LMTP, PAM session and home directory autocreating

Ivars Strazdins ivars.strazdins at gmail.com
Tue Apr 9 23:28:37 EEST 2019


Hi,
mail is delivered by Dovecot's lmtp locally and I need user's home directory to be created if it doesn't exist yet.
There is a setting in Dovecot's configuration, "session=yes", in /etc/dovecot/conf.d/auth-system.conf.ext, which should do that:

# passdb is consulted when a client authenticates; "session=yes" asks the auth
# process to call pam_open_session/pam_close_session around a successful PAM
# authentication (see the "dovecot:session" opened/closed pairs in the auth log).
passdb {
  driver = pam    
  args = session=yes dovecot
}

But I think it does not work in my setup, because I do not see any PAM log entry for Dovecot when this error happens:

Apr  9 13:01:55 mailhost dovecot: lmtp(2935): Connect from local
Apr  9 13:01:55 mailhost dovecot: lmtp(2935, testuser): Error: User initialization failed: Namespace '': mkdir(/home/testuser/Maildir) failed: Permission denied (euid=174000327(testuser) egid=174000327(testuser) missing +w perm: /home, dir owned by 0:0 mode=0755)
Apr  9 13:01:55 mailhost dovecot: lmtp(2935): Disconnect from local: Successful quit

The error above seems expected, because it is not the LMTP agent's job to create the user's home directory; the pam_oddjob_mkhomedir.so module should do that. Right?

And there are log entries for every PAM user session:

Apr  9 13:24:42 mailhost auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=validuser rhost=::1 user= validuser
Apr  9 13:24:42 mailhost auth: pam_unix(dovecot:session): session opened for user validuser by (uid=0)
Apr  9 13:24:42 mailhost auth: pam_unix(dovecot:session): session closed for user validuser

I am asking for help on how to debug this problem and find out why Dovecot does not open a PAM session, or - if I am wrong and it does - what else is going wrong.
Home directory autocreation is configured with the command "authconfig --enablemkhomedir --update", and it works if the user logs into the system manually.

I tried to enable "mail_debug" in Dovecot's settings, but it did not give me any more information on the PAM session.

Running on Centos 7.6, with Dovecot 2.2.36.
I sort of remember this was working 2 years ago when I enabled "session=yes", but something has changed along the way with all the CentOS updates.

Thank you very much in advance for your time.
Ivars




/etc/pam.d/dovecot
#%PAM-1.0
# PAM service "dovecot" (the name passed in the passdb args). Only the auth
# process uses it; the LMTP delivery log above shows no PAM activity at all.
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
# The session stack is what "session=yes" runs; it is pulled in from
# password-auth, where pam_oddjob_mkhomedir.so is listed as "optional".
session    include      password-auth




/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): any edits belong in the authconfig profile, not here.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Leading "-" means: do not log an error if the module file is missing.
-session     optional      pam_systemd.so
# "optional": a failure here (e.g. the module not running or unable to create
# the directory) does not fail the session and is easy to miss in the logs.
# umask=0077 keeps a newly created home private to its owner.
session     optional      pam_oddjob_mkhomedir.so umask=0077
# For service "crond" the next line (pam_unix session) is skipped.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so




doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-957.10.1.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)  
# Hostname: mailhost.example.com
auth_mechanisms = plain login
# NOTE(review): this is the "auth-master" socket declared below; members of
# group "user" can open it (mode 0660), so that group gets userdb lookups.
auth_socket_path = /var/run/dovecot/auth-master
auth_username_format = %Ln
auth_verbose = yes
default_client_limit = 3500
default_process_limit = 500
# Plaintext mechanisms (PLAIN/LOGIN above) are accepted even on connections
# without TLS; credentials can then cross the network in the clear.
disable_plaintext_auth = no
first_valid_uid = 203
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_save_to_detail_mailbox = yes
# "~" is the home directory from userdb; for testuser that is /home/testuser,
# which is the mkdir() that fails in the LMTP log above.
mail_location = maildir:~/Maildir:INBOX=~/Maildir:LAYOUT=fs
mail_plugins = " fts fts_lucene"
mail_privileged_group = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  list = yes
  location = 
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
  type = private
}
# passdb is only consulted when a client authenticates (IMAP/POP3/ManageSieve
# logins); that is where the "dovecot:session" opened/closed lines come from.
# NOTE(review): LMTP delivery does not authenticate the recipient, so as far as
# this config shows it never reaches the PAM session stack - confirm.
passdb {
  args = session=yes dovecot
  driver = pam
}
plugin {
  autocreate = Junk
  autocreate2 = Sent
  autocreate3 = Drafts
  autocreate4 = Trash
  autosubscribe = Junk
  autosubscribe2 = Sent
  autosubscribe3 = Drafts
  autosubscribe4 = Trash
  fts = lucene
  fts_lucene = whitespace_chars=@.
  imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  sieve = file:~/sieve;active=~/roundcube.sieve
  sieve_before = /var/lib/sieve/junk.sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %v.%u
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  # Group-writable master socket: every member of group "user" can query it.
  unix_listener auth-master {
    group = user
    mode = 0660
    user = root
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = </etc/letsencrypt/live/webmail.example.com/fullchain.pem
ssl_key =  # hidden, use -P to show it
syslog_facility = local0
# LMTP resolves the recipient here (system passwd entry: uid, gid, home); the
# failing mkdir() in the log runs after privileges were dropped to that uid,
# so it cannot create anything under root-owned /home (0755).
userdb {
  driver = passwd
}
valid_chroot_dirs = /var/mail:/home
protocol lmtp {
  mail_fsync = never
  mail_plugins = " fts fts_lucene sieve"
  postmaster_address = postmaster at example.com
}
protocol lda {
  mail_fsync = never
  mail_plugins = " fts fts_lucene sieve expire"
}
protocol imap {
  mail_max_userip_connections = 25
  mail_plugins = " fts fts_lucene fts fts_squat expire imap_sieve"
}
protocol sieve {
  managesieve_notify_capability = mailto
  managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
}
protocol pop3 {
  mail_max_userip_connections = 20
  mail_plugins = " fts fts_lucene fts fts_squat expire"
}

