OK#0111#011user=test at onnet.ch <mailto:OK#0111#011user=test at onnet.ch>
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: master in:
>> REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch
>> <mailto:test at onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search:
>> base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree
>> filter=(&(objectClass=CourierMailAccount)(mail=test at onnet.ch
>> <mailto:mail=test at onnet.ch>))
>> fields=homeDirectory,uidNumber,gidNumber,quota
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch
>> <mailto:test at onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>> uidNumber=5000 quota=1073741824 gidNumber=5000
>> homeDirectory=onnet.ch/test/ <http://onnet.ch/test/>;
>> homeDirectory,uidNumber,quota,gidNumber unused
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(test at onnet.ch
>> <mailto:test at onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
>> uidNumber=5000 quota=1073741824 gidNumber=5000
>> homeDirectory=onnet.ch/test/ <http://onnet.ch/test/>
>> Aug  7 11:17:27 buserver dovecot: auth: Debug: master userdb out:
>> USER#0113718250497#011test at onnet.ch
>> <mailto:USER#0113718250497#011test at onnet.ch>#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
>> <http://onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201>
>> Aug  7 11:17:27 buserver dovecot: imap-login: Login:
>> user=<test at onnet.ch <mailto:test at onnet.ch>>, method=PLAIN,
>> rip=192.168.56.1, lip=192.168.56.50, mpid=3206
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Loading modules from
>> directory: /usr/lib/dovecot/modules
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>> /usr/lib/dovecot/modules/lib01_acl_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>> /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>> /usr/lib/dovecot/modules/lib10_quota_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>> /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
>> /usr/lib/dovecot/modules/lib20_zlib_plugin.so
>> Aug  7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting:
>> plugin/quota_rule=*:bytes=1073741824
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Effective uid=5000, gid=5000,
>> home=/var/spool/postfix/virtual/onnet.ch/test/ <http://onnet.ch/test/>
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Quota root: name=User quota
>> backend=maildir args=
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Quota rule: root=User quota mailbox=*
>> bytes=1073741824 messages=0
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Quota rule: root=User quota
>> mailbox=INBOX.Trash bytes=+104857600 messages=0
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Quota rule: root=User quota
>> mailbox=INBOX.Spam ignored
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Quota warning: bytes=1020054732 (95%)
>> messages=0 reverse=no command=quota-warning 95 test at onnet.ch
>> <mailto:test at onnet.ch>
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Quota grace: root=User quota
>> bytes=107374182 (10%)
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Namespace inbox: type=private,
>> prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
>> location=maildir:~/Maildir
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: maildir++:
>> root=/var/spool/postfix/virtual/onnet.ch/test//Maildir
>> <http://onnet.ch/test//Maildir>, index=, indexpvt=, control=,
>> inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir
>> <http://onnet.ch/test//Maildir>, alt=
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl: initializing backend with data: vfile
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl: acl username = test at onnet.ch
>> <mailto:test at onnet.ch>
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl: owner = 1
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl vfile: Global ACLs disabled
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: Namespace : type=shared,
>> prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children,
>> subscriptions=yes
>> location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
>> <http://onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u>
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: shared: root=/var/run/dovecot, index=,
>> indexpvt=, control=, inbox=, alt=
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl: initializing backend with data: vfile
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl: acl username = test at onnet.ch
>> <mailto:test at onnet.ch>
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl: owner = 0
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Debug: acl vfile: Global ACLs disabled
>> Aug  7 11:17:27 buserver dovecot: imap(test at onnet.ch
>> <mailto:test at onnet.ch>): Disconnected: Logged out in=30 out=457
>> 
>> thanks for looking into this
>> 
>>> On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tuomi at dovecot.fi
>>> <mailto:aki.tuomi at dovecot.fi>> wrote:
>>> 
>>> Can you provide your doveconf -n after adding the database *after* LDAP?
>>> 
>>> You probably need to add 'noauthenticate' as one parameter after the
>>> userdb ones.
>>> 
>>> Aki
>>> 
>> 
> 


