acl_groups from LDAP issue
Hi!

I have some trouble with userdb, LDAP and extra fields for acl_groups.

There is a script in Python which fetches the groups and sets the environment variable ACL_GROUPS to these groups. It works when I log in to IMAP (Thunderbird, for example, shows my public folders which are protected by acl_groups).

But when I try

doveadm mailbox list -u user.name

the mailboxes are not listed, and with -Dv I get "permission denied, no lookup rights".

In my dovecot-ldap-userdb.conf.ext is:

hosts = ldap.server.example
dn = cn=service_id,ou=mailserver,ou=system,ou=services,dc=server,dc=example
dnpass = protectedpassword12345
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_require_cert = demand
ldap_version = 3
base = ou=users,dc=server,dc=example
deref = always
scope = subtree
user_attrs = =home={ldap:dcMailMessageStore},system_groups_user=%u,allow_all_users=yes,=acl_groups=%{env:ACL_GROUPS}
user_filter = (&(objectClass=posixAccount)(uid=%u)(!(sn=NoLogin))(|(memberof=cn=perm-app-mymail_admins,ou=mymail,ou=apps,ou=services,dc=schuerz,dc=at)(memberof=cn=perm-app-mymail_users,ou=mymail,ou=apps,ou=services,dc=schuerz,dc=at)))

When I change acl_groups=%{env:ACL_GROUPS} to acl_groups=mygroup, the doveadm mailbox list command shows my public mailbox.

So how do I get my acl_groups from the postlogin-script output into the userdb query?

Even when I do on the shell

ACL_GROUPS=mygroup doveadm mailbox list -u user.name

the ACL_GROUPS environment variable is ignored by the doveadm command...

Thank you

Jakob
Re: acl_groups from LDAP issue
Well, you don't have postlogin scripts when running doveadm. Those are executed by *-login and usually execute the actual protocol handler.

Try

env ACL_GROUPS=whatever doveadm mailbox list -u test.user

Aki

> On 04 February 2019 at 14:39 Jakobus Schürz wrote:
Re: acl_groups from LDAP issue
Hi Aki!

The command didn't work. The protected mailbox is not shown.

It's not the big problem when doveadm does not show the public mailbox. The problem is, I have a sieve filter which puts some emails into these mailboxes... and the sieve filter does not work either... the same "permission denied" problem, since the acl_groups from LDAP are not known...

The sieve filter is a global filter, not a user's sieve filter... How can I handle global mail filtering for all users into one public mailbox?

Regards
Jakob

On 04.02.19 at 13:44, Aki Tuomi wrote:
> Well, you don't have postlogin scripts when running doveadm. Those are
> executed by *-login and usually execute the actual protocol handler.
>
> Try
>
> env ACL_GROUPS=whatever doveadm mailbox list -u test.user
>
> Aki
>
>> On 04 February 2019 at 14:39 Jakobus Schürz wrote:
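The "permission denied, no lookup rights" message in this thread is the ACL check running with whatever acl_groups the userdb lookup delivered: with the postlogin script out of the picture, the field is empty and no group= entry matches. The following Python is an added example, not part of the original posts and not Dovecot's own code. It is a deliberately simplified evaluator for the dovecot-acl file format ("<identifier> <rights>" per line): it assumes a leading "-" marks negative rights, takes the union of all matching entries, and does not model the precedence Dovecot applies between user=, group= and anyone entries, nor the owner identifier. The sample ACL, the mailbox and the user and group names are constructed. It shows the same public mailbox being visible with acl_groups=mymail_users and invisible with an empty acl_groups field.

```python
"""Added example: simplified dovecot-acl evaluation against the userdb acl_groups field."""

# Constructed dovecot-acl for a public mailbox (not taken from the thread).
# Format: one "<identifier> <rights>" entry per line; '#' starts a comment.
SAMPLE_ACL = """\
# admins get everything, ordinary users may list, read and keep seen flags
group=mymail_admins lrwstipekxa
group=mymail_users lrs
user=postmaster lr
"""

ALL_RIGHTS = set("lrwstipekxa")  # single-letter rights: l=lookup, r=read, w=write flags, ...


def parse_acl(text):
    """Parse dovecot-acl text into a list of (identifier, granted, revoked) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ident, *tokens = line.split()
        granted, revoked = set(), set()
        for tok in tokens:
            # Assumption of this example: a leading '-' marks negative rights.
            target = revoked if tok.startswith("-") else granted
            letters = tok.lstrip("-")
            unknown = set(letters) - ALL_RIGHTS
            if unknown:
                raise ValueError(f"unknown right(s) {sorted(unknown)} in line {raw!r}")
            target.update(letters)
        entries.append((ident, granted, revoked))
    return entries


def acl_groups_from_userdb(field_value):
    """Split the comma-separated acl_groups userdb field; an empty field means no groups."""
    return [g.strip() for g in field_value.split(",") if g.strip()]


def identifier_matches(ident, username, groups):
    """Does one ACL identifier apply to this user with these groups?"""
    if ident == "anyone":
        return True
    if ident == "authenticated":
        return username is not None
    kind, _, name = ident.partition("=")
    if kind == "user":
        return name == username
    if kind in ("group", "group-override"):
        return name in groups
    return False  # 'owner' is resolved by the storage layer and is not modelled here


def effective_rights(acl_text, username, acl_groups_field):
    """Union of all matching entries minus negative rights (a simplification, see lead-in)."""
    groups = acl_groups_from_userdb(acl_groups_field)
    granted, revoked = set(), set()
    for ident, plus, minus in parse_acl(acl_text):
        if identifier_matches(ident, username, groups):
            granted |= plus
            revoked |= minus
    return granted - revoked


def explain_lookup(acl_text, username, acl_groups_field):
    """Outcome of the mailbox lookup check: 'l' is the right doveadm mailbox list needs."""
    rights = effective_rights(acl_text, username, acl_groups_field)
    if "l" in rights:
        return f"ok: {''.join(sorted(rights))}"
    return "permission denied, no lookup rights"


if __name__ == "__main__":
    # IMAP login with the postlogin script: the groups are present.
    print(explain_lookup(SAMPLE_ACL, "user.name", "mymail_users"))
    # doveadm without the script: acl_groups ends up empty.
    print(explain_lookup(SAMPLE_ACL, "user.name", ""))
```

To see what the auth process actually delivers for acl_groups outside a login session, doveadm user -u user.name prints the userdb lookup result; an absent or empty acl_groups there is the condition the second call above models.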
Re: Doveadm service as non-root user
On Fri, Feb 1, 2019 at 11:37 PM Aki Tuomi wrote:
>
> > On 01 February 2019 at 23:16 Mark Moseley <moseleym...@gmail.com> wrote:
> >
> > Running: Ubuntu xenial, dovecot 2.2.36
> >
> > I've been working on moving our user base from maildir to mdbox and trying to come up with solutions for things like moving emails around. In the past, with maildir, our support guys could just mv the files around and done. For mdbox, I've been working on getting things set up to use doveadm.
> >
> > One weirdness I've seen is that in imports (i.e. doveadm import), mail gets copied correctly but the resulting files are left with root ownership (I don't have 'service doveadm' 'user' set, so I guess it defaults to root). It's typically new m.* files as well as the dovecot.list.index and dovecot.list.index.log files.
> >
> > Looking at strace, no chown is done on them, nor was there setuid. The import had no trouble finding the correct user in the db, so I know that it knows the correct UID (I can see it just fine in debug logs too). And it will happily import to existing m.* files with no permissions issues (but considering it's running as root, I wouldn't expect it to).
> >
> > I've seen this using 'import' via IMAPc as well as with both src and dest on the same server. I can see this behavior in both scenarios. We have a single shared UID for mail, so especially in that "src/dest on same server" case, it's not a matter of UID-mismatch.
> >
> > It's a director setup, so all doveadm commands are coming through the director. If I run the import directly on the backend (which obviously would be a bad idea in real life), the ownership of new m.* files seems to be correct (I can see it setuid'ing to the correct UID from userdb in strace). If I run the import on the director, I can get a new root-owned file every time it rolls over to the next m.* file.
> >
> > Two questions:
> >
> > * Is that a bug? Is this expected behavior? Seems like the expected thing would be to use the UID from userdb and either do a setuid (just like running 'doveadm import' locally did) or chown'ing any new files to the correct UID. I always always assume misconfiguration (vs bug, since it's almost never a bug) but I'm baffled on this one.
> >
> > * I see that it's possible to set a user for service doveadm and the wiki even suggests that it's a good idea in a single UID setup. If there are no mailboxes with any other UIDs, *will setting 'service doveadm' to the same UID possibly break anything*? I can't think of why it would, but I want to be duly diligent. Plus I'm a little leery about closing the door to ever having additional UIDs for mailboxes.
> >
> > Happy to provide 'doveconf -n' but wanted to check first, before spending 15 minutes gently obfuscating it :)
>
> Can you try
>
> doveadm import -U victim -u victim ... ?
> ---
> Aki Tuomi

Is that to test a generic 'import from sourceUser to dest user' (i.e. victim isn't literally the same in both -u and -U) or are you looking for a test where 'sourceUser' is the same email account as the destination? I just want to make sure I'm understanding right.

The original tests (that result in the root-owned files) were all -U userA -u userB (i.e. different email accounts for src and dest), if you're asking about the former.

If you're asking about the latter, I ran that and got the same result, a root-owned dovecot.list.index.log and dovecot.list.index and freshly created m.* files. The message count in the destination mailbox increases by the right number (no surprise since it's running as root), so the import itself is working.

I should add that in both cases (different src/dest email account and same src/dest), the import works ok -- or at least increments the count in the index. It just leaves the email account in a broken state. Re-chown'ing it to the current permissions makes it happy again and the newly imported messages show up.
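The failure mode in this thread leaves an account broken until someone notices the root-owned m.* and dovecot.list.index* files. The following Python is an added example, not from the thread and not a Dovecot tool: a post-import check that walks an mdbox directory with lstat (symlinks are reported on their own ownership and never followed), lists every entry whose owner is not the expected mail UID, and produces the per-path chown commands instead of a blind chown -R. The sample tree is constructed in a temporary directory; in real use the UID is the one the userdb returns for the account.

```python
"""Added example: report mdbox entries not owned by the expected mail UID after a doveadm import."""
import os
import shlex
import tempfile


def find_foreign_owned(root, expected_uid):
    """Return sorted paths (relative to root, '.' for root itself) whose owner is not expected_uid.

    os.lstat is used so a symlink's own ownership is checked and its target is never touched;
    os.walk(followlinks=False) keeps the scan inside the account's own tree.
    """
    foreign = []

    def check(path):
        if os.lstat(path).st_uid != expected_uid:
            foreign.append(os.path.relpath(path, root))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(foreign)


def chown_commands(root, relpaths, uid, gid):
    """Shell-safe chown lines for exactly the entries that need fixing (no recursive chown)."""
    return [f"chown {uid}:{gid} {shlex.quote(os.path.join(root, p))}" for p in relpaths]


def own_uid():
    """UID of the calling process; used as the 'expected' UID in the self-contained demo."""
    return os.getuid()


def make_sample_tree():
    """Create a constructed mdbox-like layout (not real mdbox data) and return its root."""
    root = tempfile.mkdtemp(prefix="mdbox-check-")
    for rel in (
        "mdbox/storage/m.1",
        "mdbox/storage/dovecot.map.index.log",
        "mdbox/dovecot.list.index",
        "mdbox/dovecot.list.index.log",
        "mdbox/mailboxes/INBOX/dbox-Mails/dovecot.index.log",
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample, not real mdbox data\n")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    # Everything was just created by this process, so nothing is foreign for our own UID...
    print("foreign for own uid:", find_foreign_owned(root, own_uid()))
    # ...and everything is foreign for any other UID, which is what a root-run import leaves behind.
    bad = find_foreign_owned(root, own_uid() + 1)
    for line in chown_commands(root, bad, own_uid(), os.getgid()):
        print(line)
```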
doveadm import with subfolder oddity
This has got to be something weird in my config. And the standard disclaimer of "happy to post doveconf -n, but wanted to see if this is normal first" :)

Background: Ubuntu Xenial, running 2.2.36. Mailbox type is mdbox and I've got a period separator in my inbox namespace:

namespace {
  hidden = no
  inbox = yes
  list = yes
  location =
  mailbox Spam {
    auto = no
    autoexpunge = 1 weeks
    special_use = \Junk
  }
  mailbox Trash {
    auto = no
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  subscriptions = yes
  type = private
}

If I do an import for a regular folder under INBOX, it works just fine:

doveadm import -u testbox2@testing.local -U testbox1@testing.local mdbox:~/mdbox INBOX all mailbox Sent

... returns happily, message count gets incremented.

If I try to do the same with a subfolder (and a subfolder that most definitely exists on both source and destination side), I get an error:

doveadm import -u testbox2@testing.local -U testbox1@testing.local mdbox:~/mdbox INBOX all mailbox Sub.Sub1
doveadm(testbox2@testing.local): Error: remote(10.1.17.98:4000): Mailbox Sub.Sub1: Mailbox sync failed: Mailbox doesn't exist: Sub.Sub1

If I use / instead of . in my query, it works:

doveadm import -u testbox2@testing.local -U testbox1@testing.local mdbox:~/mdbox INBOX all mailbox Sub/Sub1

... returns happily and message count gets incremented. Since we're using '.' as our separator, that was a bit unexpected :)

Ironically, if I'm doing an IMAPc 'import', it works just fine with a query of 'all mailbox Sub.Sub1'. It's only when importing from a local src and local dest (i.e. source_location == mdbox:~/mdbox) that it fails. With source_location set to 'imapc:', it works. I imagine that's due to using straight IMAP on the source side.

Likely a misconfig on my part? Expected behavior?

I can see in the strace that the error is triggered when doveadm is looking at the source mailbox. It looks for mdbox/mailboxes/Sub.Sub1/dbox-Mails first, then falls back to mdbox/mailboxes/Sub/Sub1/dbox-Mails (which it finds). Then a little bit later in the strace, it again looks for mdbox/mailboxes/Sub.Sub1/dbox-Mails (which it doesn't find) but doesn't try mdbox/mailboxes/Sub/Sub1/dbox-Mails this time, and then spits out 'Mailbox Sub.Sub1: Mailbox sync failed: Mailbox doesn't exist: Sub.Sub1'.

With a query of 'all mailbox Sub/Sub1', the stat() is for mdbox/mailboxes/Sub/Sub1/dbox-Mails which it finds and uses happily.

Having to substitute the '.'s for '/'s in the 'mailbox' part of the query isn't an awful workaround, but it very much feels like I'm doing something wrong. This is a production setup, so everything else is otherwise working fine. But I've only just begun working with 'doveadm import', so I might be turning up some issues with my config.

Thanks! Sorry I'm so verbose :)
acl_groups in LDAP
Hi,

I found a 9 year old thread (https://www.dovecot.org/list/dovecot/2010-October/054407.html) concerning acl_groups in OpenLDAP. In this thread someone asked if it is possible to provide ACLs as multi-value in OpenLDAP.

I know that Dovecot expects acl_groups as a comma-separated list, so currently I do this with a single value. Did the code change a little bit and accept multi values now?

Would be nice to have attributes like:

ACLAttribute: group1
ACLAttribute: group2
...

Instead of:

ACLAttribute: group1,group2

Thanks in advance

Christian

--
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
T: +49 6631 9110725, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner-network-solutions.com
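As long as the userdb field has to be the single comma-separated value described above, the place to collapse a multi-valued attribute is whatever produces that field: a script like the one in the acl_groups thread earlier on this page, or a userdb that returns precomputed values. The following Python is an added example, not from this post and not Dovecot's own code. It takes a constructed LDAP entry in the shape a search library returns (attribute name to list of values, bytes or str), extracts the group names from memberOf DNs (the prefix perm-app-mymail_ and the mapping to short names are assumptions for the example, as are all names), and builds the acl_groups value, de-duplicating and rejecting any value that contains the separator itself, since Dovecot would split it.

```python
"""Added example: collapse a multi-valued LDAP attribute into Dovecot's comma-separated acl_groups."""
import re

# Constructed entry, shaped like an LDAP search result: attribute -> list of values.
SAMPLE_ENTRY = {
    "uid": [b"user.name"],
    "memberOf": [
        b"cn=perm-app-mymail_users,ou=mymail,ou=apps,ou=services,dc=server,dc=example",
        b"cn=perm-app-mymail_admins,ou=mymail,ou=apps,ou=services,dc=server,dc=example",
        b"cn=unrelated,ou=other,dc=server,dc=example",
    ],
    # The multi-valued form from the post, with a duplicate to show de-duplication.
    "ACLAttribute": [b"group1", b"group2", b"group1"],
}

# Assumption: only group DNs with this prefix map to ACL groups; the prefix is stripped.
GROUP_PREFIX = "perm-app-mymail_"


def _as_str(value):
    """LDAP libraries commonly hand back bytes; normalise to str."""
    return value.decode("utf-8") if isinstance(value, bytes) else value


def first_rdn_value(dn):
    """Value of the first RDN of a DN, honouring backslash-escaped commas inside the value."""
    rdn = re.split(r"(?<!\\),", _as_str(dn), maxsplit=1)[0]
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"not an RDN: {rdn!r}")
    return value.replace("\\,", ",").strip()


def join_acl_groups(values):
    """Build the single acl_groups value: trimmed, de-duplicated, order preserved."""
    seen = []
    for raw in values:
        name = _as_str(raw).strip()
        if not name:
            continue
        # Dovecot splits acl_groups on commas, so a comma (or whitespace) inside a
        # group name cannot be represented and is an error rather than a silent split.
        if "," in name or any(ch.isspace() for ch in name):
            raise ValueError(f"group name cannot be encoded in acl_groups: {name!r}")
        if name not in seen:
            seen.append(name)
    return ",".join(seen)


def acl_groups_from_member_of(entry, prefix=GROUP_PREFIX):
    """Derive ACL group names from the memberOf DNs that carry the configured prefix."""
    names = []
    for dn in entry.get("memberOf", []):
        cn = first_rdn_value(dn)
        if cn.startswith(prefix):
            names.append(cn[len(prefix):])
    return join_acl_groups(names)


def userdb_extra_field(entry):
    """The extra field as a userdb would return it."""
    return f"acl_groups={acl_groups_from_member_of(entry)}"


if __name__ == "__main__":
    print(userdb_extra_field(SAMPLE_ENTRY))                  # from memberOf DNs
    print("acl_groups=" + join_acl_groups(SAMPLE_ENTRY["ACLAttribute"]))  # from the multi-valued attribute
```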