[SOLVED] Re: LMTP Post login script for acl_groups
lists at mlserv.org
lists at mlserv.org
Thu Aug 29 12:58:55 EEST 2019
> Am 29.08.2019 um 11:30 schrieb R.N.S. via dovecot <dovecot at dovecot.org>:
>
>
>
>> Am 29.08.2019 um 11:23 schrieb Aki Tuomi via dovecot <dovecot at dovecot.org>:
>>
>>
>> On 29.8.2019 12.18, R.N.S. via dovecot wrote:
>>>
>>>> Am 28.08.2019 um 20:02 schrieb Aki Tuomi via dovecot <dovecot at dovecot.org>:
>>>>
>>>>
>>>>> On 28/08/2019 21:01 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>>>>>
>>>>>
>>>>>> Am 28.08.2019 um 19:46 schrieb Jakobus Schürz via dovecot <dovecot at dovecot.org>:
>>>>>>
>>>>>> I think, i had the same problem as you.
>>>>>>
>>>>>> When dovecot runs lmtp, no user is logged in, so there is no user from
>>>>>> which you can get groups. So i think, my solution is (not really sure,
>>>>>> if this is right, it's a long time ago, i played around) this transport
>>>>>> in exim for local delivery
>>>>>>
>>>>>> dovecot_delivery:
>>>>>> debug_print = "T: dovecot_delivery_pipe for $local_part@$domain
>>>>>> translates to GET_LOCAL_MAIL"
>>>>>> driver = pipe
>>>>>> command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
>>>>>> message_prefix =
>>>>>> message_suffix =
>>>>>> delivery_date_add
>>>>>> envelope_to_add
>>>>>> return_path_add
>>>>>> log_output
>>>>>> user = MAILUSER
>>>>>> group = MAILUSER
>>>>>>
>>>>>> I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and
>>>>>> MAILUSER are makros which get the email-adress and the mailuser for the
>>>>>> receiving emailadress.
>>>>>>
>>>>>> GET_LOCAL_MAIL could be $local_part@$domain
>>>>>> MAILUSER is vmail in my setup, the user who owns all mailboxes
>>>>>>
>>>>>> /usr/lib/dovecot/deliver is an alternative for the lmtp-delivery.
>>>>> Unfortunately this way Postfix and Dovecot need to run on the same host.
>>>>>
>>>>> I wonder, if this is a LMTP or Sieve issue. Maybe something can be done in sieve configuration to solve this?
>>>>>
>>>>> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>>>>>
>>>>> Thanks
>>>>>
>>>>> Christian
>>>> It could be possible to solve this with auth lua script that would allow returning the acl groups as a string, instead of using post-login script.
>>> I finally got it working with Lua.
>>>
>>> Changes to the auth-ldap.conf.ext file:
>>> --------------------------------------------------
>>> userdb {
>>> driver = ldap
>>> args = /etc/dovecot/dovecot-ldap.conf.ext
>>>
>>> # Fetch acl_groups from LDAP with the Lua userdb script
>>> skip = never
>>> result_success = continue
>>> result_failure = return-fail
>>>
>>> # Default fields can be used to specify defaults that LDAP may override
>>> #default_fields = home=/home/virtual/%u
>>> }
>>> --------------------------------------------------
>>>
>>> I created this auth-lua.conf.ext:
>>> --------------------------------------------------
>>> # https://wiki.dovecot.org/AuthDatabase/Lua
>>>
>>> userdb {
>>> driver = lua
>>> args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
>>> }
>>> --------------------------------------------------
>>>
>>> I added it in 10-auth.conf behind the LDAP auth include statement.
>>>
>>> The Lua script looks like this:
>>> --------------------------------------------------
>>> require('io')
>>>
>>> function auth_userdb_lookup(req)
>>> local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
>>> local base = "ou=people,ou=it,dc=roessner-net,dc=de"
>>> local binddn = "cn=dovecot," .. base
>>>
>>> local cmd = [=[
>>> /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
>>> grep rnsMSACLGroup | \
>>> awk -vORS=, '{ print \$2 }' | \
>>> sed 's/,$/\n/'"
>>> ]=]
>>>
>>> cmd = cmd:gsub('$(%w+)', { bindpwfile = bindpwfile })
>>> cmd = cmd:gsub('$(%w+)', { binddn = binddn })
>>> cmd = cmd:gsub('$(%w+)', { base = base })
>>> cmd = cmd:gsub('$(%w+)', { user = req.user })
>>>
>>> local handle = io.popen(cmd)
>>> local acl_groups = handle:read("*a")
>>>
>>> return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
>>> end
>>>
>>> function script_init()
>>> return 0
>>> end
>>>
>>> function script_deinit()
>>> end
>>>
>>> -- vim: expandtab ts=2 sw=2
>>> --------------------------------------------------
>>>
>>> And this works for me :-)
>>>
>>> Many thanks
>>>
>>> Christian
>>
>> There really is no LDAP module for your LUA?
>
> I was too early with success :-(
>
> Even the doveadm acl debug command shows that I would have all rights, mails are insert into the INBOX :-(
>
> ...
> doveadm(lists at srvint.net): Info: User lists at srvint.net has rights: lookup read write write-seen write-deleted insert post expunge
> doveadm(lists at srvint.net): Info: Mailbox found from dovecot-acl-list
> doveadm(lists at srvint.net): Info: Mailbox is in public namespace
> doveadm(lists at srvint.net): Info: Mailbox Public/Mailinglisten/Dovecot is visible in LIST
>
> Why can't LMTP/Sieve insert the Mail to that place?
>
> If I use a LDAP attribute with a comma separated list in the dovecot-ldap.conf.ext file, everything works. So what is different to the second Lua backend?
>
> It is really a pain that acl_groups does not simply support multi values.
>
> Maybe I will spend some more time for the Lua LDAP module, but for now, it is really frustrating.
Have been minor issues in the Lua script. I now will spend some time to dive into the Lua-LDAP module. For now, the posted solution works.
If I have a module that talks directly to LDAP, I will return later here and post the results.
Christian
More information about the dovecot
mailing list