> On 28/08/2019 21:01 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>
>
> > On 28.08.2019 at 19:46, Jakobus Sch?rz via dovecot <dovecot at dovecot.org> wrote:
> >
> > I think I had the same problem as you.
> >
> > When dovecot runs lmtp, no user is logged in, so there is no user from
> > which you can get groups. So I think my solution is (not really sure
> > if this is right, it's a long time ago, I played around) this transport
> > in exim for local delivery
> >
> > dovecot_delivery:
> >   debug_print = "T: dovecot_delivery_pipe for $local_part@$domain translates to GET_LOCAL_MAIL"
> >   driver = pipe
> >   command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
> >   message_prefix =
> >   message_suffix =
> >   delivery_date_add
> >   envelope_to_add
> >   return_path_add
> >   log_output
> >   user = MAILUSER
> >   group = MAILUSER
> >
> > I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and
> > MAILUSER are macros which get the email address and the mail user for the
> > receiving email address.
> >
> > GET_LOCAL_MAIL could be $local_part@$domain
> > MAILUSER is vmail in my setup, the user who owns all mailboxes
> >
> > /usr/lib/dovecot/deliver is an alternative for the lmtp-delivery.
>
> Unfortunately this way Postfix and Dovecot need to run on the same host.
>
> I wonder if this is an LMTP or Sieve issue. Maybe something can be done in sieve configuration to solve this?
>
> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>
> Thanks
>
> Christian

It could be possible to solve this with an auth Lua script that would allow returning the acl groups as a string, instead of using a post-login script.

Aki

> On 28.08.2019 at 20:02, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>
> It could be possible to solve this with an auth Lua script that would allow returning the acl groups as a string, instead of using a post-login script.

Does that mean I would give a second userdb with a Lua script?

Can I combine LDAP and Lua backends? Are both read together or is it a first-match-wins decision?

Christian

> On 28/08/2019 21:07 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>
> Does that mean, I would give a second userdb with a Lua script?
>
> Can I combine LDAP and Lua backends? Are both read together or is it a first-match-wins decision?
>
> Christian

You can combine them, dovecot allows you to decide if you want first-match or all of them.

See https://doc.dovecot.org/configuration_manual/authentication/user_databases_userdb

Aki

> It could be possible to solve this with an auth Lua script that would allow returning the acl groups as a string, instead of using a post-login script.

I fear I cannot implement this on my system. I need pipes, which would be part of Lua posix, which depends on a bit32 backported module, which I do not have. I run Lua-5.1.5 here. Bit32 might be in Lua 5.2.

Is there some solution possible with the checkpassword backend? In the comments it seems that this backend is not necessarily usable with userdb.

Thanks in advance

Christian

lists at mlserv.org
2019-Aug-29 09:18 UTC
[SOLVED] Re: LMTP Post login script for acl_groups
> On 28.08.2019 at 20:02, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>
> It could be possible to solve this with an auth Lua script that would allow returning the acl groups as a string, instead of using a post-login script.

I finally got it working with Lua.

Changes to the auth-ldap.conf.ext file:
--------------------------------------------------
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext

  # Fetch acl_groups from LDAP with the Lua userdb script
  skip = never
  result_success = continue
  result_failure = return-fail

  # Default fields can be used to specify defaults that LDAP may override
  #default_fields = home=/home/virtual/%u
}
--------------------------------------------------

I created this auth-lua.conf.ext:
--------------------------------------------------
# https://wiki.dovecot.org/AuthDatabase/Lua

userdb {
  driver = lua
  args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
}
--------------------------------------------------

I added it in 10-auth.conf behind the LDAP auth include statement.

The Lua script looks like this:
--------------------------------------------------
require('io')

function auth_userdb_lookup(req)
  local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
  local base = "ou=people,ou=it,dc=roessner-net,dc=de"
  local binddn = "cn=dovecot," .. base

  -- Shell pipeline: fetch the user's rnsMSACLGroup values from LDAP and
  -- join them into one comma-separated line
  local cmd = [=[
    /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
      grep rnsMSACLGroup | \
      awk -vORS=, '{ print \$2 }' | \
      sed 's/,$/\n/'"
  ]=]

  -- Fill in the $name placeholders; names without a table entry
  -- (such as awk's \$2) are left unchanged
  cmd = cmd:gsub('$(%w+)', { bindpwfile = bindpwfile })
  cmd = cmd:gsub('$(%w+)', { binddn = binddn })
  cmd = cmd:gsub('$(%w+)', { base = base })
  cmd = cmd:gsub('$(%w+)', { user = req.user })

  local handle = io.popen(cmd)
  if handle == nil then
    return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "cannot run ldapsearch"
  end
  local acl_groups = handle:read("*a")
  handle:close()
  -- Drop the trailing newline that sed appends
  acl_groups = acl_groups:gsub("%s+$", "")

  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
end

function script_init()
  return 0
end

function script_deinit()
end

-- vim: expandtab ts=2 sw=2
--------------------------------------------------

And this works for me :-)

Many thanks

Christian

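The script above places req.user, which for LMTP delivery is the recipient address, into a shell command line and an LDAP filter, and returns whatever the pipeline prints as a userdb field. A variant that allowlists the name, quotes every argument and parses the LDIF in Lua is sketched here as an added example, not part of the original post; the two allowlist patterns are assumptions to adjust to the local naming scheme.

```lua
-- Added example, not the poster's script; DNs, path and attribute names are from the post.
local BINDPW = "/etc/dovecot/ldap-auth-userdb.secret"
local BASE = "ou=people,ou=it,dc=roessner-net,dc=de"
local BINDDN, ATTR = "cn=dovecot," .. BASE, "rnsMSACLGroup"

-- Quote one argument for /bin/sh: wrap it in '...' and rewrite embedded quotes.
local function shell_quote(s)
  return "'" .. s:gsub("'", "'\\''") .. "'"
end

-- Assumed policy: only characters that are inert in sh and in an LDAP filter.
local function valid_user(u)
  return type(u) == "string" and #u <= 255 and u:match("^[A-Za-z0-9._@+%-]+$") ~= nil
end

local function build_cmd(user)
  local args = { "ldapsearch", "-LLL", "-ZZ", "-y", BINDPW, "-xD", BINDDN,
                 "-b", BASE, "(rnsMSDovecotUser=" .. user .. ")", ATTR }
  for i = 2, #args do args[i] = shell_quote(args[i]) end
  return table.concat(args, " ")
end

-- Parse the LDIF in Lua; values with whitespace or commas are dropped (assumed policy).
local function parse_groups(ldif)
  local groups = {}
  for v in ("\n" .. ldif):gmatch("\n" .. ATTR .. ": ([^\r\n]+)") do
    if v:match("^[A-Za-z0-9._%-]+$") then groups[#groups + 1] = v end
  end
  return table.concat(groups, ",")
end

function auth_userdb_lookup(req)
  if not valid_user(req.user) then
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid user name"
  end
  local handle = io.popen(build_cmd(req.user))
  if not handle then return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "popen failed" end
  local ldif = handle:read("*a")
  handle:close()
  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. parse_groups(ldif)
end

function script_init() return 0 end
function script_deinit() end

if not dovecot then -- stand-alone check on constructed input, outside Dovecot
  assert(not valid_user("a'b c@example.org"))
  assert(parse_groups("dn: uid=a\nrnsMSACLGroup: staff\nrnsMSACLGroup: a b\n") == "staff")
end
```

Run with a plain `lua` interpreter, the file only executes the two checks at the bottom; loaded by Dovecot, the guard skips them.
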
On 29.8.2019 12.18, R.N.S. via dovecot wrote:
> I finally got it working with Lua.

There really is no LDAP module for your Lua?

Aki