Ah. You probably need to change the ldap userdb so that it looks like this:

# LDAP userdb, listed before the passwd-file userdb in the quoted doveconf output.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
  # On a successful LDAP lookup, keep the user marked as found but continue to
  # the next userdb block instead of stopping here, so that userdb can add its
  # own fields (here the per-user ACL settings) to the result.
  # Check with 'doveadm user <address>' that the extra fields show up only for
  # the intended account.
  result_success = continue-ok
}

so that the next userdb is processed as well after the LDAP lookup succeeds.

You can run 'doveadm user t...@onnet.ch' to verify that the attributes are
returned for this user, and run it with another username to verify that they are not.

Aki


On 07.08.2018 12:23, Simeon Ott wrote:
> … attached the dovecot -n, linked files, debug log lines during a
> standard client login
>
> root@buserver:/etc/dovecot/conf.d# doveconf -n
> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-6-amd64 x86_64 Debian 8.11 
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> debug_log_path = syslog
> disable_plaintext_auth = no
> info_log_path = syslog
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
> mail_debug = yes
> mail_gid = 5000
> mail_location = maildir:~/Maildir
> mail_plugins = zlib quota acl
> mail_uid = 5000
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date ihave
> namespace {
>   hidden = no
>   ignore_on_failure = no
>   inbox = no
>   list = children
>   location = maildir:%%h/Maildir:INDEX=%h/shared/%%u:CONTROL=%h/shared/%%u
>   prefix = shared/%%u/
>   separator = /
>   subscriptions = yes
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   location = 
>   mailbox Drafts {
>     auto = subscribe
>     special_use = \Drafts
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Spam {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Trash {
>     auto = subscribe
>     special_use = \Trash
>   }
>   prefix = 
>   separator = /
>   type = private
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   driver = ldap
> }
> plugin {
>   acl = vfile
>   acl_shared_dict = file:/var/spool/postfix/virtual/shared-mailboxes
>   quota = maildir:User quota
>   quota_exceeded_message = 4.2.2 Mailbox full
>   quota_rule = *:storage=1G
>   quota_rule2 = INBOX.Trash:storage=+100M
>   quota_rule3 = INBOX.Spam:ignore
>   quota_warning = storage=95%% quota-warning 95 %u
>   sieve = ~/.dovecot.sieve
>   sieve_before = /var/lib/dovecot/sieve/default.sieve
>   sieve_dir = ~/sieve
>   sieve_max_actions = 32
>   sieve_max_redirects = 4
>   sieve_max_script_size = 1M
>   sieve_quota_max_scripts = 0
>   sieve_quota_max_storage = 0
> }
> protocols = " imap lmtp sieve pop3"
> service auth {
>   group = dovecot
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-master {
>     group = vmail
>     mode = 0666
>     user = vmail
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0666
>     user = vmail
>   }
>   user = dovecot
> }
> service lmtp {
>   unix_listener lmtp {
>     mode = 0666
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
>     port = 4190
>   }
>   inet_listener sieve_deprecated {
>     port = 2000
>   }
>   process_min_avail = 0
>   service_count = 1
>   vsz_limit = 64 M
> }
> ssl = no
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf
>   driver = ldap
> }
> userdb {
>   args = username_format=%Lu /etc/dovecot/share.passwd
>   driver = passwd-file
> }
> protocol lmtp {
>   mail_plugins = zlib quota acl sieve
> }
> protocol lda {
>   auth_socket_path = /var/run/dovecot/auth-master
>   deliver_log_format = msgid=%m: %$
>   mail_plugins = zlib quota acl sieve
>   postmaster_address = postmas...@onnet.ch
> }
> protocol imap {
>   mail_plugins = zlib quota acl imap_quota imap_acl
> }
> protocol sieve {
>   info_log_path = /var/log/sieve.log
>   log_path = /var/log/sieve.log
>   mail_max_userip_connections = 10
>   managesieve_implementation_string = Dovecot Pigeonhole
>   managesieve_logout_format = bytes=%i/%o
>   managesieve_max_compile_errors = 5
>   managesieve_max_line_length = 65536
> }
>
> root@buserver:/etc/dovecot# cat dovecot-acl
> root@buserver:/etc/dovecot#
>
> —> means empty file
>
> root@buserver:/etc/dovecot# cat share.passwd 
> t...@onnet.ch:::::::userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only=yes
>
> root@buserver:/etc/dovecot# sed -e '/^#/d' dovecot-ldap.conf
> hosts = localhost
> uris = ldap://localhost:389/
> debug_level = 10
> auth_bind = yes
> ldap_version = 3
> base = ou=domains,dc=intra,dc=onnet,dc=ch
> deref = never
> scope = subtree
> user_attrs =
> homeDirectory=home=/var/spool/postfix/virtual/%$,uidNumber=uid,gidNumber=gid,quota=quota_rule=*:bytes=%$
> user_filter = (&(objectClass=CourierMailAccount)(mail=%u))
> pass_attrs = mail=user,userPassword=password
> pass_filter = (&(objectClass=CourierMailAccount)(mail=%u))
> iterate_attrs = mail=user
> iterate_filter = (objectClass=CourierMailAccount)
> default_pass_scheme = CRYPT
>
> root@buserver:/etc/dovecot# cat /var/log/mail.log | grep "Aug  7 11:17:27"
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl vfile: file
> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test
> <http://onnet.ch/test//Maildir/.test> folder 1.sub folder 1
> 1/dovecot-acl not found
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl vfile: reading file
> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super/dovecot-acl
> <http://onnet.ch/test//Maildir/.super/dovecot-acl>
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl vfile: reading file
> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.super.hello
> <http://onnet.ch/test//Maildir/.super.hello> du/dovecot-acl
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl vfile: file
> /var/spool/postfix/virtual/onnet.ch/test//Maildir/.test
> <http://onnet.ch/test//Maildir/.test> folder 1/dovecot-acl not found
> Aug  7 11:17:27 buserver dovecot: auth: Debug: auth client connected
> (pid=3203)
> Aug  7 11:17:27 buserver dovecot: auth: Debug: client in:
> AUTH#0111#011PLAIN#011service=imap#011session=lkbV3NRyyQDAqDgB#011lip=192.168.56.50#011rip=192.168.56.1#011lport=143#011rport=52169#011resp=dGVzdEBvbm5ldC5jaAB0ZXN0QG9ubmV0LmNoAG5vdmVsbDEyMzQ1Ng==
> (previous base64 data may contain sensitive data)
> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(t...@onnet.ch
> <mailto:t...@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): bind search:
> base=ou=domains,dc=intra,dc=onnet,dc=ch
> filter=(&(objectClass=CourierMailAccount)(mail=t...@onnet.ch
> <mailto:mail=t...@onnet.ch>))
> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(t...@onnet.ch
> <mailto:t...@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
> mail=t...@onnet.ch <mailto:mail=t...@onnet.ch>; mail unused
> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(t...@onnet.ch
> <mailto:t...@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
> mail=t...@onnet.ch <mailto:mail=t...@onnet.ch>
> Aug  7 11:17:27 buserver dovecot: auth: Debug: client passdb out:
> OK#0111#011user=t...@onnet.ch <mailto:OK#0111#011user=t...@onnet.ch>
> Aug  7 11:17:27 buserver dovecot: auth: Debug: master in:
> REQUEST#0113718250497#0113203#0111#011089fd1d9e1a2c66586786422f24c51cd#011session_pid=3206#011request_auth_token
> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(t...@onnet.ch
> <mailto:t...@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): user search:
> base=ou=domains,dc=intra,dc=onnet,dc=ch scope=subtree
> filter=(&(objectClass=CourierMailAccount)(mail=t...@onnet.ch
> <mailto:mail=t...@onnet.ch>))
> fields=homeDirectory,uidNumber,gidNumber,quota
> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(t...@onnet.ch
> <mailto:t...@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
> uidNumber=5000 quota=1073741824 gidNumber=5000
> homeDirectory=onnet.ch/test/ <http://onnet.ch/test/>;
> homeDirectory,uidNumber,quota,gidNumber unused
> Aug  7 11:17:27 buserver dovecot: auth: Debug: ldap(t...@onnet.ch
> <mailto:t...@onnet.ch>,192.168.56.1,<lkbV3NRyyQDAqDgB>): result:
> uidNumber=5000 quota=1073741824 gidNumber=5000
> homeDirectory=onnet.ch/test/ <http://onnet.ch/test/>
> Aug  7 11:17:27 buserver dovecot: auth: Debug: master userdb out:
> USER#0113718250497#011t...@onnet.ch
> <mailto:USER#0113718250497#011t...@onnet.ch>#011home=/var/spool/postfix/virtual/onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201
> <http://onnet.ch/test/#011uid=5000#011gid=5000#011quota_rule=*:bytes=1073741824#011auth_token=913bee7c974e18d4527fc38d90457411e7e61201>
> Aug  7 11:17:27 buserver dovecot: imap-login: Login:
> user=<t...@onnet.ch <mailto:t...@onnet.ch>>, method=PLAIN,
> rip=192.168.56.1, lip=192.168.56.50, mpid=3206
> Aug  7 11:17:27 buserver dovecot: imap: Debug: Loading modules from
> directory: /usr/lib/dovecot/modules
> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
> /usr/lib/dovecot/modules/lib01_acl_plugin.so
> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
> /usr/lib/dovecot/modules/lib02_imap_acl_plugin.so
> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
> /usr/lib/dovecot/modules/lib10_quota_plugin.so
> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
> /usr/lib/dovecot/modules/lib11_imap_quota_plugin.so
> Aug  7 11:17:27 buserver dovecot: imap: Debug: Module loaded:
> /usr/lib/dovecot/modules/lib20_zlib_plugin.so
> Aug  7 11:17:27 buserver dovecot: imap: Debug: Added userdb setting:
> plugin/quota_rule=*:bytes=1073741824
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Effective uid=5000, gid=5000,
> home=/var/spool/postfix/virtual/onnet.ch/test/ <http://onnet.ch/test/>
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Quota root: name=User quota
> backend=maildir args=
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Quota rule: root=User quota mailbox=*
> bytes=1073741824 messages=0
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Quota rule: root=User quota
> mailbox=INBOX.Trash bytes=+104857600 messages=0
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Quota rule: root=User quota
> mailbox=INBOX.Spam ignored
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Quota warning: bytes=1020054732 (95%)
> messages=0 reverse=no command=quota-warning 95 t...@onnet.ch
> <mailto:t...@onnet.ch>
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Quota grace: root=User quota
> bytes=107374182 (10%)
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Namespace inbox: type=private,
> prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes
> location=maildir:~/Maildir
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: maildir++:
> root=/var/spool/postfix/virtual/onnet.ch/test//Maildir
> <http://onnet.ch/test//Maildir>, index=, indexpvt=, control=,
> inbox=/var/spool/postfix/virtual/onnet.ch/test//Maildir
> <http://onnet.ch/test//Maildir>, alt=
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl: initializing backend with data: vfile
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl: acl username = t...@onnet.ch
> <mailto:t...@onnet.ch>
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl: owner = 1
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl vfile: Global ACLs disabled
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: Namespace : type=shared,
> prefix=shared/%u/, sep=/, inbox=no, hidden=no, list=children,
> subscriptions=yes
> location=maildir:%h/Maildir:INDEX=/var/spool/postfix/virtual/onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u
> <http://onnet.ch/test//shared/%u:CONTROL=/var/spool/postfix/virtual/onnet.ch/test//shared/%u>
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: shared: root=/var/run/dovecot, index=,
> indexpvt=, control=, inbox=, alt=
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl: initializing backend with data: vfile
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl: acl username = t...@onnet.ch
> <mailto:t...@onnet.ch>
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl: owner = 0
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Debug: acl vfile: Global ACLs disabled
> Aug  7 11:17:27 buserver dovecot: imap(t...@onnet.ch
> <mailto:t...@onnet.ch>): Disconnected: Logged out in=30 out=457
>
> thanks for looking into this
>
>> On 7 Aug 2018, at 10:34, Aki Tuomi <aki.tu...@dovecot.fi
>> <mailto:aki.tu...@dovecot.fi>> wrote:
>>
>> Can you provide your doveconf -n after adding the database *after* LDAP.
>>
>> You probably need to add 'noauthenticate' as one parameter after the
>> userdb ones.
>>
>> Aki
>>
>
