I wrapped the LDA command in a script. I can see that Postfix passes
"@@mydomain.tld" as the -d argument, without quotes.
I then adapted the script to specifically replace this address with
"@"@mydomain.tld, but this results in the following error message by
Dovecot:

    auth: Info: userdb(?): Username character disallowed by
    auth_username_chars: 0x22 (username: "@"@mydomain.tld)

So what would be the appropriate quoting/setting for this address?

Kind regards,
Philipp

On 06-Mar-18 at 15:08, Stephan Bosch wrote:
>
>
> On 6-3-2018 at 14:34, Philipp Berger wrote:
>> I upgraded to Dovecot 2.3.0.1 as advised, but it still seems broken. In
>> the Postfix log I now see:
>>
>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) K00VtLRHdrYw FWD from
>> <admin@mydomain.tld> -> <"@"@mydomain.tld>, BODY=7BIT 250 2.0.0 from
>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37
>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) Passed CLEAN
>> {RelayedInbound}, [someIp]:11439 [someIp] <admin@mydomain.tld> ->
>> <"@"@mydomain.tld>, Queue-ID: D27792DA167C, Message-ID:
>> <22b95756-e95e-86cf-219c-3b603f7587c8@mydomain.tld>, mail_id:
>> K00VtLRHdrYw, Hits: -3, size: 7472, queued_as: B8CA22DA1B37, 1863 ms
>> Mar  6 13:49:03 myhost postfix/smtp[2329]: D27792DA167C:
>> to=<@@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2,
>> delays=0.15/0.01/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from
>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37)
>> Mar  6 13:49:03 myhost postfix/pipe[2282]: B8CA22DA1B37:
>> to=<@@mydomain.tld>, relay=dovecot, delay=0.2, delays=0.11/0/0/0.09,
>> dsn=5.1.1, status=bounced (user unknown)
>> Mar  6 13:49:03 myhost postfix/cleanup[2280]: EA37E2DA1F80:
>> message-id=<20180306124903.EA37E2DA1F80@mydomain.tld>
>> Mar  6 13:49:04 myhost postfix/bounce[2334]: B8CA22DA1B37: sender
>> non-delivery notification: EA37E2DA1F80
>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: EA37E2DA1F80: from=<>,
>> size=9830, nrcpt=1 (queue active)
>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: B8CA22DA1B37: removed
>> Mar  6 13:49:04 myhost postfix/pipe[2282]: EA37E2DA1F80:
>> to=<admin@mydomain.tld>, relay=dovecot, delay=0.07,
>> delays=0.05/0/0/0.02, dsn=5.3.0, status=bounced (command line usage
>> error. Command output: lda: Fatal: Invalid -f parameter: Missing
>> domain )
>>
>> I can see in my MySQL Log that Dovecot queried at the same time with %n
>> = "" (empty) and %d = "@mydomain.tld". So now the "@" is dropped
>> entirely.
>>
>> What does the "Fatal: Invalid -f parameter: Missing domain" tell us? Do
>> I need to change the way Postfix calls Dovecot? Add more quotes? :D
>
> Can you check what Postfix is feeding to Dovecot exactly (i.e.,
> whether it is properly escaped)? Maybe wrap dovecot-lda in some shell
> script and see what is passed.
>
> Regards,
>
> Stephan.
>
>>
>> Kind regards,
>> Philipp
>>
>> On 04-Mar-18 at 21:12, Stephan Bosch wrote:
>>> On 3/1/2018 at 2:07 PM, Philipp Berger wrote:
>>>> Dear all,
>>>>
>>>> I have a working setup with Postfix + Dovecot, storing users in a
>>>> MySQL
>>>> table.
>>>>
>>>> I ran into problems setting up and using a mail address like
>>>> a"@"b@mydomain.tld, which by RFC should be valid, but leads to
>>>> problems
>>>> in Dovecot. From my debugging, I can see that on the lookup, Dovecot
>>>> replaces %n with "a" (quotes added by me) and %d with "b@mydomain.tld"
>>>> (quotes added by me). So the original quotes are gone, and the
>>>> domain/user split is incorrect.
>>>>
>>>> I am not sure if Postfix passes the address without quotes to
>>>> Dovecot or
>>>> whether Dovecot can not handle quotes correctly, but I was hoping that
>>>> someone with more insight into Dovecot could help me out here.
>>>>
>>>> System Info: Debian 9, Postfix 3.1.6-0+deb9u1, Dovecot 2.2.27-3+deb9u1
>>>> Postfix master.cf for Dovecot:
>>>> dovecot   unix  -       n       n       -       -       pipe
>>>>   flags=DRhu user=virtual:virtual
>>>> argv=/usr/lib/dovecot/dovecot-lda -f
>>>> ${sender} -d ${user}@${nexthop}
>>>>
>>>> I am grateful for any hints :)
>>>>
>>>> Thank you in advance, kind regards,
>>> Yeah, Dovecot v2.2 is doing some funky stuff with SMTP address parsing.
>>> Dovecot v2.3 should do a better job. I am still not sure if this can be
>>> fixed well for Dovecot v2.2.
>>>
>>> Regards,
>>>
>>> Stephan.
>>
>>
>

Hello!

Maybe experiment with auth_username_chars:

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

Good luck,
Reio

On 07.03.18 14:46, Philipp Berger wrote:
> I wrapped the LDA command in a script. I can see that Postfix passes
> "@@mydomain.tld" as the -d argument, without quotes.
> I then adapted the script to specifically replace this address with
> "@"@mydomain.tld, but this results in the following error message by
> Dovecot:
>
>     auth: Info: userdb(?): Username character disallowed by
>     auth_username_chars: 0x22 (username: "@"@mydomain.tld)
>
> So what would be the appropriate quoting/setting for this address?
>
> Kind regards,
> Philipp
>
> On 06-Mar-18 at 15:08, Stephan Bosch wrote:
>>
>> On 6-3-2018 at 14:34, Philipp Berger wrote:
>>> I upgraded to Dovecot 2.3.0.1 as advised, but it still seems broken. In
>>> the Postfix log I now see:
>>>
>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) K00VtLRHdrYw FWD from
>>> <admin@mydomain.tld> -> <"@"@mydomain.tld>, BODY=7BIT 250 2.0.0 from
>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37
>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) Passed CLEAN
>>> {RelayedInbound}, [someIp]:11439 [someIp] <admin@mydomain.tld> ->
>>> <"@"@mydomain.tld>, Queue-ID: D27792DA167C, Message-ID:
>>> <22b95756-e95e-86cf-219c-3b603f7587c8@mydomain.tld>, mail_id:
>>> K00VtLRHdrYw, Hits: -3, size: 7472, queued_as: B8CA22DA1B37, 1863 ms
>>> Mar  6 13:49:03 myhost postfix/smtp[2329]: D27792DA167C:
>>> to=<@@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2,
>>> delays=0.15/0.01/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from
>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37)
>>> Mar  6 13:49:03 myhost postfix/pipe[2282]: B8CA22DA1B37:
>>> to=<@@mydomain.tld>, relay=dovecot, delay=0.2, delays=0.11/0/0/0.09,
>>> dsn=5.1.1, status=bounced (user unknown)
>>> Mar  6 13:49:03 myhost postfix/cleanup[2280]: EA37E2DA1F80:
>>> message-id=<20180306124903.EA37E2DA1F80@mydomain.tld>
>>> Mar  6 13:49:04 myhost postfix/bounce[2334]: B8CA22DA1B37: sender
>>> non-delivery notification: EA37E2DA1F80
>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: EA37E2DA1F80: from=<>,
>>> size=9830, nrcpt=1 (queue active)
>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: B8CA22DA1B37: removed
>>> Mar  6 13:49:04 myhost postfix/pipe[2282]: EA37E2DA1F80:
>>> to=<admin@mydomain.tld>, relay=dovecot, delay=0.07,
>>> delays=0.05/0/0/0.02, dsn=5.3.0, status=bounced (command line usage
>>> error. Command output: lda: Fatal: Invalid -f parameter: Missing
>>> domain )
>>>
>>> I can see in my MySQL Log that Dovecot queried at the same time with %n
>>> = "" (empty) and %d = "@mydomain.tld". So now the "@" is dropped
>>> entirely.
>>>
>>> What does the "Fatal: Invalid -f parameter: Missing domain" tell us? Do
>>> I need to change the way Postfix calls Dovecot? Add more quotes? :D
>> Can you check what Postfix is feeding to Dovecot exactly (i.e.,
>> whether it is properly escaped)? Maybe wrap dovecot-lda in some shell
>> script and see what is passed.
>>
>> Regards,
>>
>> Stephan.
>>
>>> Kind regards,
>>> Philipp
>>>
>>> On 04-Mar-18 at 21:12, Stephan Bosch wrote:
>>>> On 3/1/2018 at 2:07 PM, Philipp Berger wrote:
>>>>> Dear all,
>>>>>
>>>>> I have a working setup with Postfix + Dovecot, storing users in a
>>>>> MySQL
>>>>> table.
>>>>>
>>>>> I ran into problems setting up and using a mail address like
>>>>> a"@"b@mydomain.tld, which by RFC should be valid, but leads to
>>>>> problems
>>>>> in Dovecot. From my debugging, I can see that on the lookup, Dovecot
>>>>> replaces %n with "a" (quotes added by me) and %d with "b@mydomain.tld"
>>>>> (quotes added by me). So the original quotes are gone, and the
>>>>> domain/user split is incorrect.
>>>>>
>>>>> I am not sure if Postfix passes the address without quotes to
>>>>> Dovecot or
>>>>> whether Dovecot can not handle quotes correctly, but I was hoping that
>>>>> someone with more insight into Dovecot could help me out here.
>>>>>
>>>>> System Info: Debian 9, Postfix 3.1.6-0+deb9u1, Dovecot 2.2.27-3+deb9u1
>>>>> Postfix master.cf for Dovecot:
>>>>> dovecot   unix  -       n       n       -       -       pipe
>>>>>   flags=DRhu user=virtual:virtual
>>>>> argv=/usr/lib/dovecot/dovecot-lda -f
>>>>> ${sender} -d ${user}@${nexthop}
>>>>>
>>>>> I am grateful for any hints :)
>>>>>
>>>>> Thank you in advance, kind regards,
>>>> Yeah, Dovecot v2.2 is doing some funky stuff with SMTP address parsing.
>>>> Dovecot v2.3 should do a better job. I am still not sure if this can be
>>>> fixed well for Dovecot v2.2.
>>>>
>>>> Regards,
>>>>
>>>> Stephan.

On 7-3-2018 at 13:46, Philipp Berger wrote:
> I wrapped the LDA command in a script. I can see that Postfix passes
> "@@mydomain.tld" as the -d argument, without quotes.
> I then adapted the script to specifically replace this address with
> "@"@mydomain.tld, but this results in the following error message by
> Dovecot:
>
>     auth: Info: userdb(?): Username character disallowed by
>     auth_username_chars: 0x22 (username: "@"@mydomain.tld)
>
> So what would be the appropriate quoting/setting for this address?

Adding " to auth_username_chars would help.

But why are you trying to accept such incredibly horrible
email-addresses/usernames?

Regards,

Stephan.

> Kind regards,
> Philipp
>
> On 06-Mar-18 at 15:08, Stephan Bosch wrote:
>>
>> On 6-3-2018 at 14:34, Philipp Berger wrote:
>>> I upgraded to Dovecot 2.3.0.1 as advised, but it still seems broken. In
>>> the Postfix log I now see:
>>>
>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) K00VtLRHdrYw FWD from
>>> <admin@mydomain.tld> -> <"@"@mydomain.tld>, BODY=7BIT 250 2.0.0 from
>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37
>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) Passed CLEAN
>>> {RelayedInbound}, [someIp]:11439 [someIp] <admin@mydomain.tld> ->
>>> <"@"@mydomain.tld>, Queue-ID: D27792DA167C, Message-ID:
>>> <22b95756-e95e-86cf-219c-3b603f7587c8@mydomain.tld>, mail_id:
>>> K00VtLRHdrYw, Hits: -3, size: 7472, queued_as: B8CA22DA1B37, 1863 ms
>>> Mar  6 13:49:03 myhost postfix/smtp[2329]: D27792DA167C:
>>> to=<@@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2,
>>> delays=0.15/0.01/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from
>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37)
>>> Mar  6 13:49:03 myhost postfix/pipe[2282]: B8CA22DA1B37:
>>> to=<@@mydomain.tld>, relay=dovecot, delay=0.2, delays=0.11/0/0/0.09,
>>> dsn=5.1.1, status=bounced (user unknown)
>>> Mar  6 13:49:03 myhost postfix/cleanup[2280]: EA37E2DA1F80:
>>> message-id=<20180306124903.EA37E2DA1F80@mydomain.tld>
>>> Mar  6 13:49:04 myhost postfix/bounce[2334]: B8CA22DA1B37: sender
>>> non-delivery notification: EA37E2DA1F80
>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: EA37E2DA1F80: from=<>,
>>> size=9830, nrcpt=1 (queue active)
>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: B8CA22DA1B37: removed
>>> Mar  6 13:49:04 myhost postfix/pipe[2282]: EA37E2DA1F80:
>>> to=<admin@mydomain.tld>, relay=dovecot, delay=0.07,
>>> delays=0.05/0/0/0.02, dsn=5.3.0, status=bounced (command line usage
>>> error. Command output: lda: Fatal: Invalid -f parameter: Missing
>>> domain )
>>>
>>> I can see in my MySQL Log that Dovecot queried at the same time with %n
>>> = "" (empty) and %d = "@mydomain.tld". So now the "@" is dropped
>>> entirely.
>>>
>>> What does the "Fatal: Invalid -f parameter: Missing domain" tell us? Do
>>> I need to change the way Postfix calls Dovecot? Add more quotes? :D
>> Can you check what Postfix is feeding to Dovecot exactly (i.e.,
>> whether it is properly escaped)? Maybe wrap dovecot-lda in some shell
>> script and see what is passed.
>>
>> Regards,
>>
>> Stephan.
>>
>>> Kind regards,
>>> Philipp
>>>
>>> On 04-Mar-18 at 21:12, Stephan Bosch wrote:
>>>> On 3/1/2018 at 2:07 PM, Philipp Berger wrote:
>>>>> Dear all,
>>>>>
>>>>> I have a working setup with Postfix + Dovecot, storing users in a
>>>>> MySQL
>>>>> table.
>>>>>
>>>>> I ran into problems setting up and using a mail address like
>>>>> a"@"b@mydomain.tld, which by RFC should be valid, but leads to
>>>>> problems
>>>>> in Dovecot. From my debugging, I can see that on the lookup, Dovecot
>>>>> replaces %n with "a" (quotes added by me) and %d with "b@mydomain.tld"
>>>>> (quotes added by me). So the original quotes are gone, and the
>>>>> domain/user split is incorrect.
>>>>>
>>>>> I am not sure if Postfix passes the address without quotes to
>>>>> Dovecot or
>>>>> whether Dovecot can not handle quotes correctly, but I was hoping that
>>>>> someone with more insight into Dovecot could help me out here.
>>>>>
>>>>> System Info: Debian 9, Postfix 3.1.6-0+deb9u1, Dovecot 2.2.27-3+deb9u1
>>>>> Postfix master.cf for Dovecot:
>>>>> dovecot   unix  -       n       n       -       -       pipe
>>>>>   flags=DRhu user=virtual:virtual
>>>>> argv=/usr/lib/dovecot/dovecot-lda -f
>>>>> ${sender} -d ${user}@${nexthop}
>>>>>
>>>>> I am grateful for any hints :)
>>>>>
>>>>> Thank you in advance, kind regards,
>>>> Yeah, Dovecot v2.2 is doing some funky stuff with SMTP address parsing.
>>>> Dovecot v2.3 should do a better job. I am still not sure if this can be
>>>> fixed well for Dovecot v2.2.
>>>>
>>>> Regards,
>>>>
>>>> Stephan.
>>>
>

On 7-3-2018 at 15:40, Stephan Bosch wrote:
>
>
> On 7-3-2018 at 13:46, Philipp Berger wrote:
>> I wrapped the LDA command in a script. I can see that Postfix passes
>> "@@mydomain.tld" as the -d argument, without quotes.
>> I then adapted the script to specifically replace this address with
>> "@"@mydomain.tld, but this results in the following error message by
>> Dovecot:
>>
>>     auth: Info: userdb(?): Username character disallowed by
>>     auth_username_chars: 0x22 (username: "@"@mydomain.tld)
>>
>> So what would be the appropriate quoting/setting for this address?
>
> Adding " to auth_username_chars would help.
>
> But why are you trying to accept such incredibly horrible
> email-addresses/usernames?
>

Also, -d is used to provide the username. For -d, you could leave out
the double quotes and provide the full e-mail address--including the
required quotes--to the -r argument. It all depends on what your userdb
expects.

Regards,

Stephan.

>> On 06-Mar-18 at 15:08, Stephan Bosch wrote:
>>>
>>> On 6-3-2018 at 14:34, Philipp Berger wrote:
>>>> I upgraded to Dovecot 2.3.0.1 as advised, but it still seems
>>>> broken. In
>>>> the Postfix log I now see:
>>>>
>>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) K00VtLRHdrYw FWD from
>>>> <admin@mydomain.tld> -> <"@"@mydomain.tld>, BODY=7BIT 250 2.0.0 from
>>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37
>>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) Passed CLEAN
>>>> {RelayedInbound}, [someIp]:11439 [someIp] <admin@mydomain.tld> ->
>>>> <"@"@mydomain.tld>, Queue-ID: D27792DA167C, Message-ID:
>>>> <22b95756-e95e-86cf-219c-3b603f7587c8@mydomain.tld>, mail_id:
>>>> K00VtLRHdrYw, Hits: -3, size: 7472, queued_as: B8CA22DA1B37, 1863 ms
>>>> Mar  6 13:49:03 myhost postfix/smtp[2329]: D27792DA167C:
>>>> to=<@@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2,
>>>> delays=0.15/0.01/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from
>>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37)
>>>> Mar  6 13:49:03 myhost postfix/pipe[2282]: B8CA22DA1B37:
>>>> to=<@@mydomain.tld>, relay=dovecot, delay=0.2, delays=0.11/0/0/0.09,
>>>> dsn=5.1.1, status=bounced (user unknown)
>>>> Mar  6 13:49:03 myhost postfix/cleanup[2280]: EA37E2DA1F80:
>>>> message-id=<20180306124903.EA37E2DA1F80@mydomain.tld>
>>>> Mar  6 13:49:04 myhost postfix/bounce[2334]: B8CA22DA1B37: sender
>>>> non-delivery notification: EA37E2DA1F80
>>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: EA37E2DA1F80: from=<>,
>>>> size=9830, nrcpt=1 (queue active)
>>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: B8CA22DA1B37: removed
>>>> Mar  6 13:49:04 myhost postfix/pipe[2282]: EA37E2DA1F80:
>>>> to=<admin@mydomain.tld>, relay=dovecot, delay=0.07,
>>>> delays=0.05/0/0/0.02, dsn=5.3.0, status=bounced (command line usage
>>>> error. Command output: lda: Fatal: Invalid -f parameter: Missing
>>>> domain )
>>>>
>>>> I can see in my MySQL Log that Dovecot queried at the same time
>>>> with %n
>>>> = "" (empty) and %d = "@mydomain.tld". So now the "@" is dropped
>>>> entirely.
>>>>
>>>> What does the "Fatal: Invalid -f parameter: Missing domain" tell
>>>> us? Do
>>>> I need to change the way Postfix calls Dovecot? Add more quotes? :D
>>> Can you check what Postfix is feeding to Dovecot exactly (i.e.,
>>> whether it is properly escaped)? Maybe wrap dovecot-lda in some shell
>>> script and see what is passed.
>>>
>>> Regards,
>>>
>>> Stephan.
>>>
>>>> Kind regards,
>>>> Philipp
>>>>
>>>> On 04-Mar-18 at 21:12, Stephan Bosch wrote:
>>>>> On 3/1/2018 at 2:07 PM, Philipp Berger wrote:
>>>>>> Dear all,
>>>>>>
>>>>>> I have a working setup with Postfix + Dovecot, storing users in a
>>>>>> MySQL
>>>>>> table.
>>>>>>
>>>>>> I ran into problems setting up and using a mail address like
>>>>>> a"@"b@mydomain.tld, which by RFC should be valid, but leads to
>>>>>> problems
>>>>>> in Dovecot. From my debugging, I can see that on the lookup, Dovecot
>>>>>> replaces %n with "a" (quotes added by me) and %d with
>>>>>> "b@mydomain.tld"
>>>>>> (quotes added by me). So the original quotes are gone, and the
>>>>>> domain/user split is incorrect.
>>>>>>
>>>>>> I am not sure if Postfix passes the address without quotes to
>>>>>> Dovecot or
>>>>>> whether Dovecot can not handle quotes correctly, but I was hoping
>>>>>> that
>>>>>> someone with more insight into Dovecot could help me out here.
>>>>>>
>>>>>> System Info: Debian 9, Postfix 3.1.6-0+deb9u1, Dovecot
>>>>>> 2.2.27-3+deb9u1
>>>>>> Postfix master.cf for Dovecot:
>>>>>> dovecot   unix  -       n       n       -       -       pipe
>>>>>>   flags=DRhu user=virtual:virtual
>>>>>> argv=/usr/lib/dovecot/dovecot-lda -f
>>>>>> ${sender} -d ${user}@${nexthop}
>>>>>>
>>>>>> I am grateful for any hints :)
>>>>>>
>>>>>> Thank you in advance, kind regards,
>>>>> Yeah, Dovecot v2.2 is doing some funky stuff with SMTP address
>>>>> parsing.
>>>>> Dovecot v2.3 should do a better job. I am still not sure if this
>>>>> can be
>>>>> fixed well for Dovecot v2.2.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Stephan.
>>>>
>>
>
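
Added example, not part of any message in this thread and not Dovecot or Postfix code: a Python illustration of why the address becomes ambiguous once its quotes are lost before reaching dovecot-lda, and of the 0x22 rejection against the default auth_username_chars quoted in Reio's reply. The function names are hypothetical, and the first-'@' split is only a model that matches the %n/%d values reported in the thread, not Dovecot's parser.

```python
# Added example; the sample addresses are the ones discussed in the thread.
# Default auth_username_chars, copied from the dovecot.conf comment quoted above.
DEFAULT_AUTH_USERNAME_CHARS = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"
)


def split_first_at(addr):
    """Quote-unaware split at the first '@' (hypothetical model)."""
    local, _, domain = addr.partition("@")
    return local, domain


def split_quote_aware(addr):
    """Split at the single '@' outside double quotes (lenient scanner,
    not a full RFC 5321 validator)."""
    in_quotes = escaped = False
    at_positions = []
    for i, ch in enumerate(addr):
        if escaped:
            escaped = False              # character after a backslash is literal
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            at_positions.append(i)
    if in_quotes:
        raise ValueError("unterminated quoted string")
    if len(at_positions) != 1:
        raise ValueError(f"{len(at_positions)} unquoted '@' characters")
    pos = at_positions[0]
    return addr[:pos], addr[pos + 1:]


def disallowed_chars(username, allowed=DEFAULT_AUTH_USERNAME_CHARS):
    """Hex codes of characters outside `allowed`, in order of first use.
    An empty `allowed` accepts everything, as the config comment says."""
    if not allowed:
        return []
    seen = []
    for ch in username:
        code = f"0x{ord(ch):02x}"
        if ch not in allowed and code not in seen:
            seen.append(code)
    return seen


if __name__ == "__main__":
    for addr in ('"@"@mydomain.tld', "@@mydomain.tld", 'a"@"b@mydomain.tld'):
        try:
            aware = split_quote_aware(addr)
        except ValueError as exc:
            aware = f"ambiguous ({exc})"
        print(addr, split_first_at(addr), aware, disallowed_chars(addr))
```

With the quotes intact the scanner finds exactly one delimiter; the unquoted form "@@mydomain.tld" that reached the -d argument has two candidate delimiters and cannot be split unambiguously.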