On 29.8.2019 12.18, R.N.S. via dovecot wrote:
>
>> On 28.08.2019 at 20:02, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>>
>>> On 28/08/2019 21:01 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>>>
>>>> On 28.08.2019 at 19:46, Jakobus Schürz via dovecot <dovecot at dovecot.org> wrote:
>>>>
>>>> I think I had the same problem as you.
>>>>
>>>> When dovecot runs lmtp, no user is logged in, so there is no user from
>>>> which you can get groups. So I think my solution is (not really sure
>>>> if this is right, it's a long time ago, I played around) this transport
>>>> in exim for local delivery
>>>>
>>>> dovecot_delivery:
>>>>   debug_print = "T: dovecot_delivery_pipe for $local_part@$domain translates to GET_LOCAL_MAIL"
>>>>   driver = pipe
>>>>   command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
>>>>   message_prefix
>>>>   message_suffix
>>>>   delivery_date_add
>>>>   envelope_to_add
>>>>   return_path_add
>>>>   log_output
>>>>   user = MAILUSER
>>>>   group = MAILUSER
>>>>
>>>> I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and
>>>> MAILUSER are macros which get the email address and the mail user for the
>>>> receiving email address.
>>>>
>>>> GET_LOCAL_MAIL could be $local_part@$domain
>>>> MAILUSER is vmail in my setup, the user who owns all mailboxes
>>>>
>>>> /usr/lib/dovecot/deliver is an alternative to the lmtp-delivery.
>>>
>>> Unfortunately this way Postfix and Dovecot need to run on the same host.
>>>
>>> I wonder if this is an LMTP or Sieve issue. Maybe something can be done in sieve configuration to solve this?
>>>
>>> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>>>
>>> Thanks
>>>
>>> Christian
>>
>> It could be possible to solve this with an auth lua script that would allow returning the acl groups as a string, instead of using a post-login script.
>
> I finally got it working with Lua.
>
> Changes to the auth-ldap.conf.ext file:
> --------------------------------------------------
> userdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>
>   # Fetch acl_groups from LDAP with the Lua userdb script
>   skip = never
>   result_success = continue
>   result_failure = return-fail
>
>   # Default fields can be used to specify defaults that LDAP may override
>   #default_fields = home=/home/virtual/%u
> }
> --------------------------------------------------
>
> I created this auth-lua.conf.ext:
> --------------------------------------------------
> # https://wiki.dovecot.org/AuthDatabase/Lua
>
> userdb {
>   driver = lua
>   args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
> }
> --------------------------------------------------
>
> I added it in 10-auth.conf behind the LDAP auth include statement.
>
> The Lua script looks like this:
> --------------------------------------------------
> require('io')
>
> -- The user name comes from the LMTP envelope recipient and is pasted into
> -- a shell command and an LDAP filter, so only allow characters that are
> -- harmless in both; anything else is rejected before the command is built.
> local function safe_user(user)
>   return user ~= nil and user:match("^[%w%.%-_@+]+$") ~= nil
> end
>
> function auth_userdb_lookup(req)
>   local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
>   local base = "ou=people,ou=it,dc=roessner-net,dc=de"
>   local binddn = "cn=dovecot," .. base
>
>   if not safe_user(req.user) then
>     return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid characters in user name"
>   end
>
>   local cmd = [=[
> /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
>   grep rnsMSACLGroup | \
>   awk -vORS=, '{ print \$2 }' | \
>   sed 's/,$/\n/'"
> ]=]
>
>   -- gsub with a table leaves $names that are not keys of the table
>   -- untouched (including awk's \$2), so the four calls can be chained
>   cmd = cmd:gsub('$(%w+)', { bindpwfile = bindpwfile })
>   cmd = cmd:gsub('$(%w+)', { binddn = binddn })
>   cmd = cmd:gsub('$(%w+)', { base = base })
>   cmd = cmd:gsub('$(%w+)', { user = req.user })
>
>   local handle = io.popen(cmd)
>   local acl_groups = handle:read("*a") or ""
>   handle:close()
>
>   -- strip the trailing newline from sed so the field is a clean comma list
>   acl_groups = acl_groups:gsub("%s+$", "")
>
>   return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
> end
>
> function script_init()
>   return 0
> end
>
> function script_deinit()
> end
>
> -- vim: expandtab ts=2 sw=2
> --------------------------------------------------
>
> And this works for me :-)
>
> Many thanks
>
> Christian

There really is no LDAP module for your Lua?

Aki
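An added example, not the poster's script and not Dovecot project code, showing the same userdb lookup without the grep/awk/sed pipeline: the recipient address is escaped for the LDAP filter (RFC 4515) and shell-quoted, the LDIF output of ldapsearch is parsed in Lua, and the exit status is checked before acl_groups is returned. It keeps the attribute names and base DN from the thread and assumes ldapsearch is in PATH and the posted auth-ldap.conf.ext/auth-lua.conf.ext configuration is in place.

```lua
-- Added example (not the poster's script): Dovecot Lua userdb lookup that
-- fetches rnsMSACLGroup from LDAP without a grep/awk/sed pipeline.
-- Assumed: ldapsearch in PATH, bind password file, base DN as in the thread.
local BINDPWFILE = "/etc/dovecot/ldap-auth-userdb.secret"
local BASE       = "ou=people,ou=it,dc=roessner-net,dc=de"
local BINDDN     = "cn=dovecot," .. BASE
local ATTR       = "rnsMSACLGroup"

-- RFC 4515 filter escaping: every byte outside a conservative set becomes
-- \XX, which covers '*', '(', ')', '\' and NUL. The user name is the LMTP
-- envelope recipient, so it must never reach the filter verbatim.
local function ldap_filter_escape(s)
  return (s:gsub("[^%w%.%-_@+]", function(c)
    return string.format("\\%02x", c:byte())
  end))
end

-- Single-quote one word for /bin/sh (io.popen runs the command through sh).
local function sh_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Collect the values of "<attr>: value" lines from LDIF output.
-- Base64-encoded ("attr:: ...") values are reported instead of mangled.
local function parse_attr_values(ldif, attr)
  local values = {}
  for line in ldif:gmatch("[^\n]+") do
    local sep, value = line:match("^" .. attr .. "(::?) ?(.*)$")
    if sep == ":" then
      values[#values + 1] = value
    elseif sep == "::" then
      return nil, "base64-encoded " .. attr .. " value is not supported"
    end
  end
  return values
end

function auth_userdb_lookup(req)
  local filter = "(rnsMSDovecotUser=" .. ldap_filter_escape(req.user) .. ")"
  local cmd = table.concat({
    "ldapsearch -LLL -ZZ -x", "-y", sh_quote(BINDPWFILE),
    "-D", sh_quote(BINDDN), "-b", sh_quote(BASE), sh_quote(filter), ATTR,
  }, " ")
  local handle = io.popen(cmd)
  local out = handle:read("*a") or ""
  if not handle:close() then  -- false/nil unless ldapsearch exited 0
    return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "ldapsearch failed"
  end
  local groups, err = parse_attr_values(out, ATTR)
  if not groups then
    return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, err
  end
  -- acl_groups takes a single comma-separated string, which is why the
  -- multi-valued LDAP attribute cannot be passed through directly.
  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. table.concat(groups, ",")
end

function script_init() return 0 end
function script_deinit() end
```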
lists at mlserv.org
2019-Aug-29 09:30 UTC
[SOLVED] Re: LMTP Post login script for acl_groups
> On 29.08.2019 at 11:23, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>
> On 29.8.2019 12.18, R.N.S. via dovecot wrote:
>> [...]
>> I finally got it working with Lua.
>> [...]
>> And this works for me :-)
>>
>> Many thanks
>>
>> Christian
>
> There really is no LDAP module for your Lua?

I was too early with success :-(

Even the doveadm acl debug command shows that I would have all rights, mails are inserted into the INBOX :-(

...
doveadm(lists at srvint.net): Info: User lists at srvint.net has rights: lookup read write write-seen write-deleted insert post expunge
doveadm(lists at srvint.net): Info: Mailbox found from dovecot-acl-list
doveadm(lists at srvint.net): Info: Mailbox is in public namespace
doveadm(lists at srvint.net): Info: Mailbox Public/Mailinglisten/Dovecot is visible in LIST

Why can't LMTP/Sieve insert the mail to that place?

If I use an LDAP attribute with a comma-separated list in the dovecot-ldap.conf.ext file, everything works. So what is different to the second Lua backend?

It is really a pain that acl_groups does not simply support multiple values.

Maybe I will spend some more time on the Lua LDAP module, but for now, it is really frustrating.

Christian
lists at mlserv.org
2019-Aug-29 09:58 UTC
[SOLVED] Re: LMTP Post login script for acl_groups
> On 29.08.2019 at 11:30, R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>
> [...]
>
> I was too early with success :-(
> [...]
> It is really a pain that acl_groups does not simply support multiple values.
>
> Maybe I will spend some more time on the Lua LDAP module, but for now, it is really frustrating.

There have been minor issues in the Lua script. I will now spend some time diving into the Lua-LDAP module. For now, the posted solution works.

If I have a module that talks directly to LDAP, I will return here later and post the results.

Christian
On 29.8.2019 12.30, R.N.S. via dovecot wrote:
> [...]
> I was too early with success :-(
>
> Even the doveadm acl debug command shows that I would have all rights, mails are inserted into the INBOX :-(
>
> ...
> doveadm(lists at srvint.net): Info: User lists at srvint.net has rights: lookup read write write-seen write-deleted insert post expunge
> doveadm(lists at srvint.net): Info: Mailbox found from dovecot-acl-list
> doveadm(lists at srvint.net): Info: Mailbox is in public namespace
> doveadm(lists at srvint.net): Info: Mailbox Public/Mailinglisten/Dovecot is visible in LIST
>
> Why can't LMTP/Sieve insert the mail to that place?
>
> If I use an LDAP attribute with a comma-separated list in the dovecot-ldap.conf.ext file, everything works. So what is different to the second Lua backend?
>
> It is really a pain that acl_groups does not simply support multiple values.
>
> Maybe I will spend some more time on the Lua LDAP module, but for now, it is really frustrating.
>
> Christian

I am not seeing that sieve can't insert the mail. Can you try enabling mail_debug=yes and try again?

Aki