Re: submission message quota
On 8/20/20 2:56 PM, Admin Beckspaced wrote:
> If postfix is handling your submission service you can have a look at
> postfwd
>
> https://www.postfwd.org/
>
> I use it to limit sending of emails, recipients, etc, etc

Thanks for the suggestion! I am using Postfix as the relay host behind dovecot-submissiond. Unfortunately, unless I'm missing something, submissiond does not seem to be able to add the SASL username to the message headers, so I don't have a good way to distinguish sending users on the relay server.

Cheers,
Gerry
submission message quota
Hello,

I am trying to come up with a way to have individual quotas per user for the submission service, similar to what I could achieve with Postfix and policyd. More specifically, the quota I am most interested in is limiting the number of messages a single account can send within a given timeframe. Ideally, I'd also like to limit the number of total recipients within a given timeframe, to mitigate the loophole of adding multiple recipients to a single message.

Example: account Y is allowed to send 500 messages per 60 minutes, with a maximum of 2000 recipients overall.

What would be the best path to take?

Thanks!
Gerry
Re: Using a separate passdb per service
On 08/10/2015 09:58 AM, Steffen Kaiser wrote:
> As far as I know, all services use the auth in the back. But you have the %s / service variable. You should be able to craft a SQL query that returns NULL nopasswd=Y, if postfix is not querying Dovecot. I don't know which service name postfix passes to Dovecot, though.

Hmm, that's an interesting idea. I'll explore it further.

Thanks!
Gerry
Re: Using a separate passdb per service
On 08/08/2015 05:57 AM, Edgar Pettijohn wrote:
> I'm not sure if this would work, but possibly having two separate instances of dovecot with separate configs running may work for you.
> http://wiki2.dovecot.org/RunningDovecot

Hi Edgar,

Thank you for your suggestion. Yes, that would probably work, but it would be rather fiddly to run two Dovecot instances. I was hoping to be able to do it with just one instance.

Gerry
Using a separate passdb per service
Situation: one front-facing server running Dovecot as IMAP/POP3/ManageSieve proxy, a mixture of IMAP servers (Dovecot, Exchange, ...) in the back-end. Dovecot's passdb does lookups against MySQL which contains a simple user/host mapping; the actual authentication happens on the back-end IMAP servers. The configuration is more or less as described here:

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

Now I would like to add a Postfix instance on the front-facing server which listens on the submission port and authenticates users via SASL using the local Dovecot's UNIX socket, the idea being that a user only needs to remember one single hostname, one username and one password for all mail-related services.

The problem is that Dovecot is operating in proxy mode, which means that the password_query returns NULL as the password and explicitly returns a field nopasswd containing Y. Thus, users cannot authenticate against the UNIX socket.

What I think I want to do is convince Dovecot to use one passdb for the imap/pop3/managesieve services and a different one for the auth service. The configuration snippet below doesn't work, but it should illustrate what I want to achieve:

  protocols = imap pop3 sieve

  service auth {
    passdb sql {
      driver = sql
      args = /etc/dovecot/mysql-auth-sasl.conf.ext
    }
    unix_listener /var/spool/postfix/private/auth {
      user = postfix
      group = postfix
      mode = 0666
    }
  }

  # IMAP/POP3/ManageSieve auth against MySQL
  passdb sql {
    driver = sql
    args = /etc/dovecot/mysql-auth-default.conf.ext
  }

Example mysql-auth-sasl.conf.ext:

  driver = mysql
  connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
  password_query = SELECT password AS password FROM users WHERE login = '%u'

Example mysql-auth-default.conf.ext:

  driver = mysql
  connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
  password_query = SELECT NULL AS password, 'Y' as nopassword, host, 'Y' AS proxy FROM users WHERE login = '%u'

Any pointers?

Gerry
[Dovecot] Rewriting username at login
I am trying to make a switch from Cyrus to Dovecot, which has some historical accidents to it that I have to deal with and ideally would like to get rid of. One of them is that about half of the existing accounts have a different format for their login. All the newer accounts have their email address as login, the old ones use a dot instead of an at:

- new: us...@domain.tld
- old: user2.domain.tld

I would like to migrate away from the all-dots notation since it leads to a lot of support questions, and for that I'd like to run in a compatibility mode for a few months. Effectively, I want to get rid of all the old users and convert them all to the new scheme, and have the username rewritten at login, so every second-to-last dot gets rewritten to an at. This would ensure that we have no complaints and allow our users to migrate slowly.

All users are currently stored in a MySQL database for Cyrus, but this will be changed to a Dovecot-LDAP combination.

Is this possible? How could I achieve this?

Kind regards,
Gerry.
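The rewrite rule from the post above ("every second-to-last dot becomes an at"), as an added Python illustration that is not part of the thread or of Dovecot. The first function implements the rule literally and the tests show where it breaks: a hosted domain with more than one label ("domain.co.uk") or a dotted local part makes "second-to-last dot" ambiguous. The second function is my generalization, splitting on a known list of hosted domains instead of counting dots. Function names and the sample logins are my own.

```python
def rewrite_login(login):
    """Literal rule from the post: turn the second-to-last dot into an at.
    Logins that already contain an at, or have fewer than two dots, pass
    through unchanged so new-style users are not touched."""
    if "@" in login or login.count(".") < 2:
        return login
    head, _, tld = login.rpartition(".")       # split off the last label
    user, _, domain = head.rpartition(".")     # the second-to-last dot
    return f"{user}@{domain}.{tld}"


def rewrite_login_by_domain(login, hosted_domains):
    """Safer variant: anchor on a known hosted domain (longest match first)
    so multi-label domains and dotted local parts are rewritten correctly.
    Unknown suffixes are left alone rather than guessed."""
    if "@" in login:
        return login
    for domain in sorted(hosted_domains, key=len, reverse=True):
        suffix = "." + domain
        if login.endswith(suffix) and len(login) > len(suffix):
            return login[: -len(suffix)] + "@" + domain
    return login


if __name__ == "__main__":
    print(rewrite_login("user2.domain.tld"))                       # user2@domain.tld
    print(rewrite_login("user.domain.co.uk"))                      # user.domain@co.uk  (wrong!)
    print(rewrite_login_by_domain("user.domain.co.uk", ["domain.co.uk"]))  # user@domain.co.uk
```

In a proxy setup the domain list is the same data the passdb already holds (the user/host mapping), which is why the second form is the one to prefer over dot counting.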
[Dovecot] deliver triggering SELinux AVC denials
I set up postfix/dovecot on a new machine and now all works well with the small exception of dovecot triggering SELinux AVC denials on some temp... files. Here is a sample alert:

Summary
SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t) link to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Detailed Description
SELinux denied access requested by /usr/libexec/dovecot/deliver. It is not expected that this access is required by /usr/libexec/dovecot/deliver and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for temp.localhost.678.40caaf5592891c46,
restorecon -v temp.localhost.678.40caaf5592891c46
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          user_u:system_r:dovecot_deliver_t
Target Context          user_u:object_r:user_home_dir_t
Target Objects          temp.localhost.678.40caaf5592891c46 [ file ]
Affected RPM Packages   dovecot-1.0.7-16.fc7 [application]
Policy RPM              selinux-policy-2.6.4-63.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall_file
Host Name               localhost
Platform                Linux localhost 2.6.23.8-34.fc7 #1 SMP Thu Nov 22 23:05:33 EST 2007 i686 athlon
Alert Count             1
First Seen              Tue 01 Jan 2008 09:29:35 PM EST
Last Seen               Tue 01 Jan 2008 09:29:35 PM EST
Local ID                507dd6a2-da46-4541-8c10-a0771bc85042
Line Numbers

Raw Audit Messages
avc: denied { link } for comm=deliver dev=dm-0 egid=5000 euid=5000 exe=/usr/libexec/dovecot/deliver exit=0 fsgid=5000 fsuid=5000 gid=5000 items=0 name=temp.localhost.678.40caaf5592891c46 pid=678 scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000

and 5000 is user vmail. When I look for these files that it is complaining about they are never in the filesystem. I get about 8 alerts with every email that is delivered. Right now I have SELinux set to permissive so that the mail gets delivered but I would like to find the cause of this problem so that I can set it back to enforcing.

Gerry
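Added Python example, not part of the thread and not a Fedora or SELinux tool: a small parser for raw AVC denial lines of the form shown above that groups them by source type, target type, object class and permission, which is the first thing to do with "about 8 alerts per delivered email" before deciding between a relabel (restorecon) and a local policy module. The first sample line is the raw audit message from the alert; the other lines are constructed in the same format. Function names (parse_avc, summarize, as_allow_rules) are my own.

```python
import re
from collections import Counter

# Matches the "avc: denied { perms } for key=value ..." part of a raw audit line.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")

# Constructed sample input: line 1 is the raw message from the alert above,
# lines 2-3 are made up in the same format, line 4 is non-AVC audit noise.
SAMPLE_LINES = [
    "avc: denied { link } for comm=deliver dev=dm-0 egid=5000 euid=5000 exe=/usr/libexec/dovecot/deliver exit=0 fsgid=5000 fsuid=5000 gid=5000 items=0 name=temp.localhost.678.40caaf5592891c46 pid=678 scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000",
    "type=AVC msg=audit(1199240975.101:46): avc: denied { link } for pid=680 comm=deliver name=temp.localhost.680.constructed dev=dm-0 scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=file",
    "type=AVC msg=audit(1199240975.102:47): avc: denied { write } for pid=681 comm=deliver name=dovecot.index.log dev=dm-0 scontext=user_u:system_r:dovecot_deliver_t:s0 tcontext=user_u:object_r:mail_spool_t:s0 tclass=file",
    'type=SYSCALL msg=audit(1199240975.102:47): arch=40000003 syscall=9 success=no exit=-13 comm="deliver"',
]


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one raw audit line into a dict; return None if it has no AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    fields["perms"] = m.group("perms").split()
    return fields


def summarize(lines):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        base = (context_type(rec.get("scontext", "")),
                context_type(rec.get("tcontext", "")),
                rec.get("tclass"))
        for perm in rec["perms"]:
            counts[base + (perm,)] += 1
    return counts


def as_allow_rules(counts):
    """Render the grouped denials as candidate allow rules for review, one per
    (source, target, class) with permissions merged. Review the target label
    before using any of them: a mail temp file labelled user_home_dir_t, as in
    the alert above, points at a labeling problem (restorecon), not a gap in policy."""
    merged = {}
    for (src, tgt, cls, perm) in counts:
        merged.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in merged.items()
    )


if __name__ == "__main__":
    counts = summarize(SAMPLE_LINES)
    for key, n in sorted(counts.items()):
        print(n, key)
    print("\n".join(as_allow_rules(counts)))
```

Grouping by type rather than by file name is what makes the "files are never in the filesystem" observation unsurprising: the temp names change per delivery, but the (dovecot_deliver_t, user_home_dir_t, file, link) tuple stays the same, so every delivery produces the same denial class.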