Discussion:
Unable to get virtual users set up with database auth
Cliff Hayes
2014-10-16 05:29:55 UTC
I can't seem to get IMAP virtual users to work with database
authentication on a new Scientific Linux 6.5 server with Sendmail 8.14.4 &
Dovecot 2.0.9.
Apparently I have to also create system users because
sendmail/procmail/dovecot want to check directory ownership.
So I created a database, made an entry for the user, and created the user
chayes on the system.
But %u always contains just chayes instead of chayes at domain.tld even
though I tried different select statements to put the entire username in
the username field.
This causes the following errors:

Oct 16 00:10:26 avalon sendmail[2536]: s9G5APo9002535: forward
/var/spool/mail/chayes at domain.tld/chayes/.forward.avalon: Group writable
directory
Oct 16 00:10:26 avalon sendmail[2536]: s9G5APo9002535: forward
/var/spool/mail/chayes at domain.tld/chayes/.forward: Group writable directory
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: Effective uid=497,
gid=497, home=/var/spool/mail/chayes at domain.tld/chayes
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: Home dir not found:
/var/spool/mail/chayes at domain.tld/chayes
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: Namespace :
type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes,
subscriptions=yes
location=mbox:/var/spool/mail/chayes:INBOX=/var/spool/mail/chayes
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: fs:
root=/var/spool/mail/chayes, index=, control=, inbox=/var/spool/mail/chayes
Oct 16 00:10:26 avalon dovecot: lda(chayes): Error: user chayes:
Initialization failed: Namespace '': mbox: mbox root directory can't be
a file: /var/spool/mail/chayes (http://wiki.dovecot.org/MailLocation/Mbox)
Oct 16 00:10:26 avalon dovecot: lda(chayes): Fatal: Invalid user
settings. Refer to server log for more information.

protocols = imap

mail_location = mbox:/var/spool/mail/%u:INBOX=/var/spool/mail/%u

password_query = SELECT uNameDomain as username, uDomain as domain,
uPass as password FROM users WHERE uName = '%n' AND uDomain = '%d'
also tried
password_query = SELECT uName as username, uDomain as domain, uPass as
password FROM users WHERE uName = '%n' AND uDomain = '%d'

# file: /etc/procmailrc
# system-wide settings for procmail
SHELL="/bin/bash"
SENDMAIL="/usr/sbin/sendmail -oi -t"
LOGFILE="/var/log/procmail.log"
DROPPRIVS=yes
DELIVER="/usr/libexec/dovecot/deliver"
#MAILDIR=$HOME/
#DEFAULT=$HOME/
:0 w
* ^X-Spam-Status: Yes
| $DELIVER -m spam
:0 w
| $DELIVER

Thanks in advance
Steffen Kaiser
2014-10-16 15:45:26 UTC
But %u always contains just chayes instead of chayes at domain.tld even though I
tried different select statements to put the entire username in the username
field.
mail_location = mbox:/var/spool/mail/%u:INBOX=/var/spool/mail/%u
password_query = SELECT uNameDomain as username, uDomain as domain, uPass as
^^^^^^ From
http://wiki2.dovecot.org/PasswordDatabase username should read just user.
Whereas: "username: Like user, but doesn't drop existing domain name
(e.g. "username=foo" for "user at domain" gives "foo at domain"). "
password FROM users WHERE uName = '%n' AND uDomain = '%d'
--
Steffen Kaiser
Cliff Hayes
2014-10-16 16:06:30 UTC
I tried both ways with the same result.
I tried just returning the username as well.
Gedalya
2014-10-16 16:12:59 UTC
Since you have to use system users, why don't you just use that? Why use
SQL?
Post by Cliff Hayes
I tried both ways with same result.
I tried just returning the username as well.
Gedalya
2014-10-16 16:24:18 UTC
Well, I don't want to use system users, but how do I assign a UID and
GID to virtual users to eliminate the permissions errors?
For dovecot, it is like this:
http://wiki2.dovecot.org/AuthDatabase/SQL#User_database_lookups

I don't know if this would be OK with your sendmail side.

You should really post your complete dovecot config (dovecot -n output +
any ".ext" files) so that we can get a better picture.
Gedalya
2014-10-16 17:46:19 UTC
When you reply, try to make sure you reply to the list
(dovecot at dovecot.org), in Thunderbird you should have a Reply List
button, or just use reply to all.

btw I meant: the output of the 'dovecot -n' command, sorry :D

OK so, first of all, lda doesn't do any passdb lookup at all, only
userdb. It doesn't have any password to check.

Just as a comment, your password query could just as well be:

password_query = SELECT uPass as password FROM users WHERE uName = '%n'
AND uDomain = '%d'

auth_username_format = %Lu -- which I believe is set by default, would
lowercase the username for you on the way in from the client, so if all
your usernames are meant to be purely lowercase, there is no need to
return these fields from the database. Set it explicitly just to be
sure. You're using a somewhat old version, I'm not sure how it was back
then. Either way, this shouldn't be affecting lda.

Now, this seems to be wrong.

mail_location = mbox:/var/spool/mail/%u:INBOX=/var/spool/mail/%u

You probably want it more like:
mbox:~/mail:INBOX=/var/spool/mail/%u

The first value, ~/mail, will be a /mail directory under the 'home'
directory set in your static userdb, and that's where mailboxes
(folders) other than INBOX will be stored. It must be a directory, not a
file!

I'm a little confused about some of the other details in your log. Let's
try to correct your mail_location first and see where that takes us.

Also, under namespace, you might as well comment out the 'location = '
and 'prefix = ' lines, though I'm not sure it matters.
[root at avalon dovecot]# dovecot -n output
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-431.29.2.el6.x86_64 x86_64 Scientific Linux release
6.5 (Carbon) ext4
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
first_valid_uid = 496
mail_access_groups = mail
mail_debug = yes
mail_location = mbox:/var/spool/mail/%u:INBOX=/var/spool/mail/%u
mbox_write_locks = fcntl
namespace {
hidden = no
inbox = yes
list = yes
location =
prefix =
separator = .
subscriptions = yes
type = private
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
protocols = imap
ssl_ca = </etc/pki/dovecot/certs/intermediate.crt
ssl_cert = </etc/pki/dovecot/certs/avalon20140929.crt
ssl_key = </etc/pki/dovecot/private/avalon20140929.key
userdb {
args = uid=497 gid=12 home=/var/email/%u
driver = static
}
verbose_ssl = yes
protocol imap {
imap_id_log = *
}
[root at avalon dovecot]# cat dovecot-sql.conf.ext
driver = mysql
default_pass_scheme = PLAIN
connect = host=localhost dbname=email user=blah password=blah
password_query = SELECT uName as user, uNameDomain as username,
uDomain as domain, uPass as password FROM users WHERE uName = '%n' AND
uDomain = '%d'
Steffen Kaiser
2014-10-17 07:09:14 UTC
Post by Gedalya
btw I meant: the output of the 'dovecot -n' command
OK so, first of all, lda doesn't do any passdb lookup at all, only userdb. It
doesn't have any password to check.
Gedalya is correct.
Post by Gedalya
Post by Cliff Hayes
mail_location = mbox:/var/spool/mail/%u:INBOX=/var/spool/mail/%u
This makes no sense: either /var/spool/mail/%u is your mail root or it is your INBOX.
Post by Gedalya
Post by Cliff Hayes
mbox_write_locks = fcntl
namespace {
hidden = no
inbox = yes
list = yes
location =
prefix =
comment them out
Post by Gedalya
Post by Cliff Hayes
separator = .
subscriptions = yes
type = private
}
passdb {
args = /etc/dovecot/dovecot-sql.conf.ext
driver = sql
}
userdb {
args = uid=497 gid=12 home=/var/email/%u
driver = static
}
Oct 16 00:10:26 avalon sendmail[2536]: s9G5APo9002535: forward /var/spool/mail/chayes at domain.tld/chayes/.forward.avalon: Group writable directory
Oct 16 00:10:26 avalon sendmail[2536]: s9G5APo9002535: forward /var/spool/mail/chayes at domain.tld/chayes/.forward: Group writable directory
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: Effective uid=497, gid=497, home=/var/spool/mail/chayes at domain.tld/chayes
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: Home dir not found: /var/spool/mail/chayes at domain.tld/chayes
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: Namespace : type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes, subscriptions=yes
location=mbox:/var/spool/mail/chayes:INBOX=/var/spool/mail/chayes
Oct 16 00:10:26 avalon dovecot: lda(chayes): Debug: fs: root=/var/spool/mail/chayes, index=, control=, inbox=/var/spool/mail/chayes
Both sendmail and deliver use a non-existent home directory of user chayes.
The last log line then has the values from your config.

It looks like:

a) /etc/passwd contains wrong values for "home"; you need a home directory, which must differ from the mail root

b) you start Dovecot LDA _without_ the -d option and not as root, which means that the LDA does not query the userdb but relies on the environment variables. See http://wiki2.dovecot.org/LDA

c) Did you configure sendmail to pass the domain on to the LDA?

====

Please tell us:

0) do you run sendmail in a multi-domain setup with system users?
1) what's the home directory for chayes,
2) what's the mail root and mailbox format for chayes,
3) what's the location of the INBOX of chayes,
4) what's the system user (name, uid & gid, other /etc/passwd data) the procmail script runs under.

--
Steffen Kaiser
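To make the two points of this thread concrete (Gedalya's mail_location fix and Steffen's note that a bare system username reaches the LDA when deliver runs without -d), here is an added example; it is not Dovecot's code and not something posted in the thread. It implements the %-variable expansion for just the variables used on this page and checks the expanded mbox layout for the failure modes the logs show; the home directory paths are constructed from the thread's values.

```python
"""Expand the Dovecot %-variables seen in this thread and check the resulting
mbox layout. Added example, not Dovecot code: only %u, %n, %d, %h and the
%L/%U modifiers are implemented."""
import re

# The mail_location from the original post and the one Gedalya suggested.
BROKEN = "mbox:/var/spool/mail/%u:INBOX=/var/spool/mail/%u"
RECOMMENDED = "mbox:~/mail:INBOX=/var/spool/mail/%u"

_VAR = re.compile(r"%([LU]?)([undh])")

def expand(template, user, home):
    """%u = full user, %n = part before '@', %d = domain, %h = home; a %L or
    %U modifier changes case. A leading '~' is the userdb home directory."""
    name, _, domain = user.partition("@")
    values = {"u": user, "n": name, "d": domain, "h": home}

    def repl(match):
        mod, var = match.groups()
        value = values[var]
        if mod == "L":
            return value.lower()
        return value.upper() if mod == "U" else value

    expanded = _VAR.sub(repl, template)
    return home + expanded[1:] if expanded.startswith("~") else expanded

def mbox_layout(mail_location, user, home):
    """Return the expanded (root, INBOX) pair of an mbox mail_location."""
    fmt, _, rest = mail_location.partition(":")
    if fmt != "mbox":
        raise ValueError("only mbox locations are handled here")
    root, *opts = rest.split(":")
    inbox = next((o[len("INBOX="):] for o in opts if o.startswith("INBOX=")), None)
    return expand(root, user, home), (expand(inbox, user, home) if inbox else None)

def layout_problems(mail_location, user, home):
    """Flag the two misconfigurations behind the thread's log lines: the mbox
    root expanding to the INBOX file ("mbox root directory can't be a file"),
    and a %u that lost its domain because the LDA got a bare system user."""
    root, inbox = mbox_layout(mail_location, user, home)
    problems = []
    if inbox is not None and root == inbox:
        problems.append("mbox root equals INBOX path; the root must be a directory")
    if "@" not in user:
        problems.append("%u carries no domain; the LDA was given a bare system user")
    return problems

if __name__ == "__main__":
    # Constructed sample: the bare name procmail's environment hands to deliver
    # (run without -d) versus a user looked up with its domain intact.
    for user in ("chayes", "chayes@domain.tld"):
        for loc in (BROKEN, RECOMMENDED):
            print(user, loc, layout_problems(loc, user, "/var/email/" + user))
```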

Cliff Hayes
2014-10-16 16:12:22 UTC
ok I tried this as the query:

password_query = SELECT uName as user, uNameDomain as username, uDomain
as domain, uPass as password FROM users WHERE uName = '%n' AND uDomain =
'%d'

and it is still putting mail in /var/spool/mail/chayes and erroring trying
to look in chayes at domain.tld/chayes instead of
/var/spool/mail/chayes at domain.tld

Oct 16 11:09:22 avalon sendmail[5047]: s9GG9KVV005046: forward
/var/spool/mail/chayes at domain.tld/chayes/.forward.avalon: Group writable
directory
Oct 16 11:09:22 avalon sendmail[5047]: s9GG9KVV005046: forward
/var/spool/mail/chayes at domain.tld/chayes/.forward: Group writable directory
Oct 16 11:09:22 avalon dovecot: lda(chayes): Debug: Effective uid=497,
gid=497, home=/var/spool/mail/chayes at domain.tld/chayes
Oct 16 11:09:22 avalon dovecot: lda(chayes): Debug: Home dir not found:
/var/spool/mail/chayes at domain.tld/chayes
Oct 16 11:09:22 avalon dovecot: lda(chayes): Debug: Namespace :
type=private, prefix=, sep=., inbox=yes, hidden=no, list=yes,
subscriptions=yes
location=mbox:/var/spool/mail/chayes:INBOX=/var/spool/mail/chayes
Oct 16 11:09:22 avalon dovecot: lda(chayes): Debug: fs:
root=/var/spool/mail/chayes, index=, control=, inbox=/var/spool/mail/chayes
Oct 16 11:09:22 avalon dovecot: lda(chayes): Error: user chayes:
Initialization failed: Namespace '': mbox: mbox root directory can't be
a file: /var/spool/mail/chayes (http://wiki.dovecot.org/MailLocation/Mbox)
Oct 16 11:09:22 avalon dovecot: lda(chayes): Fatal: Invalid user
settings. Refer to server log for more information.