Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
So this should allow postfix to piggyback on top of whatever dovecot auth 
is being used.


On Thursday, December 8, 2022 4:49:06 AM AKST, Shawn Heisey wrote:

On 12/7/22 21:53, Henry R wrote:

Can Dovecot run as a general SASL service for other apps, such as WebDAV?


I am using dovecot to provide authentication for postfix 
submission.  This is the config in postfix:


smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth

In /etc/dovecot/conf.d/10-master.conf I have this:

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

If the application supports using a socket for sasl, then I 
would imagine that Dovecot should work.


Postfix is using the same postfixadmin database for email 
addresses that Dovecot is, but for authentication, it's all 
Dovecot.


I should probably look into Dovecot's submission support so I 
don't need to have postfix using that auth socket, just haven't 
found the time.


Thanks,
Shawn





--
https://justina.abeja.colmena.biz/


Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz

https://doc.dovecot.org/configuration_manual/authentication/sql/#password-verification-by-sql-server

Perfect. However, on Postfix it is more finicky.

https://www.postfix.org/SASL_README.html#auxprop_sql

Tip
If you must store encrypted passwords, you cannot use the sql auxprop plugin. Instead, 
see section "Using saslauthd with PAM", and configure PAM to look up the 
encrypted passwords with, for example, the pam_mysql module. You will not be able to use 
any of the methods that require access to plaintext passwords, such as the shared-secret 
methods CRAM-MD5 and DIGEST-MD5.


On Thursday, December 8, 2022 10:17:11 AM AKST, Alessio Cecchi wrote:

Yes,

We are using Dovecot, also, for SASL only as an authentication provider.

Here are some relevant parts of the configuration:

# probably not necessary but dovecot requires it so I set it to /tmp/

mail_location = maildir:/tmp/%u/Maildir:INDEX=memory

# setup a mysql database with your users and password
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

# here is the most important part, with this you can query SASL 
via port "12345" or via a socket

service auth {
  inet_listener {
    port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

# SASL doesn't support SSL
ssl = no

Ciao

Il 08/12/22 05:53, Henry R ha scritto:

Can Dovecot run as a general SASL service for other apps, such as WebDAV?

Thanks.






Re: sasl service for other app

2022-12-08 Thread Michael Peddemors

On 2022-12-07 20:53, Henry R wrote:

Can Dovecot run as a general SASL service for other apps, such as WebDAV?

Thanks.


Almost anything can use dovecot (or any other system) as an 
authentication SASL service, but it is the 'gotchas' that you have to 
think about.


* Does this open your SASL mechanism to new brute force attacks?
* How do you pass additional information to the SASL, e.g. country of origin, IP address?
* How do you pass 2FA through?
* Rate limiting?
* What about policies such as the use of TOR proxies?
* Will this create excessive demand on dovecot?

On the surface, the authentication part is the most simple.
However, you might want to consider connecting directly to the 
underlying mechanism that your dovecot is using.  With a middle layer of 
course, that addresses all of the other issues.




--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

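The Postfix settings and the `service auth` listeners posted earlier in this thread show the Dovecot side of the arrangement; what a third application has to do with that socket is not spelled out. The client below is an added example, not code from this thread, from Dovecot or from Postfix. It speaks Dovecot's auth client protocol (the same TAB-separated, line-based exchange Postfix runs over private/auth) to authenticate a user with SASL PLAIN, so a WebDAV server or similar could reuse the same passdb. The user "alice", the service name "webdav", the remote address 203.0.113.7 and the stand-in server that lets it run offline over a socketpair are all my assumptions; against a real Dovecot you would connect to the unix socket or to the inet_listener port from the thread instead. Two of the gotchas raised above are visible in it: Dovecot keys its authentication penalty on the rip= field the client reports, so a client that omits it gives up that brute-force slowdown, and the exchange is plaintext and TAB-delimited, which is why a socket with mode 0666 (or an inet_listener reachable beyond localhost) hands every local account a password-checking oracle, and why caller-supplied fields must be validated before they go on the wire.

```python
import base64
import os
import socket
import threading
from typing import Dict, Optional, Tuple

# Added example. Dovecot's auth client protocol: TAB-separated lines; the
# SASL PLAIN response travels base64-encoded in the resp= field.


def plain_initial_response(user: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN (RFC 4616): base64(authzid NUL authcid NUL password)."""
    raw = authzid.encode() + b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def build_auth_request(req_id: int, mech: str, service: str, resp: str,
                       rip: Optional[str] = None, lip: Optional[str] = None,
                       secured: bool = False) -> bytes:
    """Build the AUTH line. Fields are TAB-separated, so a value taken from an
    untrusted source (an IP copied from an HTTP header, say) must not be able
    to smuggle extra fields into the request."""
    for value in (mech, service, resp, rip or "", lip or ""):
        if "\t" in value or "\n" in value or "\0" in value:
            raise ValueError("TAB, LF and NUL are not allowed in protocol fields")
    fields = ["AUTH", str(req_id), mech, "service=" + service]
    if secured:
        fields.append("secured")
    if lip:
        fields.append("lip=" + lip)
    if rip:
        # Dovecot's auth penalty is tracked per rip=; omit it and every attempt
        # looks like it came from nowhere.
        fields.append("rip=" + rip)
    fields.append("resp=" + resp)
    return ("\t".join(fields) + "\n").encode()


def parse_reply(line: str) -> Tuple[str, int, Dict[str, str]]:
    """Parse an OK / FAIL / CONT reply into (status, request id, attributes)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 2 or parts[0] not in ("OK", "FAIL", "CONT"):
        raise ValueError("malformed reply: %r" % line)
    attrs: Dict[str, str] = {}
    for item in parts[2:]:
        key, _, value = item.partition("=")
        attrs[key] = value
    return parts[0], int(parts[1]), attrs


def authenticate(sock: socket.socket, user: str, password: str, service: str,
                 rip: Optional[str] = None, req_id: int = 1) -> Tuple[bool, str]:
    """One PLAIN authentication over a connected auth socket -> (ok, user or reason)."""
    reader = sock.makefile("rb")
    sock.sendall(b"VERSION\t1\t1\nCPID\t%d\n" % os.getpid())  # client handshake
    mechs = set()
    while True:  # server handshake: VERSION, MECH..., SPID, CUID, COOKIE, DONE
        line = reader.readline().decode()
        if not line:
            raise ConnectionError("auth socket closed during handshake")
        parts = line.rstrip("\n").split("\t")
        if parts[0] == "VERSION" and parts[1] != "1":
            raise RuntimeError("unsupported auth protocol major version " + parts[1])
        if parts[0] == "MECH":
            mechs.add(parts[1])
        if parts[0] == "DONE":
            break
    if "PLAIN" not in mechs:
        raise RuntimeError("server does not offer PLAIN")
    resp = plain_initial_response(user, password)
    sock.sendall(build_auth_request(req_id, "PLAIN", service, resp, rip=rip))
    status, reply_id, attrs = parse_reply(reader.readline().decode())
    if reply_id != req_id:
        raise RuntimeError("reply id %d does not match request id %d" % (reply_id, req_id))
    if status == "OK":
        return True, attrs.get("user", user)
    if status == "FAIL":
        return False, attrs.get("reason", "authentication failed")
    raise RuntimeError("unexpected CONT for a single-round PLAIN exchange")


def fake_dovecot_auth(sock: socket.socket, users: Dict[str, str]) -> None:
    """Constructed stand-in for Dovecot's auth service so the client runs
    offline; a real Dovecot consults its passdb instead of this dict."""
    reader = sock.makefile("rb")
    if not reader.readline().startswith(b"VERSION\t1\t"):
        sock.close()
        return
    reader.readline()  # CPID
    sock.sendall(b"VERSION\t1\t2\nMECH\tPLAIN\tplaintext\nSPID\t4242\nCUID\t1\n"
                 b"COOKIE\t" + b"0" * 32 + b"\nDONE\n")
    parts = reader.readline().decode().rstrip("\n").split("\t")
    req_id, attrs = parts[1], {}
    for item in parts[3:]:
        key, _, value = item.partition("=")
        attrs[key] = value
    _authzid, authcid, passwd = base64.b64decode(attrs["resp"]).split(b"\0", 2)
    verdict = "OK" if users.get(authcid.decode()) == passwd.decode() else "FAIL"
    sock.sendall(("%s\t%s\tuser=%s\n" % (verdict, req_id, authcid.decode())).encode())
    reader.close()
    sock.close()


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run a good and a bad password against the stand-in; keyed by password."""
    users = {"alice": "correct horse battery"}  # constructed account
    results = {}
    for attempt in ("correct horse battery", "wrong"):
        client, server = socket.socketpair()
        worker = threading.Thread(target=fake_dovecot_auth, args=(server, users))
        worker.start()
        try:
            results[attempt] = authenticate(client, "alice", attempt, "webdav", rip="203.0.113.7")
        finally:
            client.close()
            worker.join()
    return results


if __name__ == "__main__":
    print(demo())
```

To point it at a real listener, replace the socketpair with `socket.socket(socket.AF_UNIX)` connected to the auth socket path, or an AF_INET connection to the inet_listener port, and pass the caller's real remote address as rip=. Any application that does this is now a login endpoint for the mail users, so the rate limiting, 2FA and geo policy questions above apply to it just as much as to IMAP.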



Re: Seen Flags per User

2022-12-08 Thread Maurice Kunze

Hello,

Now I found another error. When I click on an email in the client, it is 
marked as read or unread when I mark it that way. Now when I change the 
folder and come back to the shared folder, the mail I just read is unread 
again. When I restart the mail client it will be displayed like it 
should be, but it always needs that restart of the mail client. I also 
tried 3 different mail clients to exclude the error from the mail client.



Am 08.12.22 um 10:58 schrieb Aki Tuomi:

Either configure mail_home, return home from LDAP, or use an absolute directory 
instead of %h.

I see you have mail_location which points to /var/mail/user; this makes 
everyone use the same location, unless you overwrite this in your LDAP query.

You could replace %h/public with /var/mail/user/%u/shared/public, I guess.

Aki


On 08/12/2022 11:56 EET Maurice Kunze  wrote:

  
Hey,



Thanks for the explanation. I implemented it but then I get the
following error in the logs:


Error: userdb didn't return a home directory, but location used it (%h):
maildir:/var/mail/public:INDEXPVT=%h/public

I authenticate the users via LDAP (Active Directory)

Am 08.12.22 um 10:28 schrieb Aki Tuomi:

location = maildir:/var/mail/public:INDEXPVT=%h/public

Probably works better. INDEXPVT needs to point to a *per-user* location. Now 
you're just sharing them with everyone.

Aki


On 08/12/2022 11:07 EET Maurice Kunze  wrote:

   
Hello,


I want to configure seen flags per user for shared public mailboxes in
Dovecot. I have added the INDEXPVT option to the location parameter in
the namespace and restarted the services and the server.
Unfortunately nothing changed and there are still global seen flags in
the configuration. In a post I read that I have to manually add some
files to the location, but this isn't specified in the documentation.

Below is the version we use and the config.

dovecot --version
2.3.13 (89f716dc2)

dovecot -n




Re: sasl service for other app

2022-12-08 Thread Shawn Heisey

On 12/7/22 21:53, Henry R wrote:

Can Dovecot run as a general SASL service for other apps, such as WebDAV?


I am using dovecot to provide authentication for postfix submission.  
This is the config in postfix:


smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth

In /etc/dovecot/conf.d/10-master.conf I have this:

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

If the application supports using a socket for sasl, then I would 
imagine that Dovecot should work.


Postfix is using the same postfixadmin database for email addresses that 
Dovecot is, but for authentication, it's all Dovecot.


I should probably look into Dovecot's submission support so I don't need 
to have postfix using that auth socket, just haven't found the time.


Thanks,
Shawn



Re: access dict in lua auth script

2022-12-08 Thread Tobias Florek

Getting back to the old topic.


It's not yet possible to get dict objects on demand in Lua scripts.


I assume it's also not possible to get a predefined dict in Lua 
`auth_passdb_lookup` functions.


Can this be added?  This will make using Lua for pass- and userdb, and 
event push notification more powerful.


Cheers,
 Tobi



Re: Seen Flags per User

2022-12-08 Thread Maurice Kunze

Hello,


thanks for that hint. I changed the path for our environment to 
/var/mail/user/%u/Maildir/shared/public

and now its working.


Thanks for helping.

Am 08.12.22 um 10:58 schrieb Aki Tuomi:

Either configure mail_home, return home from LDAP, or use an absolute directory 
instead of %h.

I see you have mail_location which points to /var/mail/user; this makes 
everyone use the same location, unless you overwrite this in your LDAP query.

You could replace %h/public with /var/mail/user/%u/shared/public, I guess.

Aki


On 08/12/2022 11:56 EET Maurice Kunze  wrote:

  
Hey,



Thanks for the explanation. I implemented it but then I get the
following error in the logs:


Error: userdb didn't return a home directory, but location used it (%h):
maildir:/var/mail/public:INDEXPVT=%h/public

I authenticate the users via LDAP (Active Directory)

Am 08.12.22 um 10:28 schrieb Aki Tuomi:

location = maildir:/var/mail/public:INDEXPVT=%h/public

Probably works better. INDEXPVT needs to point to a *per-user* location. Now 
you're just sharing them with everyone.

Aki


On 08/12/2022 11:07 EET Maurice Kunze  wrote:

   
Hello,


I want to configure seen flags per user for shared public mailboxes in
Dovecot. I have added the INDEXPVT option to the location parameter in
the namespace and restarted the services and the server.
Unfortunately nothing changed and there are still global seen flags in
the configuration. In a post I read that I have to manually add some
files to the location, but this isn't specified in the documentation.

Below is the version we use and the config.

dovecot --version
2.3.13 (89f716dc2)

dovecot -n




Re: Seen Flags per User

2022-12-08 Thread Aki Tuomi
Either configure mail_home, return home from LDAP, or use an absolute directory 
instead of %h.

I see you have mail_location which points to /var/mail/user; this makes 
everyone use the same location, unless you overwrite this in your LDAP query.

You could replace %h/public with /var/mail/user/%u/shared/public, I guess.

Aki

> On 08/12/2022 11:56 EET Maurice Kunze  wrote:
> 
>  
> Hey,
> 
> 
> Thanks for the explanation. I implemented it but then I get the 
> following error in the logs:
> 
> 
> Error: userdb didn't return a home directory, but location used it (%h): 
> maildir:/var/mail/public:INDEXPVT=%h/public
> 
> I authenticate the users via LDAP (Active Directory)
> 
> Am 08.12.22 um 10:28 schrieb Aki Tuomi:
> > location = maildir:/var/mail/public:INDEXPVT=%h/public
> >
> > Probably works better. INDEXPVT needs to point to a *per-user* location. 
> > Now you're just sharing them with everyone.
> >
> > Aki
> >
> >> On 08/12/2022 11:07 EET Maurice Kunze  wrote:
> >>
> >>   
> >> Hello,
> >>
> >> I want to configure seen flags per user for shared public mailboxes in
> >> Dovecot. I have added the INDEXPVT option to the location parameter in
> >> the namespace and restarted the services and the server.
> >> Unfortunately nothing changed and there are still global seen flags in
> >> the configuration. In a post I read that I have to manually add some
> >> files to the location, but this isn't specified in the documentation.
> >>
> >> Below is the version we use and the config.
> >>
> >> dovecot --version
> >> 2.3.13 (89f716dc2)
> >>
> >> dovecot -n
> > 


Re: Seen Flags per User

2022-12-08 Thread Maurice Kunze

Hey,


Thanks for the explanation. I implemented it but then I get the 
following error in the logs:



Error: userdb didn't return a home directory, but location used it (%h): 
maildir:/var/mail/public:INDEXPVT=%h/public


I authenticate the users via LDAP (Active Directory)

Am 08.12.22 um 10:28 schrieb Aki Tuomi:

location = maildir:/var/mail/public:INDEXPVT=%h/public

Probably works better. INDEXPVT needs to point to a *per-user* location. Now 
you're just sharing them with everyone.

Aki


On 08/12/2022 11:07 EET Maurice Kunze  wrote:

  
Hello,


I want to configure seen flags per user for shared public mailboxes in
Dovecot. I have added the INDEXPVT option to the location parameter in
the namespace and restarted the services and the server.
Unfortunately nothing changed and there are still global seen flags in
the configuration. In a post I read that I have to manually add some
files to the location, but this isn't specified in the documentation.

Below is the version we use and the config.

dovecot --version
2.3.13 (89f716dc2)

dovecot -n




Re: Question about line length limit in lmtp.

2022-12-08 Thread Gedalya
On 12/8/22 17:41, Aki Tuomi wrote:
> This is something that is usually handled automatically and does not affect 
> the mails you see in your MUA. The folding is done within the protocol.

Again, I find this statement quite strange. I'm not relying on any MUA when I 
say long lines appear to be kept unfolded in storage.

The scenario is an MTA e.g. exim delivering mail with long lines to dovecot 
LMTP. If you're saying I'm definitely wrong then I'd have to test again.

As for submission, are you saying that if a client is submitting mail with long 
lines, submission will fold the lines before passing it on? And this would make 
sense because DKIM signing occurs later?




Re: Question about line length limit in lmtp.

2022-12-08 Thread Aki Tuomi


> On 08/12/2022 11:39 EET Gedalya  wrote:
> 
>  
> On 12/8/22 17:29, Aki Tuomi wrote:
> > Dovecot LMTP and Submission enforce the RFC line length, which is 1000, 
> > including \r\n.
> 
> Can you elaborate on this?
> 
> I often get mail coming in from the wild with long lines and I find the most 
> practical approach is to pass it on to dovecot LMTP as is, and it just works, 
> and the message is stored with long lines, not folded.
> 
> I haven't tried dovecot's submission yet.
> 
> What exactly can you tell me about line length limits in LMTP and submission 
> and can it be configured?

This is something that is usually handled automatically and does not affect the 
mails you see in your MUA. The folding is done within the protocol.

Aki


Re: Question about line length limit in lmtp.

2022-12-08 Thread Gedalya
On 12/8/22 17:29, Aki Tuomi wrote:
> Dovecot LMTP and Submission enforce the RFC line length, which is 1000, 
> including \r\n.

Can you elaborate on this?

I often get mail coming in from the wild with long lines and I find the most 
practical approach is to pass it on to dovecot LMTP as is, and it just works, 
and the message is stored with long lines, not folded.

I haven't tried dovecot's submission yet.

What exactly can you tell me about line length limits in LMTP and submission 
and can it be configured?




Re: Question about line length limit in lmtp.

2022-12-08 Thread Aki Tuomi


> On 04/12/2022 18:25 EET Kamil Jońca  wrote:
> 
>  
> I have a postfix + dovecot server.
> Mail for local users is saved by dovecot lmtp.
> Recently I got some messages from postfix:
> 
> --8<---cut here---start->8---
> 4NQ07L4h4LztXXr: breaking line > 998 bytes with SPAC
> --8<---cut here---end--->8---
> 
> This is because postfix is configured with the default value of
> lmtp_line_length_limit (990).
> I can turn off this limit (set to 0) but I am curious if dovecot lmtp
> will accept such lengthy lines?
> Does dovecot lmtp have any line limits?
> 
> KJ
> 
> -- 
> http://stopstopnop.pl/stop_stopnop.pl_o_nas.html

Dovecot LMTP and Submission enforce the RFC line length, which is 1000, 
including \r\n.

Aki


Re: Seen Flags per User

2022-12-08 Thread Aki Tuomi
location = maildir:/var/mail/public:INDEXPVT=%h/public

Probably works better. INDEXPVT needs to point to a *per-user* location. Now 
you're just sharing them with everyone.

Aki

> On 08/12/2022 11:07 EET Maurice Kunze  wrote:
> 
>  
> Hello,
> 
> I want to configure seen flags per user for shared public mailboxes in 
> Dovecot. I have added the INDEXPVT option to the location parameter in 
> the namespace and restarted the services and the server.
> Unfortunately nothing changed and there are still global seen flags in 
> the configuration. In a post I read that I have to manually add some 
> files to the location, but this isn't specified in the documentation.
> 
> Below is the version we use and the config.
> 
> dovecot --version
> 2.3.13 (89f716dc2)
> 
> dovecot -n




Question about line length limit in lmtp.

2022-12-08 Thread Kamil Jońca


I have a postfix + dovecot server.
Mail for local users is saved by dovecot lmtp.
Recently I got some messages from postfix:

--8<---cut here---start->8---
4NQ07L4h4LztXXr: breaking line > 998 bytes with SPAC
--8<---cut here---end--->8---

This is because postfix is configured with the default value of
lmtp_line_length_limit (990).
I can turn off this limit (set to 0) but I am curious if dovecot lmtp
will accept such lengthy lines?
Does dovecot lmtp have any line limits?

KJ

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
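The replies in this thread quote the limit in two forms (1000 octets including CRLF in Dovecot LMTP and submission, 998 excluding it in the RFC) and the Postfix log line shows what an MTA does when a line exceeds its own lower lmtp_line_length_limit: it breaks the line and continues it after a space. The code below is an added example, not from this thread, from Postfix or from Dovecot. It finds the offending lines in a raw message and breaks them the way that log message describes. Header lines are folded at whitespace, which RFC 5322 permits and which unfolds back to the original bytes; body lines have no folding rule, so breaking them inserts a byte the recipient sees and, as the later reply about DKIM notes, changes the bytes a signature covers, which is why a gateway should do this before signing rather than after. The sample message, the 998 default and the MAX_LINE name are my own constructions.

```python
import re
from typing import List, Tuple

# Added example. RFC 5322 section 2.1.1: at most 998 octets per line, CRLF
# excluded (Dovecot's "1000 including CRLF" is the same number). Postfix's
# default lmtp_line_length_limit of 990 leaves slack below it.
MAX_LINE = 998


def long_lines(msg: bytes, limit: int = MAX_LINE) -> List[int]:
    """1-based numbers of the lines that exceed the limit. Accepts LF or CRLF."""
    return [n for n, line in enumerate(re.split(rb"\r?\n", msg), 1) if len(line) > limit]


def fold_line(line: bytes, limit: int, is_header: bool) -> List[bytes]:
    """Split one over-long line into pieces of at most `limit` octets.

    Header: cut at the last WSP before the limit so the continuation begins
    with that WSP; concatenating the pieces reproduces the original (RFC 5322
    unfolding). Body, or a header with no WSP to fold at: cut hard at the
    limit and start the remainder with a space, which is what the Postfix
    "breaking line > N bytes with SPACE" message describes. That space is a
    new byte in the message, visible to the reader and to DKIM."""
    pieces = []
    while len(line) > limit:
        cut, folded = limit, False
        if is_header:
            wsp = max(line.rfind(b" ", 1, limit), line.rfind(b"\t", 1, limit))
            if wsp > 0:
                cut, folded = wsp, True
        pieces.append(line[:cut])
        line = line[cut:] if folded else b" " + line[cut:]
    pieces.append(line)
    return pieces


def fold_message(msg: bytes, limit: int = MAX_LINE) -> Tuple[bytes, List[int]]:
    """Return (message with CRLF endings and no line over `limit`, numbers of
    the input lines that had to be broken). The header/body boundary is the
    first empty line, as in RFC 5322."""
    out, broken, in_headers = [], [], True
    for n, line in enumerate(re.split(rb"\r?\n", msg), 1):
        if in_headers and line == b"":
            in_headers = False
        if len(line) > limit:
            broken.append(n)
            out.extend(fold_line(line, limit, in_headers))
        else:
            out.append(line)
    return b"\r\n".join(out), broken


# Constructed sample: a Subject that can be folded at whitespace and a
# 2500-octet body line with no whitespace at all (a base64 blob or a long URL
# looks like this on the wire).
SAMPLE_SUBJECT = b"Subject: " + b" ".join([b"word"] * 300)
SAMPLE_BODY = b"a" * 2500
SAMPLE = (b"From: a@example.org\r\n" + SAMPLE_SUBJECT + b"\r\nTo: b@example.org\r\n"
          b"\r\nshort line\r\n" + SAMPLE_BODY + b"\r\n")

if __name__ == "__main__":
    print("over-long lines:", long_lines(SAMPLE))
    folded, broken = fold_message(SAMPLE)
    print("broke lines", broken, "-> remaining over-long lines:", long_lines(folded))
```

Running `long_lines` on what your MTA hands to LMTP, or on what LMTP stores, is the quickest way to settle the question raised later in this thread about whether long lines survive delivery unfolded; the folding half is what you would apply at the submission or gateway hop if you choose to enforce the limit there.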


Seen Flags per User

2022-12-08 Thread Maurice Kunze

Hello,

I want to configure seen flags per user for shared public mailboxes in 
Dovecot. I have added the INDEXPVT option to the location parameter in 
the namespace and restarted the services and the server.
Unfortunately nothing changed and there are still global seen flags in 
the configuration. In a post I read that I have to manually add some 
files to the location, but this isn't specified in the documentation.


Below is the version we use and the config.

dovecot --version
2.3.13 (89f716dc2)

dovecot -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-17-amd64 x86_64 Debian 11.4 ext4
# Hostname: 
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
mail_debug = yes
mail_gid = vmail
mail_location = maildir:/var/mail/user
mail_plugins = acl
mail_privileged_group = vmail
mail_uid = vmail
namespace {
  list = yes
  location = maildir:/var/mail/public:INDEXPVT=/var/mail/public
  prefix = public/
  separator = /
  subscriptions = no
  type = public
}
namespace {
  list = yes
  location = maildir:/var/mail/user/%u/Maildir:INDEX=/var/mail/user/%u/shared/%u:CONTROL=/var/mail/user/%u/shared/%u
  prefix = shared/%%u/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = /
  subscriptions = yes
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  acl = vfile
  acl_anyone = allow
  acl_shared_dict = file:/var/mail/database/shared-mailboxes.db
}
protocols = " imap"
service stats {
  unix_listener stats-reader {
    group = vmail
    mode = 0660
    user = vmail
  }
  unix_listener stats-writer {
    group = vmail
    mode = 0660
    user = vmail
  }
}
ssl_cert = 

Re: sasl service for other app

2022-12-08 Thread justina colmena ~biz
I suppose. Essentially create a database table and supply a custom SQL 
query for authentication. Program a PHP web form with a token to reset user 
password with a recovery email, etc. Postgres/nginx should be just as easy 
as mysql/apache. -- 


On Wednesday, December 7, 2022 10:48:27 PM AKST, Robert Schetterer wrote:

Am 08.12.22 um 06:14 schrieb justina colmena ~biz:

On Wednesday, December 7, 2022 7:53:43 PM AKST, Henry R wrote:

Can Dovecot run as a general SASL service for other apps, such as WebDAV?

Thanks.


For some reason I use cyrus-sasl with postfix, but I can't get 
it to work with dovecot. Ideas? Pointers to docs online?


Usually it's easier to configure dovecot and postfix with a 
database like mysql; mysql auth with e.g. apache should be easy 
then