please help, getting desperate


Andras Kemeny
hi,

i have a question regarding the pipe, when being used to contact the LDA
(in my case, dovecot).

my virtual users are in LDAP, but they have their own UID and GID. since
i don't want to do a setuid script for the LDA (and obviously the LDA
needs to run with the correct permissions to be able to affect the
target user's mailbox files), is there a way to use the whole record
object from the LDAP query (which contains the uidNumber and gidNumber
attributes) and use some kind of substitution in the master.cf when
specifying the user=UID:GID parameter? the current situation is:

dovecot   unix  -       n       n       -       -       pipe
   flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
- problem: vmail (uid 5000) is obviously not the UID associated with the dovecot

Jul 31 03:25:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER lookup failed
Jul 31 03:25:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't have lookup permissions for this user: userdb uid (10001) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })

the catch is that at the passwd level, the local unix users and the LDAP
users are separated (they were once connected, but security and
performance considerations made us decide to split them), so i can't and
won't use the local user delivery method.

thanks in advance,
a



Re: please help, getting desperate

Wietse Venema
Andras Kemeny:
> hi,
>
> i have a question regarding the pipe, when being used to contact the LDA
> (in my case, dovecot).

Why not use Dovecot's LMTP support?

        Wietse

Re: please help, getting desperate

Viktor Dukhovni

> On Jul 31, 2018, at 7:21 AM, Andras Kemeny <[hidden email]> wrote:
>
> my virtual users are in LDAP, but they have their own UID and GID. since i don't want to do a setuid script for the LDA (and obviously the LDA needs to run with the correct permissions to be able to affect the target user's mailbox files), is there a way to use the whole record object from the LDAP query (which contains the uidNumber and gidNumber attributes) and use some kind of substitution in the master.cf when specifying the user=UID:GID parameter? the current situation is:
>
> dovecot   unix  -       n       n       -       -       pipe
>   flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
> - problem: vmail (uid 5000) is obviously not the UID associated with the dovecot

With dovecot virtual users, all the mail is typically stored under a
single user-id associated with the IMAP server.  Use the same user-id
for the pipe delivery agent.

I use the Postfix built-in virtual(8) delivery agent with a fixed uid/gid
via static virtual_{uid,gid}_maps:

  main.cf:
  indexed = ${default_database_type}:${config_directory}/
  virtual_mailbox_base = /var/spool/virtual
  virtual_mailbox_maps = ${indexed}vmbox
  virtual_uid_maps = static:504
  virtual_gid_maps = static:504

  $ getent passwd 504
  maildir:*:504:504:IMAP mailbox owner:/var/empty:/usr/sbin/nologin

but you can achieve the same effect with a suitable choice of "user="
for the pipe(8) transport (in my case that would be "maildir").

In dovecot.conf I have:

  # Same user for all mailboxes:
  #
  userdb {
    args = uid=504 gid=504 home=/var/spool/virtual mail=maildir:/var/spool/virtual/%n
    driver = static
  }

--
        Viktor.
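As an added example that is not part of this thread (it is neither Andras's, Wietse's nor Viktor's code), here is a POSIX shell script that checks ahead of time the condition behind the "userdb uid (10001) doesn't match peer uid (5000)" error in the first post: the uid under which the pipe(8) transport runs must be the uid Dovecot's userdb returns for the recipient, which is what Viktor's single-uid arrangement gives you. It reads `user=` from a named master.cf pipe service and `uid=` from a static userdb block in dovecot.conf (an LDAP userdb, as in the original setup, is not parsed; in the mismatched sample a static block with uid 10001 stands in for it), resolves the user name with id(1), and exits non-zero on a mismatch, so the peer-uid check that the log message offers to bypass with mode=0777 can stay in place. The file names, the `--demo` switch, the LDA_PASSWD_FILE override and the sample configs are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: check that the uid a pipe(8) transport
# runs as matches the uid Dovecot's static userdb returns (the comparison
# behind "userdb uid (10001) doesn't match peer uid (5000)"). File names,
# the --demo switch, LDA_PASSWD_FILE and the sample configs are constructed.

# Print USER from "user=USER[:GROUP]" for one master.cf service. Continuation
# lines start with whitespace, so a service stays "inside" until the next
# line that begins in column 1.
master_pipe_user() {
    # $1 = master.cf path, $2 = service name (e.g. dovecot)
    awk -v svc="$2" '
        /^[^[:space:]#]/ { inside = ($1 == svc) }
        inside && match($0, /user=[^[:space:]]+/) {
            u = substr($0, RSTART + 5, RLENGTH - 5)   # USER[:GROUP]
            sub(/:.*/, "", u)                         # drop :GROUP
            print u; exit
        }' "$1"
}

# Print N from "uid=N" inside a "userdb { ... }" block. Only a static userdb
# is handled; an LDAP userdb would need a directory lookup instead.
dovecot_static_uid() {
    # $1 = dovecot.conf path
    awk '
        $1 == "userdb"      { inside = 1 }
        inside && $1 == "}" { inside = 0 }
        inside && match($0, /uid=[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); exit
        }' "$1"
}

# Map a user name to a numeric uid; numeric input passes through. Uses id(1),
# or a passwd(5)-format file named in LDA_PASSWD_FILE (the demo uses that so
# no real accounts are needed).
resolve_uid() {
    case "$1" in
        *[!0-9]*)
            if [ -n "${LDA_PASSWD_FILE-}" ]; then
                awk -F: -v u="$1" '$1 == u { print $3; found = 1; exit }
                                    END { exit !found }' "$LDA_PASSWD_FILE"
            else
                id -u "$1" 2>/dev/null
            fi ;;
        '') return 1 ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# 0 = the uids agree, 1 = mismatch (auth-userdb will refuse the lookup),
# 2 = a value could not be determined.
check_lda_uid() {
    # $1 = master.cf, $2 = pipe service name, $3 = dovecot.conf
    peer_user=$(master_pipe_user "$1" "$2")
    userdb_uid=$(dovecot_static_uid "$3")
    [ -n "$peer_user" ] && [ -n "$userdb_uid" ] || return 2
    peer_uid=$(resolve_uid "$peer_user") || return 2
    if [ "$peer_uid" = "$userdb_uid" ]; then
        echo "ok: '$2' delivers as uid $peer_uid, userdb returns uid $userdb_uid"
        return 0
    fi
    echo "MISMATCH: '$2' delivers as uid $peer_uid, userdb returns uid $userdb_uid" >&2
    return 1
}

# Constructed samples: the mismatched pair from the first post (the LDAP
# user's uid 10001 stands in as a static entry) and Viktor's single-uid setup.
write_samples() {
    cat > "$1/passwd" <<'EOF'
vmail:x:5000:5000:virtual mail:/var/spool/vmail:/usr/sbin/nologin
maildir:*:504:504:IMAP mailbox owner:/var/empty:/usr/sbin/nologin
EOF
    cat > "$1/master.cf.broken" <<'EOF'
dovecot   unix  -       n       n       -       -       pipe
   flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
EOF
    cat > "$1/dovecot.conf.broken" <<'EOF'
userdb {
  args = uid=10001 gid=10001 home=/var/spool/virtual
  driver = static
}
EOF
    cat > "$1/master.cf.fixed" <<'EOF'
dovecot   unix  -       n       n       -       -       pipe
   flags=ODRhu user=maildir:maildir argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
EOF
    cat > "$1/dovecot.conf.fixed" <<'EOF'
userdb {
  args = uid=504 gid=504 home=/var/spool/virtual mail=maildir:/var/spool/virtual/%n
  driver = static
}
EOF
}

# Usage: sh lda_uid_check.sh --demo
#        sh lda_uid_check.sh /etc/postfix/master.cf dovecot /etc/dovecot/dovecot.conf
case "$#:${1-}" in
    1:--demo)
        tmp=$(mktemp -d); write_samples "$tmp"; LDA_PASSWD_FILE="$tmp/passwd"
        check_lda_uid "$tmp/master.cf.broken" dovecot "$tmp/dovecot.conf.broken" || echo "exit status $?"
        check_lda_uid "$tmp/master.cf.fixed"  dovecot "$tmp/dovecot.conf.fixed"  || echo "exit status $?"
        rm -rf "$tmp" ;;
    3:*) check_lda_uid "$1" "$2" "$3" ;;
esac
```

With `--demo` the script reports the mismatch (5000 versus 10001) for the first pair and "ok" for the single-uid pair; on a real host, pass the paths of master.cf and dovecot.conf and the name of the pipe service, and run it as a user that can read both files. The same comparison applies to a uid chosen for Postfix's own virtual(8) agent via virtual_uid_maps, since that uid, too, has to be the one the Dovecot userdb hands back.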