[SOLVED] Re: LMTP Post login script for acl_groups

lists at mlserv.org lists at mlserv.org
Thu Aug 29 12:18:59 EEST 2019



> On 28.08.2019 at 20:02, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
> 
> 
>> On 28/08/2019 21:01 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>> 
>> 
>>> On 28.08.2019 at 19:46, Jakobus Schürz via dovecot <dovecot at dovecot.org> wrote:
>>> 
>>> I think I had the same problem as you.
>>> 
>>> When dovecot runs lmtp, no user is logged in, so there is no user from
>>> which you can get groups. So I think my solution is (not really sure
>>> if this is right, it's a long time ago that I played around) this transport
>>> in exim for local delivery
>>> 
>>> dovecot_delivery:
>>>  debug_print = "T: dovecot_delivery_pipe for $local_part@$domain
>>> translates to GET_LOCAL_MAIL"
>>>  driver = pipe
>>>  command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
>>>  message_prefix =
>>>  message_suffix =
>>>  delivery_date_add
>>>  envelope_to_add
>>>  return_path_add
>>>  log_output
>>>  user = MAILUSER
>>>  group = MAILUSER
>>> 
>>> I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and
>>> MAILUSER are macros which get the email address and the mail user for the
>>> receiving email address.
>>> 
>>> GET_LOCAL_MAIL could be $local_part@$domain
>>> MAILUSER is vmail in my setup, the user who owns all mailboxes
>>> 
>>> /usr/lib/dovecot/deliver is an alternative to LMTP delivery.
>> 
>> Unfortunately, this way Postfix and Dovecot need to run on the same host.
>> 
>> I wonder, if this is a LMTP or Sieve issue. Maybe something can be done in sieve configuration to solve this?
>> 
>> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>> 
>> Thanks
>> 
>> Christian
> 
> It could be possible to solve this with auth lua script that would allow returning the acl groups as a string, instead of using post-login script.

I finally got it working with Lua.

Changes to the auth-ldap.conf.ext file:
--------------------------------------------------
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext

  # Fetch acl_groups from LDAP with the Lua userdb script
  skip = never
  result_success = continue
  result_failure = return-fail

  # Default fields can be used to specify defaults that LDAP may override
  #default_fields = home=/home/virtual/%u
}
--------------------------------------------------

I created this auth-lua.conf.ext:
--------------------------------------------------
# https://wiki.dovecot.org/AuthDatabase/Lua

userdb {
   driver = lua
   args = file=/etc/dovecot/dovecot-auth-userdb.lua  blocking=yes
}
--------------------------------------------------

I added it in 10-auth.conf behind the LDAP auth include statement.

The Lua script looks like this:
--------------------------------------------------
require('io')

function auth_userdb_lookup(req)
  local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
  local base = "ou=people,ou=it,dc=roessner-net,dc=de"
  local binddn = "cn=dovecot," .. base

  -- The username ends up inside a shell command line and an LDAP filter,
  -- so only accept the characters a mailbox name needs and reject the rest
  -- (quotes, parentheses, '*', whitespace, ...) before building the command.
  if req.user == nil or not req.user:match("^[%w%.%-_@]+$") then
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid username"
  end

  local cmd = [=[
    /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
      grep rnsMSACLGroup | \
      awk -vORS=, '{ print \$2 }' | \
      sed 's/,$/\n/'"
  ]=]

  -- Fill in the $placeholders in one pass; unknown names ($2, $/) are kept as-is
  cmd = cmd:gsub('$(%w+)', {
    bindpwfile = bindpwfile, binddn = binddn, base = base, user = req.user
  })

  local handle = io.popen(cmd)
  local acl_groups = handle:read("*a")
  handle:close()

  -- sed leaves a trailing newline; strip it so it is not taken as part of
  -- the last group name
  acl_groups = acl_groups:gsub("%s+$", "")

  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
end

function script_init()
  return 0
end

function script_deinit()
end

-- vim: expandtab ts=2 sw=2
--------------------------------------------------

And this works for me :-)

Many thanks

Christian
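As an added example (not the script from the post above), this is a hardened variant of the same userdb lookup: it escapes the username for the LDAP filter per RFC 4515 and shell-quotes every argument instead of rejecting unusual names, and it parses the ldapsearch output in Lua rather than through grep/awk/sed, so group names with spaces survive. It assumes the same ldapsearch CLI, attribute names and bind settings, the Dovecot Lua constants USERDB_RESULT_USER_UNKNOWN and USERDB_RESULT_INTERNAL_FAILURE, and Lua 5.2+ semantics for io.popen():close(); script_init/script_deinit stay as posted.

```lua
-- Added example (not the original post's script): hardened lookup with the
-- same ldapsearch CLI, attribute names and bind settings as above.

-- Escape a value for an LDAP search filter (RFC 4515): ( ) * and \ become
-- \XX hex escapes, so they cannot change the structure of the filter.
local function ldap_filter_escape(s)
  return (s:gsub("[%(%)%*\\]", function(c)
    return string.format("\\%02x", c:byte())
  end))
end

-- Quote one argument for POSIX sh so it reaches ldapsearch literally.
local function sh_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Collect every rnsMSACLGroup value from ldapsearch -LLL output.
-- Base64 ("::") values and folded continuation lines are not handled.
local function parse_groups(ldif)
  local groups = {}
  for value in ("\n" .. ldif):gmatch("\nrnsMSACLGroup: ([^\n]*)") do
    groups[#groups + 1] = value
  end
  return table.concat(groups, ",")
end

function auth_userdb_lookup(req)
  local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
  local base = "ou=people,ou=it,dc=roessner-net,dc=de"
  local binddn = "cn=dovecot," .. base
  local user = req.user or ""
  -- Refuse empty names and control characters (including NUL) outright.
  if user == "" or user:find("%c") then
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid username"
  end
  local filter = "(rnsMSDovecotUser=" .. ldap_filter_escape(user) .. ")"
  local cmd = table.concat({
    "ldapsearch", "-LLL", "-ZZ", "-x",
    "-y", sh_quote(bindpwfile), "-D", sh_quote(binddn),
    "-b", sh_quote(base), sh_quote(filter), "rnsMSACLGroup",
  }, " ")
  local handle = io.popen(cmd)
  local out = handle:read("*a")
  local ok = handle:close()  -- Lua 5.2+: nil if ldapsearch exited non-zero
  if not ok then
    return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "ldapsearch failed"
  end
  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. parse_groups(out)
end
```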

