Re: lmtp and virtual users

2019-10-02 Thread Aki Tuomi via dovecot


As documented e.g. here 
https://doc.dovecot.org/configuration_manual/authentication/ldap/

Aki

> On 02/10/2019 20:47 Jean-Daniel via dovecot wrote:
> 
> 
> You set ‘auth_bind' to ‘no' and you make sure ‘dn’ and ‘dnpass’ are 
> properly configured with a user with enough privileges to read users' 
> passwords.
> 
> 
> And also, you make sure your pass_attrs contains a password attributes 
> (containing the user password hash).
> 
> 
> 
> > > On 2 Oct 2019 at 19:33, David Wells - Alfavinil S.A. via dovecot wrote:
> > 
> > 
> > Is there anywhere an example of how this would be setup? I understand the 
> > use of a service account which I already setup but I can't figure out how 
> > to use this service account to retrieve information and authenticate users.
> >  
> >  Thanks!
> >  Best regards,
> >  David Wells.
> >  
> >  
> >  
> > On 02/10/2019 at 04:29, Aki Tuomi wrote:
> > 
> > > 
> > > On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
> > > 
> > >  
> > > > Good morning.
> > > >  
> > > >  I was just reading 
> > > > https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found 
> > > > the following statement
> > > >  
> > > > > When using LDA (https://wiki.dovecot.org/LDA) and static userdb, 
> > > > > deliver can check if destination user exists. With auth binds this 
> > > > > check isn't possible.
> > > >  
> > > >  Is this still relevant? Is there a workaround? It seems like using 
> > > > dovecots lmtp in an active directory environment is not possible, is 
> > > > this correct?
> > > >  
> > > > 
> > > > 
> > > You cannot check user existence with auth binds because auth bind 
> > > requires user credentials.
> > > This is why I suggested you use a "service user" in LDAP to perform the 
> > > database lookups instead of auth binds. You can still authenticate your 
> > > users using kerberos.
> > > 
> > > Aki
> > > 
> >  
> > 
>


Re: lmtp and virtual users

2019-10-02 Thread Jean-Daniel via dovecot
You set ‘auth_bind' to ‘no' and you make sure ‘dn’ and ‘dnpass’ are 
properly configured with a user with enough privileges to read users' passwords.

And also, you make sure your pass_attrs contains a password attributes 
(containing the user password hash).


> On 2 Oct 2019 at 19:33, David Wells - Alfavinil S.A. via dovecot wrote:
> 
> Is there anywhere an example of how this would be setup? I understand the use 
> of a service account which I already setup but I can't figure out how to use 
> this service account to retrieve information and authenticate users.
> 
> Thanks!
> Best regards,
> David Wells.
> 
> 
> On 02/10/2019 at 04:29, Aki Tuomi wrote:
>> 
>> On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:
>>> Good morning.
>>> 
>>> I was just reading 
>>> https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the 
>>> following statement
 When using LDA (https://wiki.dovecot.org/LDA) and static userdb, deliver 
 can check if destination user exists. With auth binds this check isn't 
 possible.
>>> 
>>> Is this still relevant? Is there a workaround? It seems like using dovecots 
>>> lmtp in an active directory environment is not possible, is this correct?
>>> 
>> You cannot check user existence with auth binds because auth bind requires 
>> user credentials.
>> 
>> This is why I suggested you use a "service user" in LDAP to perform the 
>> database lookups instead of auth binds. You can still authenticate your 
>> users using kerberos.
>> 
>> Aki
>> 
> 
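The setup described in this thread (service-account userdb lookups so that LMTP can verify recipients, bind-based or Kerberos authentication for users), written out as an added configuration example. It is not from the original thread and not the Dovecot project's own sample config. Assumed names: a Samba AD DC at `dc1.example.internal`, a read-only service account `svc-dovecot`, user objects under `OU=Users,DC=example,DC=internal`, an IMAP host `imap.example.internal`, and a mail store owned by a `vmail` system user. One caveat matters here: neither Active Directory nor Samba acting as an AD DC returns password hashes over LDAP, so Jean-Daniel's `pass_attrs`-with-a-hash variant only works against a directory (OpenLDAP-style `userPassword`) that exposes them to the service account. Against AD, the example uses the service account only where it is needed, the userdb lookup that LMTP runs at RCPT TO, and keeps a bind-based passdb for PLAIN over TLS; GSSAPI users are authenticated by their Kerberos ticket. Comments are kept on their own lines because Dovecot's config parsers should not be relied on to strip trailing comments.

```conf
# ---- /etc/dovecot/conf.d/10-auth.conf (added example; host and realm names are assumed) ----
# PLAIN is only offered after TLS has been negotiated.
disable_plaintext_auth = yes
auth_mechanisms = plain gssapi
# LMTP hands over "user@domain"; reduce every login and recipient to the
# lower-cased bare sAMAccountName so all three paths look up the same key.
auth_username_format = %Ln
auth_gssapi_hostname = imap.example.internal
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# PLAIN: verify the password by binding as the user. No hash is read from AD.
# GSSAPI validates the ticket itself, so this passdb is limited to PLAIN.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
  mechanisms = plain
}

# userdb: service-account lookups, also consulted by LMTP for each recipient.
# This replaces "driver = static ... allow_all_users=yes", which accepted
# mail for any name; uid/gid/home are static, so they come from default_fields.
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  default_fields = uid=vmail gid=vmail home=/var/vmail/%u
}

# ---- /etc/dovecot/dovecot-ldap-userdb.conf.ext (root:root, mode 0600: it holds dnpass) ----
uris = ldaps://dc1.example.internal
ldap_version = 3
tls_ca_cert_file = /etc/ssl/certs/example-internal-ca.pem
tls_require_cert = hard
# No per-user bind: lookups run as the service account, so LMTP can ask
# "does this recipient exist?" without holding any user credential.
auth_bind = no
dn = CN=svc-dovecot,OU=Service Accounts,DC=example,DC=internal
# Placeholder; the real value belongs only in this root-readable file.
dnpass = replace-with-the-service-account-password
base = OU=Users,DC=example,DC=internal
scope = subtree
# Only enabled user objects are valid recipients: the bitwise matching rule
# excludes accounts with the ACCOUNTDISABLE bit (2) set in userAccountControl.
user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=%u))
# Return the stored spelling of the account name as the canonical username.
user_attrs = sAMAccountName=user
# Used by "doveadm user '*'" and other iteration; harmless otherwise.
iterate_attrs = sAMAccountName=user
iterate_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# ---- /etc/dovecot/dovecot-ldap-passdb.conf.ext ----
uris = ldaps://dc1.example.internal
ldap_version = 3
tls_ca_cert_file = /etc/ssl/certs/example-internal-ca.pem
tls_require_cert = hard
# Bind as the user with a UPN built from the bare username: no search is
# needed, so this file carries no service-account credential at all.
auth_bind = yes
auth_bind_userdn = %u@example.internal
```

Check the userdb side with `doveadm user dwells` and `doveadm user nosuchuser`; the second should report that the user doesn't exist, and once that lookup fails Dovecot's LMTP rejects the recipient at RCPT TO with a 550 5.1.1 instead of accepting it as the `allow_all_users=yes` static userdb did. Check the passdb side with `doveadm auth test dwells`. The service account needs read access to the user OU and nothing more; it never needs password-reading rights for this arrangement, which is the least-privilege point of separating the two LDAP files.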



Re: lmtp and virtual users

2019-09-30 Thread David Wells - Alfavinil S.A. via dovecot
Dear Aki, good afternoon.

Thank you very much for your response and thank you again for the tip on
how I could resolve this issue. The problem I'm facing is that I need
dovecot to serve emails with two different authorization methods for
imap and sasl, one through the kerberos ticket as in
https://wiki.dovecot.org/Authentication/Kerberos which I have working
but only with a static userdb and also with plain (over tls of course)
performing an ldap bind. I also need to verify the validity of incoming
emails for the lmtp process. I have only managed to get plain working
with the ldap userdb, or the kerberos solution with static databases and
no address verification working but not both. I believe I could set up
two different dovecot instances listening on different ports or even on
different ip addresses over the same ethernet device but I believe I
would run into problems with the locking of files and I would like one
solution to serve them all. Is this even possible? Is there information
on how to achieve this somewhere I haven't found?

Thank you very much again.
Best regards,
David Wells.

On 30/09/2019 at 03:36, Aki Tuomi wrote:
> On 27.9.2019 23.21, David Wells - Alfavinil S.A. via dovecot wrote:
>> Good afternoon.
>>
>> I have dovecot setup to authenticate virtual users using either gssapi
>> or doing a bind to an ldap server to achieve a single sign on capable
>> imap server connected to a samba active directory DC. What I am also
>> trying to achieve is to have dovecot's lmtp daemon handle the mails
>> passed from postfix. However, the only way I've gotten this to work is
>> setting allow_all_users = yes in the userdb but this causes lmtp to
>> deliver mails to non-existent accounts without rejection. I've been
>> searching but haven't found a way to set this same thing up but having
>> dovecots lmtp check the validity of the mails recipient against the same
>> samba AD DC through ldap before delivering it and rejecting unknown
>> email addresses. Could someone please provide some insight into how to
>> achieve this?
>>
>> Thank you very much in advance.
>> Best regards,
>> David Wells.
>>
>>
> You could setup LDAP userdb without bind authentication, and use a
> service account instead.
>
> Aki
>




Re: lmtp and virtual users

2019-09-30 Thread Aki Tuomi via dovecot


On 27.9.2019 23.21, David Wells - Alfavinil S.A. via dovecot wrote:
> Good afternoon.
>
> I have dovecot setup to authenticate virtual users using either gssapi
> or doind a bind to an ldap server to achieve a single sign on capable
> imap server connected to a samba active directory DC. What I am also
> trying to achieve is to have dovecot's lmtp daemon handle the mails
> passed from postfix. However, the only way I've gotten this to work is
> setting allow_all_users = yes in the userdb but this causes lmtp to
> deliver mails to non-existent accounts without rejection. I've been
> searching but haven't found a way to set this same thing up but having
> dovecots lmtp check the validity of the mails recipient against the same
> samba AD DC through ldap before delivering it and rejecting unknown
> email addresses. Could someone please provide some insight into how to
> achieve this?
>
> Thank you very much in advance.
> Best regards,
> David Wells.
>
>
You could setup LDAP userdb without bind authentication, and use a
service account instead.

Aki