Re: Different users having same home/mail_location?

2017-09-24 Thread Tapio Sokura

On 24.9.2017 15:03, Sami Ketola wrote:

On 23 Sep 2017, at 23.08, Tapio Sokura wrote:
I have this kind of a dual-login setup via PAM for regular system user 
authentication and it's working ok. I'm just wondering about the dovecot part, 
whether dovecot will do Unexpected Things if more than one user has the same 
home and mail_location? If it makes any difference, the users can have separate 
homes, but the mailbox should be the same for usability.


It would break things.

Easier is just to overwrite userid from user2 to user1 after authentication 
with another passdb.


Thanks, overriding the userid seems to be working fine.

After getting this to work I realized otp tokens aren't the best for use 
at the imap layer. The first authentication goes through fine. But on 
the next imap connections (parallelizing clients and typical webmails) 
the cached password/otp token has been used already and is rightfully 
rejected by the backend authentication system.


By turning on auth caching in dovecot I jury-rigged this to work (for 
the duration of the auth cache), but the clean solution would be 
something else. Anyway I think I'll settle here for now, better than a 
static password anyway. Thanks for the comments and keep up the good 
work with Dovecot!


  Tapio


Re: librmb: Mail storage on RADOS with Dovecot

2017-09-24 Thread Danny Al-Gaaf
Am 24.09.2017 um 02:43 schrieb Timo Sirainen:
> On 22 Sep 2017, at 14.18, mj wrote:
>> First, the Github link: 
>> https://github.com/ceph-dovecot/dovecot-ceph-plugin
>> 
>> I am not going to repeat everything which is on Github, put a short
>> summary:
>> 
>> - CephFS is used for storing Mailbox Indexes
>> - E-Mails are stored directly as RADOS objects
>> - It's a Dovecot plugin
>> 
>> We would like everybody to test librmb and report back issues on
>> Github so that further development can be done.
>> 
>> It's not finalized yet, but all the help is welcome to make librmb
>> the best solution for storing your e-mails on Ceph with Dovecot.
> 
> It would have been nicer if RADOS support was implemented as
> lib-fs driver, and the fs-API had been used all over the place
> elsewhere. So 1) LibRadosMailBox wouldn't have been relying so much
> on RADOS specifically and 2) fs-rados could have been used for other
> purposes. There are already fs-dict and dict-fs drivers, so the RADOS
> dict driver may not have been necessary to implement if fs-rados was
> implemented instead (although I didn't check it closely enough to
> verify). (We've had fs-rados on our TODO list for a while also.)

Please note: librmb is not Dovecot specific. The goal of this library is
to abstract email storage at Ceph independent of Dovecot to allow also
other mail systems to store emails in RADOS via one library. This is
also the reason why it's relying on RADOS.

[...]
> And using rmb-mailbox format, my main worries would be: 
> * doesn't store index files (= message flags) - not necessarily a problem, as
> long as you don't want geo-replication 

The index files are stored via Dovecot's lib-index on CephFS. This is
only an intermediate step. The goal is to store also index data directly
in RADOS/Ceph omap key-value store. Currently geo-replication isn't an
important topic for our PoC setup at Deutsche Telekom.

> * index corruption means rebuilding them, which means rescanning list of 
> mail files, which
> means rescanning the whole RADOS namespace, which practically means
> rescanning the RADOS pool. That most likely is a very very slow
> operation, which you want to avoid unless it's absolutely necessary.
> Need to be very careful to avoid that happening, and in general to
> avoid losing mails in case of crashes or other bugs.

This could maybe be avoided by snapshots on CephFS currently, at least
partially. But we will take a look at it during the PoC phase.

> * I think copying/moving mails physically copies the full data on disk
> * Each IMAP/POP3/LMTP/etc process connects to RADOS separately from each
> others - some connection pooling would likely help here

I'm not so deep in what Dovecot is currently doing. It's still under
heavy development and any comment and feedback is really welcome as Wido
already pointed out.

Danny


Re: Different users having same home/mail_location?

2017-09-24 Thread Sami Ketola

> On 23 Sep 2017, at 23.08, Tapio Sokura wrote:
> 
> Hello,
> 
> Will I be breaking something if I have two users share the same home and/or 
> mail_location (maildir format) in dovecot? Mail will only be delivered to the 
> primary user, the other would be used every now and then to login via imap 
> (webmail).
> 
> This would be on a CentOS 7 box running dovecot from the packaging system, 
> i.e. dovecot-2.2.10-8.el7 currently. The reason I'd like to do this is to 
> have two ways to login to the same mailbox, one using username + password and 
> the other otherusername + otherpassword + otp-token. Basically this 
> "otherusername" would be for cases where I don't trust the client computer to 
> not have a keylogger etc badness in it, but still need to see my mail.
> 
> I have this kind of a dual-login setup via PAM for regular system user 
> authentication and it's working ok. I'm just wondering about the dovecot 
> part, whether dovecot will do Unexpected Things if more than one user has 
> the same home and mail_location? If it makes any difference, the users can 
> have separate homes, but the mailbox should be the same for usability.


It would break things.

Easier is just to overwrite userid from user2 to user1 after authentication 
with another passdb.

Sami
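One way to wire up the username override Sami suggests, and the auth cache Tapio later mentions, as an added example that is not from this thread or from the Dovecot project. It uses Dovecot 2.2 configuration syntax; the names user1/user2, the file /etc/dovecot/alt-logins and its contents are assumptions, and a passwd-file passdb stands in for whatever passdb actually validates the alternate credentials (PAM with an OTP module in the thread). The point is that the second passdb returns the extra field user=user1, so the userdb lookup, home and mail_location are those of the primary account and no two users ever share a mail_location:

```conf
# Added example, not from the thread. Assumed names: user1 (primary
# account) and user2 (alternate login name); assumed file
# /etc/dovecot/alt-logins. Dovecot 2.2 syntax.

# First passdb: the normal login for user1, unchanged.
passdb {
  driver = pam
}

# Second passdb: tried when the first one fails (result_failure = continue
# is the default). The "user=" extra field returned from the passwd-file
# rewrites the authenticated username, so everything after authentication
# (userdb lookup, home, mail_location) runs as user1.
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT /etc/dovecot/alt-logins
}

# Constructed contents of /etc/dovecot/alt-logins, one line per alternate name.
# Column format is user:password:uid:gid:gecos:home:shell:extra_fields; only
# the name, the password hash and the extra_fields column are needed here.
#   user2:<sha512-crypt hash of user2's password>::::::user=user1

# Per-user settings come from the userdb lookup of the rewritten name (user1).
userdb {
  driver = passwd
}

# Auth cache: a client that opens several IMAP connections reuses the first
# successful credential check for auth_cache_ttl instead of sending the same
# one-time token to the backend again, where it would rightly be rejected.
auth_cache_size = 10M
auth_cache_ttl = 1 hour
auth_cache_negative_ttl = 0

# Verify the mapping from a shell (enter user2's password at the prompt):
#   doveadm auth test user2
# A successful check reports auth succeeded and lists user=user1 among the
# returned extra fields.
```

The trade-off is the one Tapio describes: while a cached entry is valid, the one-time token is not re-validated for each connection, so auth_cache_ttl bounds how long a captured token is reusable against this server and should be kept as short as the client's connection pattern allows.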


Re: Different users having same home/mail_location?

2017-09-24 Thread Peter Chiochetti

Am 2017-09-24 um 00:43 schrieb Tapio Sokura:

Hello Peter,

I'm using a virtual users model in dovecot where all the mail is stored 
under the same OS user account anyway, so file/dir permissions won't be 
a problem. The system users I was referring to are actually completely 
separate user accounts at the moment with their own uid/gid (and 
passwordless sudo between them), but I guess they could use same uid/gid 
and just have separate entries in passwd/shadow.


Hello Tapio,

I see, then they are not the same user to the (mail) system and they do 
not concern dovecot that much, at least for now, so my point was moot.


Anyway at the moment I'm not concerned about getting the authentication 
part working, but whether there's something in dovecot that will bite my 
sitting muscles if mail_location is the same for two users. I'm aware of 
the shared folders functionality mentioned by Marcus and that will 
probably be my fallback, if sharing a mail_location is not viable. Same 
mail_location would just be simpler.


I can tell you though, that I manage a system where several virtual 
users (static userdb) share the same home and therefore mail_location 
too. That has been working very well now for years, even though most 
often four (4) of them access mail concurrently with quite some turnover.


Happy hacking on the authentication part!

Peter



On 24.9.2017 0:34, Peter Chiochetti wrote:

Hello Tapio,

You are going to great lengths :) I assume that PAM working means 
"user" and "otheruser" are the names of system users with the same 
uid, home etc? Then I do not see why dovecot, all defaults and 
authenticating against PAM, won't work out of the box, shouldn't it?


Peter

Am 2017-09-23 um 22:08 schrieb Tapio Sokura:

Hello,

Will I be breaking something if I have two users share the same home 
and/or mail_location (maildir format) in dovecot? Mail will only be 
delivered to the primary user, the other would be used every now and 
then to login via imap (webmail).


This would be on a CentOS 7 box running dovecot from the packaging 
system, i.e. dovecot-2.2.10-8.el7 currently. The reason I'd like to 
do this is to have two ways to login to the same mailbox, one using 
username + password and the other otherusername + otherpassword + 
otp-token. Basically this "otherusername" would be for cases where I 
don't trust the client computer to not have a keylogger etc badness 
in it, but still need to see my mail.


I have this kind of a dual-login setup via PAM for regular system 
user authentication and it's working ok. I'm just wondering about the 
dovecot part, whether dovecot will do Unexpected Things if more than 
one user has the same home and mail_location? If it makes any 
difference, the users can have separate homes, but the mailbox should 
be the same for usability.


   Tapio