Apologies if this has already been raised here (which I suspect it has). I tried to raise it as an issue over on github but issues are not enabled for the repository.

The support for mixing virtual users, with fully-qualified email addresses, and system users could be simpler. Assuming it doesn't mess up other stuff in the code base, of course.

The problem appears to be that the PAM passwd module requires just user names without a domain (which makes sense given that they're system users) but does not, so far as I can see, support the username_format argument. In my setup, the default structure of 10-auth.conf demonstrates this:

auth_username_format = %n

That means all username arguments lack the domain part, which complicates using fully-qualified ones for virtual users. I realize I could assign arbitrary unique names to the virtual accounts in the lookup file. But that complicates administering the system, so I want to be able to include the domain for virtual users.

After about five hair-pulling hours of wrestling with the configuration I stumbled across an answer utilizing conditionals <https://serverfault.com/questions/260488/dovecot-user-lookup-fails-when-using-usernamedomain-format> on ServerFault. It works fine.

But being able to pass a username_format parameter to the PAM module (which I tried, but it was rejected) would be a lot simpler, and a lot more intuitive.

- Mark
> The support for mixing virtual users, with fully-qualified email
> addresses, and system users could be simpler. Assuming it doesn't mess
> up other stuff in the code base, of course.

You can define multiple passdb's, not?

> The problem appears to be that the PAM passwd module requires just user
> names without a domain

I am not even sure this is true, but the idea behind PAM (pluggable authentication module) is that you create your own or add any you like. Can't imagine there is nothing that takes an email address.

> (which makes sense given that they're system
> users) but does not, so far as I can see, support the username_format
> argument. In my setup, the default structure of 10-auth.conf
> demonstrates this:
>
> auth_username_format = %n

So do not change it? Leave it as how people enter it.
> On 26. Mar 2022, at 19.32, Mark Olbert <Mark at arcabama.com> wrote:
>
> Apologies if this has already been raised here (which I suspect it has). I tried to raise it as an issue over on github but issues are not enabled for the repository.
>
> The support for mixing virtual users, with fully-qualified email addresses, and system users could be simpler. Assuming it doesn't mess up other stuff in the code base, of course.
>
> The problem appears to be that the PAM passwd module requires just user names without a domain (which makes sense given that they're system users) but does not, so far as I can see, support the username_format argument. In my setup, the default structure of 10-auth.conf demonstrates this:
>
> auth_username_format = %n
>
> That means all username arguments lack the domain part, which complicates using fully-qualified ones for virtual users. I realize I could assign arbitrary unique names to the virtual accounts in the lookup file. But that complicates administering the system, so I want to be able to include the domain for virtual users.

Change that. Use auth_username_format = %Lu (which is the default, not %n), then for the PAM passdb use username_filter = !*@*; that will then skip all usernames that have @ included. Dovecot 2.2.30 or later required for that.

Sami
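Sami's two settings, written out as a complete pair of passdb/userdb blocks so the routing between system and virtual accounts is visible in one place. This is an added example, not configuration from the thread or from the Dovecot project: the passwd-file driver for the virtual accounts, the file path /etc/dovecot/users, the SHA512-CRYPT scheme, and the matching `*@*` filter on the virtual side (which Sami's reply does not mention) are assumptions made for the illustration.

```conf
# Added example, not from the thread. Keep the login name as the user typed it,
# lower-cased. %Lu is the Dovecot default; %n would strip the domain for everyone,
# which is what broke the fully-qualified virtual logins in the original post.
auth_username_format = %Lu

# System users: PAM only ever receives names without an '@'. username_filter
# needs Dovecot 2.2.30 or later (per Sami's reply). The leading '!' negates the
# pattern, so "mark@example.com" skips this passdb instead of failing inside PAM.
passdb {
  driver = pam
  username_filter = !*@*
}
userdb {
  driver = passwd
  username_filter = !*@*
}

# Virtual users: only fully-qualified names reach this passdb. The positive
# filter is an assumption added here so a bare system login can never fall
# through to the virtual file. The path and scheme are assumptions as well.
passdb {
  driver = passwd-file
  username_filter = *@*
  args = scheme=SHA512-CRYPT /etc/dovecot/users
}
userdb {
  driver = passwd-file
  username_filter = *@*
  args = /etc/dovecot/users
}
```

Two consequences worth checking before deploying: with `%Lu` a system account must log in with its bare username, because a login of `user@example.com` is routed past PAM entirely, and `doveadm auth test <name>` against both a bare and a fully-qualified name confirms that each lands in the intended passdb rather than silently failing in the other.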
Hi,

I do have a solution for this - one which you probably don't want to hear ... I keep all email separate from system accounts; for any system accounts that are going to generate or receive email I alias them.

On Sat, 2022-03-26 at 17:32 +0000, Mark Olbert wrote:
> The support for mixing virtual users, with fully-qualified email
> addresses, and system users could be simpler. Assuming it doesn't mess
> up other stuff in the code base, of course.

Question: you are mixing virtual and system users for domain "A" - is this the only domain hosted on the server? If so then there is probably an easy way to do this. Assuming your MTA is Postfix, are you mixing Virtual Mailbox Domains and Virtual Alias Domains? Virtual Alias Domains can mix virtual accounts with UNIX system accounts: (https://www.postfix.org/VIRTUAL_README.html#virtual_alias)

> The problem appears to be that the PAM passwd module requires just
> user names without a domain (which makes sense given that they're
> system users) but does not, so far as I can see, support the
> username_format argument. In my setup, the default structure of
> 10-auth.conf demonstrates this:

I see that someone else has answered this in another post - I would refer you to them.

My approach of making all the domains I host completely virtual does have benefits:

1) Adding a user system account doesn't mean they get an email account
2) Migrating email service from one machine to another is trivial since all information regarding email accounts is kept in an external source (in my case LDAP, but could be another database or flat files)
3) If you want the option to create mail accounts with system accounts then all you need to do is augment the solution you use for adding system accounts so that the appropriate entries get added where need be - LDAP is good for this since it can also be used to auth your system accounts, and with the correct additions to the schema you can easily flag accounts as being able to receive email or not. (When I met Wietse at a conference in 2006 I asked him about Postfix LDAP schema - he advised me to write my own, which is what I have done. The resulting LDAP search that Postfix carries out before handing messages off to Dovecot for delivery includes a check to see if the account is allowed to receive email at all, or if it is aliased to a different address). The search Dovecot runs is similarly enabled.

In this day and age it is odd that a system would be hosting email for a domain for delivery to system users - normally your system users have different email addresses for email delivery.
-- 
Nikolai Lusan <nikolai at lusan.id.au>
I just use all virtual user accounts. These virtual users have a flag that I set if I want that account to be a system account, for things such as ssh/shell/... usage. But a single user registry makes things much simpler than having several and then attempting to integrate them into a single list, vs separating a single list into several uses.

Quoting Mark Olbert <Mark at arcabama.com>:
> Apologies if this has already been raised here (which I suspect it
> has). I tried to raise it as an issue over on github but issues
> are not enabled for the repository.
>
> The support for mixing virtual users, with fully-qualified email
> addresses, and system users could be simpler. Assuming it doesn't
> mess up other stuff in the code base, of course.
>
> The problem appears to be that the PAM passwd module requires just
> user names without a domain (which makes sense given that they're
> system users) but does not, so far as I can see, support the
> username_format argument. In my setup, the default structure of
> 10-auth.conf demonstrates this:
>
> auth_username_format = %n
>
> That means all username arguments lack the domain part, which
> complicates using fully-qualified ones for virtual users. I realize
> I could assign arbitrary unique names to the virtual accounts in the
> lookup file. But that complicates administering the system, so I
> want to be able to include the domain for virtual users.
>
> After about five hair-pulling hours of wrestling with the
> configuration I stumbled across an answer utilizing
> conditionals <https://serverfault.com/questions/260488/dovecot-user-lookup-fails-when-using-usernamedomain-format> on ServerFault. It works
> fine.
>
> But being able to pass a username_format parameter to the PAM module
> (which I tried, but it was rejected) would be a lot simpler, and a
> lot more intuitive.
>
> - Mark