Discussion:
[Dovecot] Postfix/Dovecot/lmtp with virtual and local users
David Obando
2013-03-21 14:10:22 UTC
Hi all,

I'm about to change my Debian mailserver setup from
Postfix/dovecot1/procmail to Postfix/dovecot2/sieve with lmtp enabled.
After enabling lmtp the virtual users can receive e-mails but not the
local users:

Mar 21 14:21:40 orange postfix/lmtp[4119]: DE62226216: to=<user@orange.domain.de>, relay=orange.domain.de[private/dovecot-lmtp], delay=7627, delays=7627/0/0/0.02, dsn=5.1.1, status=bounced (host orange.domain.de[private/dovecot-lmtp] said: 550 5.1.1 <user@orange.domain.de> User doesn't exist: user@orange.domain.de (in reply to RCPT TO command))

In 10-auth.conf I have the setting "auth_username_format = %Lu".

When changing it to "auth_username_format = %n" the local users can be
found but not the virtual users anymore.

Is there a way to define "if <user> is local then auth_username_format =
%n else auth_username_format = %Lu"?

Thanks and best regards,
David
--
The day microsoft makes something that doesn't suck is the day they start making vacuum cleaners.
gpg --keyserver pgp.mit.edu --recv-keys 1920BD87
Key fingerprint = 3326 32CE 888B DFF1 DED3 B8D2 105F 29CB 1920 BD87
Timo Sirainen
2013-03-22 08:48:56 UTC
Post by David Obando
Is there a way to define "if <user> is local then auth_username_format =
%n else auth_username_format = %Lu"?
Maybe. Depends on your Dovecot version and passdb/userdb configuration.
So, doveconf -n output?
David Obando
2013-03-22 09:53:02 UTC
Post by Timo Sirainen
Maybe. Depends on your Dovecot version and passdb/userdb
configuration. So, doveconf -n output?
I use version 2.1.7 from the backports repo on Debian Squeeze.

My doveconf -n:

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-5-686-bigmem i686 Debian 6.0.7
auth_cache_size = 10 M
auth_debug = yes
auth_mechanisms = plain login digest-md5
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_verbose_passwords = sha1
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_uid = 105
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
mail_location = maildir:~/Maildir
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
passdb {
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir =
}
protocols = " imap lmtp sieve pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service imap-login {
  inet_listener imap {
    address = localhost
    port = 999
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 1
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_ca = </etc/ssl/certs/cacert.org.pem
ssl_cert = </etc/ssl/certs/mail.orange.cryptix.de.crt
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
ssl_key = </etc/ssl/private/mail.orange.cryptix.de.key
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
userdb {
  driver = passwd
}
protocol imap {
  imap_idle_notify_interval = 2 mins
  imap_logout_format = bytes=%i/%o
  mail_max_userip_connections = 20
  mail_plugins =
}
protocol lmtp {
  mail_plugins = " sieve"
}
protocol pop3 {
  mail_max_userip_connections = 20
  pop3_uidl_format = %08Xu%08Xv
}


Thanks,
David
/dev/rob0
2013-03-29 14:45:16 UTC
I'm interested in this as well, and having looked over the wiki2
pages on LDA and LMTP, and the files conf.d/15-lda.conf and
conf.d/20-lmtp.conf to which they refer, I still don't see how the
lmtpd knows a given user@domain is a system user. For virtual
domains, I guess the assumption is that the Dovecot username is
user@domain. (Even that assumption is not necessarily valid; there
is no requirement to format virtual usernames that way.)

The closest I can find is "hostname" in 15-lda.conf, but that does
not really say anything about it being used to identify a system
user.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Timo Sirainen
2013-03-31 08:53:29 UTC
Post by David Obando
Post by Timo Sirainen
Maybe. Depends on your Dovecot version and passdb/userdb
configuration. So, doveconf -n output?
I use version 2.1.7 from the backports repo on Debian Squeeze.
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
passdb {
driver = pam
}
Nope, you can't currently do "user@domain" auth for sql and "user" for PAM. You could try using passdb checkpassword instead though, which allows you to script it any way you want.
Post by David Obando
userdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
userdb {
driver = passwd
}
Also userdb passwd can't do that.

I've thought of adding a generic passdb/userdb { auth_username_format } setting, but that doesn't exist yet. Would be easy to do though.
David Obando
2013-04-11 09:04:19 UTC
Hi,

thanks for the answer.
Do I understand you right that currently it's not possible to manage
both system users and virtual users in a dovecot 2 and lmtp setup?

You were talking about "adding a generic passdb/userdb {
auth_username_format } setting". Are there any plans to do so?

What are your recommendations about migrating from dovecot 1.2.15 to
dovecot 2 regarding system and virtual users? Should I use LDA instead
of LMTP then?


Thank you very much,
David
Timo Sirainen
2013-04-11 10:22:06 UTC
Post by David Obando
Hi,
thanks for the answer.
Do I understand you right that currently it's not possible to manage
both system users and virtual users in a dovecot 2 and lmtp setup?
If you have only a single domain, set auth_username_format=%Ln and
configure your virtual userdb to work without @domain.

Or you could switch to using only virtual users, and have your MTA
forward the local users' mails to virtual users.

Or you could use userdb checkpassword instead of passwd, which strips
away the domain before doing a passwd lookup.
Post by David Obando
You were talking about "adding a generic passdb/userdb {
auth_username_format } setting". Are there any plans to do so?
Sure, but as to when I'll actually implement it, no idea. It's not a big
priority right now (although it would probably be pretty quick to
implement).
Post by David Obando
What are your recommendations about migrating from dovecot 1.2.15 to
dovecot 2 regarding system and virtual users? Should I use LDA instead
of LMTP then?
That's one possibility too, yes.
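
The third option above (a userdb checkpassword that strips the domain before doing a passwd lookup) is the one that is scriptable, so here is an added example of such a script. It is not code from the thread or from the Dovecot project. It assumes the checkpassword protocol as described in the Dovecot 2 wiki: argv[1] is the checkpassword-reply binary, the username and password arrive on fd 3 as NUL-terminated fields, Dovecot sets AUTHORIZED=1 for a userdb lookup and the script answers with AUTHORIZED=2, and the result is handed back as environment variables listed in EXTRA (the userdb_uid/userdb_gid names follow the wiki's examples). The install path, the MIN_UID value (taken from first_valid_uid = 105 in the posted doveconf -n) and the login-name whitelist are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: a userdb checkpassword
# script that strips "@domain" from the LMTP recipient and resolves the bare
# name in the system passwd database. Protocol assumptions (Dovecot 2 wiki):
# argv[1] is the checkpassword-reply binary; "user\0password\0" arrives on
# fd 3; Dovecot sets AUTHORIZED=1 for a userdb lookup and the script answers
# with AUTHORIZED=2; results go back as environment variables named in EXTRA;
# exit 3 means "user doesn't exist", exit 1 means "authentication failure".

# Lowest uid that counts as a mail user. 105 mirrors first_valid_uid in the
# posted doveconf -n (assumption: adjust to your system).
MIN_UID=${MIN_UID:-105}

# user@orange.domain.de -> user (a name without '@' is returned unchanged).
strip_domain() {
    printf '%s\n' "${1%%@*}"
}

# Accept only portable login names, so a crafted recipient cannot reach
# getent with shell-significant or path-like characters.
valid_login_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Print "uid:gid:home" for a bare login name; status 1 if it does not exist.
passwd_lookup() {
    if command -v getent >/dev/null 2>&1; then
        entry=$(getent passwd "$1") || return 1
    else
        # Fallback for hosts without getent: read /etc/passwd directly (no NSS).
        entry=$(awk -F: -v u="$1" '$1 == u' /etc/passwd)
    fi
    [ -n "$entry" ] || return 1
    printf '%s\n' "$entry" | awk -F: 'NR == 1 { print $3 ":" $4 ":" $6 }'
}

# Entry point used by Dovecot; skipped when the file is run with no arguments.
if [ "$#" -ge 1 ]; then
    reply=$1
    # This script answers userdb lookups only; it never verifies a password,
    # so refuse to be used as a passdb.
    [ "${AUTHORIZED:-}" = 1 ] || exit 1
    # The first NUL-terminated field on fd 3 is the username being looked up.
    user=$(tr '\000' '\n' <&3 | sed -n '1p')
    name=$(strip_domain "$user")
    valid_login_name "$name" || exit 3
    entry=$(passwd_lookup "$name") || exit 3
    uid=${entry%%:*}
    rest=${entry#*:}
    gid=${rest%%:*}
    home=${rest#*:}
    # Defense in depth: Dovecot enforces first_valid_uid itself, but do not
    # hand back system accounts in the first place.
    [ "$uid" -ge "$MIN_UID" ] || exit 3
    AUTHORIZED=2 USER="$name" HOME="$home" \
        userdb_uid="$uid" userdb_gid="$gid" EXTRA="userdb_uid userdb_gid" \
        exec "$reply"
fi
```

To use it, install the script executable at a path of your choosing (say /usr/local/bin/dovecot-localuser-lookup, a hypothetical path) and replace the `userdb { driver = passwd }` block in the posted configuration with `userdb { driver = checkpassword  args = /usr/local/bin/dovecot-localuser-lookup }`, keeping the sql userdb before it so virtual users are matched first and the script only sees recipients that fell through. auth_username_format stays at %Lu. This covers the userdb side that LMTP delivery uses; as Timo says, the PAM passdb used for IMAP/POP logins still receives user@domain, and stripping the domain there needs passdb checkpassword instead. Recipients resolving to a uid below MIN_UID (root, daemon users) are reported as nonexistent rather than delivered to.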
