On 22/02/16 18:56, Steffen Kaiser wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 21 Feb 2016, Leon Kyneur wrote:Date: Sun, 21 Feb 2016 10:51:21 +0000 From: Leon Kyneur <l...@dexterous.org>To: Dovecot Mailing List <dovecot@dovecot.org>, Timo Sirainen <t...@iki.fi> Subject: Re: Automatically inferring %d on multi-domain virtual install ?very intrigued by your solution Timo, have attempted something similar inthe past to no avail.When I tried I was unable to retain the user@domain when setting the domain as extra field - protected is new to me and can't find documentation - butalso doesn't work :( # cat passwd.domains 10.100.1.1:::::::domain:protected=foo.org 10.100.1.2:::::::domain:protected=bar.org # cat imap.passwd u...@bar.org:{plain}password:::::: u...@foo.org:{plain}password:::::: dovecot.conf: passdb { args = username_format=%l /etc/dovecot/passwd.domainsWhat, if you use: args = username_format=%l@%d /etc/dovecot/passwd.domains and: 10.100.1.1@:::::::domain:protected=foo.org in the file ....
This works! Thankyou, this is a little simpler than my current fix which relies on SQL to make this work, and a series of %{domain_first} in later passdbs to ensure the right domain is being checked (it's ugly, believe me).
I still do not understand what 'protected' does though?
default_fields = nopassword=y driver = passwd-file result_success = continue } passdb { args = scheme=plain-md5 username_format=%u /etc/dovecot/imap.passwd driver = passwd-file } 1. user without domain localip 10.100.1.1 - adds foo.org: # doveadm auth lookup -x lip=10.100.1.1 user passdb: user user : u...@foo.org 2. user without domain localip 10.100.1.2 - adds bar.org # doveadm auth lookup -x lip=10.100.1.2 user passdb: user user : u...@bar.org3. user WITH domain bar.org on localip 10.100.1.1 - still adds foo.org???# doveadm auth lookup -x lip=10.100.1.1 u...@bar.org passdb: u...@bar.org user : u...@foo.org Is the protected suffix supposed protect domain and not change it here? On Sun, Feb 21, 2016 at 1:20 PM Timo Sirainen <t...@iki.fi> wrote:How about: passdb { driver = passwd-file args = username_format=%l /etc/dovecot/passwd.domains result_success = continue } passdb { .. the real passdb for authentication .. } Where /etc/dovecot/passwd.domains contains: 10.0.0.100:::::domain=foo.org 10.0.0.101:::::domain=bar.org So the first passdb lookup would set the domain based on IP and thencontinue for the actual authentication. Or if you don't want it to overridean explicit user@domain authentication, this should also work: 10.0.0.100:::::domain:protected=foo.org 10.0.0.101:::::domain:protected=bar.org Not tested, but should work I think. At least with new enough Dovecot versions.On 19 Feb 2016, at 23:10, Gabriel L. Somlo <gso...@gmail.com> wrote: On Fri, Feb 19, 2016 at 08:41:15AM +0100, Steffen Kaiser wrote:I'm trying to allow domain-less logins for a multi-domain virtual IMAP server, and wondering if I can automatically infer the domain (value of variable %d) from the local IP (%l) or the hostname used by the clientwhen connecting to my server. Let's say I have two host names: mail.foo.org (10.0.0.100) andmail.bar.com (10.0.0.200), with forward and reverse DNS configured toresolve A and PTR records in either direction.Let's also say I have 10.0.0.100 and 10.0.0.200 set up as secondarieson my server's loopback interface, and routing is set up to bringclienttraffic to me for both of those IP addresses.Hm, it should be possible like so:1) keep the file you have now as 2nd passdb, in order to let your userslogin like now from anywhereus...@foo.org:{PLAIN}user1foo2) from this file create another passwd-file with ExtraField via script/cron jobs, that defines user1@10.0.0.100:{PLAIN}user1foo:::::user=us...@foo.org see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields Maybe allow_nets could limit the clients further. Then add another passdb section pointing to that file using username_format=%n@%l http://wiki2.dovecot.org/AuthDatabase/PasswdFileThat will map domain-less logins to full mail addresses, which in turnsets%d, too.That *almost* worked :) I now have passdb { driver = passwd-file args = username_format=%n@%l /var/lib/topgen/etc/postfix/users } pointing to a "users" file with entries such as user1@10.0.0.100:{PLAIN}user1foo:::::user=us...@foo.org The only trouble is, %d does not get set; I get new "user1" and "user2" folders created directly under /var/lib/vmail/, which indicates the %d portion is equal to the empty string. I also tried user1@111.0.10.10:{PLAIN}tartans1:::::domain=foo.org which the PasswordDatabase wiki page says should override %d, but still no luck... Thanks for the pointer though, now that I read the relevant bits of documentation it feels like I'm really close, and this *should* work. I'm still either missing something, or tickling a bug (probably the former :) Thanks, --GabrielThe relevant bits of my dovecot.conf are:---%<------------------------------------------------------------------mail_location = maildir:/var/lib/vmail/%d/%n passdb { driver = passwd-file args = /var/lib/vmail/etc/postfix/userdb } userdb { driver = static args = uid=dovenull gid=dovenull home=/var/lib/vmail/%d/%n }---%<------------------------------------------------------------------And my userdb passwd-file right now includes:---%<------------------------------------------------------------------us...@foo.org:{PLAIN}user1foo us...@foo.org:{PLAIN}user2foo us...@bar.com:{PLAIN}user1bar us...@bar.com:{PLAIN}user2bar---%<------------------------------------------------------------------Right now, us...@foo.org must configure their imap client like so: IMAP server: mail.foo.org username: us...@foo.org password: user1foo I would like to require this (and other) users to only have to set: IMAP server: mail.foo.org username: user1 password: ...and have dovecot somehow infer the "@foo.org" domain based on the fact that the connection was made to 10.0.0.100, which is mail.foo.org, andtherefore the domain can *only* be "@foo.org". I could start out by splitting my user database into two files: userdb.foo.org---%<------------------------------------------------------------------user1:{PLAIN}user1foo user2:{PLAIN}user2foo---%<------------------------------------------------------------------userdb.bar.com---%<------------------------------------------------------------------user1:{PLAIN}user1bar user2:{PLAIN}user2bar---%<------------------------------------------------------------------... then modify dovecot.conf's passdb setup like so:---%<------------------------------------------------------------------passdb { driver = passwd-file args = /var/lib/vmail/etc/postfix/userdb.%d }---%<------------------------------------------------------------------... but how would I insure that %d is set to the proper value based on e.g. a reverse lookup of %l, which, in foo.org's case would be 10.0.0.100, and resolve to mail.foo.org, and *somehow* that would match %d == "@foo.org" ?Is this even possible in the first place, or am I just being too fussyabout the aesthetics of my users' imap client config files ? :) :) Thanks much, --Gabriel- -- Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEVAwUBVsbHG3z1H7kL/d9rAQLzRggAoBVJDWXDakkqLD+Gye/9KjHvfcIFkf+5 u3W7ZlPSvyePaAM8u0TDnIPJ15aeyO6XZbTTqB9iKQXzluCusvhNOUl14nVO4CjW gJASzpo1Kc9moWW7sWXTF/MCO+O4zVSBtJWdVmJch80hQT8LJxG3jU45FJAd1Jj3 j+Rso5vEtH3Qw8i1cePaRc6FpDQ+7wboUI53OVjSKJGXbsyK5MXJFhoyvOo8UnvU KdbyFoGkYR4n3zaSrkwof6TrRqqgcGA2TUyeQIS8j+ArhDpi7ilOU6x904KK7LoE Ff2CzskTaTwEyTW1DZgJzLPc38PzMv9PX7QNUhdPHLFnYrhrutOfww== =CFD6 -----END PGP SIGNATURE------ -- Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEVAwUBVsq/OHz1H7kL/d9rAQI0zAgAmJoE93zZ4qwc+xsJKuhGBIYIhyTZ7rmv 8i62HsBzznqxBf2r0OWd4QDmWuyPE+vD3jAsD4pZvrLvbSXbkTrLUxUJwDhxoRtT Ox37JS4y4LawGbeIbwvPkKOn6IuktGqZPEfj0PObuCcdjHwS3oETgRP3FUYIrqEq ujyK7l7VSq8idHqLYa+9SA2YunBeq+LVVskB8z50+ut764nQq/bcqT3gn7MXER5I KIUUzWsFJXFpEkhadxfarLz1sI0dXapbS1SpMgOZMG2MCr54pbClviy+CuvVBP4Q 8LSN9mLl3DFqa0vLHVrRrmOJNjRN4UUdQ4XFewkgjLvEJTNGiv4XlA== =Hbr4 -----END PGP SIGNATURE-----