Re: [courier-users] calling session PAM modules

2015-06-08 Thread Gordon Messmer
On 06/08/2015 05:01 PM, Sam Varshavchik wrote:
> That's another option. If that's all that pam session is used for, is to
> invoke the pam_mkhomedir.so module, this should work.

That's probably not a great idea while the pam configurations include 
system-auth.  Its standard setup on CentOS 7 looks like:

session optional  pam_keyinit.so revoke
I don't understand the kernel keyring system entirely, but I think this 
will connect authdaemond to the user's login keyring if one exists.  The 
documentation doesn't indicate if this connection is closed. 
authdaemond might end up with a persistent connection to user data.

session required  pam_limits.so
This will cause authdaemond to get whatever limits are configured for 
the user who logs in.  close() won't revert that change.

-session optional  pam_systemd.so
The docs for pam_systemd make this look expensive, if nothing else.

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required  pam_unix.so
Logs that the user logged in/out.

session optional  pam_sss.so
Docs don't indicate what this module does for session.

It might work better if authdaemond forked and ran the session bits in 
the child process?  But especially with systemd, it's worth benchmarking 
the number of auth calls / second authdaemond can handle with and 
without the session calls.


--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
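An added illustration of the fork idea in the message above; it is not code from the thread or from courier-authlib. The PAM session stack is replaced by a constructed side effect (halving the soft RLIMIT_NOFILE, standing in for what a module like pam_limits.so does to the calling process), and the two functions show that the change sticks when made in the daemon's own process but dies with a forked child. The function names and the choice of limit are assumptions for the example.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a PAM session stack that modifies the calling process
 * (pam_limits.so applies the user's limits this way).  Constructed side
 * effect: halve the soft RLIMIT_NOFILE.  No real PAM call is made. */
static int apply_session_side_effects(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_cur / 2;      /* lowering a soft limit needs no privilege */
    return setrlimit(RLIMIT_NOFILE, &rl);
}

static rlim_t current_nofile(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

/* In-process pattern: what calling pam_open_session()/pam_close_session()
 * straight from the daemon amounts to.  Returns 1 if the daemon's own
 * limit changed, 0 if it did not, -1 on error. */
int session_in_process_changes_daemon(void)
{
    rlim_t before = current_nofile();
    if (apply_session_side_effects() != 0)
        return -1;
    return current_nofile() != before ? 1 : 0;
}

/* Fork pattern: run the session side effects in a child, reap it, and
 * report whether the parent's limit survived.  Returns 1 if the parent
 * was isolated, 0 if its limit changed, -1 on error. */
int session_in_child_isolates_daemon(void)
{
    rlim_t before = current_nofile();
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: this is where the PAM session open/close would run;
         * whatever it changes in the process disappears with the child */
        _exit(apply_session_side_effects() == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return current_nofile() == before ? 1 : 0;
}

int main(void)
{
    printf("forked child: daemon limit isolated = %d\n", session_in_child_isolates_daemon());
    printf("in-process:   daemon limit changed  = %d\n", session_in_process_changes_daemon());
    return 0;
}
```

The child inherits the daemon's credentials and descriptors, so the fork only contains per-process state (limits, keyrings, environment); a module that creates files or talks to systemd still does that on the daemon's behalf.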


Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Sam Varshavchik

Bowie Bailey writes:


Did you intend to test the link between /tmp and new, or between the two
directories that you just created in the previous commands?

Should it be this instead?

mkdir tmp
mkdir new
cp /dev/null tmp/foo
ln tmp/foo new/foo


Yes, but we all have it figured out anyway.





Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Sam Varshavchik

Ivan Pintori writes:


I agree.

Unraid is a kinda thingy that works, actually pretty well: I had it in  
operation for 3 years with no issues. But I never used it for a more dynamic  
storage like this.


What you actually see over NFS is a merge of the different storage disks  
plus any available data held on the cache drive.


For a home setup unraid is just brilliant, but I wouldn't use it in a  
business production environment.


That's fine, except that it's returning the wrong error code. It should be  
rejecting hard links with EXDEV, and not EIO.


 EXDEV   Improper link (POSIX.1)

That's the right error code to return in this situation.





Re: [courier-users] calling session PAM modules

2015-06-08 Thread Sam Varshavchik

Matus UHLAR - fantomas writes:


On 08.06.15 08:30, Sam Varshavchik wrote:
>Unfortunately, this is not architecturally possible. authdaemond runs
>as a standalone daemon, and it handles all authentication requests.
>It has no direct knowledge of when individual processes get created,
>and when they terminate.

but it could call session init after successful verification, and session
close immediately after, right?

(of course, only if admin sets it up, to prevent others from useless pam
calls)


That's another option. If that's all that pam session is used for, is to  
invoke the pam_mkhomedir.so module, this should work.



>However, it might be possible to implement this directly.

do you mean directly in smtp/imap/pop3 servers?


Yes.

But let's try the other way, first. Can you try patching courier-authlib as  
follows, and see how well it works. If this works, then all that needs to be  
done is make this part conditional upon a setting.



diff --git a/courier-authlib/authpam.c b/courier-authlib/authpam.c
index 9d40e69..49d9bb6 100644
--- a/courier-authlib/authpam.c
+++ b/courier-authlib/authpam.c
@@ -150,6 +150,25 @@ static int dopam(pam_handle_t **pamh, int *started)
DPRINTF("pam_acct_mgmt failed, result %d", retval);
}
}
+
+   if (retval == PAM_SUCCESS)
+   {
+   retval=pam_open_session(*pamh, 0);
+   if (retval != PAM_SUCCESS)
+   {
+   DPRINTF("pam_open_session failed, result %d", retval);
+   }
+   }
+
+   if (retval == PAM_SUCCESS)
+   {
+   retval=pam_close_session(*pamh, 0);
+   if (retval != PAM_SUCCESS)
+   {
+   DPRINTF("pam_close_session failed, result %d", retval);
+   }
+   }
+
if (retval == PAM_SUCCESS)
{
DPRINTF("dopam successful");
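Review bot: the new pam_open_session()/pam_close_session() pair starting at `retval=pam_open_session(*pamh, 0);` runs on every authentication that pam_authenticate and pam_acct_mgmt already accepted, and because `retval` is propagated, any failure in the session stack now turns that accepted login into a failure; since the covering message says this is to become conditional on a setting, it would be cleaner to add that guard in this hunk and to decide explicitly whether a session failure should be fatal or only logged through DPRINTF, given that the only session module the thread wants is pam_mkhomedir.so. Skipping pam_close_session when pam_open_session failed is correct. Note also that both calls run inside authdaemond's own process, so per-process changes made by session modules (the pam_limits.so and pam_keyinit.so cases raised elsewhere in the thread) persist after pam_close_session returns.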





Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Ivan Pintori
I think he meant that too.

Anyhow, I did try to run a hard link of the unRAID server itself.

A hard link at different levels:

- On the Array pseudo Filesystem (the one that merges together all data from 
all drives) - FAILS as not implemented
- On the btrfs cache drive - Works
- On the single reiserfs disk - Works

So, the issue is with unRAID that does not support hard linking on its 
Filesystem, which is the one that governs all the parity, caching, and merging.

Thanks to all for the help.

ivan

On 08/Jun/2015, at 17:17, Bowie Bailey  wrote:

> On 6/7/2015 8:39 PM, Sam Varshavchik wrote:
>> Ivan Pintori writes:
>> 
>>> Permissions seem fine: the whole path is owned by courier, and the 
>>> owner can RWX on the parents as well as tmp and new.
>>> 
>>> The host/NFS storage is running unRAID working on reiserfs (unRAID is 
>>> a superset of slackware).
>>> 
>>> I did try to change some of the export configuration, but that didn’t 
>>> matter. Current applied is: sec=sys,rw,no_root_squash,sync
>>> 
>>> I am doing something wrong, but I am no NFS guru.
>> 
>> Do the following experiment, in some empty directory:
>> 
>> mkdir tmp
>> mkdir new
>> cp /dev/null /tmp/foo
>> ln /tmp/foo new/foo
>> 
>> And see what happens.
> 
> Did you intend to test the link between /tmp and new, or between the two 
> directories that you just created in the previous commands?
> 
> Should it be this instead?
> 
> mkdir tmp
> mkdir new
> cp /dev/null tmp/foo
> ln tmp/foo new/foo
> 
> -- 
> Bowie
> 




Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Bowie Bailey
On 6/7/2015 8:39 PM, Sam Varshavchik wrote:
> Ivan Pintori writes:
>
>> Permissions seem fine: the whole path is owned by courier, and the 
>> owner can RWX on the parents as well as tmp and new.
>>
>> The host/NFS storage is running unRAID working on reiserfs (unRAID is 
>> a superset of slackware).
>>
>> I did try to change some of the export configuration, but that didn’t 
>> matter. Current applied is: sec=sys,rw,no_root_squash,sync
>>
>> I am doing something wrong, but I am no NFS guru.
>
> Do the following experiment, in some empty directory:
>
> mkdir tmp
> mkdir new
> cp /dev/null /tmp/foo
> ln /tmp/foo new/foo
>
> And see what happens.

Did you intend to test the link between /tmp and new, or between the two 
directories that you just created in the previous commands?

Should it be this instead?

mkdir tmp
mkdir new
cp /dev/null tmp/foo
ln tmp/foo new/foo

-- 
Bowie



Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Ivan Pintori
I agree.

Unraid is a kinda thingy that works, actually pretty well: I had it in 
operation for 3 years with no issues. But I never used it for a more dynamic 
storage like this.

What you actually see over NFS is a merge of the different storage disks plus 
any available data held on the cache drive.

For a home setup unraid is just brilliant, but I wouldn't use it in a business 
production environment.

:)

Sent from my iPhone

> On 08/Jun/2015, at 09:43, Gordon Messmer  wrote:
> 
>> On 06/07/2015 11:30 PM, Ivan Pintori wrote:
>> [courier@edge testmbox]$ ln /tmp/foo new/foo
>> ln: failed to create hard link ‘new/foo’ => ‘/tmp/foo’: Invalid
>> cross-device link
> 
> You know what occurs to me?  That non-RAID array with a parity disk 
> might be doing some weird union FS thing, and might not allow hard links 
> between directories.  That'd explain the error you're seeing.
> 



Re: [courier-users] calling session PAM modules

2015-06-08 Thread Matus UHLAR - fantomas
>Matus UHLAR - fantomas writes:
>>could courier-authlib use PAM session functions?
>>
>>We use AD authentication so we can't create home directories when users are
>>created (because on client we don't know when a user is created).
>>
>>I would like to create homedir/maildir at first access, either from
>>maildrop, or from courier, whichever happens first.  However courier-authlib
>>does not call session functions, so we currently can not use courier, unless
>>we find OK that users' logins will fail before first mail is received...
>>we do not.
>>
>>this was discussed already few years ago, but I believe here we have proper
>>reason to support PAM sessions.

On 08.06.15 08:30, Sam Varshavchik wrote:
>Unfortunately, this is not architecturally possible. authdaemond runs 
>as a standalone daemon, and it handles all authentication requests. 
>It has no direct knowledge of when individual processes get created, 
>and when they terminate.

but it could call session init after successful verification, and session
close immediately after, right?

(of course, only if admin sets it up, to prevent others from useless pam
calls)

>However, it might be possible to implement this directly.

do you mean directly in smtp/imap/pop3 servers?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse



Re: [courier-users] calling session PAM modules

2015-06-08 Thread Sam Varshavchik

Matus UHLAR - fantomas writes:


Hello,

could courier-authlib use PAM session functions?

We use AD authentication so we can't create home directories when users are
created (because on client we don't know when a user is created).

I would like to create homedir/maildir at first access, either from
maildrop, or from courier, whichever happens first.  However courier-authlib
does not call session functions, so we currently can not use courier, unless
we find OK that users' logins will fail before first mail is received...
we do not.

this was discussed already few years ago, but I believe here we have proper
reason to support PAM sessions.


Unfortunately, this is not architecturally possible. authdaemond runs as a  
standalone daemon, and it handles all authentication requests. It has no  
direct knowledge of when individual processes get created, and when they  
terminate.


However, it might be possible to implement this directly.





[courier-users] calling session PAM modules

2015-06-08 Thread Matus UHLAR - fantomas
Hello,

could courier-authlib use PAM session functions?

We use AD authentication so we can't create home directories when users are
created (because on client we don't know when a user is created).

I would like to create homedir/maildir at first access, either from
maildrop, or from courier, whichever happens first.  However courier-authlib
does not call session functions, so we currently can not use courier, unless
we find OK that users' logins will fail before first mail is received... 
we do not.

this was discussed already few years ago, but I believe here we have proper
reason to support PAM sessions.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller



Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Sam Varshavchik

Ivan Pintori writes:


@Sam I am having domain difficulties so I read your reply online, but did not  
receive it. (so, yeah, tonight has been a great night ;) )



Did the test, and doesn’t look good:



[courier@edge ~]$ cd /usr/local/mbox/
[courier@edge mbox]$ cd pintori.it/
[courier@edge pintori.it]$ mkdir testmbox
[courier@edge pintori.it]$ cd testmbox/


[courier@edge testmbox]$ mkdir tmp
[courier@edge testmbox]$ mkdir new
[courier@edge testmbox]$ cp /dev/null /tmp/foo
[courier@edge testmbox]$ ln /tmp/foo new/foo
ln: failed to create hard link ‘new/foo’ => ‘/tmp/foo’: Invalid cross-device  
link



[courier@edge testmbox]$ cp /dev/null tmp/foo
[courier@edge testmbox]$ ln tmp/foo new/foo
ln: failed to create hard link ‘new/foo’ => ‘tmp/foo’: Input/output error


[courier@edge testmbox]$ mount
/dev/mapper/fedora--server-root on / type ext4 (rw,relatime,data=ordered)
tmpfs on /tmp type tmpfs (rw)
xx.xx.xx.xx:/mnt/user/mailbox on /usr/local/mbox type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=xx.xx.xx.xx,mountvers=3,mountport=35864,mountproto=udp,local_lock=none,addr=xx.xx.xx.xx)





So I did try hard linking between /tmp and the NFS mounted directory, and it  
tells me it’s invalid.


This is the expected result.


Did try hard linking within the same mount, and got an IO error.. 


And that's the problem. I'm sure that hard links on a traditional NFS volume  
have worked for decades.


So your question is what exactly are you mounting via NFS, that refuses to  
create hard links. Now, the fact that it fails to create a hard link, by  
itself, is not a showstopper. maildrop will fall back to using rename(), but  
it expects to get an EXDEV, like the case with an attempted cross-mount  
link, and not EIO. AFS always returns EXDEV when attempting to link files  
across directories, since any directory in an AFS hierarchy could be  
migrated to a different cell. EXDEV is a proper POSIX errno, when a hard  
link cannot be supported. EIO really indicates filesystem corruption.


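The link experiment Sam proposed (and Bowie corrected to link tmp/foo rather than /tmp/foo), together with the EXDEV-versus-EIO point in the message above, as an added C example that is not maildrop's own code: maildir_deliver() publishes tmp/foo as new/foo with link(), falls back to rename() only when link() reports EXDEV, and refuses on any other errno such as EIO; run_link_experiment_in_scratch_dir() recreates the mkdir tmp / mkdir new / cp / ln sequence in a fresh directory under /tmp. The function names, result codes and scratch location are assumptions for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome codes for a maildir tmp -> new delivery (assumed names). */
enum deliver_result {
    DELIVERED_BY_LINK = 0,   /* link() worked: the normal maildir path */
    DELIVERED_BY_RENAME = 1, /* link() reported EXDEV: fell back to rename() */
    DELIVERY_FAILED = 2      /* any other errno: refuse and leave tmp/ alone */
};

/* Only EXDEV is a legitimate "no hard link across this boundary" answer
 * (POSIX "Improper link").  EIO and everything else point at a broken
 * store and must not be papered over with rename(). */
int link_error_allows_rename_fallback(int err)
{
    return err == EXDEV;
}

/* Publish tmppath as newpath the way a maildir delivery does. */
enum deliver_result maildir_deliver(const char *tmppath, const char *newpath)
{
    if (link(tmppath, newpath) == 0) {
        unlink(tmppath);                 /* drop the tmp/ name, keep the inode */
        return DELIVERED_BY_LINK;
    }
    if (!link_error_allows_rename_fallback(errno))
        return DELIVERY_FAILED;
    if (rename(tmppath, newpath) != 0)
        return DELIVERY_FAILED;
    return DELIVERED_BY_RENAME;
}

/* The thread's experiment in a fresh scratch maildir under /tmp:
 * mkdir tmp; mkdir new; create tmp/foo; publish it as new/foo.
 * Returns the deliver_result, or -1 if setup failed or the directory
 * was left inconsistent (new/foo missing or tmp/foo still present). */
int run_link_experiment_in_scratch_dir(void)
{
    char base[] = "/tmp/maildir-linktest-XXXXXX";   /* constructed location */
    char tmpdir[PATH_MAX], newdir[PATH_MAX], tmpf[PATH_MAX], newf[PATH_MAX];
    struct stat st;
    int fd, rc = -1;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(tmpdir, sizeof tmpdir, "%s/tmp", base);
    snprintf(newdir, sizeof newdir, "%s/new", base);
    snprintf(tmpf, sizeof tmpf, "%s/tmp/foo", base);
    snprintf(newf, sizeof newf, "%s/new/foo", base);

    if (mkdir(tmpdir, 0700) != 0 || mkdir(newdir, 0700) != 0)
        goto cleanup;
    fd = open(tmpf, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* cp /dev/null tmp/foo */
    if (fd < 0)
        goto cleanup;
    close(fd);

    rc = (int)maildir_deliver(tmpf, newf);
    if (rc != DELIVERY_FAILED && (stat(newf, &st) != 0 || stat(tmpf, &st) == 0))
        rc = -1;

cleanup:
    unlink(tmpf);
    unlink(newf);
    rmdir(tmpdir);
    rmdir(newdir);
    rmdir(base);
    return rc;
}

int main(void)
{
    printf("EXDEV allows rename fallback: %d\n", link_error_allows_rename_fallback(EXDEV));
    printf("EIO allows rename fallback:   %d\n", link_error_allows_rename_fallback(EIO));
    printf("scratch maildir experiment:   %d (0 = linked, 1 = renamed, 2 = failed)\n",
           run_link_experiment_in_scratch_dir());
    return 0;
}
```

On a local filesystem or a conventional NFS export the experiment reports 0; on the unRAID export from the thread it would report 2, which is the behaviour Sam objects to, because EIO is not a signal the fallback may act on.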


Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Gordon Messmer
On 06/07/2015 11:30 PM, Ivan Pintori wrote:
> [courier@edge testmbox]$ ln /tmp/foo new/foo
> ln: failed to create hard link ‘new/foo’ => ‘/tmp/foo’: Invalid
> cross-device link

You know what occurs to me?  That non-RAID array with a parity disk 
might be doing some weird union FS thing, and might not allow hard links 
between directories.  That'd explain the error you're seeing.



Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Gordon Messmer
On 06/07/2015 04:43 PM, Ivan Pintori wrote:
> The host/NFS storage is running unRAID working on reiserfs (unRAID is
> a superset of slackware).

Are you talking about http://lime-technology.com/ ?

This sounds... weird.  They vaguely describe an aggregate of disks with 
a single disk for parity.  I don't understand how that's not RAID 4. 
Which no one uses, because the one disk used for parity is a bottleneck 
for writes.

Reiserfs?  Generally considered less reliable, less capable, and slower 
than ext4 and XFS.

I know you're not asking for advice in that area, but every part of that 
stack (RAID4 or something very like it, reiserfs, and 9p) sounds extra 
janky.



Re: [courier-users] Blocking/whitelist precedence

2015-06-08 Thread Gordon Messmer
On 06/07/2015 10:29 PM, Lindsay Haisley wrote:
>
> So, e.g., if I'm using BLOCK2, BLOCK3 and BLOCK4, (but not BLOCK) in the
> BLACKLISTS list in /etc/courier/esmtpd (I deal with these in a maildrop
> script) and I have "w.x.y.zaccess,BLOCK"
> in /etc/courier/smtpaccess/webadmin to whitelist w.x.y.z would I not
> need instead to set _every_ BLOCKn listed in BLACKLISTS?

You need to set every variable that you want to override.

The access file is checked first, and environment variables are set. 
Later, when a DNS check specified by -block is run, that section of 
code first checks to see if the environment variable that it might set 
is already set.  If it is already set, the code returns immediately, 
without checking DNS.

> The logic of how this _should_ work is pretty simple.  Without filtering
> or blocking, courier accepts everything.  Adding filtering or blocking
> modulates this behavior.  Specific exemptions should then easily be able
> to trump this filtering or blocking just as a more specific whitelist
> will carve out an exception to, say, a /24 group IP address block.

I think that's how it works, but the code is easier to read than that 
description. :)


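An added check for the precedence Gordon describes above (the access file runs first and sets variables; each -block check returns at once if its variable is already set); it is not courier's code. It assumes the BLACKLISTS entry form -block=zone,VARIABLE[,message] with BLOCK as the default variable when none is named, and uses a constructed BLACKLISTS value with placeholder zones. Given the variables one smtpaccess entry sets, it reports which -block checks would still run, which is the question Lindsay asked.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BLOCKS 16

/* One -block entry: the DNS zone that is queried and the variable the
 * check sets when the address is listed (assumed layout). */
struct block_entry {
    char zone[128];
    char var[64];
};

/* Constructed BLACKLISTS value with placeholder zones; the fourth entry
 * names no variable and so falls back to BLOCK (assumed default). */
const char *const EXAMPLE_BLACKLISTS =
    "-block=dnsbl1.example,BLOCK2 "
    "-block=dnsbl2.example,BLOCK3,Blocked by dnsbl2 "
    "-block=dnsbl3.example,BLOCK4 "
    "-block=dnsbl4.example";

/* Parse a BLACKLISTS string into entries; returns how many were found. */
int parse_blacklists(const char *blacklists, struct block_entry *out, int max)
{
    int n = 0;
    const char *p = blacklists;
    while (n < max && (p = strstr(p, "-block=")) != NULL) {
        p += strlen("-block=");
        size_t zl = strcspn(p, ", \t");                /* zone ends at ',' or blank */
        snprintf(out[n].zone, sizeof out[n].zone, "%.*s", (int)zl, p);
        p += zl;
        size_t vl = 0;
        if (*p == ',') {
            p++;
            vl = strcspn(p, ", \t");                   /* variable ends at ',' or blank */
        }
        if (vl > 0)
            snprintf(out[n].var, sizeof out[n].var, "%.*s", (int)vl, p);
        else
            snprintf(out[n].var, sizeof out[n].var, "BLOCK");   /* assumed default */
        p += vl;                                        /* any message text is skipped */
        n++;
    }
    return n;
}

/* Mirror the precedence from the message: the access file has already set
 * the variables in set_vars, and a -block check whose variable is set
 * returns without touching DNS.  Returns how many -block checks would
 * still run and writes their variables, comma separated, to still_active. */
int blocks_not_suppressed(const char *blacklists,
                          const char *const *set_vars, int nset,
                          char *still_active, size_t len)
{
    struct block_entry e[MAX_BLOCKS];
    int n = parse_blacklists(blacklists, e, MAX_BLOCKS);
    int active = 0;

    if (len > 0)
        still_active[0] = '\0';
    for (int i = 0; i < n; i++) {
        int suppressed = 0;
        for (int j = 0; j < nset && !suppressed; j++)
            suppressed = strcmp(e[i].var, set_vars[j]) == 0;
        if (suppressed)
            continue;                                   /* variable set: DNS skipped */
        if (len > 0) {
            if (active > 0)
                strncat(still_active, ",", len - strlen(still_active) - 1);
            strncat(still_active, e[i].var, len - strlen(still_active) - 1);
        }
        active++;
    }
    return active;
}

int main(void)
{
    const char *only_block[] = { "BLOCK" };
    const char *all_four[] = { "BLOCK", "BLOCK2", "BLOCK3", "BLOCK4" };
    char buf[256];

    int a = blocks_not_suppressed(EXAMPLE_BLACKLISTS, only_block, 1, buf, sizeof buf);
    printf("whitelisting BLOCK only leaves %d check(s) active: %s\n", a, buf);
    a = blocks_not_suppressed(EXAMPLE_BLACKLISTS, all_four, 4, buf, sizeof buf);
    printf("whitelisting all four leaves %d check(s) active\n", a);
    return 0;
}
```

With only BLOCK set by the access entry, the BLOCK2, BLOCK3 and BLOCK4 checks still run, which is the answer Gordon gives: every variable that should be overridden has to be set.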


Re: [courier-users] Maildrop not working on NFS/9p based maildirs

2015-06-08 Thread Gordon Messmer
On 06/07/2015 11:30 PM, Ivan Pintori wrote:
> So I did try hard linking between /tmp and the NFS mounted directory,
> and it tells me it’s invalid.

Can you try the same thing on the server hosting the filesystem?  If the 
error exists there, then it's the filesystem that causes the problem. 
If not, it's the network filesystem protocol.
