Dâniel Fraga
2008-Oct-03 06:22 UTC
[Dovecot] How to bypass checking of system users by virtual users?
Hi, I have one real domain (abusar.org) and the others are virtual. So I configured dovecot.conf as the following:

    # for abusar.org, real domain
    mail_location = mbox:~/.mail/:INBOX=/var/mail/%n

    # for the remaining virtual domains
    userdb static {
      args = uid=17 gid=17 home=/var/spool/virtual/%d/.home/%n mail=mbox:/var/spool/virtual/%d/home/%n:INBOX=/var/spool/virtual/%d/%n
    }

    passdb passwd-file {
      args = username_format=%n /etc/virtual/%d/passwd
    }

***

Everything works perfectly except for the fact that when virtual users authenticate, dovecot uses the configuration for real users first and then authenticates successfully with the virtual configuration, generating those annoying log error messages:

    Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
    Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=belforts at ragio.com.br rhost=201.6.150.188
    Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
    Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=belforts at telecomex.com.br rhost=201.6.150.188
    Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
    Oct 3 03:11:40 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info at mostrasocioambiental.com.br rhost=201.6.150.188
    Oct 3 03:12:00 teleporto dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
    Oct 3 03:12:00 teleporto dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=comprovante at ragio.com.br rhost=200.204.124.212

These messages happen because dovecot is trying to check virtual users in the system password file (which just contains real users and not virtual users).

So is there a way to force it to check virtual users just on the /etc/virtual/%d/passwd? I mean, if the domain is the real one, abusar.org, or it doesn't have a domain, it will check in the system passwords, but if it's some other domain except abusar.org, it should skip checking system passwords and check directly in the /etc/virtual/%d/passwd.

I just don't know how to do that. Any hints?

Thank you!

--
Linux 2.6.27-rc8: Rotary Wombat
http://u-br.net
http://www.soninha23.can.br
Timo Sirainen
2008-Oct-05 11:26 UTC
[Dovecot] How to bypass checking of system users by virtual users?
On Fri, 2008-10-03 at 03:22 -0300, Dâniel Fraga wrote:

> These messages happen because dovecot is trying to check virtual
> users in the system password file (which just contains real users and
> not virtual users).
>
> So is there a way to force it to check virtual users just on
> the /etc/virtual/%d/passwd? I mean, if the domain is the real one,
> abusar.org, or it doesn't have a domain, it will check in the system
> passwords, but if it's some other domain except abusar.org, it should
> skip checking system passwords and check directly in the
> /etc/virtual/%d/passwd.

You can't really tell that to Dovecot, but you could move passdb passwd-file {} before passdb pam {} so it'll first check the virtual users and you'll avoid the PAM messages.
Dâniel Fraga
2008-Oct-05 15:52 UTC
[Dovecot] How to bypass checking of system users by virtual users?
On Sun, 05 Oct 2008 14:26:26 +0300 Timo Sirainen <tss at iki.fi> wrote:

> You can't really tell that to Dovecot, but you could move passdb
> passwd-file {} before passdb pam {} so it'll first check the virtual
> users and you'll avoid the PAM messages.

Ok, I would see fewer error messages, since there are more virtual users than real ones, but do you agree with me that I would keep seeing some error messages when real users try to authenticate? Because then, real users would be checked first against virtual passwd, giving the error. Or not?

Thanks.

--
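Added example, not part of any message in this thread: a small Python triage that separates the pam_unix failures caused by virtual users falling through to PAM from failures for system logins (abusar.org or no domain), so the fallthrough noise does not bury the ones worth reviewing. The sample log lines, host name and addresses are constructed; `LOCAL_DOMAINS`, `classify` and `triage` are names chosen for this example.

```python
import re
from collections import Counter

# Domain whose users are system accounts (from the thread); all others are virtual.
LOCAL_DOMAINS = {"abusar.org"}

# pam_unix failure line as logged by dovecot-auth. The list archive rewrites
# "@" as " at ", so both spellings are accepted.
FAILURE = re.compile(
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure;"
    r".*?\bruser=(?P<ruser>\S+(?: at \S+)?) rhost=(?P<rhost>\S+)"
)

def classify(ruser):
    """Return 'system' if PAM is the right backend for this login, else 'virtual'."""
    _user, _, domain = ruser.replace(" at ", "@").partition("@")
    return "system" if domain.lower() in LOCAL_DOMAINS | {""} else "virtual"

def triage(lines):
    """Count PAM failures per (kind, rhost); 'check pass; user unknown' lines are skipped."""
    counts = Counter()
    for line in lines:
        m = FAILURE.search(line)
        if m:
            counts[(classify(m["ruser"]), m["rhost"])] += 1
    return counts

# Constructed sample log (documentation addresses, made-up users).
SAMPLE = """\
Oct  3 03:11:40 mx dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Oct  3 03:11:40 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info@virtual.example rhost=192.0.2.10
Oct  3 03:11:41 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sales at virtual.example rhost=192.0.2.10
Oct  3 03:12:02 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=root rhost=198.51.100.7
Oct  3 03:12:05 mx dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin@abusar.org rhost=198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for (kind, rhost), n in sorted(triage(SAMPLE).items()):
        print(f"{kind:8} {rhost:15} {n}")
```

A "virtual" failure only shows that PAM was consulted for that login; whether the passwd-file lookup then succeeded is not recorded in these lines.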