Re: separate passdb for unix_listener

2015-10-07 Thread Marco Fretz
You can have a separate dovecot instance for smtp-auth and use that
socket in postfix config.

Just use a small config like the one below for the "auth only instance"
and fire it up with "dovecot -F -c /etc/dovecot/dovecot-auth.conf".
You can then copy and adapt the systemd script or whatever to start it
automatically. In that sql-conf you just need a password_query, no
user_query.

---
base_dir = /var/run/dovecot-auth
instance_name = dovecot-auth

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-auth-sql.conf.ext
}

# disable listeners
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 0
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}

service auth {
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group = virtual_mail
  }

  # Postfix smtp-auth socket
  unix_listener /var/spool/postfix/private/auth-smtp {
    mode = 0660
    group = virtual_mail
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}
---


On 06.10.2015 17:53, Damon wrote:
> I want to use a separate passdb for the unix_listener (postfix smtp-auth) so
> I can limit access to the smtp server by user/domain using the postfixadmin
> database.
> I want to let users access IMAP to receive email but not be able to send.
>
> Any ideas?
>
> Thanks
> Damon


Re: mirroring one domain.tld to domain.tld.au

2015-09-29 Thread Marco Fretz
On 28.09.2015 16:47, voy...@sbt.net.au wrote:
> I have Postfix/Dovecot/postfixadmin/MySQL with several virtual mailbox
> domains
>
> one of the domains is like aname.com.au, the user also now has aname.com,
> and, would like to 'mirror' most of the addresses to be u...@aname.com,
> THOUGH, some are to remain as us...@aname.com.au
I usually do this by having 4 tables in mysql:
hosting (links everything together, links to a product table, quota,
whatever)
domains (domainnames)
accounts (homedir, password, etc.)
usernames

- one hosting has many accounts
- one hosting has many domains (domain aliases)
- one account has many usernames (localpart aliases for the same account)

Then you can match anything you want out of this, and you use
similar queries for postfix and dovecot.

In the domains table you could have a boolean column "maindomain" and in
the accounts table you have a column "maindomain_only"...

For my use, users don't care if there are other alias combinations -
they just don't use them then. But they can login with any combination of
@ and it's still only one mail
directory per account. It's also a good idea to name the maildirectory
like /, so you don't have the domain / username
hardcoded anywhere.

Just some thoughts, works great for me - but it depends on your exact use
case. You can do anything you want in SQL for postfix and
dovecot; keep performance in mind though :-)

>
> so, both u...@aname.com as well as u...@aname.com.au should be one user
>
> the users retrive emails as u...@aname.com.au
>
> longer term... some would want to use aname.com.au. some, aname.com
>
> what's the best/proper way to do so in Dovecot ?
>
> I think I can do Postfix with postfixadmin to "Mirror addresses of one of
> your domains to another."
>
> but what do I do at the Dovecot end...?
>
> thanks for any pointers, suggestions or advice
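Marco's four-table layout above, together with the per-user restriction for the smtp-auth passdb asked about in the "separate passdb for unix_listener" thread, as an added example that is not from the original posts nor from Dovecot or postfixadmin: an in-memory SQLite version of the schema with one lookup query that resolves any localpart/domain alias combination to a single account, plus a stricter check for the Postfix submission socket. The column names beyond "maindomain" and "maindomain_only", the hypothetical can_send flag, the maildir naming and all sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed schema following the four tables named in the post
# (hosting, domains, accounts, usernames).  Columns other than maindomain
# and maindomain_only are assumptions; can_send is a hypothetical flag that
# only the smtp-auth passdb needs to look at.
SCHEMA = """
CREATE TABLE hosting   (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE domains   (id INTEGER PRIMARY KEY, hosting_id INTEGER NOT NULL,
                        domain TEXT NOT NULL UNIQUE,
                        maindomain INTEGER NOT NULL DEFAULT 0);
CREATE TABLE accounts  (id INTEGER PRIMARY KEY, hosting_id INTEGER NOT NULL,
                        maildir TEXT NOT NULL, password TEXT NOT NULL,
                        maindomain_only INTEGER NOT NULL DEFAULT 0,
                        can_send INTEGER NOT NULL DEFAULT 1);
CREATE TABLE usernames (id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL,
                        localpart TEXT NOT NULL);
"""

# Constructed sample data: one hosting with a main domain and a mirrored
# alias domain, two accounts, and a localpart alias for the first account.
# Account 2 is main-domain only and is not allowed to send.  The password
# column holds a placeholder, not a real hash.
SAMPLE = """
INSERT INTO hosting   VALUES (1, 'aname');
INSERT INTO domains   VALUES (1, 1, 'aname.com.au', 1);
INSERT INTO domains   VALUES (2, 1, 'aname.com', 0);
INSERT INTO accounts  VALUES (1, 1, '1/1/', '{SHA256-CRYPT}placeholder', 0, 1);
INSERT INTO accounts  VALUES (2, 1, '1/2/', '{SHA256-CRYPT}placeholder', 1, 0);
INSERT INTO usernames VALUES (1, 1, 'user');
INSERT INTO usernames VALUES (2, 1, 'u');
INSERT INTO usernames VALUES (3, 2, 'bob');
"""

# The same join is what a Dovecot password_query / user_query would carry,
# with '%n' and '%d' in place of the two placeholders.  A localpart matches
# every domain of its hosting unless the account is restricted to the
# hosting's main domain.
LOOKUP = """
SELECT a.id, a.maildir, a.password, a.can_send
FROM usernames u
JOIN accounts a ON a.id = u.account_id
JOIN domains  d ON d.hosting_id = a.hosting_id
WHERE u.localpart = ? AND d.domain = ?
  AND (a.maindomain_only = 0 OR d.maindomain = 1)
"""


def open_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def split_login(login):
    """Split 'localpart@domain' the way Dovecot's %n / %d do, lower-cased
    (the equivalent of auth_username_format = %Lu)."""
    localpart, sep, domain = login.rpartition("@")
    if not sep or not localpart or not domain:
        return None
    return localpart.lower(), domain.lower()


def lookup(conn, login):
    """Resolve any accepted localpart@domain combination to its one account."""
    parts = split_login(login)
    if parts is None:
        return None
    row = conn.execute(LOOKUP, parts).fetchone()
    if row is None:
        return None
    return {"account_id": row[0], "maildir": row[1],
            "password": row[2], "can_send": bool(row[3])}


def smtp_auth_allowed(conn, login):
    """Stricter check for the smtp-auth passdb: the account must exist for
    this alias combination and be allowed to send."""
    acct = lookup(conn, login)
    return acct is not None and acct["can_send"]


if __name__ == "__main__":
    db = open_db()
    for login in ("user@aname.com", "user@aname.com.au", "u@aname.com",
                  "bob@aname.com", "bob@aname.com.au"):
        print(login, "->", lookup(db, login), "send:", smtp_auth_allowed(db, login))
```

For the separate auth-only instance, its sql-conf would use this query as password_query with `AND a.can_send = 1` appended, so an account that reads mail over IMAP simply fails authentication on the Postfix socket; the main instance uses the query without that clause.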


Re: distinguish between different domains

2015-09-29 Thread Marco Fretz
>> The dovecot service does not care about the server DNS name. The DNS
>> name resolves to the IP address on the client (roundcube) and the client
>> connects to the server. If the same dovecot instance listens on all /
>> both IP addresses, the client will end up on this dovecot instance and all
>> valid user-password combinations are authorized. That's the way it has
>> to be, otherwise virtual / mass virtual domain hosting would not be
>> possible as you cannot spawn 1000 instances on the same machine (ok, in
>> theory you could do that :D)
> No, it's only impossible if you are using passdb or otherwise
> authenticating against real users of the system.  If you are using
> virtual users (SQL, LDAP, etc.), you can include the domain name in the
> auth lookups.
>
>
Andreas was asking about the fqdn where the imap client is connecting
to, not the user name / e-mail address.
You can use localpart and domain from the email address in passdb /
userdb lookups, but dovecot (imap) is nothing like http where you send
the hostname of the site you're connecting to in the header.


Re: distinguish between different domains

2015-09-28 Thread Marco Fretz
On 28.09.2015 10:48, Andreas Meyer wrote:
> Hello!
>
> Marco Fretz <marco.fr...@gmail.com> wrote on 28.09.15 at 08:29:59:
>
>> Hi Andreas,
>>
>> I'm not 100% sure what you're trying to accomplish.
>>
>> smtp_server in roundcube is the outgoing server (submission server, i.e.
>> postfix). Mailbox is IMAP (dovecot).
>> You can easily spawn 2 instances of dovecot, one serving aaa.de and one
>> serving bbb.de on different IPs.
> How do I do this?
http://wiki2.dovecot.org/RunningDovecot
I do this by creating a 2nd startup script / systemd service.
You can then use another dovecot config file and specify different
listen IPs (and ports). This is also useful for different SSL certs per
domain / IP, etc.
>
>> What exactly is the problem with 2 domains on one dovecot? I mean user
>> @aaa.de usually does not have the password for @bbb.de and vice versa.
> What is irritating me is that when there are two domains served by
> dovecot, in the client I can specify server.aaa.de although I have
> an email-address u...@bbb.de and connect as such.
>
> For my understanding it should not be possible to connect to server
> server.aaa.de with an address line u...@bbb.de and dovecot serves
> the mailbox of that user.
The dovecot service does not care about the server DNS name. The DNS
name resolves to the IP address on the client (roundcube) and the client
connects to the server. If the same dovecot instance listens on all /
both IP addresses, the client will end up on this dovecot instance and all
valid user-password combinations are authorized. That's the way it has
to be, otherwise virtual / mass virtual domain hosting would not be
possible as you cannot spawn 1000 instances on the same machine (ok, in
theory you could do that :D)
>  
>> About the sending server in roundcube: I don't think there is a way to
>> have a different submission server for different sender domains in
>> roundcube. But you could use the postfix configuration to map sender
>> domains to different outgoing connection IPs.
> Postfix is not the problem. It's the login into the IMAP-server that
> is irritating me. Or am I completely wrong?
>
> Regards
>
>   Andreas


Re: distinguish between different domains

2015-09-28 Thread Marco Fretz
Hi Andreas,

I'm not 100% sure what you're trying to accomplish.

smtp_server in roundcube is the outgoing server (submission server, i.e.
postfix). Mailbox is IMAP (dovecot).
You can easily spawn 2 instances of dovecot, one serving aaa.de and one
serving bbb.de on different IPs.

What exactly is the problem with 2 domains on one dovecot? I mean user
@aaa.de usually does not have the password for @bbb.de and vice versa.

About the sending server in roundcube: I don't think there is a way to
have a different submission server for different sender domains in
roundcube. But you could use the postfix configuration to map sender
domains to different outgoing connection IPs.

Does this help? If not, please tell us more about what you're trying to do.

regards
Marco

On 27.09.2015 19:53, Andreas Meyer wrote:
> Hello!
>
> I asked myself whether it is possible to distinguish between
> different domains in dovecot so that a user only sees his
> mailbox when he is connecting with us...@aaa.de specifying
> the server with mail.aaa.de for example.
>
> So the server does not hand out the mailbox for us...@bbb.de
> when the client connects to mail.aaa.de as us...@bbb.de
>
> I have this problem with roundcube. Dovecot is responsible
> for two domains. With roundcube I can login as us...@aaa.de
> although the client is configured like so:
> $config['smtp_server'] = 'tls://mail.bbb.de';
> and I am landing in the mailbox of us...@aaa.de
>
> Is there a way to strictly differentiate between domains?
> Both domains have their own IP-addresses.
>
> Regards
>
>   Andreas


Re: Problem with SHA2/Geotrust and dovecot 2.0.9

2015-09-28 Thread Marco Fretz
Hi,

Does the cert work if you open it and output it as text with the openssl command?
Not sure if 2.0.9 supports sha2, I think it should - I guess it
actually depends on the openssl libs, not dovecot.


On 08.09.2015 15:17, Il Neofita wrote:
> Hi
> I have renewed my geotrust certificate using sha2, and I have a problem with
> Dovecot 2.0.9 and redhat 6.7.
> The same certificate is working in Apache.
>
> The error is
>
> dovecot: imap-login: Fatal: Can't load ssl_cert: There is no valid PEM
> certificate.
>
> and the configuration file is
>
> ssl_cert= ssl_key = ssl_ca = 
> What should I do?


Re: Sieve and forward

2015-09-28 Thread Marco Fretz
Hi,

I think the problem is you cannot re-sign the forwarded message... and if
you keep the original sender domain it loses the signature? I'm not a
DKIM guru though :-) Maybe just forward it as an attachment from the user's
address...

regards
Marco

On 18.09.2015 00:36, Il Neofita wrote:
> Hi
> I have already posted to the postfix group, however, I believe that sieve
> and dovecot should be able to fix this problem.
> When I receive a message from yahoo and the user forwards it to a gmail or
> yahoo account this email is considered as spam or rejected.
> From yahoo it is rejected since it seems that I am trying to send spam since the
> email should be signed with dkim.
> Is there a way to encapsulate or sign it in some way?
>
> Thank you


Re: Multiple passwords for a user (SQL)

2015-09-22 Thread Marco Fretz
I managed to write an ugly but working checkpassword script for dovecot,
having multiple passwords for a user.
But now I found this:
https://github.com/dweuthen/roundcube-application_passwords

I think this is the better way to go. The crypt passwords are the
biggest problem because you need the stored hash to generate the input
hash. I know this is safer, but in my opinion SHA2 or whatever is the best
available hash in mysql should do it as well.

having application passwords is a bigger security advantage than having
stronger hashes in the database.

correct me if I'm wrong :-)

best regards
Marco

On 06.10.2014 16:46, Marco Fretz wrote:
>
> Thank you Steffen,
>
> This sounds like a plan. checkpassword looks quite simple to use and I
> could still use default userdb with dovecot-sql for userhome, quota, etc.
> I'll give this a try.
>
> thanks
> Marco
>
> On 06.10.2014 13:52, Steffen Kaiser wrote:
> > On Mon, 6 Oct 2014, Marco Fretz wrote:
>
> >> corresponding user in the users table - one user has many passwords
> (1:n).
> >> for dovecot this means that it will get multiple rows with passwords
> >> back from the "password_query". is there a way to tell dovecot to check
> >> all those returned passwords and "pass" the request if one of those
> >> passwords match?
>
> > I think no, but you could craft a PAM module and use the pam passdb or
> supply a checkpassword script:
>
> > http://wiki2.dovecot.org/PasswordDatabase
>
> > -- Steffen Kaiser
>


Multiple passwords for a user (SQL)

2014-10-06 Thread Marco Fretz
Hi everyone,

I'm not sure if this has been discussed already as I couldn't find
anything in the archives - maybe I'm looking for the wrong thing.

I want to build something similar to Google's app passwords where you
use a different password (strong, auto generated) for each device / app.
In general I think this is pretty easy on the database side as I just
need a password table and link the passwords with a user_id to the
corresponding user in the users table - one user has many passwords (1:n).
For dovecot this means that it will get multiple rows with passwords
back from the password_query. Is there a way to tell dovecot to check
all those returned passwords and pass the request if one of those
passwords match?

thank you,
best regards
Marco


Re: Multiple passwords for a user (SQL)

2014-10-06 Thread Marco Fretz

Thank you Steffen,

This sounds like a plan. checkpassword looks quite simple to use and I
could still use default userdb with dovecot-sql for userhome, quota, etc.
I'll give this a try.

thanks
Marco

On 06.10.2014 13:52, Steffen Kaiser wrote:
> On Mon, 6 Oct 2014, Marco Fretz wrote:
>
>> corresponding user in the users table - one user has many passwords
>> (1:n).
>> for dovecot this means that it will get multiple rows with passwords
>> back from the password_query. is there a way to tell dovecot to check
>> all those returned passwords and pass the request if one of those
>> passwords match?
>
> I think no, but you could craft a PAM module and use the pam passdb or
> supply a checkpassword script:
>
> http://wiki2.dovecot.org/PasswordDatabase
>
> -- Steffen Kaiser
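The checkpassword route Steffen points to, as an added example that is not the script Marco wrote nor anything from the Dovecot project: a hypothetical checkpassword script that accepts a login when the offered password matches any one of the user's stored per-app hashes, so each device gets its own strong password that can be revoked alone. Hashes use Dovecot's {SSHA256} scheme (base64 of sha256(password + salt) followed by the salt), and the comparison happens in the script rather than in MySQL, which is what sidesteps the "you need the stored hash to generate the input hash" problem with crypt schemes. The in-memory APP_PASSWORDS store, the user name and the app passwords are constructed sample data; a real script would select the rows from the 1:n password table. The fd-3 input layout and exit codes follow Dovecot's checkpassword interface (exit 1 for bad credentials, 111 for temporary failure, success by exec'ing the reply program passed as argv[1]); the USER environment variable handed to the reply program is an assumption taken from that interface.

```python
#!/usr/bin/env python3
"""Hypothetical checkpassword script: one account, many app passwords."""
import base64
import hashlib
import hmac
import os
import sys


def ssha256_hash(password, salt):
    """Produce a Dovecot-style {SSHA256} string: base64(sha256(pw + salt) + salt)."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password, stored):
    """Check one password against one {SSHA256} hash with a timing-safe compare."""
    if not stored.startswith("{SSHA256}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed sample store: user -> {app name: stored hash}.  Each entry gets
# its own random salt, as the rows in a real password table would.
APP_PASSWORDS = {
    "user@example.com": {
        "phone":  ssha256_hash("phone-app-password-1", os.urandom(16)),
        "laptop": ssha256_hash("laptop-app-password-2", os.urandom(16)),
    },
}


def matching_app(user, password, store=APP_PASSWORDS):
    """Return the name of the app whose password matched, or None.

    Every stored hash is checked even after a hit, so the response time does
    not depend on which entry (if any) matched."""
    matched = None
    for app, stored in store.get(user, {}).items():
        if ssha256_verify(password, stored) and matched is None:
            matched = app
    return matched


def checkpassword_main(argv):
    """Dovecot checkpassword protocol: fd 3 carries 'user\\0password\\0...',
    argv[1] is the reply program to exec on success."""
    if len(argv) < 2:
        sys.exit(111)            # temporary failure: no reply program given
    fields = os.read(3, 512).split(b"\0")
    if len(fields) < 2:
        sys.exit(111)            # temporary failure: malformed input
    user = fields[0].decode("utf-8", "replace")
    password = fields[1].decode("utf-8", "replace")
    if matching_app(user, password) is None:
        sys.exit(1)              # authentication failed
    os.environ["USER"] = user    # assumed: reply program reads the user from USER
    os.execvp(argv[1], argv[1:])  # hand over to checkpassword-reply


if __name__ == "__main__":
    checkpassword_main(sys.argv)
```

The script only replaces the passdb; as Marco notes, the userdb (home, quota and so on) can stay on dovecot-sql. Because the app name that matched is known, a production version could also log it, which gives a per-device audit trail that a single shared password cannot.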


Re: [Dovecot] Log successful login plain text password

2013-08-30 Thread Marco Fretz
On 08/28/2013 10:36 AM, wk...@yahoo.com wrote:
> Maybe you can find a way in this direction
>
> http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes

This looks interesting. Looks like I could automate also a lot of other
stuff this way, e.g. imap syncing accounts to new server, etc.

I found out that auth_debug_passwords=yes does log passwords (also
successful logins) in proxy mode. But it does not in normal imap/pop
server mode, or I did something wrong...

It logs something like this:
Aug 28 11:13:03 barney dovecot: auth: Debug: client out:
OK#0111#011user=ma...@example.com#011host=imap.example.com#011nologin#011proxy#011pass=CLEARPASWORD

where CLEARPASWORD is the plain text password. That's pretty much what I
need. But using some postlogin script might be the more beautiful way...

Thank you all for the responses.


> all the best
>
>
> On 28.08.2013, at 09:14, Marco Fretz wrote:
>
>> On 08/28/2013 09:08 AM, wk...@yahoo.com wrote:
>>> Hi Marco
>>>
>>> when running dovecot -a you will find
>>> auth_*
>>>
>>> I think you could use auth_verbose_passwords to fit your needs.
>>
>> thanks. I've already tried this, but it doesn't log the password on
>> successful logins, only when there is a password mismatch:
>>
>> from the conf / manual:
>>
>> # In case of password mismatches, log the attempted password. Valid values are
>> # no, plain and sha1. sha1 can be useful for detecting brute force password
>> # attempts vs. user simply trying the same password over and over again.
>> #auth_verbose_passwords = no
>>
>> any other ideas? :)
>>
>>> all the best
>>>
>>> On 28.08.2013, at 08:57, Marco Fretz wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> I want to use dovecot as an IMAP and POP3 proxy in front of our current
>>>> E-Mail hosting server to log the plain text passwords of all successful
>>>> logins for migration reasons. Actually I don't need to see the password
>>>> in plain text, storing them as SHA256-CRYPT (or something dovecot can
>>>> use later for auth) hash in a file or DB would be fine, too.
>>>>
>>>> I need this for the migration from the current mail server (using
>>>> proprietary hashing to store passwords) to a new postfix / dovecot based
>>>> mail system.
>>>>
>>>> I played around with auth_debug_passwords and all debug / logging
>>>> options I found in the manual. Nothing logs successful login plaintext
>>>> passwords.
>>>>
>>>> Any hint welcome.
>>>>
>>>> Thanks a lot,
>>>> Marco
[Dovecot] Log successful login plain text password

2013-08-28 Thread Marco Fretz


Hi everyone,

I want to use dovecot as an IMAP and POP3 proxy in front of our current
E-Mail hosting server to log the plain text passwords of all successful
logins for migration reasons. Actually I don't need to see the password
in plain text, storing them as SHA256-CRYPT (or something dovecot can
use later for auth) hash in a file or DB would be fine, too.

I need this for the migration from the current mail server (using
proprietary hashing to store passwords) to a new postfix / dovecot based
mail system.

I played around with auth_debug_passwords and all debug / logging
options I found in the manual. Nothing logs successful login plaintext
passwords.

Any hint welcome.

Thanks a lot,
Marco




Re: [Dovecot] Log successful login plain text password

2013-08-28 Thread Marco Fretz

On 08/28/2013 09:08 AM, wk...@yahoo.com wrote:
> Hi Marco
>
> when running dovecot -a you will find
> auth_*
>
> I think you could use auth_verbose_passwords to fit your needs.

thanks. I've already tried this, but it doesn't log the password on
successful logins, only when there is a password mismatch:

from the conf / manual:

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
#auth_verbose_passwords = no


any other ideas? :)


> all the best
>
>
> On 28.08.2013, at 08:57, Marco Fretz wrote:
>
>> Hi everyone,
>>
>> I want to use dovecot as an IMAP and POP3 proxy in front of our current
>> E-Mail hosting server to log the plain text passwords of all successful
>> logins for migration reasons. Actually I don't need to see the password
>> in plain text, storing them as SHA256-CRYPT (or something dovecot can
>> use later for auth) hash in a file or DB would be fine, too.
>>
>> I need this for the migration from the current mail server (using
>> proprietary hashing to store passwords) to a new postfix / dovecot based
>> mail system.
>>
>> I played around with auth_debug_passwords and all debug / logging
>> options I found in the manual. Nothing logs successful login plaintext
>> passwords.
>>
>> Any hint welcome.
>>
>> Thanks a lot,
>> Marco