LMTP Post login script for acl_groups

lists at mlserv.org lists at mlserv.org
Wed Aug 28 15:52:51 EEST 2019


Hi,

I use a post-login script for imap to fetch ACL groups from LDAP. Because Dovecot can only deal with a single value, which must be a comma-separated list of groups, I decided to use a post-login script to deal with multi-valued attributes in LDAP:

This looks like this in LDAP:

rnsMSACLGroup: admin
rnsMSACLGroup: automx
rnsMSACLGroup: amavis
rnsMSACLGroup: postfix
rnsMSACLGroup: dovecot
rnsMSACLGroup: rspamd
rnsMSACLGroup: powerdns
rnsMSACLGroup: sogo
rnsMSACLGroup: zabbix
rnsMSACLGroup: dane-users
rnsMSACLGroup: gentoo
rnsMSACLGroup: openbsd

My post login script looks like this:

---------------------------------------------------------
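#!/bin/sh
# Dovecot post-login hook: look up the user's ACL groups in LDAP and pass
# them to the mail process as the acl_groups userdb field.
#
# Dovecot accepts acl_groups only as one comma-separated string, while the
# directory stores one rnsMSACLGroup value per group, so the values are
# joined here.  Environment contract (provided by Dovecot's script-login):
#   USER         - the logged-in user, used as the LDAP search key
#   USERDB_KEYS  - extended with "acl_groups" so Dovecot reads ACL_GROUPS
#   "$@"         - the real mail process to exec once the lookup is done
# A failed lookup leaves ACL_GROUPS empty; the mail process is still started.

BINDDN='cn=dovecot-postlogin,ou=people,ou=it,dc=roessner-net,dc=de'
BINDPWFILE='/etc/dovecot/ldap-postlogin.secret'
BASE='ou=people,ou=it,dc=roessner-net,dc=de'
ATTR='rnsMSACLGroup'

# Absolute paths: do not depend on PATH in the post-login environment.
LDAPSEARCH="/usr/bin/ldapsearch"
AWK="/usr/bin/awk"

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
# backslash, asterisk and parentheses become \5c, \2a, \28 and \29.  Backslash
# is handled first so the escapes produced afterwards are not escaped twice.
# Without this, a user name containing filter metacharacters would change the
# meaning of the filter the script builds.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
ldap_filter_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Join the ATTR values of an LDIF stream on stdin into one comma-separated
# string.  Only plain "ATTR: value" lines are used; base64-encoded values
# ("ATTR:: ...") are skipped on purpose, because their encoded form would
# otherwise be passed to Dovecot as a group name.
# Globals:   AWK, ATTR (read)
# Outputs:   "a,b,c" on stdout, nothing when no value was found
join_groups() {
  "${AWK}" -v attr="${ATTR}" '
    $1 == attr ":" {
      sub(/^[^:]*: */, "")
      out = (out == "") ? $0 : (out "," $0)
    }
    END { if (out != "") print out }
  '
}

# Without the lookup tools, start the mail process with no ACL groups at all.
test -x "${LDAPSEARCH}" || exec "$@"
test -x "${AWK}" || exec "$@"

SAFE_USER=$(ldap_filter_escape "${USER:-}")

ACL_GROUPS=$(
  "${LDAPSEARCH}" -LLL -ZZ -y "${BINDPWFILE}" -x -D "${BINDDN}" -b "${BASE}" \
    "(rnsMSDovecotUser=${SAFE_USER})" "${ATTR}" \
    | join_groups
)
export ACL_GROUPS
export USERDB_KEYS="${USERDB_KEYS:-} acl_groups"

exec "$@"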
---------------------------------------------------------

This script is included in imap-postlogin executables and works for logged in users.

But it does not work for LMTP. LMTP itself does not seem to have permission to access the folders associated with these groups. I thought I could simply add the imap-postlogin block to lmtp-postlogin and that would work, but it doesn't.

So here is the question:

What am I missing in Dovecot so that LMTP can also have ACL_GROUPS like the imap service does?

Here is my config (non-defaults):

---------------------------------------------------------
doveconf -n
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.19.44-gentoo x86_64 Gentoo Base System release 2.6
# Hostname: mx.roessner-net.de
auth_cache_size = 64 M
auth_master_user_separator = *
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
default_client_limit = 5000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
hostname = mail.roessner-net.de
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
imap_max_line_length = 4 M
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_access_groups = vmail
mail_attachment_dir = /var/mail/virtual/copymail/attachments
mail_gid = vmail
mail_location = sdbox:~/sdbox
mail_max_keyword_length = 4096
mail_plugins = quota acl fts fts_lucene zlib mail_log notify
mail_privileged_group = mail
mail_save_crlf = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
mdbox_preallocate_space = yes
mdbox_rotate_size = 128 M
namespace {
 list = children
 location = sdbox:%%h/sdbox
 prefix = Shared/%%u/
 separator = /
 subscriptions = no
 type = shared
}
namespace {
 hidden = no
 list = children
 location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public
 prefix = Public/
 separator = /
 subscriptions = no
 type = public
}
namespace inbox {
 inbox = yes
 location =
 mailbox Archive {
   auto = subscribe
   special_use = \Archive
 }
 mailbox "Deleted Messages" {
   special_use = \Trash
 }
 mailbox Drafts {
   auto = subscribe
   special_use = \Drafts
 }
 mailbox Junk-E-Mail {
   special_use = \Junk
 }
 mailbox Junk {
   auto = subscribe
   special_use = \Junk
 }
 mailbox Sent {
   auto = subscribe
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   special_use = \Sent
 }
 mailbox Trash {
   auto = subscribe
   special_use = \Trash
 }
 prefix =
 separator = /
 type = private
}
passdb {
 args = /etc/dovecot/master-users
 driver = passwd-file
 master = yes
 pass = yes
}
passdb {
 args = /etc/dovecot/dovecot-ldap.conf.ext
 driver = ldap
}
plugin {
 acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
 acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
 fts = lucene
 fts_autoindex = yes
 fts_lucene = whitespace_chars=@.
 imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve
 imapsieve_mailbox1_causes = COPY FLAG
 imapsieve_mailbox1_name = Junk
 imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve
 imapsieve_mailbox2_causes = COPY
 imapsieve_mailbox2_from = Junk
 imapsieve_mailbox2_name = *
 mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename
 mail_log_fields = box msgid
 quota = count:User quota
 quota_grace = 10%%
 quota_rule = *:storage=300M:messages=20000
 quota_rule2 = Trash:storage=+500M
 quota_rule3 = Sent:storage=+2G
 quota_rule4 = Archive:storage=+2G
 quota_status_nouser = DUNNO
 quota_status_overquota = 552 5.2.2 Mailbox is full
 quota_status_success = DUNNO
 quota_vsizes = yes
 quota_warning = storage=95%% quota-warning 95 %u
 quota_warning2 = storage=80%% quota-warning 80 %u
 quota_warning3 = -storage=100%% quota-warning below %u
 sieve = file:~/sieve;active=~/.dovecot.sieve
 sieve_after = /etc/dovecot/sieve/after
 sieve_before = /etc/dovecot/sieve/before
 sieve_extensions = +vacation-seconds
 sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug
 sieve_pipe_bin_dir = /usr/bin
 sieve_plugins = sieve_imapsieve sieve_extprograms
 sieve_vacation_default_period = 10d
 sieve_vacation_max_period = 30d
 sieve_vacation_min_period = 1h
 zlib_save = gz
 zlib_save_level = 6
}
protocols = imap pop3 lmtp submission sieve
service auth-worker {
 extra_groups = ssl-cert
 unix_listener auth-worker {
   mode = 0600
   user = vmail
 }
 user = vmail
}
service auth {
 extra_groups = ssl-cert
 unix_listener /var/spool/postfix-submission/private/auth {
   group = postfix
   mode = 0666
   user = postfix
 }
 unix_listener auth-userdb {
   mode = 0600
   user = vmail
 }
 user = vmail
}
service config {
 unix_listener config {
   mode = 0600
   user = vmail
 }
}
service dict {
 unix_listener dict {
   mode = 0600
   user = vmail
 }
}
service imap-login {
 inet_listener imap {
   address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
 }
 inet_listener imaps {
   port = 0
 }
}
service imap-postlogin {
 executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh /usr/local/bin/dovecot-aclgroups.sh
 user = vmail
}
service imap {
 executable = imap imap-postlogin
}
service lmtp-postlogin {
 executable = script-login /usr/local/bin/dovecot-aclgroups.sh
 user = vmail
}
service lmtp {
 executable = lmtp lmtp-postlogin
 inet_listener lmtp {
   address = 127.0.0.1
   port = 24
 }
 unix_listener /var/spool/postfix/private/lmtp-dovecot {
   group = postfix
   mode = 0660
   user = postfix
 }
}
service managesieve-login {
 inet_listener sieve {
   address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
 }
}
service pop3-login {
 inet_listener pop3 {
   address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
 }
 inet_listener pop3s {
   port = 0
 }
}
service quota-status {
 client_limit = 1
 executable = quota-status -p postfix
 inet_listener {
   address = 127.0.0.1
   port = 12340
 }
}
service quota-warning {
 executable = script /usr/local/bin/quota-warning.sh
 extra_groups = mail
 unix_listener quota-warning {
   group = vmail
   mode = 0600
   user = vmail
 }
 user = vmail
}
ssl_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
ssl_client_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_client_key = # hidden, use -P to show it
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_relay_host = mail.roessner-net.de
submission_relay_port = 5870
submission_relay_ssl = starttls
submission_relay_trusted = yes
userdb {
 args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
 driver = ldap
}
verbose_proctitle = yes
protocol lmtp {
 mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol lda {
 mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol imap {
 mail_max_userip_connections = 50
 mail_plugins = quota acl fts fts_lucene zlib mail_log notify imap_quota imap_acl imap_zlib imap_sieve
}
protocol submission {
 login_greeting = ESMTP
}
---------------------------------------------------------

Thanks for any help in advance

Christian

