Andreas Ntaflos
2010-Nov-25 18:31 UTC
[Dovecot] Static userdb with LDAP passdb but without "allow_all_users=yes"?
Hi,

Is it possible to have a static user database along with an LDAP password database and *not* be forced to set "allow_all_users=yes" for the userdb? The wiki page on static user database says "Normally static userdb handles this by doing a passdb lookup instead." How should the passdb behave in order for this to work?

In my tests (on a test server) I am using Dovecot 2.0.7 and Postfix 2.7.0 on Ubuntu 10.04.1. I use (or am trying to use) LMTP with Dovecot and Postfix according to the HOWTO in the wiki [1] as well as dynamic address verification with LMTP [2]. Users are virtual, using a static userdb and passwords from LDAP. I also serve local system users, which is why I also have userdb and passdb pam, but this isn't the issue here.

Delivering mail to an existing virtual user works fine as far as I can see, but when a non-existent user is the recipient Dovecot complains that the passdb doesn't support lookups:

postfix/smtpd[26469]: connect from remote-smtp.example.net[10.0.0.10]
postfix/cleanup[26474]: 772A760B25: message-id=<20101125172409.772A760B25 at mailtest.example.com>
postfix/qmgr[27672]: 772A760B25: from=<double-bounce at mailtest.example.com>, size=276, nrcpt=1 (queue active)
dovecot: lmtp(22109): Connect from local
dovecot: auth: Error: static(not-a-user at test01.example.com): passdb doesn't support lookups, can't verify user's existence
dovecot: lmtp(22109): Error: user not-a-user at test01.example.com: Auth USER lookup failed
dovecot: lmtp(22109): Disconnect from local: Client quit
postfix/lmtp[26475]: 772A760B25: to=<not-a-user at test01.example.com>, relay=mailtest.example.com[private/dovecot-lmtp], delay=0.18, delays=0.17/0.01/0/0, dsn=4.3.0, status=undeliverable (host mailtest.example.com[private/dovecot-lmtp] said: 451 4.3.0 <not-a-user at test01.example.com> Internal error occurred. Refer to server log for more information. (in reply to RCPT TO command))
postfix/qmgr[27672]: 772A760B25: removed
postfix/smtpd[26469]: NOQUEUE: reject: RCPT from remote-smtp.example.net[10.0.0.10]: 450 4.1.1 <not-a-user at test01.example.com>: Recipient address rejected: unverified address: host mailtest.example.com[private/dovecot-lmtp] said: 451 4.3.0 <not-a-user at test01.example.com> Internal error occurred. Refer to server log for more information. (in reply to RCPT TO command); from=<andreas.ntaflos at example.net> to=<not-a-user at test01.example.com> proto=ESMTP helo=<remote-smtp.example.net>
postfix/smtpd[26469]: disconnect from remote-smtp.example.net[10.0.0.10]

I've uploaded this log file excerpt for your viewing convenience to https://daff.pseudoterminal.org/misc/dovecot/failed_delivery.log

More relevant information (doveconf -n, dovecot-ldap.conf) is found below. I can also provide a log excerpt from a successful delivery to an existing virtual user, if needed.

To summarise: I want to use LMTP, dynamic address verification, a static user database and an LDAP password database. Can it be done without having to rely on the MTA (Postfix) to verify existing users?

Thanks in advance!

Andreas

[1] http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
[2] http://wiki2.dovecot.org/LDA/Postfix

dovecot-ldap.conf:

uris = ldap://ldap.example.com:389
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
base = ou=virtualDomains,dc=example,dc=com
dn = uid=dovecot,ou=services,dc=example,dc=com
dnpass = xxx
pass_attrs=uid=user, userPassword=password
pass_filter=(&(objectClass=hostedAccount)(uid=%u)(accountEnabled=TRUE))
iterate_attrs = uid=user
iterate_filter = (objectClass=hostedAccount)

doveconf -n: https://daff.pseudoterminal.org/misc/dovecot/doveconf-n.txt

-- 
Andreas Ntaflos
Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
Timo Sirainen
2010-Nov-26 16:30 UTC
[Dovecot] Static userdb with LDAP passdb but without "allow_all_users=yes"?
On Thu, 2010-11-25 at 19:31 +0100, Andreas Ntaflos wrote:
> Is it possible to have a static user database along with an LDAP
> password database and *not* be forced to set "allow_all_users=yes" for
> the userdb?

Yes.

> dovecot: auth: Error: static(not-a-user at test01.example.com): passdb
> doesn't support lookups, can't verify user's existence

Set auth_debug=yes and see what it logs. passdb ldap should support it, as long as you don't set auth_bind=yes. I just verified that it works:

Nov 26 16:28:57 auth: Debug: master in: USER 1 tss service=lda
Nov 26 16:28:57 auth: Debug: ldap(tss): pass search: base=ou=people,dc=example,dc=com scope=subtree filter=(&(objectClass=posixAccount)(uid=tss)) fields=uid,userPassword
Nov 26 16:28:57 auth: Debug: ldap(tss): result: uid(user)=tss userPassword(password)=pass
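The two variants this thread contrasts, written out as an added example that is not from either poster: the allow_all_users setting that pushes recipient verification onto Postfix, and the search-based LDAP passdb that lets the static userdb verify users itself. The vmail uid/gid, the /var/vmail home layout and the config file path are assumptions.

```conf
# Added example (not from the thread). Assumed values: uid/gid vmail,
# home under /var/vmail, ldap settings in /etc/dovecot/dovecot-ldap.conf.

# Weak variant: the static userdb answers "exists" for every address, so
# mail for unknown users is accepted by LMTP unless the MTA checks first.
#userdb {
#  driver = static
#  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
#}

# Preferred variant: no allow_all_users. For LMTP the static userdb does
# a passdb lookup, so an unknown user is rejected by Dovecot itself.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

# In /etc/dovecot/dovecot-ldap.conf the passdb must search rather than
# bind, and return the password attribute, or the lookup above fails
# with "passdb doesn't support lookups":
#   auth_bind = no
#   pass_attrs = uid=user, userPassword=password
#   pass_filter = (&(objectClass=hostedAccount)(uid=%u)(accountEnabled=TRUE))
```

With auth_bind off the dn account in dovecot-ldap.conf reads userPassword for every user, so its dnpass and the LDAP ACLs granting that read deserve the same care as the hashes themselves.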