LMTP Post login script for acl_groups
lists at mlserv.org
lists at mlserv.org
Wed Aug 28 15:52:51 EEST 2019
Hi,
I use a post login script for imap, to fetch acl groups from LDAP. Because Dovecot can only deal with a single value, which must be a comma seperated list of groups, I decided to use a post login script do deal with multi values in LDAP:
This looks like this in LDAP:
rnsMSACLGroup: admin
rnsMSACLGroup: automx
rnsMSACLGroup: amavis
rnsMSACLGroup: postfix
rnsMSACLGroup: dovecot
rnsMSACLGroup: rspamd
rnsMSACLGroup: powerdns
rnsMSACLGroup: sogo
rnsMSACLGroup: zabbix
rnsMSACLGroup: dane-users
rnsMSACLGroup: gentoo
rnsMSACLGroup: openbsd
My post login script looks like this:
---------------------------------------------------------
#!/bin/sh
BINDDN='cn=dovecot-postlogin,ou=people,ou=it,dc=roessner-net,dc=de'
BINDPWFILE='/etc/dovecot/ldap-postlogin.secret'
BASE='ou=people,ou=it,dc=roessner-net,dc=de'
LDAPSEARCH="/usr/bin/ldapsearch"
AWK="/usr/bin/awk"
test -x ${LDAPSEARCH} || exec "$@"
test -x ${AWK} || exec "$@"
ACL_GROUPS=$(
${LDAPSEARCH} -LLL -ZZ -y ${BINDPWFILE} -xD ${BINDDN} -b ${BASE} "(rnsMSDovecotUser=${USER})" rnsMSACLGroup | \
grep rnsMSACLGroup | \
${AWK} -vORS=, '{ print $2 }' | \
sed 's/,$/\n/'
)
export ACL_GROUPS
export USERDB_KEYS="${USERDB_KEYS} acl_groups"
exec "$@"
---------------------------------------------------------
This script is included in imap-postlogin executables and works for logged in users.
But it does not work for LMTP. LMTP itself seems not to have any permissions to access the folders associated with these groups. I thought, I simply could add the imap-postlogin block to lmtp-postlogin and that would work, but it doesn't.
So here is the question:
What am I missing in Dovecot that LMTP can also have ACL_GROUPS like the imap service?
Here is my config (non-defaults):
---------------------------------------------------------
doveconf -n
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.19.44-gentoo x86_64 Gentoo Base System release 2.6
# Hostname: mx.roessner-net.de
auth_cache_size = 64 M
auth_master_user_separator = *
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
default_client_limit = 5000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
hostname = mail.roessner-net.de
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
imap_max_line_length = 4 M
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_access_groups = vmail
mail_attachment_dir = /var/mail/virtual/copymail/attachments
mail_gid = vmail
mail_location = sdbox:~/sdbox
mail_max_keyword_length = 4096
mail_plugins = quota acl fts fts_lucene zlib mail_log notify
mail_privileged_group = mail
mail_save_crlf = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
mdbox_preallocate_space = yes
mdbox_rotate_size = 128 M
namespace {
list = children
location = sdbox:%%h/sdbox
prefix = Shared/%%u/
separator = /
subscriptions = no
type = shared
}
namespace {
hidden = no
list = children
location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public
prefix = Public/
separator = /
subscriptions = no
type = public
}
namespace inbox {
inbox = yes
location =
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox "Deleted Messages" {
special_use = \Trash
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk-E-Mail {
special_use = \Junk
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
type = private
}
passdb {
args = /etc/dovecot/master-users
driver = passwd-file
master = yes
pass = yes
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
fts = lucene
fts_autoindex = yes
fts_lucene = whitespace_chars=@.
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve
imapsieve_mailbox1_causes = COPY FLAG
imapsieve_mailbox1_name = Junk
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_name = *
mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename
mail_log_fields = box msgid
quota = count:User quota
quota_grace = 10%%
quota_rule = *:storage=300M:messages=20000
quota_rule2 = Trash:storage=+500M
quota_rule3 = Sent:storage=+2G
quota_rule4 = Archive:storage=+2G
quota_status_nouser = DUNNO
quota_status_overquota = 552 5.2.2 Mailbox is full
quota_status_success = DUNNO
quota_vsizes = yes
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=80%% quota-warning 80 %u
quota_warning3 = -storage=100%% quota-warning below %u
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_after = /etc/dovecot/sieve/after
sieve_before = /etc/dovecot/sieve/before
sieve_extensions = +vacation-seconds
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug
sieve_pipe_bin_dir = /usr/bin
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_vacation_default_period = 10d
sieve_vacation_max_period = 30d
sieve_vacation_min_period = 1h
zlib_save = gz
zlib_save_level = 6
}
protocols = imap pop3 lmtp submission sieve
service auth-worker {
extra_groups = ssl-cert
unix_listener auth-worker {
mode = 0600
user = vmail
}
user = vmail
}
service auth {
extra_groups = ssl-cert
unix_listener /var/spool/postfix-submission/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = vmail
}
service config {
unix_listener config {
mode = 0600
user = vmail
}
}
service dict {
unix_listener dict {
mode = 0600
user = vmail
}
}
service imap-login {
inet_listener imap {
address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
}
inet_listener imaps {
port = 0
}
}
service imap-postlogin {
executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh /usr/local/bin/dovecot-aclgroups.sh
user = vmail
}
service imap {
executable = imap imap-postlogin
}
service lmtp-postlogin {
executable = script-login /usr/local/bin/dovecot-aclgroups.sh
user = vmail
}
service lmtp {
executable = lmtp lmtp-postlogin
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
unix_listener /var/spool/postfix/private/lmtp-dovecot {
group = postfix
mode = 0660
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
}
}
service pop3-login {
inet_listener pop3 {
address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
}
inet_listener pop3s {
port = 0
}
}
service quota-status {
client_limit = 1
executable = quota-status -p postfix
inet_listener {
address = 127.0.0.1
port = 12340
}
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
extra_groups = mail
unix_listener quota-warning {
group = vmail
mode = 0600
user = vmail
}
user = vmail
}
ssl_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
ssl_client_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_client_key = # hidden, use -P to show it
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_relay_host = mail.roessner-net.de
submission_relay_port = 5870
submission_relay_ssl = starttls
submission_relay_trusted = yes
userdb {
args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
driver = ldap
}
verbose_proctitle = yes
protocol lmtp {
mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol lda {
mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol imap {
mail_max_userip_connections = 50
mail_plugins = quota acl fts fts_lucene zlib mail_log notify imap_quota imap_acl imap_zlib imap_sieve
}
protocol submission {
login_greeting = ESMTP
}
---------------------------------------------------------
Thanks for any help in advance
Christian
More information about the dovecot
mailing list