[SOLVED] Re: LMTP Post login script for acl_groups

lists at mlserv.org lists at mlserv.org
Thu Aug 29 15:34:57 EEST 2019 


> Am 29.08.2019 um 11:58 schrieb R.N.S. via dovecot <dovecot at dovecot.org>:
> 
> 
> 
>> Am 29.08.2019 um 11:30 schrieb R.N.S. via dovecot <dovecot at dovecot.org>:
>> 
>> 
>> 
>>> Am 29.08.2019 um 11:23 schrieb Aki Tuomi via dovecot <dovecot at dovecot.org>:
>>> 
>>> 
>>> On 29.8.2019 12.18, R.N.S. via dovecot wrote:
>>>> 
>>>>> Am 28.08.2019 um 20:02 schrieb Aki Tuomi via dovecot <dovecot at dovecot.org>:
>>>>> 
>>>>> 
>>>>>> On 28/08/2019 21:01 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>>>>>> 
>>>>>> 
>>>>>>> Am 28.08.2019 um 19:46 schrieb Jakobus Schürz via dovecot <dovecot at dovecot.org>:
>>>>>>> 
>>>>>>> I think, i had the same problem as you.
>>>>>>> 
>>>>>>> When dovecot runs lmtp, no user is logged in, so there is no user from
>>>>>>> which you can get groups. So i think, my solution is (not really sure,
>>>>>>> if this is right, it's a long time ago, i played around) this transport
>>>>>>> in exim for local delivery
>>>>>>> 
>>>>>>> dovecot_delivery:             
>>>>>>> debug_print = "T: dovecot_delivery_pipe for $local_part@$domain
>>>>>>> translates to GET_LOCAL_MAIL"
>>>>>>> driver = pipe               
>>>>>>> command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
>>>>>>> message_prefix =
>>>>>>> message_suffix =
>>>>>>> delivery_date_add
>>>>>>> envelope_to_add             
>>>>>>> return_path_add             
>>>>>>> log_output
>>>>>>> user = MAILUSER
>>>>>>> group = MAILUSER
>>>>>>> 
>>>>>>> I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and
>>>>>>> MAILUSER are makros which get the email-adress and the mailuser for the
>>>>>>> receiving emailadress.
>>>>>>> 
>>>>>>> GET_LOCAL_MAIL could be $local_part@$domain
>>>>>>> MAILUSER is vmail in my setup, the user who owns all mailboxes
>>>>>>> 
>>>>>>> /usr/lib/dovecot/deliver is an alternative for the lmtp-delivery.
>>>>>> Unfortunately this way Postfix and Dovecot need to run on the same host.
>>>>>> 
>>>>>> I wonder, if this is a LMTP or Sieve issue. Maybe something can be done in sieve configuration to solve this?
>>>>>> 
>>>>>> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> Christian
>>>>> It could be possible to solve this with auth lua script that would allow returning the acl groups as a string, instead of using post-login script.
>>>> I finally got it working with Lua.
>>>> 
>>>> Changes to the auth-ldap.conf.ext file:
>>>> --------------------------------------------------
>>>> userdb {
>>>> driver = ldap
>>>> args = /etc/dovecot/dovecot-ldap.conf.ext
>>>> 
>>>> # Fetch acl_groups from LDAP with the Lua userdb script
>>>> skip = never
>>>> result_success = continue
>>>> result_failure = return-fail
>>>> 
>>>> # Default fields can be used to specify defaults that LDAP may override
>>>> #default_fields = home=/home/virtual/%u
>>>> }
>>>> --------------------------------------------------
>>>> 
>>>> I created this auth-lua.conf.ext:
>>>> --------------------------------------------------
>>>> # https://wiki.dovecot.org/AuthDatabase/Lua
>>>> 
>>>> userdb {
>>>> driver = lua
>>>> args = file=/etc/dovecot/dovecot-auth-userdb.lua  blocking=yes
>>>> }
>>>> --------------------------------------------------
>>>> 
>>>> I added it in 10-auth.conf behind the LDAP auth include statement.
>>>> 
>>>> The Lua script looks like this:
>>>> --------------------------------------------------
>>>> require('io')
>>>> 
>>>> function auth_userdb_lookup(req)
>>>> local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
>>>> local base = "ou=people,ou=it,dc=roessner-net,dc=de"
>>>> local binddn = "cn=dovecot," .. base
>>>> 
>>>> local cmd = [=[
>>>>  /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
>>>>    grep rnsMSACLGroup | \
>>>>    awk -vORS=, '{ print \$2 }' | \
>>>>    sed 's/,$/\n/'"
>>>> ]=]
>>>> 
>>>> cmd = cmd:gsub('$(%w+)', { bindpwfile = bindpwfile })
>>>> cmd = cmd:gsub('$(%w+)', { binddn = binddn })
>>>> cmd = cmd:gsub('$(%w+)', { base = base })
>>>> cmd = cmd:gsub('$(%w+)', { user = req.user })
>>>> 
>>>> local handle = io.popen(cmd)
>>>> local acl_groups = handle:read("*a")
>>>> 
>>>> return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
>>>> end
>>>> 
>>>> function script_init()
>>>> return 0
>>>> end
>>>> 
>>>> function script_deinit()
>>>> end
>>>> 
>>>> -- vim: expandtab ts=2 sw=2
>>>> --------------------------------------------------
>>>> 
>>>> And this works for me :-)
>>>> 
>>>> Many thanks
>>>> 
>>>> Christian
>>> 
>>> There really is no LDAP module for your LUA?
>> 
>> I was too early with success :-(
>> 
>> Even the doveadm acl debug command shows that I would have all rights, mails are insert into the INBOX :-(
>> 
>> ...
>> doveadm(lists at srvint.net): Info: User lists at srvint.net has rights: lookup read write write-seen write-deleted insert post expunge
>> doveadm(lists at srvint.net): Info: Mailbox found from dovecot-acl-list
>> doveadm(lists at srvint.net): Info: Mailbox is in public namespace
>> doveadm(lists at srvint.net): Info: Mailbox Public/Mailinglisten/Dovecot is visible in LIST
>> 
>> Why can't LMTP/Sieve insert the Mail to that place?
>> 
>> If I use a LDAP attribute with a comma separated list in the dovecot-ldap.conf.ext file, everything works. So what is different to the second Lua backend?
>> 
>> It is really a pain that acl_groups does not simply support multi values.
>> 
>> Maybe I will spend some more time for the Lua LDAP module, but for now, it is really frustrating.
> 
> Have been minor issues in the Lua script. I now will spend some time to dive into the Lua-LDAP module. For now, the posted solution works.
> 
> If I have a module that talks directly to LDAP, I will return later here and post the results.
> 
> Christian

This version uses lualdap:
--------------------------------------------------
require('io')
local ldap = require "lualdap"
assert(ldap)

-- Global LDAP settings
local uri = "ldap://db.roessner-net.de"
local cacertfile = "/etc/ssl/certs/rnscacert.pem"
local base = "ou=people,ou=it,dc=roessner-net,dc=de"
local binddn = "cn=dovecot," .. base
local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
local attrs = "rnsMSACLGroup"
local filter = "(rnsMSRecipientAddress=$user)"

function auth_userdb_lookup(req)

  -- read bind password
  local handle = io.open(bindpwfile)
  local password = handle:read("*all")
  handle:close()

  -- connect to LDAP
  local session, err = ldap.open_simple({
    uri = uri,
    who = binddn,
    password = password,
    starttls = true,
    cacertfile = cacertfile
  })
  assert(err == nil)
  assert(session)

  -- read acl_groups from LDAP
  local acl_groups = nil
  for dn, attribs in session:search{
    attrs = attrs,
    base = base,
    scope = "sub",
    filter = filter:gsub('$(%w+)', { user = req.user })
  } do
    for name, values in pairs(attribs) do
      if type(values) == "string" then
        acl_groups = values
      elseif type(values) == "table" then
        acl_groups = table.concat(values, ",")
      end
    end
  end

  dovecot.i_info("user=" .. req.user .. " acl_groups=" .. acl_groups)

  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
end

function script_init()
  return 0
end

function script_deinit()
end

-- vim: expandtab ts=2 sw=2
--------------------------------------------------

Have fun

Christian

More information about the dovecot mailing list