[SOLVED] LMTP Post login script for acl_groups
lists at mlserv.org
Tue Sep 3 10:59:12 EEST 2019
On 30.08.2019 at 08:10, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>
>
> On 29.8.2019 12.30, R.N.S. via dovecot wrote:
>>
>>> On 29.08.2019 at 11:23, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>>>
>>>
>>> On 29.8.2019 12.18, R.N.S. via dovecot wrote:
>>>>> On 28.08.2019 at 20:02, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>>>>>
>>>>>
>>>>>> On 28/08/2019 21:01 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>>>>>>
>>>>>>
>>>>>>> On 28.08.2019 at 19:46, Jakobus Schürz via dovecot <dovecot at dovecot.org> wrote:
>>>>>>>
>>>>>>> I think I had the same problem as you.
>>>>>>>
>>>>>>> When dovecot runs lmtp, no user is logged in, so there is no user from
>>>>>>> which you can get groups. So I think my solution is (not really sure
>>>>>>> if this is right, it's a long time ago that I played around) this transport
>>>>>>> in exim for local delivery
>>>>>>>
>>>>>>> dovecot_delivery:
>>>>>>> debug_print = "T: dovecot_delivery_pipe for $local_part@$domain
>>>>>>> translates to GET_LOCAL_MAIL"
>>>>>>> driver = pipe
>>>>>>> command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
>>>>>>> message_prefix =
>>>>>>> message_suffix =
>>>>>>> delivery_date_add
>>>>>>> envelope_to_add
>>>>>>> return_path_add
>>>>>>> log_output
>>>>>>> user = MAILUSER
>>>>>>> group = MAILUSER
>>>>>>>
>>>>>>> I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and
>>>>>>> MAILUSER are macros which get the email address and the mail user for the
>>>>>>> receiving email address.
>>>>>>>
>>>>>>> GET_LOCAL_MAIL could be $local_part@$domain
>>>>>>> MAILUSER is vmail in my setup, the user who owns all mailboxes
>>>>>>>
>>>>>>> /usr/lib/dovecot/deliver is an alternative for the lmtp-delivery.
>>>>>> Unfortunately this way Postfix and Dovecot need to run on the same host.
>>>>>>
>>>>>> I wonder, if this is a LMTP or Sieve issue. Maybe something can be done in sieve configuration to solve this?
>>>>>>
>>>>>> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Christian
>>>>> It could be possible to solve this with auth lua script that would allow returning the acl groups as a string, instead of using post-login script.
>>>> I finally got it working with Lua.
>>>>
>>>> Changes to the auth-ldap.conf.ext file:
>>>> --------------------------------------------------
>>>> userdb {
>>>> driver = ldap
>>>> args = /etc/dovecot/dovecot-ldap.conf.ext
>>>>
>>>> # Fetch acl_groups from LDAP with the Lua userdb script
>>>> skip = never
>>>> result_success = continue
>>>> result_failure = return-fail
>>>>
>>>> # Default fields can be used to specify defaults that LDAP may override
>>>> #default_fields = home=/home/virtual/%u
>>>> }
>>>> --------------------------------------------------
>>>>
>>>> I created this auth-lua.conf.ext:
>>>> --------------------------------------------------
>>>> # https://wiki.dovecot.org/AuthDatabase/Lua
>>>>
>>>> userdb {
>>>> driver = lua
>>>> args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
>>>> }
>>>> --------------------------------------------------
>>>>
>>>> I added it in 10-auth.conf behind the LDAP auth include statement.
>>>>
>>>> The Lua script looks like this:
>>>> --------------------------------------------------
>>>> require('io')
>>>>
>>>> function auth_userdb_lookup(req)
>>>> local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
>>>> local base = "ou=people,ou=it,dc=roessner-net,dc=de"
>>>> local binddn = "cn=dovecot," .. base
>>>>
>>>> -- The username is interpolated into a shell command below, so only
>>>> -- accept characters that are harmless there and in the LDAP filter.
>>>> if not req.user:match("^[%w%.%-_@]+$") then
>>>> return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid username"
>>>> end
>>>>
>>>> -- ldapsearch prints one "rnsMSACLGroup: value" line per group; the
>>>> -- pipeline joins the values with commas and strips the last comma.
>>>> local cmd = [=[
>>>> /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
>>>> grep rnsMSACLGroup | \
>>>> awk -vORS=, '{ print \$2 }' | \
>>>> sed 's/,$/\n/'"
>>>> ]=]
>>>>
>>>> -- Substitute the $placeholders in one pass; "$2" in the awk program is
>>>> -- left untouched because it has no entry in the table.
>>>> cmd = cmd:gsub('$(%w+)', {
>>>> bindpwfile = bindpwfile, binddn = binddn, base = base, user = req.user })
>>>>
>>>> local handle = io.popen(cmd)
>>>> local acl_groups = handle:read("*a")
>>>> handle:close()
>>>>
>>>> -- read("*a") keeps the trailing newline; strip it so the last group
>>>> -- name is not returned with a newline attached.
>>>> acl_groups = acl_groups:gsub("%s+$", "")
>>>>
>>>> return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
>>>> end
>>>>
>>>> function script_init()
>>>> return 0
>>>> end
>>>>
>>>> function script_deinit()
>>>> end
>>>>
>>>> -- vim: expandtab ts=2 sw=2
>>>> --------------------------------------------------
>>>>
>>>> And this works for me :-)
>>>>
>>>> Many thanks
>>>>
>>>> Christian
>>> There really is no LDAP module for your LUA?
>> I was too early with success :-(
>>
>> Even the doveadm acl debug command shows that I would have all rights, mails are inserted into the INBOX :-(
>>
>> ...
>> doveadm(lists at srvint.net): Info: User lists at srvint.net has rights: lookup read write write-seen write-deleted insert post expunge
>> doveadm(lists at srvint.net): Info: Mailbox found from dovecot-acl-list
>> doveadm(lists at srvint.net): Info: Mailbox is in public namespace
>> doveadm(lists at srvint.net): Info: Mailbox Public/Mailinglisten/Dovecot is visible in LIST
>>
>> Why can't LMTP/Sieve insert the Mail to that place?
>>
>> If I use an LDAP attribute with a comma separated list in the dovecot-ldap.conf.ext file, everything works. So what is different with the second Lua backend?
>>
>> It is really a pain that acl_groups does not simply support multi values.
>>
>> Maybe I will spend some more time on the Lua LDAP module, but for now, it is really frustrating.
>>
>> Christian
>
> I am not seeing that sieve can't insert the mail. Can you try enabling
> mail_debug=yes and try again?
The Lua script works. It was a minor bug in it. With the second userdb backend all problems are solved.
Christian
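An added example, not Christian's script or anything from the Dovecot project, of the same Lua userdb lookup with the username validated before it reaches the shell, every ldapsearch argument single-quoted, the exit status checked, and the LDIF output parsed in Lua instead of grep/awk/sed. The attribute names and base DN are taken from the thread; the secret path and bind DN are placeholders.

```lua
-- Added example (not the script from the thread): acl_groups from LDAP for
-- Dovecot's Lua userdb. Paths and bind DN are placeholders; the username is
-- restricted to [A-Za-z0-9._-@], so no LDAP filter metacharacter can get in.
local BINDPW_FILE = "/etc/dovecot/ldap-auth-userdb.secret"
local BASE = "ou=people,ou=it,dc=roessner-net,dc=de"
local BINDDN = "cn=dovecot," .. BASE

-- Single-quote a value for /bin/sh so nothing inside it is interpreted.
local function sh_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Collect every value of `attr` from ldapsearch -LLL output, honouring LDIF
-- line folding (continuation lines start with one space); "attr::" base64
-- values are skipped rather than decoded.
local function ldif_values(ldif, attr)
  local values, last = {}, nil
  for line in (ldif .. "\n"):gmatch("(.-)\r?\n") do
    if line:sub(1, 1) == " " and last then
      values[last] = values[last] .. line:sub(2)
    else
      local name, b64, value = line:match("^([%w%-]+):(:?)%s*(.*)$")
      last = nil
      if name and b64 == "" and name:lower() == attr:lower() then
        values[#values + 1] = value
        last = #values
      end
    end
  end
  return values
end

function auth_userdb_lookup(req)
  if not req.user:match("^[%w%.%-_@]+$") then
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid username"
  end
  local filter = "(rnsMSDovecotUser=" .. req.user .. ")"
  local cmd = table.concat({ "ldapsearch -LLL -ZZ -y", sh_quote(BINDPW_FILE),
    "-xD", sh_quote(BINDDN), "-b", sh_quote(BASE), sh_quote(filter),
    "rnsMSACLGroup" }, " ")
  local handle = io.popen(cmd)
  local out = handle:read("*a")
  if not handle:close() then  -- nil on Lua 5.2+ when ldapsearch exits non-zero
    return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "ldapsearch failed"
  end
  local groups = ldif_values(out, "rnsMSACLGroup")
  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. table.concat(groups, ",")
end

function script_init() return 0 end
function script_deinit() end
```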