Re: [Dovecot] Work with auth socket
Thanks, the problem was in base64. I use the 1 sec timeout only for testing.

2010/6/29 Steffen Kaiser

> On Tue, 29 Jun 2010, Неворотин Вадим wrote:
>
>> my $base64 = encode_base64("\0$login\0$passwd");
>> $sock->send("AUTH\t1\tPLAIN\tservice=$service\tsecured\tresp=$base64\n") or
>> die "Can't write to $socket";
>
> There is a wicked side effect of encode_base64(), use this:
>
> my $base64 = encode_base64("\0$login\0$passwd", '');
>
> Try strace -s99 -e recvfrom,sendto,send,recv perl ...
>
> or similar command of your system to see the difference.
>
>> my $i = 10;
>> while ($i--) {
>> $sel->can_read($timeout) or last; # "Timed out while waiting for response";
>
> If Dovecot starts to answer in less than 1s, the loop terminates.
> IMHO you should try with a longer timeout the 1st time can_read() is
> called.
>
> Regards,
>
> -- Steffen Kaiser
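The two points raised in this exchange, as an added example that is not code from the thread or from Dovecot: MIME::Base64's encode_base64() appends "\n" and wraps at 76 characters unless the second argument is '', so the AUTH request stops being exactly one line, and replies should be matched by request id from a buffer rather than by a fixed number of reads. The helper names build_auth_line and take_reply are hypothetical, and the FAIL reply is constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Build one AUTH request line for SASL PLAIN. The whole request must be a
# single line, so the base64 must carry no line breaks of its own.
sub build_auth_line {
    my ($id, $service, $login, $passwd, $eol) = @_;
    # service is sent unencoded: refuse field or line separators in it
    die "bad service name\n" if $service =~ /[\t\r\n]/;
    # PLAIN initial response: authzid NUL authcid NUL password
    my $resp = defined $eol
        ? encode_base64("\0$login\0$passwd", $eol)
        : encode_base64("\0$login\0$passwd");    # default eol is "\n"
    return "AUTH\t$id\tPLAIN\tservice=$service\tsecured\tresp=$resp\n";
}

# Pull complete lines out of a receive buffer and return the first
# OK / FAIL / CONT reply for request $id, or undef if none has arrived yet.
# An incomplete trailing line stays in the buffer for the next read.
sub take_reply {
    my ($bufref, $id) = @_;
    while ($$bufref =~ s/^([^\n]*)\n//) {
        my ($verb, $rid, @args) = split /\t/, $1;
        next unless defined $rid && $verb =~ /^(?:OK|FAIL|CONT)$/;
        return { verb => $verb, args => \@args } if $rid eq $id;
    }
    return undef;
}

# Compare the default eol with eol '' for a short and a long password.
for my $pw ('test', 'x' x 80) {
    my $bad  = build_auth_line(1, 'ejabberd', 'test', $pw);
    my $good = build_auth_line(1, 'ejabberd', 'test', $pw, '');
    printf "password length %2d: default eol -> %d newline(s), eol '' -> %d\n",
        length $pw, ($bad =~ tr/\n//), ($good =~ tr/\n//);
}

# Constructed sample: one reply arriving split across two recv() calls.
my $buf = '';
for my $chunk ("FAIL\t1\tus", "er=test\n") {
    $buf .= $chunk;
    my $r = take_reply(\$buf, 1) or next;
    print "reply: $r->{verb} @{$r->{args}}\n";
}
```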
Re: [Dovecot] Work with auth socket
Yes, but this module doesn't work with my dovecot)) So I've tried to manually debug it - and it really does not work and has an error somewhere.

Dovecot 1.2.10 from Debian backports.

2010/6/29 Anton Dollmaier

> Hi,
>
>> I've wrote such script:
>
> use Authen::SASL::Authd, as suggested by Steffen.
>
> This code-snippet should help you:
>
>> http://search.cpan.org/~sasha/Authen-SASL-Authd-0.04/lib/Authen/SASL/Authd.pm
>
> #!/usr/bin/perl
> use Authen::SASL::Authd qw(auth_cyrus auth_dovecot);
>
> $login = "test";
> $passwd = "test";
>
> # authenticate user against Dovecot authentication daemon
> auth_dovecot($login, $passwd) or die "dovecot-auth: FAIL";
>
> I realized a monitoring-script with this snippet, works great.
>
> good luck!
[Dovecot] Work with auth socket
-- Forwarded message --
From: Неворотин Вадим
Date: 2010/6/29
Subject: Re: [Dovecot] Work with auth socket
To: Steffen Kaiser

Hmm, I have some problems with implementing authentication through the dovecot socket. I wrote this script:

#!/usr/bin/perl
use IO::Socket::UNIX;
use IO::Select;
use MIME::Base64;

$login = "test";
$passwd = "test";
#utf8::encode($login); # I don't know whether we really need it
#utf8::encode($passwd);
my $service = "ejabberd";
my $timeout = 1;
my $socket = '/var/spool/postfix/private/auth-client';

my $sock = new IO::Socket::UNIX(Type => SOCK_STREAM, Peer => $socket) or die "Can't open socket.";
my $sel = new IO::Select($sock);

while (1) {
    $sel->can_read($timeout) or last;
    defined recv($sock, my $buf, 256, 0) or warn 'Error while reading response';
    print $buf;
}

send($sock,"VERSION\t1\t0\nCPID\t$$\n",0) or die "Can't write to $socket";

my $base64 = encode_base64("\0$login\0$passwd");
$sock->send("AUTH\t1\tPLAIN\tservice=$service\tsecured\tresp=$base64\n") or die "Can't write to $socket";

my $i = 10;
while ($i--) {
    $sel->can_read($timeout) or last; # "Timed out while waiting for response";
    defined recv($sock, my $buf, 256, 0) or warn 'Error while reading response';
    print $buf;
}

And I get this log:

# ./test.pl
MECH PLAIN plaintext
MECH LOGIN plaintext
VERSION 1 0
SPID 26023
CUID 1818
DONE

So dovecot doesn't answer anything after the AUTH command. Maybe http://wiki.dovecot.org/Authentication%20Protocol does not fully describe the auth protocol?

2010/6/24 Неворотин Вадим

> Thank you!
>
> 2010/6/24 Steffen Kaiser
>
>> On Thu, 24 Jun 2010, Неворотин Вадим wrote:
>>
>>> I need to use Dovecot auth socket from my perl script to validate user's
>>> passwords (for jabber server). Is there any information about how to
>>> communicate with dovecot auth socket?
>>
>> http://search.cpan.org/~sasha/Authen-SASL-Authd-0.04/lib/Authen/SASL/Authd.pm
>>
>> "NAME
>>
>> Authen::SASL::Authd - Client authentication via Cyrus saslauthd or Dovecot
>> authentication daemon."
>>
>> http://wiki.dovecot.org/Authentication+Protocol
>>
>> Regards,
>>
>> -- Steffen Kaiser
Re: [Dovecot] Work with auth socket
Thank you!

2010/6/24 Steffen Kaiser

> On Thu, 24 Jun 2010, Неворотин Вадим wrote:
>
>> I need to use Dovecot auth socket from my perl script to validate user's
>> passwords (for jabber server). Is there any information about how to
>> communicate with dovecot auth socket?
>
> http://search.cpan.org/~sasha/Authen-SASL-Authd-0.04/lib/Authen/SASL/Authd.pm
>
> "NAME
>
> Authen::SASL::Authd - Client authentication via Cyrus saslauthd or Dovecot
> authentication daemon."
>
> http://wiki.dovecot.org/Authentication+Protocol
>
> Regards,
>
> -- Steffen Kaiser
[Dovecot] Work with auth socket
I need to use Dovecot auth socket from my perl script to validate user's passwords (for jabber server). Is there any information about how to communicate with dovecot auth socket?
Re: [Dovecot] [Bug] Case sensitive usernames and variables
2010/5/5 Steffen Kaiser

> First:
> Is it a typo or did you replace %%u by %Lu ? Note the different number of
> %'s.

No, of course I tried to replace %u with %Lu. And also %%u with %%Lu. It's not working, so I think it's a bug.

> Second: You can have passdb return set/overwrite "user", just return the
> "normalized" variant of the username as "user" field:
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields

I use LDAP for passdb and I can't be sure that in LDAP all my users have lowercase usernames. But I've found the option

auth_username_format = %Lu

It looks like what I need, thank you!
[Dovecot] [Bug] Case sensitive usernames and variables
Today I've found a very irritating bug: I use

mail_location = maildir:/var/mail/%u/

in my dovecot.conf. And if a user types Username, username, USERname etc. at login, dovecot creates different Maildirs for one real user. But LDA works correctly and saves all messages to the lowercase username mailbox. No problem, add L:

mail_location = maildir:/var/mail/%Lu/

Then all works well. But I also have this namespace configuration:

namespace shared {
  separator = /
  prefix = &BCAEMARBBEEESwQ7BDoEOA-/%%u/
  location = maildir:/var/mail/%%u:INDEX=/var/mail/%u/shared/%%u
  subscriptions = no
  list = children
}

And here I can't replace %u with %Lu, because dovecot writes to dovecot.log:

IMAP(malamut): Error: Namespace '&BCAEMARBBEEESwQ7BDoEOA-/%Lu/': shared: Shared namespace prefix contains unknown variables

So the user has only one mailbox (with a lowercase name), but a lot of different indexes for shared mailboxes, e.g. /var/mail/username/shared, /var/mail/USERname/shared etc.

How can I tune dovecot to always use the lowercase username? Dovecot 1.2.10
Re: [Dovecot] Problems with masteruser
Thank you for your answer! I'll try to use it for my autoconfiguration script after the weekend))

I use AD as userdb and passdb and have group mailboxes, but the main users for these mailboxes haven't got any password. And I need to automatically subscribe my users to new group mailboxes. So a "full-access" masteruser is really good for me.

2010/4/16 Timo Sirainen

> On Fri, 2010-04-16 at 16:57 +0400, Неворотин Вадим wrote:
>> I've add
>>
>> $ENV{'MASTER_USER'} = $ENV{'USER'};
>>
>> to my postlogin-imap script, and it looks like that all is working, thank
>> you!!! I'll test it next week, but as I see ACL and base operations work, so
>> I think that all other works too))
>>
>> But what does it mean when I return in master_user field current user's
>> name?)))
>
> It means exactly what you do in your post-login script. It sets
> master_user to same as user.
>
>> But if I return in master_user not a current user name, but
>> something else?))) What master_user field control?))) (Sorry, I can't find
>> any information about this feature)
>
> master_user is used for the ACL checks. Currently it doesn't do anything
> else. So if you set master_user to "foo", it uses foo's ACLs when
> determining access to mailboxes. There's nothing special about master
> users after login, they're just usernames as any other usernames are.
Re: [Dovecot] Problems with masteruser
I've added

$ENV{'MASTER_USER'} = $ENV{'USER'};

to my postlogin-imap script, and it looks like everything is working, thank you!!! I'll test it next week, but as I see ACL and basic operations work, so I think that everything else works too))

But what does it mean when I return the current user's name in the master_user field?))) As I understand it, it increases the masteruser's rights to full control of the user's mailbox. But what if I return in master_user not the current user name, but something else?))) What does the master_user field control?))) (Sorry, I can't find any information about this feature)

2010/4/16 Timo Sirainen

> On Fri, 2010-04-16 at 15:30 +0400, Неворотин Вадим wrote:
>> Hmm For what can I use masterusers, if I even can't read with masteruser
>> user's mails from INBOX? And where can I read about masterusers in that way.
>> I really can't understand for what there is masterusers if they can't do
>> anything)))
>
> The feature was originally implemented for a voicemail feature. There
> would be a "voicemail" master user that would have permission to write
> new mails to users' "voicemail" mailbox, but nothing else.
>
> You could have a similar "spam" master user that only has access to
> users' "Spam" mailbox (for training spam bayesian or whatever).
>
> Anyway, did you try my suggestion on how to make it work the way you
> wanted? If it doesn't work yet, I can change the code to make it work:
>
>> You could try if having your userdb return
>> master_user=%u field would make it work the way you want.
Re: [Dovecot] Problems with masteruser
Hmm, what can I use masterusers for, if I can't even read the user's mails from INBOX with a masteruser? And where can I read about masterusers used in that way? I really can't understand what masterusers are for if they can't do anything)))

2010/4/16 Timo Sirainen

> On Fri, 2010-04-09 at 20:53 +0400, Неворотин Вадим wrote:
>> Well, the main idea of master users is to able to log in as normal user with
>> master password. So IMAP client shouldn't know at all that it work with
>> masteruser password. And IMAP process must be exactly the same. If you can
>> find difference between login*master and login - then there is a bug in
>> master users implementation. I see a big difference
>
> It's not a bug, it's an intentional feature. What you're requesting is a
> different feature. You could try if having your userdb return
> master_user=%u field would make it work the way you want.
Re: [Dovecot] Problems with masteruser
Well, the main idea of master users is to be able to log in as a normal user with the master password. So the IMAP client shouldn't know at all that it works with a masteruser password. And the IMAP process must be exactly the same. If you can find a difference between login*master and login - then there is a bug in the master users implementation. I see a big difference.

2010/4/9 Eric Rostetter

> Quoting Неворотин Вадим :
>
>> It's look like a big bug. As I understand there shouldn't be any different
>> between logging in with masteruser and normal log in. But in my system I
>> can't use masteruser at all due to IMAP errors.
>
> It works for me, with two exceptions:
>
> 1) The acl issue I mentioned.
> 2) It doesn't work right in my "webmail" for anything but the e-mail part,
> since the webmail retains the user as "master*real" instead of just real.
> So it does log me in and show me the mail, but everything else (preferences,
> filters, address book, etc) don't work right. The webmail has "hooks" which
> should allow me to fix this, but I've not had time to figure that out yet.
>
> So basically, it works for me, which just two little annoyances (one is
> dovecot specific, the other is actually my webmail and not dovecot).
>
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
>
> Go Longhorns!
Re: [Dovecot] Problems with masteruser
It looks like a big bug. As I understand it, there shouldn't be any difference between logging in with a masteruser and a normal login. But in my system I can't use masteruser at all due to IMAP errors.

2010/4/9 Eric Rostetter

> Quoting ? ? :
>
>> I have very strange problem with masteruser. See two logs below:
>
> I can't help, but I can add my observations... Using dovecot 1.2.11
> and master users, I noticed that if I login with to a user (real-user)
> using the master user (master-user), then the mailbox listing shows all
> non-acl mailboxes fine, but for acl-controlled mailboxes it shows those
> for which "master-user" has access, not those for which "real-user" has
> access.
>
> This really freaked me out the first time I logged in and a shared
> folder showed up when it shouldn't have. I thought I had shared it
> with everyone! But I was able to verify that a real login to "real-user"
> doesn't see the shared folder, while a master login to "real-user" does
> see it. So it is the master user login that is messing up the acl checks.
>
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
>
> Go Longhorns!
[Dovecot] Problems with masteruser
I have a very strange problem with masteruser. See the two logs below:

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Welcome to our post server!
x login nevorotin password
x OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk] Logged in
x list "" "*"
* LIST (\HasNoChildren) "/" "INBOX"
x OK List completed.
x getacl INBOX
* ACL "INBOX" "nevorotin" lrwstipekxacd
x OK Getacl completed.

All works perfectly. And then I log in through masteruser:

# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Welcome to our post server!
x login nevorotin*master masterpassword
x OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS ACL RIGHTS=texk] Logged in
x list "" "*"
* LIST (\Unmarked) "/" "INBOX"
x OK List completed.
x getacl INBOX
x NO [NONEXISTENT] Mailbox doesn't exist: INBOX

I've turned on debug logging, but there aren't any errors. I only see that masteruser successfully logged in as nevorotin.

How can I make a masteruser login to a user account exactly the same as a simple user login? Now it doesn't work at all. I use version 1.2.10 of dovecot.
Re: [Dovecot] Manage mails from server
Thanks! Master Users are a very good solution for me.

2010/4/8 Timo Sirainen

> On Thu, 2010-04-08 at 01:38 +0400, Неворотин Вадим wrote:
>> Hmm, PREAUTH is cool. But all Perl CPAN modules for IMAP can work only through
>> UNIX local sockets (or usual internet connection). Maybe there is an
>> ability to create a socket when launching 'dovecot --exec-mail imap' instead
>> of working directly with STDIN/STDOUT?
>
> With v2.0 you can add a UNIX socket listener to IMAP, but you still have
> to log in with it. Maybe you should enable some kind of master user
> logins. http://wiki.dovecot.org/Authentication/MasterUsers
Re: [Dovecot] Manage mails from server
Hmm, PREAUTH is cool. But all Perl CPAN modules for IMAP can work only through UNIX local sockets (or a usual internet connection). Maybe there is an ability to create a socket when launching 'dovecot --exec-mail imap' instead of working directly with STDIN/STDOUT?
[Dovecot] Per-user flags for shared folders
As I see, in 2.0 there won't be an ability to control which flags should be shared and which should be per-user. But maybe there are some plans to implement settings to control that? It would be great if you could write in the dovecot-shared file which flags should be per-user. It's very useful for group mailboxes, when each user should work with such a mailbox as with their own.

Now I can't give anybody permission to delete on a group mailbox, because if somebody deletes a message, it disappears for the other users of the group mailbox. So my group mailboxes look like a big scrapyard. I can compile from sources and also add the \Deleted flag to private flags, but it's not an elegant solution.

And my idea is easy to implement :) Only add here:

shared_path = t_strconcat(box->path, "/dovecot-shared", NULL);
if (stat(shared_path, &st) == 0)
        box->private_flags_mask = MAIL_SEEN;

in maildir-storage.c some code for reading a mask from the dovecot-shared file. Unfortunately I'm not a good programmer, so I can't make a patch myself(((
[Dovecot] Manage mails from server
I've configured Dovecot with a shared namespace and IMAP ACLs to make group mailboxes. I use maildir mailboxes, and I add a dovecot-shared file to each group mailbox. So each user with access to a group mailbox has their own \Seen flag.

And now I need to automatically delete a mail from the server 2 weeks after each user has read the email in the shared mailbox. How can I, e.g. from a Perl script, get the \Seen flag for a user and a mail and then correctly delete the mail from the server? I need to create a fully automatic mail system, maybe there are some HOW-TOs or examples anywhere?

And will I be able to use a per-user \Deleted flag in 2.0, not only \Seen?
[Dovecot] Managing IMAP ACL from script
I need to change ACLs for mailboxes from a script on my server. As I understand it, now I can correctly change ACLs only via telnet using IMAP commands. And moreover I need to know the user's password for it.

Are there any plans to add inheritance of ACLs and the ability to manage them directly from the server? And if so, in which version? Will 2.0 fully support ACLs? Now I use Dovecot 1.2.10.
[Dovecot] Shared folders
I need to create a shared folder (mailbox for a group mailing list) with access for several accounts. But all people with access to this mailbox should be able to work with this folder in absolutely the same way as with a local mailbox. Each user should be able to delete emails and mark them as read. But these changes must apply only to that one user, not to others.

For example, user1 and user2 have access to the folder Trades. There is a new incoming mail. User1 reads it and deletes it. But in user2's client this mail must be unread and not deleted. So there should be only one copy of an email (in the group mailbox), but the state (unread|read|deleted) of this email should be different for each user. Can I do this with dovecot?

Yes, I know that I can send a copy of the group letter to each user's mailbox, but unfortunately I have a lot of groups and very big letters, so I can't duplicate each letter to many mailboxes. The purpose is to store only one instance of each letter, but to allow users to work with it as with their own letters. Now I use Maildir++ mailboxes.
Re: [Dovecot] Problem with allow_nets passdb parameter and Postfix
Well, I've asked this question on the Postfix mailing list, and after the discussion, as I understand it, Postfix 2.7 sends all necessary client information to the Dovecot socket. But I haven't tried this solution yet.

2010/2/18 Timo Sirainen

> On Mon, 2010-02-15 at 14:00 +0300, Неворотин Вадим wrote:
>> allow_nets check failed: Remote IP not known
>
>> Problem is clear: smtpd don't send client IP to dovecot authentication
>> socket.
>
> Yep. The only way you can get Postfix to send IP to Dovecot is by
> patching Postfix sources.
>
>> But I need to limit the ability of connection to users only from
>> specific IP. Both for SMTP and IMAP. How can I do that? I use dovecot 1.0.15
>> and Postfix 2.5.5 on Debian Lenny.
>
> Do you mean all users must connect from only specific IP, or is it a
> per-user configuration? If all users, maybe you can do this on Postfix
> side some other way. Or require clients to use submission port or a
> different IP and use a firewall.
[Dovecot] Problem with allow_nets passdb parameter and Postfix
I use Dovecot for SASL authentication from Postfix. In Postfix main.cf I have:

smtpd_sasl_type = dovecot

It works well, but now I need to allow users to connect by IMAP only from given IP addresses. I've added the extra field allow_nets to passdb in Dovecot, and IMAP authentication works fine. But now I can't connect to my SMTP server, because when smtpd asks dovecot about user authentication, dovecot always denies it. Even if I try to connect to SMTP from a correct IP, listed in allow_nets for the user. In the dovecot log I have messages about an incorrect IP like this:

dovecot: 2010-02-15 13:28:51 Info: auth(default): passwd-file(malamut): lookup: user=malamut file=/etc/dovecot/temp.users
dovecot: 2010-02-15 13:28:51 Info: auth(default): passdb(malamut): allow_nets check failed: Remote IP not known
dovecot: 2010-02-15 13:28:53 Info: auth(default): client out: FAIL 7 user=malamut

The problem is clear: smtpd doesn't send the client IP to the dovecot authentication socket. But I need to limit users' ability to connect to specific IPs only. Both for SMTP and IMAP. How can I do that? I use dovecot 1.0.15 and Postfix 2.5.5 on Debian Lenny.