lists at mlserv.org
2019-Sep-04 13:31 UTC
Different passdb backends for different services
> On 04.09.2019 at 08:24, Sami Ketola via dovecot <dovecot at dovecot.org> wrote:
>
>> On 3 Sep 2019, at 19.08, R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>>
>> I tried this, but I have probably done something wrong.
>>
>> I added this to 20-imap, 20-pop, 20-managesieve and 20-submission, always in the protocol sections. I also disabled the passdb section from the auth-ldap.conf.ext in 10-auth and left the userdb part.
>>
>> Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server.
>> my pid=16106, input bytes=0
>> Sep 3 17:57:24 mx dovecot: imap-login: Error: auth-client: conn unix:login: Timeout waiting for handshake from auth server.
>> my pid=16107, input bytes=0
>>
>> Can somebody tell me which "things" need the userdb and which the passdb sections?
>>
>> I am a little bit confused. Or do I have to add the above lines, and is some inheritance working here?
>>
>> Thanks in advance
>>
>> Christian
>
> I always use one flat dovecot.conf file. It is just so much simpler, and that way you can more easily ensure the loading order of all settings.
>
> Maybe you too should gather all the settings you want to change into one config file and stop loading those in conf.d.
>
> Also, you can post your doveconf -n somewhere so that we can see what goes wrong.

I have created a doveconf -n output.
-------------------------------------------------------------------------------
auth_cache_size = 64 M
auth_master_user_separator = *
auth_mechanisms = plain login
auth_ssl_username_from_cert = yes
auth_verbose = yes
default_client_limit = 5000
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
doveadm_api_key = # hidden, use -P to show it
hostname = mail.roessner-net.de
imap_client_workarounds = tb-extra-mailbox-sep tb-lsub-flags
imap_max_line_length = 4 M
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_access_groups = vmail
mail_attachment_dir = /var/mail/virtual/copymail/attachments
mail_gid = vmail
mail_location = sdbox:~/sdbox
mail_max_keyword_length = 4096
mail_plugins = quota acl fts fts_lucene zlib mail_log notify
mail_privileged_group = mail
mail_save_crlf = yes
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds imapsieve vnd.dovecot.imapsieve
mdbox_preallocate_space = yes
mdbox_rotate_size = 128 M
namespace {
  list = children
  location = sdbox:%%h/sdbox
  prefix = Shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace {
  hidden = yes
  list = children
  location = maildir:/var/mail/virtual/public:INDEXPVT=~/Maildir/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox "Deleted Messages" {
    special_use = \Trash
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk-E-Mail {
    special_use = \Junk
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
  pass = yes
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile:/etc/dovecot/dovecot-acl:cache_secs=300
  acl_shared_dict = file:/var/mail/virtual/shared-mailboxes.db
  fts = lucene
  fts_autoindex = yes
  fts_lucene = whitespace_chars=@.
  imapsieve_mailbox1_before = file:/etc/dovecot/sieve/rspamd.d/report-spam.sieve
  imapsieve_mailbox1_causes = COPY FLAG
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/etc/dovecot/sieve/rspamd.d/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  mail_log_events = delete undelete expunge copy save mailbox_create mailbox_delete mailbox_rename
  mail_log_fields = box msgid
  quota = count:User quota
  quota_grace = 10%%
  quota_rule = *:storage=300M:messages=20000
  quota_rule2 = Trash:storage=+500M
  quota_rule3 = Sent:storage=+2G
  quota_rule4 = Archive:storage=+2G
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /etc/dovecot/sieve/after
  sieve_before = /etc/dovecot/sieve/before
  sieve_extensions = +vacation-seconds
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute +vnd.dovecot.debug
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_default_period = 10d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
  zlib_save = gz
  zlib_save_level = 6
}
protocols = imap pop3 lmtp submission sieve
service auth-worker {
  extra_groups = ssl-cert
  unix_listener auth-worker {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service auth {
  extra_groups = ssl-cert
  unix_listener /var/spool/postfix-submission/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service config {
  unix_listener config {
    mode = 0600
    user = vmail
  }
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service doveadm {
  inet_listener http {
    port = 9080
    ssl = yes
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener imaps {
    port = 0
  }
}
service imap-postlogin {
  executable = script-login /usr/local/bin/dovecot-masteruser.sh /usr/local/bin/dovecot-lastlogin.sh
  user = vmail
}
service imap {
  executable = imap imap-postlogin
}
service lmtp {
  inet_listener lmtp {
    address = 127.0.0.1
    port = 24
  }
  unix_listener /var/spool/postfix/private/lmtp-dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
}
service pop3-login {
  inet_listener pop3 {
    address = 127.0.0.1 134.255.226.248 ::1 2a05:bec0:28:1:134:255:226:248
  }
  inet_listener pop3s {
    port = 0
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1
    port = 12340
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  extra_groups = mail
  unix_listener quota-warning {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = vmail
}
ssl_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_cert = </etc/ssl/mail.roessner-net.de/cert/fullchain.pem
ssl_client_key = # hidden, use -P to show it
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_relay_host = mail.roessner-net.de
submission_relay_port = 5870
submission_relay_ssl = starttls
submission_relay_trusted = yes
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
  result_success = continue
}
userdb {
  args = file=/etc/dovecot/dovecot-auth-userdb.lua blocking=yes
  driver = lua
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol lda {
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify sieve
}
protocol imap {
  mail_max_userip_connections = 50
  mail_plugins = quota acl fts fts_lucene zlib mail_log notify imap_quota imap_acl imap_zlib imap_sieve
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol sieve {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol pop3 {
  passdb {
    args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
    driver = ldap
    name =
  }
}
protocol submission {
  login_greeting = ESMTP
  passdb {
    args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
    driver = ldap
    name =
  }
}
-------------------------------------------------------------------------------

If I remove the outer userdb settings (not the ones inside the protocol), the auth-worker starts struggling:

-------------------------------------------------------------------------------
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  result_failure = return-fail
  result_success = continue
}
-------------------------------------------------------------------------------

Removing this part. Am I missing some place where the userdb is also needed?

Thanks in advance -)

Christian
lists at mlserv.org
2019-Sep-04 13:38 UTC
Different passdb backends for different services
> On 04.09.2019 at 15:31, R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>
> [...]
>
> I have created a doveconf -n output.
> [...]
>
> If I remove the outer userdb settings (not the ones inside the protocol), the auth-worker starts struggling:
>
> -------------------------------------------------------------------------------
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
>   result_failure = return-fail
>   result_success = continue
> }
> -------------------------------------------------------------------------------

*plonk* Of course not userdb, I mean the passdb block. Anyway, the problem is the same.

Christian
> On 4 Sep 2019, at 16.38, R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>>
>> passdb {
>>   args = /etc/dovecot/master-users
>>   driver = passwd-file
>>   master = yes
>>   pass = yes
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>>   driver = ldap
>> }
>> ...
>> protocol sieve {
>>   passdb {
>>     args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
>>     driver = ldap
>>     name =
>>   }
>> }
>> protocol pop3 {
>>   passdb {
>>     args = /etc/dovecot/dovecot-ldap-incoming.conf.ext
>>     driver = ldap
>>     name =
>>   }
>> }
>> protocol submission {
>>   login_greeting = ESMTP
>>   passdb {
>>     args = /etc/dovecot/dovecot-ldap-outgoing.conf.ext
>>     driver = ldap
>>     name =
>>   }
>> }

So the problem really is in the order of things. Your protocol-specific passdbs are AFTER your global passdb. The global passdb {} returns return-ok on successful authentication, and the rest of the passdbs are never processed.

Sami
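To make the ordering point concrete, here is a small Python model of Dovecot's passdb chain, added for this page and not Dovecot's own code. It assumes the documented defaults (result_success = return-ok, result_failure = continue) and that a passdb inside a protocol block is appended after the global ones; the LDAP lookups are replaced by a constructed table, and the master-user passwd-file passdb and password-verification skipping are not modelled.

```python
"""Model of Dovecot's passdb chain, written for this thread; not Dovecot's own code.

Assumed from the Dovecot passdb docs: passdbs are tried in configuration order,
a passdb inside a `protocol x { }` block is appended after the global ones, and the
defaults are result_success = return-ok, result_failure = continue.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the three LDAP filter files: which accounts each accepts.
DIRECTORY: Dict[str, Set[str]] = {
    "dovecot-ldap.conf.ext": {"alice", "bob"},      # global filter: any mailbox owner
    "dovecot-ldap-incoming.conf.ext": {"alice"},    # allowed to read mail
    "dovecot-ldap-outgoing.conf.ext": {"bob"},      # allowed to submit mail
}

@dataclass
class Passdb:
    args: str                       # the conf.ext file this passdb points at
    protocol: Optional[str] = None  # None = global, else the enclosing protocol block
    result_success: str = "return-ok"
    result_failure: str = "continue"
    def lookup(self, user: str) -> bool:
        return user in DIRECTORY[self.args]

def chain_for(passdbs: List[Passdb], protocol: str) -> List[Passdb]:
    """Evaluation order Dovecot builds: global passdbs first, then the protocol's own."""
    return ([p for p in passdbs if p.protocol is None]
            + [p for p in passdbs if p.protocol == protocol])

def authenticate(passdbs: List[Passdb], protocol: str, user: str) -> Tuple[bool, str]:
    """Walk the chain; return (accepted, args of the passdb whose verdict ended it)."""
    state: Optional[bool] = None      # authentication state carried by continue-*
    decided_by = ""
    for p in chain_for(passdbs, protocol):
        ok = p.lookup(user)
        policy = p.result_success if ok else p.result_failure
        decided_by = p.args
        if policy in ("return-ok", "return-fail"):   # stop here with a fixed verdict
            return policy == "return-ok", decided_by
        if policy == "return":                       # stop with the earlier state
            return bool(state), decided_by
        if policy == "continue-ok":
            state = True
        elif policy == "continue-fail":
            state = False
        # plain "continue": state unchanged, try the next passdb
    return bool(state), decided_by    # chain exhausted: failure unless continue-ok set it

# The thread's layout: one global LDAP passdb plus one per protocol block.
THREAD_CONFIG = [
    Passdb("dovecot-ldap.conf.ext"),
    Passdb("dovecot-ldap-incoming.conf.ext", protocol="imap"),
    Passdb("dovecot-ldap-incoming.conf.ext", protocol="pop3"),
    Passdb("dovecot-ldap-incoming.conf.ext", protocol="sieve"),
    Passdb("dovecot-ldap-outgoing.conf.ext", protocol="submission"),
]
# Same passdbs with the global one dropped, so the per-protocol filter decides.
PER_PROTOCOL_ONLY = [p for p in THREAD_CONFIG if p.protocol is not None]
```

With THREAD_CONFIG, `authenticate(..., "imap", "bob")` is accepted by the global passdb even though the incoming filter would reject him, which is exactly the short-circuit Sami describes; with PER_PROTOCOL_ONLY the per-protocol filter gets to decide.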