Hello,

Will I be breaking something if I have two users share the same home and/or mail_location (maildir format) in dovecot? Mail will only be delivered to the primary user; the other would be used every now and then to log in via imap (webmail).

This would be on a CentOS 7 box running dovecot from the packaging system, i.e. dovecot-2.2.10-8.el7 currently. The reason I'd like to do this is to have two ways to log in to the same mailbox, one using username + password and the other otherusername + otherpassword + otp-token. Basically this "otherusername" would be for cases where I don't trust the client computer not to have a keylogger or other badness in it, but still need to see my mail.

I have this kind of a dual-login setup via PAM for regular system user authentication and it's working ok. I'm just wondering about the dovecot part, whether dovecot will do Unexpected Things if more than one user has the same home and mail_location? If it makes any difference, the users can have separate homes, but the mailbox should be the same for usability.

Tapio
On 2017-09-23 20:08:35 +0000, Tapio Sokura wrote:

> Will I be breaking something if I have two users share the same home and/or mail_location (maildir format) in dovecot? Mail will only be delivered to the primary user, the other would be used every now and then to login via imap (webmail).
>
> This would be on a CentOS 7 box running dovecot from the packaging system, i.e. dovecot-2.2.10-8.el7 currently. The reason I'd like to do this is to have two ways to login to the same mailbox, one using username + password and the other otherusername + otherpassword + otp-token. Basically this "otherusername" would be for cases where I don't trust the client computer to not have a keylogger etc badness in it, but still need to see my mail.
>
> I have this kind of a dual-login setup via PAM for regular system user authentication and it's working ok. I'm just wondering about the dovecot part, whether dovecot will do Unexpected Things if more than one user have the same home and mail_location? If it makes any difference, the users can have separate homes, but the mailbox should be the same for usability.

Why not just a shared folder?

-- 
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Hello Tapio,

You are going to great lengths :) I assume that PAM working means "user" and "otheruser" are the names of system users with the same uid, home etc.? Then I do not see why dovecot, with all defaults and authenticating against PAM, won't work out of the box, shouldn't it?

Peter

On 2017-09-23 at 22:08, Tapio Sokura wrote:

> Hello,
>
> Will I be breaking something if I have two users share the same home and/or mail_location (maildir format) in dovecot? Mail will only be delivered to the primary user, the other would be used every now and then to login via imap (webmail).
>
> This would be on a CentOS 7 box running dovecot from the packaging system, i.e. dovecot-2.2.10-8.el7 currently. The reason I'd like to do this is to have two ways to login to the same mailbox, one using username + password and the other otherusername + otherpassword + otp-token. Basically this "otherusername" would be for cases where I don't trust the client computer to not have a keylogger etc badness in it, but still need to see my mail.
>
> I have this kind of a dual-login setup via PAM for regular system user authentication and it's working ok. I'm just wondering about the dovecot part, whether dovecot will do Unexpected Things if more than one user have the same home and mail_location? If it makes any difference, the users can have separate homes, but the mailbox should be the same for usability.
>
> Tapio
Hello Peter,

I'm using a virtual users model in dovecot where all the mail is stored under the same OS user account anyway, so file/dir permissions won't be a problem. The system users I was referring to are actually completely separate user accounts at the moment with their own uid/gid (and passwordless sudo between them), but I guess they could use the same uid/gid and just have separate entries in passwd/shadow.

Anyway, at the moment I'm not concerned about getting the authentication part working, but whether there's something in dovecot that will bite my sitting muscles if mail_location is the same for two users. I'm aware of the shared folders functionality mentioned by Marcus and that will probably be my fallback, if sharing a mail_location is not viable. Same mail_location would just be simpler.

Tapio

On 24.9.2017 0:34, Peter Chiochetti wrote:

> Hello Tapio,
>
> You are going to great lengths :) I assume, that PAM working means, "user" and "otheruser" are the names of system-users with the same uid, home etc? Then I do not see, why dovecot, all defaults and authenticating against PAM won't work out of the box, shouldn't it?
>
> Peter
>
> Am 2017-09-23 um 22:08 schrieb Tapio Sokura:
>> Hello,
>>
>> Will I be breaking something if I have two users share the same home and/or mail_location (maildir format) in dovecot? Mail will only be delivered to the primary user, the other would be used every now and then to login via imap (webmail).
>>
>> This would be on a CentOS 7 box running dovecot from the packaging system, i.e. dovecot-2.2.10-8.el7 currently. The reason I'd like to do this is to have two ways to login to the same mailbox, one using username + password and the other otherusername + otherpassword + otp-token. Basically this "otherusername" would be for cases where I don't trust the client computer to not have a keylogger etc badness in it, but still need to see my mail.
>>
>> I have this kind of a dual-login setup via PAM for regular system user authentication and it's working ok. I'm just wondering about the dovecot part, whether dovecot will do Unexpected Things if more than one user have the same home and mail_location? If it makes any difference, the users can have separate homes, but the mailbox should be the same for usability.
>>
>> Tapio
> On 23 Sep 2017, at 23.08, Tapio Sokura <oh2kku at iki.fi> wrote:
>
> Hello,
>
> Will I be breaking something if I have two users share the same home and/or mail_location (maildir format) in dovecot? Mail will only be delivered to the primary user, the other would be used every now and then to login via imap (webmail).
>
> This would be on a CentOS 7 box running dovecot from the packaging system, i.e. dovecot-2.2.10-8.el7 currently. The reason I'd like to do this is to have two ways to login to the same mailbox, one using username + password and the other otherusername + otherpassword + otp-token. Basically this "otherusername" would be for cases where I don't trust the client computer to not have a keylogger etc badness in it, but still need to see my mail.
>
> I have this kind of a dual-login setup via PAM for regular system user authentication and it's working ok. I'm just wondering about the dovecot part, whether dovecot will do Unexpected Things if more than one user have the same home and mail_location? If it makes any difference, the users can have separate homes, but the mailbox should be the same for usability.

It would break things.

Easier is just to overwrite the userid from user2 to user1 after authentication with another passdb.

Sami
On 24.9.2017 15:03, Sami Ketola wrote:

>> On 23 Sep 2017, at 23.08, Tapio Sokura <oh2kku at iki.fi> wrote:
>> I have this kind of a dual-login setup via PAM for regular system user authentication and it's working ok. I'm just wondering about the dovecot part, whether dovecot will do Unexpected Things if more than one user have the same home and mail_location? If it makes any difference, the users can have separate homes, but the mailbox should be the same for usability.
>
> It would break things.
>
> Easier is just to overwrite the userid from user2 to user1 after authentication with another passdb.

Thanks, overriding the userid seems to be working fine.

After getting this to work I realized OTP tokens aren't the best for use at the imap layer. The first authentication goes through fine. But on the next imap connections (parallelizing clients and typical webmails) the cached password/OTP token has already been used and is rightfully rejected by the backend authentication system. By turning on auth caching in dovecot I jury-rigged this to work (for the duration of the auth cache), but the clean solution would be something else. Anyway, I think I'll settle here for now; it's better than a static password anyway.

Thanks for the comments and keep up the good work with Dovecot!

Tapio
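The username override that Sami suggests, and the auth cache Tapio turned on afterwards, as an added configuration example that is not part of the thread and is not what Tapio actually deployed (the thread does not say which passdb type he used). It keeps the PAM passdb for the primary login and adds a second passdb whose lookup result rewrites the login name to the primary account, so the userdb lookup and mail_location resolve to one user instead of two users sharing a maildir. The passwd-file backend is a stand-in for the OTP-capable backend the thread describes; the account names, file path and hash are placeholders.

```conf
# /etc/dovecot/conf.d/10-auth.conf (added example, not from the thread)

# Primary login: system credentials via PAM. When this passdb fails,
# Dovecot continues to the next passdb (result_failure = continue is
# the default), so the alternate credential is tried afterwards.
passdb {
  driver = pam
}

# Alternate login. The passwd-file entry carries the passdb extra field
# user=<name>, which replaces the authenticated username before the
# userdb lookup. Mail is therefore opened as the primary account, not
# as a second account pointing at the same mail_location.
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT /etc/dovecot/alt-users
}

# /etc/dovecot/alt-users (placeholder path; one line per alternate login)
# Field order: user:password:uid:gid:gecos:home:shell:extra_fields
# uid, gid, gecos, home and shell are left empty for virtual users; the
# only thing this entry contributes is the password hash and the
# user= override. The hash below is a placeholder, not a real digest.
#
#   otheruser:{SHA512-CRYPT}$6$PLACEHOLDER::::::user=username
#

# Auth caching: the workaround Tapio describes for a one-time token being
# rejected on the second IMAP connection of the same session. Every
# connection that presents the same credential within auth_cache_ttl is
# answered from the cache, which is exactly what makes the one-time token
# reusable for that window; keep the TTL as short as the client tolerates.
auth_cache_size = 1M
auth_cache_ttl = 15 mins
```

With this layout, `doveadm auth test otheruser` (with the alternate password) should report the rewritten user in its output, which is the quickest check that the override, rather than the PAM passdb, answered the request. The mail-delivery side is unaffected because only the primary name is ever used for LDA/LMTP, matching Tapio's requirement that mail is delivered to the primary user alone.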