very intrigued by your solution Timo, have attempted something similar in the past to no avail.
When I tried I was unable to retain the user@domain when setting the domain as extra field - protected is new to me and can't find documentation - but also doesn't work :( # cat passwd.domains 10.100.1.1:::::::domain:protected=foo.org 10.100.1.2:::::::domain:protected=bar.org # cat imap.passwd u...@bar.org:{plain}password:::::: u...@foo.org:{plain}password:::::: dovecot.conf: passdb { args = username_format=%l /etc/dovecot/passwd.domains default_fields = nopassword=y driver = passwd-file result_success = continue } passdb { args = scheme=plain-md5 username_format=%u /etc/dovecot/imap.passwd driver = passwd-file } 1. user without domain localip 10.100.1.1 - adds foo.org: # doveadm auth lookup -x lip=10.100.1.1 user passdb: user user : u...@foo.org 2. user without domain localip 10.100.1.2 - adds bar.org # doveadm auth lookup -x lip=10.100.1.2 user passdb: user user : u...@bar.org 3. user WITH domain bar.org on localip 10.100.1.1 - still adds foo.org??? # doveadm auth lookup -x lip=10.100.1.1 u...@bar.org passdb: u...@bar.org user : u...@foo.org Is the protected suffix supposed protect domain and not change it here? On Sun, Feb 21, 2016 at 1:20 PM Timo Sirainen <t...@iki.fi> wrote: > How about: > > passdb { > driver = passwd-file > args = username_format=%l /etc/dovecot/passwd.domains > result_success = continue > } > > passdb { > .. the real passdb for authentication .. > } > > Where /etc/dovecot/passwd.domains contains: > > 10.0.0.100:::::domain=foo.org > 10.0.0.101:::::domain=bar.org > > So the first passdb lookup would set the domain based on IP and then > continue for the actual authentication. Or if you don't want it to override > an explicit user@domain authentication, this should also work: > > 10.0.0.100:::::domain:protected=foo.org > 10.0.0.101:::::domain:protected=bar.org > > Not tested, but should work I think. At least with new enough Dovecot > versions. > > > On 19 Feb 2016, at 23:10, Gabriel L. Somlo <gso...@gmail.com> wrote: > > > > On Fri, Feb 19, 2016 at 08:41:15AM +0100, Steffen Kaiser wrote: > >>> I'm trying to allow domain-less logins for a multi-domain virtual IMAP > >>> server, and wondering if I can automatically infer the domain (value of > >>> variable %d) from the local IP (%l) or the hostname used by the client > >>> when connecting to my server. > >>> > >>> Let's say I have two host names: mail.foo.org (10.0.0.100) and > >>> mail.bar.com (10.0.0.200), with forward and reverse DNS configured to > >>> resolve A and PTR records in either direction. > >>> > >>> Let's also say I have 10.0.0.100 and 10.0.0.200 set up as secondaries > >>> on my server's loopback interface, and routing is set up to bring > client > >>> traffic to me for both of those IP addresses. > >> > >> Hm, it should be possible like so: > >> > >> 1) keep the file you have now as 2nd passdb, in order to let your users > >> login like now from anywhere > >> > >>> us...@foo.org:{PLAIN}user1foo > >> > >> 2) from this file create another passwd-file with ExtraField via script > / > >> cron jobs, that defines > >> > >> user1@10.0.0.100:{PLAIN}user1foo:::::user=us...@foo.org > >> > >> see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields > >> > >> Maybe allow_nets could limit the clients further. > >> > >> Then add another passdb section pointing to that file using > >> username_format=%n@%l > >> > >> http://wiki2.dovecot.org/AuthDatabase/PasswdFile > >> > >> That will map domain-less logins to full mail addresses, which in turn > sets > >> %d, too. > > > > That *almost* worked :) > > > > I now have > > > > passdb { > > driver = passwd-file > > args = username_format=%n@%l /var/lib/topgen/etc/postfix/users > > } > > > > pointing to a "users" file with entries such as > > > > user1@10.0.0.100:{PLAIN}user1foo:::::user=us...@foo.org > > > > The only trouble is, %d does not get set; I get new "user1" and > > "user2" folders created directly under /var/lib/vmail/, which > > indicates the %d portion is equal to the empty string. > > > > I also tried > > > > user1@111.0.10.10:{PLAIN}tartans1:::::domain=foo.org > > > > which the PasswordDatabase wiki page says should override %d, but > > still no luck... > > > > Thanks for the pointer though, now that I read the relevant bits of > > documentation it feels like I'm really close, and this *should* work. > > I'm still either missing something, or tickling a bug (probably the > > former :) > > > > Thanks, > > --Gabriel > > > >> > >>> > >>> The relevant bits of my dovecot.conf are: > >>> > >>> ---%<------------------------------------------------------------------ > >>> mail_location = maildir:/var/lib/vmail/%d/%n > >>> passdb { > >>> driver = passwd-file > >>> args = /var/lib/vmail/etc/postfix/userdb > >>> } > >>> userdb { > >>> driver = static > >>> args = uid=dovenull gid=dovenull home=/var/lib/vmail/%d/%n > >>> } > >>> ---%<------------------------------------------------------------------ > >>> > >>> And my userdb passwd-file right now includes: > >>> > >>> ---%<------------------------------------------------------------------ > >>> us...@foo.org:{PLAIN}user1foo > >>> us...@foo.org:{PLAIN}user2foo > >>> us...@bar.com:{PLAIN}user1bar > >>> us...@bar.com:{PLAIN}user2bar > >>> ---%<------------------------------------------------------------------ > >>> > >>> Right now, us...@foo.org must configure their imap client like so: > >>> > >>> IMAP server: mail.foo.org > >>> username: us...@foo.org > >>> password: user1foo > >>> > >>> I would like to require this (and other) users to only have to set: > >>> > >>> IMAP server: mail.foo.org > >>> username: user1 > >>> password: ... > >>> > >>> and have dovecot somehow infer the "@foo.org" domain based on the fact > >>> that the connection was made to 10.0.0.100, which is mail.foo.org, and > >>> therefore the domain can *only* be "@foo.org". > >>> > >>> I could start out by splitting my user database into two files: > >>> > >>> userdb.foo.org > >>> ---%<------------------------------------------------------------------ > >>> user1:{PLAIN}user1foo > >>> user2:{PLAIN}user2foo > >>> ---%<------------------------------------------------------------------ > >>> > >>> userdb.bar.com > >>> ---%<------------------------------------------------------------------ > >>> user1:{PLAIN}user1bar > >>> user2:{PLAIN}user2bar > >>> ---%<------------------------------------------------------------------ > >>> > >>> ... then modify dovecot.conf's passdb setup like so: > >>> > >>> ---%<------------------------------------------------------------------ > >>> passdb { > >>> driver = passwd-file > >>> args = /var/lib/vmail/etc/postfix/userdb.%d > >>> } > >>> ---%<------------------------------------------------------------------ > >>> > >>> ... but how would I insure that %d is set to the proper value based > >>> on e.g. a reverse lookup of %l, which, in foo.org's case would be > >>> 10.0.0.100, and resolve to mail.foo.org, and *somehow* that would > >>> match %d == "@foo.org" ? > >>> > >>> Is this even possible in the first place, or am I just being too fussy > >>> about the aesthetics of my users' imap client config files ? :) :) > >>> > >>> Thanks much, > >>> --Gabriel > >>> > >> > >> - -- Steffen Kaiser > >> -----BEGIN PGP SIGNATURE----- > >> Version: GnuPG v1 > >> > >> iQEVAwUBVsbHG3z1H7kL/d9rAQLzRggAoBVJDWXDakkqLD+Gye/9KjHvfcIFkf+5 > >> u3W7ZlPSvyePaAM8u0TDnIPJ15aeyO6XZbTTqB9iKQXzluCusvhNOUl14nVO4CjW > >> gJASzpo1Kc9moWW7sWXTF/MCO+O4zVSBtJWdVmJch80hQT8LJxG3jU45FJAd1Jj3 > >> j+Rso5vEtH3Qw8i1cePaRc6FpDQ+7wboUI53OVjSKJGXbsyK5MXJFhoyvOo8UnvU > >> KdbyFoGkYR4n3zaSrkwof6TrRqqgcGA2TUyeQIS8j+ArhDpi7ilOU6x904KK7LoE > >> Ff2CzskTaTwEyTW1DZgJzLPc38PzMv9PX7QNUhdPHLFnYrhrutOfww== > >> =CFD6 > >> -----END PGP SIGNATURE----- >