Re: Mapping usernames used for authentication to UNIX usernames

2021-06-16 Thread Florian Effenberger

Hello,


Frank> Would it be possible to configure something that will map an
Frank> email address to the UNIX account name and use the account name
Frank> for authentication and obtaining the related information (uid,
Frank> gid, home dir)?


https://dovecot.org/pipermail/dovecot/2018-September/113025.html should 
be what you are looking for. I used that to map legacy accounts to 
username@domain accounts in SQL, but it should also work the other way 
round.


Florian


Re: N-way replication, multiple masters

2021-06-16 Thread Henry
  

1 GB of data per day is very little volume. I think dovecot replication or rsync is also suitable.


Hi
Mail replication – honestly, I don’t have any hard metrics for that. I’m 
anticipating it's less than 1 GB per day.
Link speed – being AWS inter AZ it's 100Mbps-1GBps. I’m conscious if I go inter 
region the strategy may need to change.

Thanks


Raymond


Raymond Sellars () wrote on Thursday, 17 June 2021 at 11:30:23 AM [GMT+8]:
 



 

From: Henry  
Sent: Thursday, 17 June 2021 3:20 PM
To: Raymond Sellars 
Subject: Re: N-way replication, multiple masters

 

How much data for mail replication?

and the link speed?

 

Raymond Sellars () wrote on Thursday, 17 June 2021 at 11:10:23 AM [GMT+8]:

 
  

N-way replication, multiple masters

2021-06-16 Thread Raymond Sellars
Hi

Looking for some guidance on how to set up a dovecot cluster with more than
2 servers. Ideally as multiple masters so I don't have the complexity of
back recovery/synchronisation in failover situations, and I can utilise
upstream load balancers (director or other) to automatically move between
available nodes.

Current pattern is:
High availability at one site (AWS availability zone) with two active
servers behind dovecot directors and an AWS network load balancer in front
of the directors.

A third dovecot server as a disaster recovery instance (another
availability zone or region), with ideally real time and bidirectional
replication. Behind a different network and NLB access path.
Dovecot --version = 2.3.14
Centos 7

Previously for the HA pair we utilised NFS but the AWS EFS equivalent
doesn't perform (very high latency and NFS metadata caching required).
And then for DR we utilised the dovecot replication, 2-way so I have
automated recovery and could do active-active testing/verification as
required with no downtime. This helps verify recovery pathways.

https://doc.dovecot.org/configuration_manual/replication/# - reading the
documentation it seems clear that replication only supports a PAIR of
masters. Any ideas on how I can add in a 3rd replication node? Two pairs?
I'm happy to utilise a star pattern. HA 1 <-> HA2, HA 1 <-> DR.

Not possible?
Can I run more than one replicator?
Or should I utilise doveadm sync via cron jobs and 2-way sync.

Any thoughts, suggestions most welcome. How are others achieving > 2
clusters for dovecot servers supporting the same domain? Most of this is
for availability rather than purely performance scaling.

Thanks
Raymond


Re: Mapping usernames used for authentication to UNIX usernames

2021-06-16 Thread John Stoffel


Frank> I'm looking for some advice or pointers on how to best solve a
Frank> small problem that I have. I have no doubt that this can be
Frank> done in dovecot, but I'm struggling to find the easiest way to
Frank> implement it.

Frank> First of all, what I have:
Frank> I have a relatively small dovecot setup for a dozen domains, and about 50 
Frank> users in total. All users use IMAP to retrieve mail, and SMTP submission 
Frank> protocol to submit email.

Frank> Because of the small size, every user has its own UNIX account,
Frank> authentication is done using PAM and mail is stored in a
Frank> Maildir folder in their home directory.  Works perfectly!

Do these users ever log in and use their Unix account?  Or do they only
access the system via IMAP to read email?  If the latter, then I would
completely move away from local accounts and unix home dirs and just
use virtual users instead.  Then you log in with your email address and
password to get mail.  Much simpler!

Frank> There is one minor inconvenience. When a new mail client is
Frank> configured, users (often guided by the auto config generator of
Frank> the mail client) tend to use their email address as the
Frank> username to authenticate instead of their UNIX account name,
Frank> which fails of course.

Frank> Would it be possible to configure something that will map an
Frank> email address to the UNIX account name and use the account name
Frank> for authentication and obtaining the related information (uid,
Frank> gid, home dir)?

Frank> I do have two concerns:

Frank> 1) I do not want to break existing mail configurations, so 
Frank> authentication with the UNIX username should still be possible.

I think you can have multiple usernames pointing to the same backend
account, so moving to virtual users would be even simpler.

Frank> 2)  I cannot do a simple reg. exp for the translation because
Frank> every email domain has e.g. an i...@domain.com mailbox, and I
Frank> do not want them all to go to UNIX user "info".

Even if you do offer Unix logins, I would still separate the user
email logins from the Unix logins.  Just having all email access
happen via IMAP makes things simpler.  And if they want to read email
from their unix account, a text based IMAP tool like mutt should be
good enough.

John




working locally not externally, how to check what failed?

2021-06-16 Thread Voytek Eymont
this morning I noticed not getting any email on the remote-to-server mail
client, though in webmail/SquirrelMail on the mail host there were new emails

restarting with doveadm stop/dovecot 'fixed it'

what could've gone wrong, what to look for in the logs?
thanks for any pointers

long running dovecot/postfix/mysql setup

dovecot --version
2.3.14 (cee3cbc0d)



Re: Piping to doveadm pw

2021-06-16 Thread Kevin N.
Bernardo Reino  wrote:

> On Wed, 16 Jun 2021, Kevin N. wrote:
> 
> > Thanks. Reading the manual was the first thing I did before posting to the 
> > list.
> >
> > I'm not sure if this is relevant for the question, but I forgot to mention 
> > that the user enters its password through a 'dialog --passwordbox'.
> >
> > I guess my question is: is it possible to pipe that into 'doveadm pw' directly 
> > from memory, without using any kind of on-disk temp file?
> 
> $ dialog --passwordbox .. | sed p | doveadm pw
> 
> with "sed p" you print explicitly (p) and implicitly (default in sed) the 
> input 
> lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as 
> required.
> 
> Cheers.

Thanks Bernardo. The "sed p" seems to do the trick.

I do have to do some validation before I pass the password to "doveadm pw", so 
my code looks something like:

-
input_password=$(dialog --passwordbox ...)
#... some validation here ...

hashed_password=$(echo "${input_password}" | sed p | doveadm pw -s SHA512-CRYPT)
-

In this case will the password still be safe and hidden from a "ps" for example?

I am still new to all this and I wouldn't want to end up with a false sense of 
security regarding this password passing :)

Doing an 'strace' on the script does show up the password in some reads, in the 
form of: read(3, "password_here", ),
but not in execve(...) as parameter.

Cheers.
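Kevin's pipeline already keeps the secret off the command line, which is the part `ps` and the execve() trace can see. The function below is an added example (not code from the thread) that packages the same idea with the two details that usually bite in scripts: `printf` instead of `echo`, and validation done before anything reaches doveadm. `DOVEADM_CMD` is an assumed hook so a stand-in can replace the real binary when testing; it defaults to `doveadm`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: hash a password with
# "doveadm pw" without ever placing the secret in argv. The password arrives on
# stdin and reaches doveadm only through a pipe, so it is invisible to ps and
# absent from execve() arguments. Variables that are not exported do not appear
# in /proc/<pid>/environ either.
#
# Usage (dialog writes its result to stdout with --stdout):
#   hash=$(dialog --stdout --passwordbox 'Password:' 8 40 | hash_password)
#
# DOVEADM_CMD is an assumed hook (not a doveadm feature) so tests can swap in
# a stand-in; it defaults to the real doveadm binary.
hash_password() {
    scheme="${1:-SHA512-CRYPT}"
    # Read exactly one line: -r keeps backslashes, IFS= keeps leading blanks.
    # The second test accepts input that lacks a trailing newline.
    IFS= read -r pw || [ -n "$pw" ] || return 1
    # Validate before anything is handed to doveadm.
    if [ -z "$pw" ] || [ "${#pw}" -lt 8 ]; then
        printf 'error: password must be at least 8 characters\n' >&2
        return 2
    fi
    # printf, not echo: echo may swallow a leading "-n"/"-e" or expand
    # backslash sequences depending on the shell. Writing the line twice
    # replaces "| sed p" and answers the "Retype new password" prompt that
    # doveadm pw issues when -p is not given. The function's exit status is
    # doveadm's, so callers can detect a failed hash.
    printf '%s\n%s\n' "$pw" "$pw" | "${DOVEADM_CMD:-doveadm}" pw -s "$scheme"
}
```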


Re: Piping to doveadm pw

2021-06-16 Thread Bernardo Reino

On Wed, 16 Jun 2021, Kevin N. wrote:

Thanks. Reading the manual was the first thing I did before posting to the 
list.


I'm not sure if this is relevant for the question, but I forgot to mention 
that the user enters its password through a 'dialog --passwordbox'.


I guess my question is: is it possible to pipe that into 'doveadm pw' directly 
from memory, without using any kind of on-disk temp file?


$ dialog --passwordbox .. | sed p | doveadm pw

with "sed p" you print explicitly (p) and implicitly (default in sed) the input 
lines (i.e. whatever dialog returns), so doveadm gets the same line twice, as 
required.


Cheers.



Re: Piping to doveadm pw

2021-06-16 Thread Kevin N.
Oscar del Rio  wrote:

> On 2021-06-16 5:23 a.m., Kevin N. wrote:
> > I am using 'doveadm pw' from inside a bash script to generate the salted 
> > hash for a user provided password.
> > I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password
> >
> > Is there any possible way to use piping (so it won't show up in ps for 
> > example) to pass the username and password to 'doveadm pw' instead of using 
> > arguments?
> 
> % man doveadm-pw
> 
> -p password
>        The plain text password for which the hash should be
>        generated.  If no password was given doveadm(1) will prompt
>        interactively for one.
> -u user
>        When the DIGEST-MD5 scheme is used, also the user name
>        must be given...  (so -u not needed here)
> 
> % doveadm pw -s SHA256-CRYPT
> Enter new password: **
> Retype new password: **
> {SHA256-CRYPT}$5$yatls3zWaSMgSrue$FOlWYSb...
> 
> % cat /tmp/test
> test123
> test123
> 
> % cat /tmp/test | doveadm pw -s SHA256-CRYPT
> {SHA256-CRYPT}$5$rq.EciaKLycIT61g$smeKtkpQ

Thanks. Reading the manual was the first thing I did before posting to the list.

I'm not sure if this is relevant for the question, but I forgot to mention that 
the user enters its password through a 'dialog --passwordbox'.

I guess my question is: is it possible to pipe that into 'doveadm pw' directly 
from memory, without using any kind of on-disk temp file?


Re: Piping to doveadm pw

2021-06-16 Thread Oscar del Rio

On 2021-06-16 5:23 a.m., Kevin N. wrote:

I am using 'doveadm pw' from inside a bash script to generate the salted hash 
for a user provided password.
I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password

Is there any possible way to use piping (so it won't show up in ps for example) 
to pass the username and password to 'doveadm pw' instead of using arguments?


% man doveadm-pw

-p password
       The plain text password for which the hash should be
       generated.  If no password was given doveadm(1) will prompt
       interactively for one.
-u user
       When the DIGEST-MD5 scheme is used, also the user name
       must be given...  (so -u not needed here)


% doveadm pw -s SHA256-CRYPT
Enter new password: **
Retype new password: **
{SHA256-CRYPT}$5$yatls3zWaSMgSrue$FOlWYSb...

% cat /tmp/test
test123
test123

% cat /tmp/test | doveadm pw -s SHA256-CRYPT
{SHA256-CRYPT}$5$rq.EciaKLycIT61g$smeKtkpQ



Re: Mapping usernames used for authentication to UNIX usernames

2021-06-16 Thread Michael Peddemors
Probably thinking about this backwards: use the full email address by 
default, and if they only provide the user name, then concatenate the 
proper domain before authentication.


full email address should be the preferred default moving forward.

On 2021-06-16 6:58 a.m., Frank Volf wrote:


Hi,

I'm looking for some advice or pointers on how to best solve a small 
problem that I have. I have no doubt that this can be done in dovecot, 
but I'm struggling to find the easiest way to implement it.


First of all, what I have:
I have a relatively small dovecot setup for a dozen domains, and about 50 
users in total. All users use IMAP to retrieve mail, and SMTP submission 
protocol to submit email.
Because of the small size, every user has its own UNIX account, 
authentication is done using PAM and mail is stored in a Maildir folder 
in their home directory.

Works perfectly!

There is one minor inconvenience. When a new mail client is configured, 
users (often guided by the auto config generator of the mail client) 
tend to use their email address as the username to authenticate instead 
of their UNIX account name, which fails of course.


Would it be possible to configure something that will map an email 
address to the UNIX account name and use the account name for 
authentication and obtaining the related information (uid, gid, home dir)?


I do have two concerns:

1) I do not want to break existing mail configurations, so 
authentication with the UNIX username should still be possible.
2) I cannot do a simple reg. exp for the translation because every 
email domain has e.g. an i...@domain.com mailbox, and I do not want them 
all to go to UNIX user "info".


As said, I would appreciate any advice on how this can be configured the 
easiest.


Thanks in advance.

Kind regards,

Frank





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: LMTP with hardlinks ?

2021-06-16 Thread Vladislav Kurz
On Tuesday, 25 May 2021 at 0:31:20 CEST, Vladislav Kurz wrote:
> Hello,
> 
> I'm looking for deduplication of mails via hardlinks during delivery. I.e. a
> mail that is sent to multiple recipients (to, cc, bcc) should be stored
> only once.
> 
> I did some search and found only some non-complete information.
> 
> dovecot-lda has a "-p path" option that does the delivery using symlinks if
> possible (i.e. same uid/gid and same filesystem). This is working by hand,
> but could not find any hints how to use this with postfix. Found only
> suggestion of a wrapper, that was probably never implemented - in this
> thread:
> https://dovecot.org/pipermail/dovecot/2008-June/031158.html
> 
> In this message: https://dovecot.org/list/dovecot/2013-February/088540.html
> there is a statement that: LMTP always delivers the mail to the first user.
> Then it tries to copy the first mail to the second user, because in some
> setups this can be done using hard links.
> 
> I was not able to get this in my setup, and I'd like to know if this
> statement is really true. I have all mail in /var/vmail, all owned by vmail
> user, but still mail delivered to multiple users is duplicated.
> 
> If this is really supposed to make hardlinks (which would be great), is
> there any way to debug it? E.g. see if the hardlink was attempted but
> failed for some reason, or if the message was delivered in the same LMTP
> session ?

I will answer to myself, to provide further information for others bumping 
into the same issue.

It seems that LMTP does hard links only if the recipients do not have any 
sieve scripts.

But repeated delivery with "dovecot-lda -p  -f  -d " 
makes hardlinks even if users do have sieve scripts.

So I made a wrapper that takes all recipients on the command line, the mail message on 
stdin, dumps the mail to a tempfile and loops over all recipients with dovecot-
lda. So far it seems to be working nicely (with postfix as SMTP server).

-- 
Best regards
Vladislav Kurz




Mapping usernames used for authentication to UNIX usernames

2021-06-16 Thread Frank Volf



Hi,

I'm looking for some advice or pointers on how to best solve a small 
problem that I have. I have no doubt that this can be done in dovecot, 
but I'm struggling to find the easiest way to implement it.


First of all, what I have:
I have a relatively small dovecot setup for a dozen domains, and about 50 
users in total. All users use IMAP to retrieve mail, and SMTP submission 
protocol to submit email.
Because of the small size, every user has its own UNIX account, 
authentication is done using PAM and mail is stored in a Maildir folder 
in their home directory.

Works perfectly!

There is one minor inconvenience. When a new mail client is configured, 
users (often guided by the auto config generator of the mail client) 
tend to use their email address as the username to authenticate instead 
of their UNIX account name, which fails of course.


Would it be possible to configure something that will map an email 
address to the UNIX account name and use the account name for 
authentication and obtaining the related information (uid, gid, home dir)?


I do have two concerns:

1) I do not want to break existing mail configurations, so 
authentication with the UNIX username should still be possible.
2) I cannot do a simple reg. exp for the translation because every 
email domain has e.g. an i...@domain.com mailbox, and I do not want them 
all to go to UNIX user "info".


As said, I would appreciate any advice on how this can be configured the 
easiest.


Thanks in advance.

Kind regards,

Frank



Piping to doveadm pw

2021-06-16 Thread Kevin N.
Hello everybody,

I am using 'doveadm pw' from inside a bash script to generate the salted hash 
for a user provided password.
I call it like: doveadm pw -s SHA256-CRYPT -u $user -p $password

Is there any possible way to use piping (so it won't show up in ps for example) 
to pass the username and password to 'doveadm pw' instead of using arguments?

Dovecot version: 2.3.14

Many thanks,

Kevin