dovecot - Jul 2017 - System users lookup via PAM: strip the domain name?

I have a need for the following:

Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD) wirhOUT
@domain in /etc/passwd

Virtual Users in SQL (with full user at domain in the DB)

 

When I have auth_username_format = %Ln I can?t auth the Virtual Users, and if I
have auth_username_format = %Lu I can?t auth System users.

 

Is there a compromise somewhere?

 

Current doveconf ?n with %Ln

thebighonker.lerctr.org /usr/local/etc/dovecot/conf.d $ doveconf -n

# 2.2.31 (65cde28): /usr/local/etc/dovecot/dovecot.conf

# Pigeonhole version 0.4.19 (e5c7051)

# OS: FreeBSD 11.1-PRERELEASE amd64

auth_debug = yes

auth_debug_passwords = yes

auth_mechanisms = plain login

auth_realms = lerctr.org thebighonker.lerctr.org tbh.lerctr.org jonesonair.com
jonesonair.net

auth_username_format = %Ln

default_vsz_limit = 1 G

deliver_log_format = msgid=%m: %$ (subject=%s from=%f size=%w)

doveadm_password =? # hidden, use -P to show it

lda_mailbox_autocreate = yes

listen = 192.147.25.65, ::

lmtp_save_to_detail_mailbox = yes

login_access_sockets = tcpwrap

mail_attribute_dict = file:%h/mail/.imap/dovecot-mail-attributes

mail_location = mbox:~/mail:INBOX=~/mail/INBOX

mail_log_prefix = "%s(%u/%p): "

mail_plugins = " fts fts_solr notify stats virtual"

mail_privileged_group = mail

mail_server_admin = mailto:ler at lerctr.org

mail_server_comment = LERCTR Mail Server

mailbox_list_index = yes

managesieve_notify_capability = mailto

managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date index ihave duplicate
mime foreverypart extracttext vacation-seconds editheader mboxmetadata
servermetadata imapsieve vnd.dovecot.imapsieve

namespace archive {

? hidden = no

? list = no

? location = mbox:~/MAIL-ARCHIVE

? prefix = ARCHIVE/

? separator = /

}

namespace inbox {

? inbox = yes

? location 
? mailbox Drafts {

??? special_use = \Drafts

? }

? mailbox INBOX {

??? auto = create

? }

? mailbox SENT {

??? special_use = \Sent

? }

? mailbox SPAM {

??? special_use = \Junk

? }

? mailbox "Sent Messages" {

??? special_use = \Sent

? }

? mailbox Trash {

??? special_use = \Trash

? }

? mailbox virtual/Flagged {

??? special_use = \Flagged

? }

? mailbox virtual/all {

??? special_use = \All

? }

? prefix 
}

namespace virtual {

? hidden = no

? list = yes

? location = virtual:~/MAIL-VIRTUAL:INDEX=MEMORY

? prefix = Virtual/

? separator = /

}

passdb {

? args = /usr/local/etc/dovecot/dovecot-sql.conf.ext

? driver = sql

}

passdb {

? args = failure_show_msg=yes session=yes max_requests=20

? driver = pam

}

plugin {

? fts = solr

? fts_autoindex = yes

? fts_solr = url=http://thebighonker.lerctr.org:8983/solr/dovecot/

? fts_tika = http://localhost:9998/tika/

? imapsieve_mailbox1_before =
file:/usr/local/share/dovecot-pigeonhole/sieve/report-spam.sieve

? imapsieve_mailbox1_causes = COPY

? imapsieve_mailbox1_name = SPAM

? imapsieve_mailbox2_before =
file:/usr/local/share/dovecot-pigeonhole/sieve/report-ham.sieve

? imapsieve_mailbox2_causes = COPY

? imapsieve_mailbox2_from = SPAM

? imapsieve_mailbox2_name = *

? imapsieve_url = sieve://thebighonker.lerctr.org

? mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
flag_change append

? mail_log_fields = uid box msgid size from subject vsize flags

? recipient_delimiter = +

? sieve = ~/.dovecot.sieve

? sieve_dir = ~/sieve

? sieve_execute_bin_dir = /usr/local/share/dovecot-pigeonhole/sieve

? sieve_extensions = +editheader +vacation-seconds +mboxmetadata +servermetadata

? sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute

? sieve_pipe_bin_dir = /usr/local/share/dovecot-pigeonhole/sieve

? sieve_plugins = sieve_imapsieve sieve_extprograms

? stats_command_min_time = 1 mins

? stats_domain_min_time = 12 hours

? stats_ip_min_time = 12 hours

? stats_memory_limit = 16 M

? stats_refresh = 5s

? stats_session_min_time = 15 mins

? stats_track_cmds = yes

? stats_user_min_time = 1 hours

}

protocols = imap pop3 lmtp sieve

service auth {

? unix_listener auth-client {

??? mode = 0666

? }

? unix_listener auth-master {

??? mode = 0666

? }

}

service doveadm {

? inet_listener http {

??? port = 8080

??? ssl = yes

? }

}

service indexer-worker {

? drop_priv_before_exec = yes

}

service managesieve-login {

? inet_listener sieve {

??? port = 4190

? }

? inet_listener sieve_deprecated {

??? port = 2000

? }

}

service stats {

? chroot = empty

? client_limit = 0

? drop_priv_before_exec = no

? executable = stats

? extra_groups 
? fifo_listener stats-mail {

??? group 
??? mode = 0666

??? user 
? }

? fifo_listener stats-user {

??? group 
??? mode = 0666

??? user 
? }

? group 
? idle_kill = 4294967295 secs

? privileged_group 
? process_limit = 1

? process_min_avail = 0

? protocol 
? service_count = 0

? type 
? unix_listener stats {

??? group 
??? mode = 0666

??? user 
? }

? user = $default_internal_user

? vsz_limit = 18446744073709551615 B

}

service tcpwrap {

? unix_listener login/tcpwrap {

??? group = $default_login_user

??? mode = 0600

??? user = $default_login_user

? }

}

ssl_cert = </home/ler/letsencrypt-home/lerctr.org/fullchain.cer

ssl_cipher_list =
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS

ssl_key =? # hidden, use -P to show it

ssl_protocols = !SSLv2 !SSLv3

userdb {

? args = /usr/local/etc/dovecot/dovecot-sql.conf.ext

? driver = sql

}

userdb {

? driver = passwd

}

verbose_proctitle = yes

protocol lmtp {

? mail_plugins = " fts fts_solr notify stats virtual sieve mail_log"

}

protocol lda {

? mail_plugins = " fts fts_solr notify stats virtual sieve mail_log"

}

protocol pop3 {

? mail_plugins = " fts fts_solr notify stats virtual mail_log"

}

protocol !doveadm {

? mail_plugins = " fts fts_solr notify stats virtual mail_log"

}

protocol imap {

? imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags

? imap_logout_format = in=%i out=%o fhc=%{fetch_hdr_count}
fhb=%{fetch_hdr_bytes} fbc=%{fetch_body_count} fbb=%{fetch_body_bytes}
del=%{deleted} exp=%{expunged} trash=%{trashed}

? imap_metadata = yes

? mail_max_userip_connections = 50

? mail_plugins = " fts fts_solr notify stats virtual mail_log imap_sieve
imap_stats stats"

}

thebighonker.lerctr.org /usr/local/etc/dovecot/conf.d $

 

-- 

Larry Rosenman                     http://www.lerctr.org/~ler

Phone: +1 214-642-9640                 E-Mail: larryrtx at gmail.com

US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281

> On July 13, 2017 at 4:27 AM Larry Rosenman <larryrtx at gmail.com>
wrote:
> 
> 
> I have a need for the following:
> 
> Real system users in /etc/{passwd,shadow} (actually PAM on FreeBSD) wirhOUT
@domain in /etc/passwd
> 
> Virtual Users in SQL (with full user at domain in the DB)
> 
>  
> 
> When I have auth_username_format = %Ln I can?t auth the Virtual Users, and
if I have auth_username_format = %Lu I can?t auth System users.
> 
>  
> 
> Is there a compromise somewhere?
> 
>
You could try using %{original_username} in SQL.

Or you can try removing the auth_username_format and instead

passdb {
  driver = sql
  args = ...
}
passdb {
  driver = static
  args = user=%Ln noauthenticate
# you can remove next line if you want to always normalize your usernames
  skip = authenticated
}
passdb {
  driver = pam
  args = ...
  skip = authenticated
}

Aki