On 26. Jan 2025, at 18.39, subscriptions--- via dovecot <dovecot@dovecot.org> 
wrote:
> 
> Hi Timo,
> 
> Timo Sirainen wrote:
>> Oh, should clarify these. I was talking about global auth_username_format 
>> setting. With that it behaves as expected. But if you set it only inside 
>> passdb {} or userdb {} then it affects only the lookup user (i.e. lookup 
>> "user", not "user@domain" in passwd-file), but not the %{user} variable (it 
>> will contain "user@domain"). This behavior is intentional, but I wonder if 
>> it could be documented better somewhere.
> 
> Indeed I can confirm that the documentation on this subject is... optimizable.
> 
> Actually, back when I was going through the Dovecot docs for the first time, 
> I found it utterly confusing and chaotic. It's very detailed, which is great, 
> but for first time readers it kind of lacks an "entry point" - a place that 
> says "This is how Dovecot is structured, this is what you have to know first, 
> then probably this is the second thing you'll need...".

We have a new documentation structure, but I don't know if it's any better 
regarding that. For some reason people aren't super interested in spending much 
time on writing documentation. :)

> Once you get used to it, you're able to navigate around and find what you 
> need, but back then it took me like 2 full days to be able to even read (and 
> understand) the sample config. Having it scattered over a dozen files doesn't 
> help, either.

Well, the multiple files are gone now. And all settings are available in a 
single page in web documentation.

> Back to the topic of the username format: Due to the above reasons, I didn't 
> even know there was a global "auth_username_format" setting.

One big idea behind v2.4 config rewrite is that now all settings are global 
settings. You can add any setting inside any filter { .. } section, although it 
might get just ignored there.

> I always used the per-passdb/userdb, because this is what the (pre-2.4) 
> documentation on "passwd-file" says. And yes, I found out the hard way that 
> setting this to "%n" changes the username just for the purpose of the lookup, 
> but afterwards it remains user@domain. My workaround currently is to use a 
> "default_fields = user=%n" in the userdb definition, which then persists for 
> the remainder of the session.

I updated the documentation now for auth_username_format in 
https://github.com/dovecot/documentation/pull/1148

> So my question is: Is this the "right way" to do things, or is it better to 
> use the global "auth_username_format" ?
> On a broader level, the problem I'm facing (and I can't imagine I'm the only 
> one) is that I'd like to achieve the following behavior:
> 
>  1. Authenticate users with plain "username", and NOT accept "user@domain" 
> style usernames.
> This is the reason I'm currently not using "username_format" in the passdb 
> definition, since this would basically allow logging in with arbitrary 
> user@anydomain, as long as the username part exists. I'm guessing this is not 
> what most people using plain usernames want.
> 
>  2. When receiving incoming mail via LMTP, validate the recipient addresses, 
> ideally using the SAME userdb that is used for authentication/login, but 
> accept the mail only if the address is on the "correct" domain.
> The docs suggest using a second userdb definition (referring to the same 
> source user data like SQL, or passwd-file or whatever) and setting 
> "username_format = %n" there.  The problem here is that, again, this would 
> accept any arbitraty recipient address having a valid username part. So 
> user@correctdomain and user@anyrandomdomain would be happily delivered to the 
> same inbox. Currently, the only thing that prevents this from happening (at 
> least in my setup) is that Postfix is configured to only accept 
> @correctdomain mails, and reject all others. However, it would be much better 
> - and safer - to be able to configure this within Dovecot, and not rely on 
> external software.
> 
>  2.1. There is an almost-workaround for this, using the "username_filter" 
> parameter which allows wildcards like "*@domain" and would fail if the user 
> doesn't match the correct domain. Regrettably, this is only supported for 
> passdb definitions, but not for userdb's. However, LMTP and LDA validate 
> incoming mail addresses against the userdb only, and don't perform a passdb 
> lookup. 
> 
>  2.2 The only real solution I can think of is having a separate userdb for 
> incoming mail validation (i.e. not same as the one used for login purposes) 
> where you explicitly list all valid email addresses as user@domain, and use 
> the (default) username_format of "%Lu". This looks like a support nightmare - 
> you have to redundantly manage your users in two separate places, not to 
> mention having the same "@domain" string repeated hundreds of times (and 
> prone to typos, etc.).
> 
> Is there a more "elegant" way to achieve the above behavior (which to me 
> seems like the most basic setup), without using dirty hacks and workarounds? 
> Am I missing something?

How about your passdb/userdb contains only u...@example.com, and then you set 
auth_default_domain=example.com?

Another possibility could be to add a new userdb before the real one, which 
drops the domain for valid domains:

userdb drop-domain {
  driver = passed-file
  passwd_file_path = /etc/dovecot/valid-domains
  result_success = continue
  fields {
    user = %{user | username}
  }
}

valid-domains file would just list all valid domains, one per line

Yet another possibility could be to use %{if} to drop the domain in the 
existing userdb passwd-file { auth_username_format }
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

Reply via email to