LMTP, PAM session and home directory autocreating
Ivars Strazdins
ivars.strazdins at gmail.com
Tue Apr 9 23:28:37 EEST 2019
Hi,
Mail is delivered locally by Dovecot's LMTP service, and I need each user's home directory to be created if it doesn't exist yet.
There is a setting in Dovecot's configuration, "session=yes", in /etc/dovecot/conf.d/auth-system.conf.ext, which should do that.
passdb {
driver = pam
args = session=yes dovecot
}
But I think it does not work in my setup because I do not see any PAM log entry for Dovecot when this error happens:
Apr 9 13:01:55 mailhost dovecot: lmtp(2935): Connect from local
Apr 9 13:01:55 mailhost dovecot: lmtp(2935, testuser): Error: User initialization failed: Namespace '': mkdir(/home/testuser/Maildir) failed: Permission denied (euid=174000327(testuser) egid=174000327(testuser) missing +w perm: /home, dir owned by 0:0 mode=0755)
Apr 9 13:01:55 mailhost dovecot: lmtp(2935): Disconnect from local: Successful quit
The error above seems expected, because it is not the LMTP agent's job to create the user's home directory; the pam_oddjob_mkhomedir.so module should do that. Right?
And there are log entries for every PAM user session:
Apr 9 13:24:42 mailhost auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=validuser rhost=::1 user= validuser
Apr 9 13:24:42 mailhost auth: pam_unix(dovecot:session): session opened for user validuser by (uid=0)
Apr 9 13:24:42 mailhost auth: pam_unix(dovecot:session): session closed for user validuser
I am asking for help with debugging this problem and finding out why Dovecot does not open a PAM session or, if I am wrong and it does, what else is going wrong.
Home directory autocreation is configured with the command "authconfig --enablemkhomedir --update", and it works if a user logs into the system manually.
I tried enabling "mail_debug" in Dovecot's settings, but it did not give me any more information about the PAM session.
Running on CentOS 7.6 with Dovecot 2.2.36.
I sort of remember this working 2 years ago when I enabled "session=yes", but something has changed along the way with all the CentOS updates.
Thank you very much in advance for your time.
Ivars
/etc/pam.d/dovecot
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-957.10.1.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)
# Hostname: mailhost.example.com
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-master
auth_username_format = %Ln
auth_verbose = yes
default_client_limit = 3500
default_process_limit = 500
disable_plaintext_auth = no
first_valid_uid = 203
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_save_to_detail_mailbox = yes
mail_location = maildir:~/Maildir:INBOX=~/Maildir:LAYOUT=fs
mail_plugins = " fts fts_lucene"
mail_privileged_group = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
list = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
type = private
}
passdb {
args = session=yes dovecot
driver = pam
}
plugin {
autocreate = Junk
autocreate2 = Sent
autocreate3 = Drafts
autocreate4 = Trash
autosubscribe = Junk
autosubscribe2 = Sent
autosubscribe3 = Drafts
autosubscribe4 = Trash
fts = lucene
fts_lucene = whitespace_chars=@.
imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = *
sieve = file:~/sieve;active=~/roundcube.sieve
sieve_before = /var/lib/sieve/junk.sieve
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve
sieve_plugins = sieve_imapsieve sieve_extprograms
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %v.%u
protocols = imap pop3 lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
group = user
mode = 0660
user = root
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
ssl_cert = </etc/letsencrypt/live/webmail.example.com/fullchain.pem
ssl_key = # hidden, use -P to show it
syslog_facility = local0
userdb {
driver = passwd
}
valid_chroot_dirs = /var/mail:/home
protocol lmtp {
mail_fsync = never
mail_plugins = " fts fts_lucene sieve"
postmaster_address = postmaster at example.com
}
protocol lda {
mail_fsync = never
mail_plugins = " fts fts_lucene sieve expire"
}
protocol imap {
mail_max_userip_connections = 25
mail_plugins = " fts fts_lucene fts fts_squat expire imap_sieve"
}
protocol sieve {
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
}
protocol pop3 {
mail_max_userip_connections = 20
mail_plugins = " fts fts_lucene fts fts_squat expire"
}