LMTP, PAM session and home directory autocreation

Ivars Strazdins ivars.strazdins at gmail.com
Thu Apr 11 17:43:07 EEST 2019


Hi,
Mail is delivered locally by Dovecot's LMTP, and I need the user's home directory to be created if it doesn't exist yet.
There is a setting in Dovecot's configuration, "session=yes" in /etc/dovecot/conf.d/auth-system.conf.ext, which should make Dovecot open a PAM session and thus do that:

passdb {
 driver = pam    
 # "session=yes": ask Dovecot's auth process to open a PAM session after a successful
 # PAM authentication, so the session-phase modules (e.g. pam_oddjob_mkhomedir.so) run.
 # "dovecot" is the PAM service name, i.e. /etc/pam.d/dovecot.
 args = session=yes dovecot
}

But I think it does not work in my setup, because I do not see any PAM log entry for Dovecot in the system log when this error happens:

Apr  9 13:01:55 mailhost dovecot: lmtp(2935): Connect from local
Apr  9 13:01:55 mailhost dovecot: lmtp(2935, testuser): Error: User initialization failed: Namespace '': mkdir(/home/testuser/Maildir) failed: Permission denied (euid=174000327(testuser) egid=174000327(testuser
) missing +w perm: /home, dir owned by 0:0 mode=0755)
Apr  9 13:01:55 mailhost dovecot: lmtp(2935): Disconnect from local: Successful quit

The error above seems expected, because it is not the LMTP agent's job to create the user's home directory; the pam_oddjob_mkhomedir.so module should do that.
Right?

And here are the usual PAM log entries for an ordinary Dovecot authentication, where a session is opened:

Apr  9 13:24:42 mailhost auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=validuser rhost=::1 user= validuser
Apr  9 13:24:42 mailhost auth: pam_unix(dovecot:session): session opened for user validuser by (uid=0)
Apr  9 13:24:42 mailhost auth: pam_unix(dovecot:session): session closed for user validuser

How can I debug this problem and find out why Dovecot does not open a PAM session for LMTP deliveries - or, if I am wrong and it does, what else is going wrong?
Home directory autocreation is configured with the command "authconfig --enablemkhomedir --update", and it works when a user logs into the system via a shell or via webmail.

I tried enabling "mail_debug" in Dovecot's settings, but it did not give me any more information about the PAM session.

Running on CentOS 7.6 with Dovecot 2.2.36.

It looks like a common mistake or issue, because I am not the only one hitting it: http://tinyurl.com/y6kjhsnw
Thank you very much in advance for your time.
Ivars


/etc/pam.d/dovecot
#%PAM-1.0
# PAM service "dovecot", selected by the pam passdb (args = session=yes dovecot).
# There is no "password" stack: Dovecot only authenticates, it never changes passwords.
# auth phase: pam_nologin.so runs first (presumably the standard /etc/nologin check),
# then the system-wide password-auth stack.
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
# session phase is delegated to password-auth as well; that is where
# pam_oddjob_mkhomedir.so is listed, so it only runs if Dovecot actually
# opens a PAM session for the user.
session    include      password-auth




/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth phase. pam_localuser.so: local users fall through (success=ok) to pam_unix.so,
# non-local users jump one line past it (default=1). pam_unix.so is terminal either way
# (success=done / default=die). Non-local users must have uid >= 1000 (requisite) and are
# then authenticated by pam_sss.so (SSSD); pam_deny.so catches everything else.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

# account phase: local users (pam_localuser.so) and system accounts (uid < 1000) are
# accepted directly; other users are checked against SSSD (pam_sss.so).
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

# password phase: not reachable from the dovecot service (it has no password stack).
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

# session phase: reached from the dovecot service via "session include password-auth",
# so it runs only when Dovecot opens a PAM session (the "session=yes" passdb option).
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# leading "-": the line is silently skipped if the module cannot be loaded.
-session     optional      pam_systemd.so
# Creates the home directory via oddjobd. It is "optional", so a failure here never
# fails the session and will only show up in the oddjobd/PAM logs, not in Dovecot's
# result. umask=0077 presumably yields mode 0700 home directories.
session     optional      pam_oddjob_mkhomedir.so umask=0077
# success=1: for the crond service, skip the next line (pam_unix.so) only.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so




doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-957.10.1.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)  
# Hostname: mailhost.example.com
auth_mechanisms = plain login
auth_socket_path = /var/run/dovecot/auth-master
auth_username_format = %Ln
auth_verbose = yes
default_client_limit = 3500
default_process_limit = 500
# The PLAIN/LOGIN mechanisms above are accepted even on connections without TLS;
# nothing in this output shows whether non-TLS listeners are reachable from outside.
disable_plaintext_auth = no
first_valid_uid = 203
imap_client_workarounds = tb-lsub-flags tb-extra-mailbox-sep
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_save_to_detail_mailbox = yes
# Mailboxes live under the user's home directory. Dovecot creates ~/Maildir itself
# but not the home directory; the reported mkdir(/home/testuser/Maildir) failure is
# exactly that (/home is root-owned 0755, the LMTP process runs as the user).
mail_location = maildir:~/Maildir:INBOX=~/Maildir:LAYOUT=fs
mail_plugins = " fts fts_lucene"
mail_privileged_group = mail
maildir_very_dirty_syncs = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mbox_write_locks = fcntl
namespace inbox {
 inbox = yes
 list = yes
 location = 
 mailbox Drafts {
   auto = subscribe
   special_use = \Drafts
 }
 mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   auto = subscribe
   special_use = \Sent
 }
 mailbox Trash {
   auto = subscribe
   special_use = \Trash
 }
 prefix = 
 separator = /
 type = private
}
# PAM passdb; "session=yes" opens a PAM session after a successful PAM authentication
# (the pam_unix(dovecot:session) entries in the report). NOTE(review): the LMTP
# delivery in the report logs no PAM activity at all - presumably a delivery never
# authenticates through the passdb and only does the userdb lookup below, in which
# case session=yes (and with it pam_oddjob_mkhomedir.so) never runs for LMTP; confirm.
passdb {
 args = session=yes dovecot
 driver = pam
}
plugin {
 autocreate = Junk
 autocreate2 = Sent
 autocreate3 = Drafts
 autocreate4 = Trash
 autosubscribe = Junk
 autosubscribe2 = Sent
 autosubscribe3 = Drafts
 autosubscribe4 = Trash
 # FTS backend is lucene; see the per-protocol mail_plugins below, which also load fts_squat.
 fts = lucene
 fts_lucene = whitespace_chars=@.
 imapsieve_mailbox1_before = file:/usr/lib64/dovecot/sieve/report-spam.sieve
 imapsieve_mailbox1_causes = COPY
 imapsieve_mailbox1_name = Junk
 imapsieve_mailbox2_before = file:/usr/lib64/dovecot/sieve/report-ham.sieve
 imapsieve_mailbox2_causes = COPY
 imapsieve_mailbox2_from = Junk
 imapsieve_mailbox2_name = *
 # Per-user sieve scripts are also stored in the home directory.
 sieve = file:~/sieve;active=~/roundcube.sieve
 sieve_before = /var/lib/sieve/junk.sieve
 sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
 sieve_pipe_bin_dir = /usr/lib64/dovecot/sieve
 sieve_plugins = sieve_imapsieve sieve_extprograms
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %v.%u
protocols = imap pop3 lmtp sieve
service auth {
 # Auth socket for Postfix (SASL), restricted to the postfix user/group.
 unix_listener /var/spool/postfix/private/dovecot-auth {
   group = postfix
   mode = 0660
   user = postfix
 }
 # Master auth socket (auth_socket_path above), writable by every member of group
 # "user" (mode 0660). NOTE(review): presumably intended for the LDA/webmail; verify that
 # group membership is really meant to be that broad.
 unix_listener auth-master {
   group = user
   mode = 0660
   user = root
 }
}
service lmtp {
 # LMTP socket for Postfix; owner-only (0600), postfix user.
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
   group = postfix
   mode = 0600
   user = postfix
 }
}
ssl_cert = </etc/letsencrypt/live/webmail.example.com/fullchain.pem
# doveconf -n redacts the key path; it is not missing from the real config.
ssl_key =  # hidden, use -P to show it
syslog_facility = local0
# Users come from the system passwd database (home directory, uid/gid); no PAM involved.
userdb {
 driver = passwd
}
valid_chroot_dirs = /var/mail:/home
protocol lmtp {
 # No fsync() of written mail files - presumably a deliberate durability trade-off.
 mail_fsync = never
 mail_plugins = " fts fts_lucene sieve"
 postmaster_address = postmaster at example.com
}
protocol lda {
 mail_fsync = never
 mail_plugins = " fts fts_lucene sieve expire"
}
protocol imap {
 mail_max_userip_connections = 25
 # "fts" is listed twice and both fts_lucene and fts_squat are loaded although
 # plugin { fts = lucene }; presumably a leftover from an earlier setup - confirm.
 mail_plugins = " fts fts_lucene fts fts_squat expire imap_sieve"
}
protocol sieve {
 # Overrides the top-level managesieve_* settings for the ManageSieve service.
 managesieve_notify_capability = mailto
 managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
}
protocol pop3 {
 mail_max_userip_connections = 20
 # Same duplicated fts / fts_squat list as in protocol imap.
 mail_plugins = " fts fts_lucene fts fts_squat expire"
}

