Re: submission message quota

2020-08-20 Thread Gerry
On 8/20/20 2:56 PM, Admin Beckspaced wrote:
> If postfix is handling your submission service you can have a look at
> postfwd
> 
> https://www.postfwd.org/
> 
> I use it to limit sending of emails, recipients, etc, etc

Thanks for the suggestion!

I am using Postfix as the relay host behind dovecot-submissiond.
Unfortunately, unless I'm missing something, submissiond does not seem
to be able to add the SASL username to the message headers, so I don't
have a good way to distinguish sending users on the relay server.

Cheers,

Gerry


submission message quota

2020-08-20 Thread Gerry
Hello,

I am trying to come up with a way to have individual quotas per user for
the submission service. Similar to what I could achieve with Postfix and
policyd.

More specifically, the quota I am most interested in is limiting the
number of messages a single account can send within a given timeframe.
Ideally, I'd also like to limit the total number of recipients within a
given timeframe, to close the loophole of adding multiple recipients
to a single message.

Example: account Y is allowed to send 500 messages per 60 minutes, with
a maximum of 2000 recipients overall.

What would be the best path to take?

Thanks!

Gerry
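A sliding-window implementation of the quota described above, added here as an example (it is not part of the thread and not Dovecot or Postfix code). It assumes Postfix performs SASL itself and consults a policy server at END-OF-MESSAGE, where the policy delegation protocol supplies sasl_username and recipient_count:

```python
# Added example: per-account sending quota for a Postfix policy daemon.
# Assumes Postfix does SASL itself and uses smtpd_end_of_data_restrictions =
# check_policy_service ..., so each request carries sasl_username and recipient_count.
import time
from collections import defaultdict, deque

class SendQuota:
    """Sliding window: at most max_messages messages and max_recipients
    recipients per account within the last `window` seconds."""

    def __init__(self, max_messages=500, max_recipients=2000, window=3600):
        self.max_messages, self.max_recipients, self.window = max_messages, max_recipients, window
        self._messages = defaultdict(deque)    # account -> timestamps of accepted messages
        self._recipients = defaultdict(deque)  # account -> one timestamp per accepted recipient

    def _prune(self, events, now):
        # Events are appended in time order, so expired ones sit at the left end.
        while events and events[0] <= now - self.window:
            events.popleft()

    def check(self, account, recipients, now=None):
        """Return 'DUNNO' (accept and record the send) or a temporary rejection."""
        now = time.time() if now is None else now
        msgs, rcpts = self._messages[account], self._recipients[account]
        self._prune(msgs, now)
        self._prune(rcpts, now)
        if len(msgs) >= self.max_messages:
            return "DEFER_IF_PERMIT message quota exceeded, try again later"
        if len(rcpts) + recipients > self.max_recipients:
            return "DEFER_IF_PERMIT recipient quota exceeded, try again later"
        msgs.append(now)
        rcpts.extend([now] * recipients)
        return "DUNNO"

def parse_policy_request(text):
    """Parse one policy-delegation request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def handle_request(quota, attrs, now=None):
    """Map one END-OF-MESSAGE request to the reply Postfix expects."""
    user = attrs.get("sasl_username", "")
    if not user:  # unauthenticated client: nothing to account against
        return "action=DUNNO\n\n"
    return "action=%s\n\n" % quota.check(user, int(attrs.get("recipient_count", "0")), now)
```

The counters live in memory, so a restart of the daemon resets every account's window; a real deployment would persist them.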


Re: Using a separate passdb per service

2015-08-10 Thread Gerry
On 08/10/2015 09:58 AM, Steffen Kaiser wrote:
> As far as I know, all services use the auth in the back.
> 
> But you have the %s / service variable. You should be able to craft a
> SQL query, that returns NULL  nopasswd=Y, if postfix is not querying
> Dovecot.
> 
> I don't know, which service name postfix passes to Dovecot, though,

Hmm, that's an interesting idea. I'll explore it further.

Thanks!

Gerry


Re: Using a separate passdb per service

2015-08-09 Thread Gerry
On 08/08/2015 05:57 AM, Edgar Pettijohn wrote:
> I'm not sure if this would work, but possibly having two separate
> instances of dovecot with separate configs running may work for you.
> 
> http://wiki2.dovecot.org/RunningDovecot

Hi Edgar,

Thank you for your suggestion.

Yes, that would probably work, but it would be rather fiddly to run two
Dovecot instances. I was hoping to be able to do it with just one
instance.

Gerry


Using a separate passdb per service

2015-08-07 Thread Gerry
Situation: one front-facing server running Dovecot as IMAP/POP3/
ManageSieve proxy, a mixture of IMAP servers (Dovecot, Exchange, ...)
in the back-end. Dovecot's passdb does lookups against MySQL which
contains a simple user/host mapping, the actual authentication happens
on the back-end IMAP servers. The configuration is more or less as
described here: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

Now I would like to add a Postfix instance on the front-facing server
which listens on the submission port and authenticates users via SASL
using the local Dovecot's UNIX socket. The idea being that a user only
needs to remember one single hostname, one username and one password
for all mail-related services.

The problem is that Dovecot is operating in proxy mode, which means
that the password_query returns NULL as the password and explicitly
returns a field nopasswd containing Y. Thus, users cannot
authenticate against the UNIX socket.

What I think I want to do is convince Dovecot to use one passdb for the
imap/pop3/managesieve services and a different one for the auth service.

The configuration snippet below doesn't work, but it should illustrate
what I want to achieve:

  protocols = imap pop3 sieve

  service auth {
    passdb sql {
      driver = sql
      args = /etc/dovecot/mysql-auth-sasl.conf.ext
    }

    unix_listener /var/spool/postfix/private/auth {
      user = postfix
      group = postfix
      mode = 0666
    }
  }

  # IMAP/POP3/ManageSieve auth against MySQL
  passdb sql {
    driver = sql
    args = /etc/dovecot/mysql-auth-default.conf.ext
  }

Example mysql-auth-sasl.conf.ext:

 driver = mysql
 connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
 password_query = SELECT password AS password FROM users WHERE login = '%u'

Example mysql-auth-default.conf.ext:

 driver = mysql
 connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
  password_query = SELECT NULL AS password, 'Y' as nopassword, host, 'Y' AS proxy FROM users WHERE login = '%u'

Any pointers?

Gerry


[Dovecot] Rewriting username at login

2009-11-13 Thread Gerry Demaret

I am trying to make a switch from Cyrus to Dovecot which has some
historical accidents to it that I have to deal with and ideally would
like to get rid of.

One of them is that about half of the existing accounts have a
different format for their login. All the newer accounts have their
email address as login, the old ones use a dot instead of an at:

- new: us...@domain.tld
- old: user2.domain.tld

I would like to migrate away from the all-dots notation since it leads
to a lot of support questions, and for that I'd like to run in a
compatibility-mode for a few months. Effectively, I want to get rid of
all the old users and convert them all to the new scheme, and have the
username rewritten at login, so every second-to-last dot gets rewritten
to an at.

This would ensure that we have no complaints and allow our users to
migrate slowly.

All users are currently stored in a MySQL database for Cyrus, but this
will be changed to a Dovecot-LDAP combination.

Is this possible? How could I achieve this?

Kind regards,

Gerry.


[Dovecot] deliver triggering SELinux AVC denials

2008-01-01 Thread Gerry Reno
I set up postfix/dovecot on a new machine and now all works well, with the 
small exception of dovecot triggering selinux avc denials on some 
temp... files. Here is a sample alert:


Summary
   SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t)
   link to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Detailed Description
   SELinux denied access requested by /usr/libexec/dovecot/deliver. It is not
   expected that this access is required by /usr/libexec/dovecot/deliver and
   this access may signal an intrusion attempt. It is also possible that the
   specific version or configuration of the application is causing it to
   require additional access.

Allowing Access
   Sometimes labeling problems can cause SELinux denials.  You could try to
   restore the default system file context for
   temp.localhost.678.40caaf5592891c46, restorecon -v
   temp.localhost.678.40caaf5592891c46 If this does not work, there is
   currently no automatic way to allow this access. Instead,  you can generate
   a local policy module to allow this access - see
   http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
   SELinux protection altogether. Disabling SELinux protection is not
   recommended. Please file a
   http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
   against this package.

Additional Information

Source Context           user_u:system_r:dovecot_deliver_t
Target Context           user_u:object_r:user_home_dir_t
Target Objects           temp.localhost.678.40caaf5592891c46 [ file ]
Affected RPM Packages    dovecot-1.0.7-16.fc7 [application]
Policy RPM               selinux-policy-2.6.4-63.fc7
Selinux Enabled          True
Policy Type              targeted
MLS Enabled              True
Enforcing Mode           Permissive
Plugin Name              plugins.catchall_file
Host Name                localhost
Platform                 Linux localhost 2.6.23.8-34.fc7 #1 SMP Thu Nov 22 23:05:33 EST 2007 i686 athlon
Alert Count              1
First Seen               Tue 01 Jan 2008 09:29:35 PM EST
Last Seen                Tue 01 Jan 2008 09:29:35 PM EST
Local ID                 507dd6a2-da46-4541-8c10-a0771bc85042
Line Numbers

Raw Audit Messages

avc: denied { link } for comm=deliver dev=dm-0 egid=5000 euid=5000 exe=/usr/libexec/dovecot/deliver exit=0 fsgid=5000 fsuid=5000 gid=5000 items=0 name=temp.localhost.678.40caaf5592891c46 pid=678 scontext=user_u:system_r:dovecot_deliver_t:s0 sgid=5000 subj=user_u:system_r:dovecot_deliver_t:s0 suid=5000 tclass=file tcontext=user_u:object_r:user_home_dir_t:s0 tty=(none) uid=5000

and 5000 is user vmail.

When I look for these files that it is complaining about they are never 
in the filesystem.  I get about 8 alerts with every email that is 
delivered.  Right now I have SELinux set to permissive so that the mail 
gets delivered but I would like to find the cause of this problem so 
that I can set it back to enforcing.

Gerry