Dovecot Master User: Access user's mailbox without owner's password


Dovecot Master User: Access user's mailbox without owner's password

Dovecot mailing list
Hi, I hope you're all right. I describe below the scenario where the
problem occurs.
I'm trying to enable a master user [1] so that it can access every user's
mailbox over IMAP.
I have configured the dovecot-master-users [2] file with the
appropriate permissions.
When I try to access, for example with roundcube, through
[hidden email]*[hidden email]
In the log I see that it seems to ignore the master-user separator (*) and
tries to authenticate against Active Directory, but with the master user's
password. It then logs the following messages:

auth: Info: ldap([hidden email],127.0.0.1,<6sFGXE6XLwB/AAAB> )
invalid credentials
auth: Debug: client passdb out: FAIL 1 user=[hidden email]

I have other test cases, but I need to validate the master user login that way.

I would appreciate any comments you can make, and I am happy to
answer any questions.

Regards,

[1] https://doc.dovecot.org/configuration_manual/authentication/master_users/
[2] https://docs.iredmail.org/dovecot.master.user.html

---------------------------------------------------------------------------------------

root@mail-01:/etc/dovecot# cat /etc/issue
Ubuntu 14.04.5 LTS \n \l

root@mail-01:/etc/dovecot# dpkg -l | grep dovecot | awk {'print $2" "$3'}
dovecot-core 1:2.2.9-1ubuntu2.6
dovecot-imapd 1:2.2.9-1ubuntu2.6
dovecot-ldap 1:2.2.9-1ubuntu2.6
dovecot-lmtpd 1:2.2.9-1ubuntu2.6
dovecot-managesieved 1:2.2.9-1ubuntu2.6
dovecot-mysql 1:2.2.9-1ubuntu2.6
dovecot-pop3d 1:2.2.9-1ubuntu2.6
dovecot-sieve 1:2.2.9-1ubuntu2.6

root@mail-01:/etc/dovecot# cat dovecot.conf | grep -v '#' | grep -v -e '^$' | sed  "s/REALDOMAIN/mydomain/g"
listen = * [::]
mail_plugins = quota mailbox_alias acl
protocols = pop3 imap sieve lmtp
mail_uid = 2000
mail_gid = 2000
first_valid_uid = 2000
last_valid_uid = 2000
log_path = /var/log/dovecot.log
auth_verbose = yes
auth_debug = yes
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_ca = </etc/ssl/certs/mydomain.com.ca-bundle
ssl_cert = </etc/ssl/certs/mydomain.com.crt
ssl_key = </etc/ssl/private/mydomain.com.key
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = no
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
auth_default_realm = mydomain.com
auth_mechanisms = PLAIN LOGIN
service auth {
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0666
    }
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0666
    }
    unix_listener auth-userdb {
        user = vmail
        group = vmail
        mode = 0660
    }
}
service lmtp {
    user = vmail
    process_min_avail = 5
    executable = lmtp -L
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        user = postfix
        group = postfix
        mode = 0600
    }
    inet_listener lmtp {
        address = 127.0.0.1
        port = 24
    }
}
auth_master_user_separator = *
passdb {
    driver = passwd-file
    args = /etc/dovecot/dovecot-master-users
    master = yes
}
userdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}
passdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}
plugin {
    auth_socket_path = /var/run/dovecot/auth-master
    quota = dict:user::proxy::quotadict
    quota_rule = *:storage=3G
    quota_warning = storage=100%% quota-warning 100 %u
    quota_warning2 = storage=95%% quota-warning 95 %u
    quota_warning3 = storage=90%% quota-warning 90 %u
    quota_warning4 = storage=85%% quota-warning 85 %u
    quota_grace = 10%%
    acl = vfile
    acl_shared_dict = proxy::acl
    sieve_dir = %Lh/sieve
    sieve = %Lh/sieve/dovecot.sieve
    sieve_global_dir = /var/vmail/sieve
    sieve_before = /var/vmail/sieve/dovecot.sieve
    mailbox_alias_old = Sent
    mailbox_alias_new = Sent Messages
    mailbox_alias_old2 = Sent
    mailbox_alias_new2 = Sent Items
}
service quota-warning {
    executable = script /usr/local/bin/dovecot-quota-warning.sh
    unix_listener quota-warning {
        user = vmail
        group = vmail
        mode = 0660
    }
}
service dict {
    unix_listener dict {
        mode = 0660
        user = vmail
        group = vmail
    }
}
dict {
    quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
    acl = mysql:/etc/dovecot/dovecot-share-folder.conf
}
protocol lda {
    mail_plugins = $mail_plugins sieve
    auth_socket_path = /var/run/dovecot/auth-master
    log_path = /var/log/dovecot-sieve.log
    lda_mailbox_autocreate = yes
    lda_mailbox_autosubscribe = yes
    postmaster_address = [hidden email]
}
protocol lmtp {
    info_log_path = /var/log/dovecot-lmtp.log
    mail_plugins = quota sieve
    postmaster_address = postmaster
    lmtp_save_to_detail_mailbox = yes
    recipient_delimiter = +
}
protocol imap {
    mail_plugins = $mail_plugins imap_quota imap_acl
    imap_client_workarounds = tb-extra-mailbox-sep
    mail_max_userip_connections = 30
}
protocol pop3 {
    mail_plugins = $mail_plugins
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_uidl_format = %08Xu%08Xv
    mail_max_userip_connections = 30
}
service imap-login {
    service_count = 1
    process_limit = 500
}
service pop3-login {
    service_count = 1
}
service managesieve-login {
    inet_listener sieve {
        address = 127.0.0.1
        port = 4190
    }
}
namespace {
    type = private
    separator = /
    prefix =
    inbox = yes
    mailbox Sent {
        auto = subscribe
        special_use = \Sent
    }
    mailbox "Sent Messages" {
        auto = no
        special_use = \Sent
    }
    mailbox "Sent Items" {
        auto = no
        special_use = \Sent
    }
    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }
    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }
    mailbox "Deleted Messages" {
        auto = no
        special_use = \Trash
    }
    mailbox Junk {
        auto = subscribe
        special_use = \Junk
    }
    mailbox Spam {
        auto = no
        special_use = \Junk
    }
    mailbox "Junk E-mail" {
        auto = no
        special_use = \Junk
    }
    mailbox Archive {
        auto = subscribe
        special_use = \Archive
    }
    mailbox Archives {
        auto = no
        special_use = \Archive
    }
}
namespace {
    type = shared
    separator = /
    prefix = Shared/%%u/
    location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%u
    subscriptions = yes
    list = children
}

root@mail-01:/etc/dovecot# cat dovecot-ldap.conf | sed "s/realdomain/mydomain/g"
hosts           = active-directory:389
ldap_version    = 3
auth_bind       = yes
dn              = domain\vmail
dnpass          = Str0ngP4ssw0rd
base            = ou=Organizational Unit,dc=domain,dc=com
scope           = subtree
deref           = never
user_filter     =
(&(userPrincipalName=%[hidden email])(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     =
(&(userPrincipalName=%[hidden email])(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
#user_filter     =
(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
#pass_filter     =
(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = \
                #=mail=master_user, \
#mail=user, \
=user=%[hidden email], \
=home=/var/vmail/vmail1/mydomain.com/%Ln/Maildir/, \
=mail=maildir:/var/vmail/vmail1/mydomain.com/%Ln/Maildir/, \
maxStorage=quota_rule=*:bytes=%$


root@mail-01:/etc/dovecot# ls -al dovecot-master-users
-r-x------ 1 dovecot dovecot 120 Nov 13 14:45 dovecot-master-users

Re: Dovecot Master User: Access user's mailbox without owner's password

Dovecot mailing list

Sounds a lot like my problem, which I described some days ago here on the list, but no luck. Please report to the list if you make any progress.

Regards,

Em 14/11/2019 10:41, Dav Rdrz via dovecot escreveu:
Hi, I hope you're all right. I describe below the scenario where the
problem occurs.
I'm trying to activate a master user [1] to be able to access all the
boxes of all users by imap.
I have configured the dovecot-master-users [2] file with the
appropriate permissions.
When I try to access, for example with roundcube, through
[hidden email]
I see in the log, that it seems to ignore the master-user (*) and
tries to authenticate the Active Directory but with the master user's
password. Then it shows in the log the messages

auth: Info: ldap([hidden email],<6sFGXE6XLwB/AAAB> )
invalid credentials
auth: Debug: client passdb out: FAIL 1 [hidden email]

I have other test cases, but I need to validate the master user login that way.

I would appreciate any comments you can make and I am waiting to
answer any questions.

Regards,

[1] https://doc.dovecot.org/configuration_manual/authentication/master_users/
[2] https://docs.iredmail.org/dovecot.master.user.html

---------------------------------------------------------------------------------------

root@mail-01:/etc/dovecot# cat /etc/issue
Ubuntu 14.04.5 LTS \n \l

root@mail-01:/etc/dovecot# dpkg -l | grep dovecot | awk {'print $2" "$3'}
dovecot-core 1:2.2.9-1ubuntu2.6
dovecot-imapd 1:2.2.9-1ubuntu2.6
dovecot-ldap 1:2.2.9-1ubuntu2.6
dovecot-lmtpd 1:2.2.9-1ubuntu2.6
dovecot-managesieved 1:2.2.9-1ubuntu2.6
dovecot-mysql 1:2.2.9-1ubuntu2.6
dovecot-pop3d 1:2.2.9-1ubuntu2.6
dovecot-sieve 1:2.2.9-1ubuntu2.6

root@mail-01:/etc/dovecot# cat dovecot.conf | grep -v '#' | grep -v -e '^$' | sed  "s/REALDOMAIN/mydomain/g"
listen = * [::]
mail_plugins = quota mailbox_alias acl
protocols = pop3 imap sieve lmtp
mail_uid = 2000
mail_gid = 2000
first_valid_uid = 2000
last_valid_uid = 2000
log_path = /var/log/dovecot.log
auth_verbose = yes
auth_debug = yes
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_ca = </etc/ssl/certs/mydomain.com.ca-bundle
ssl_cert = </etc/ssl/certs/mydomain.com.crt
ssl_key = </etc/ssl/private/mydomain.com.key
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_dh_parameters_length = 2048
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = no
mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
auth_default_realm = mydomain.com
auth_mechanisms = PLAIN LOGIN
service auth {
    unix_listener /var/spool/postfix/private/dovecot-auth {
        user = postfix
        group = postfix
        mode = 0666
    }
    unix_listener auth-master {
        user = vmail
        group = vmail
        mode = 0666
    }
    unix_listener auth-userdb {
        user = vmail
        group = vmail
        mode = 0660
    }
}
service lmtp {
    user = vmail
    process_min_avail = 5
    executable = lmtp -L
    unix_listener /var/spool/postfix/private/dovecot-lmtp {
        user = postfix
        group = postfix
        mode = 0600
    }
    inet_listener lmtp {
        address = 127.0.0.1
        port = 24
    }
}
auth_master_user_separator = *
passdb {
    driver = passwd-file
    args = /etc/dovecot/dovecot-master-users
    master = yes
}
userdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}
passdb {
    args = /etc/dovecot/dovecot-ldap.conf
    driver = ldap
}
plugin {
    auth_socket_path = /var/run/dovecot/auth-master
    quota = dict:user::proxy::quotadict
    quota_rule = *:storage=3G
    quota_warning = storage=100%% quota-warning 100 %u
    quota_warning2 = storage=95%% quota-warning 95 %u
    quota_warning3 = storage=90%% quota-warning 90 %u
    quota_warning4 = storage=85%% quota-warning 85 %u
    quota_grace = 10%%
    acl = vfile
    acl_shared_dict = proxy::acl
    sieve_dir = %Lh/sieve
    sieve = %Lh/sieve/dovecot.sieve
    sieve_global_dir = /var/vmail/sieve
    sieve_before = /var/vmail/sieve/dovecot.sieve
    mailbox_alias_old = Sent
    mailbox_alias_new = Sent Messages
    mailbox_alias_old2 = Sent
    mailbox_alias_new2 = Sent Items
}
service quota-warning {
    executable = script /usr/local/bin/dovecot-quota-warning.sh
    unix_listener quota-warning {
        user = vmail
        group = vmail
        mode = 0660
    }
}
service dict {
    unix_listener dict {
        mode = 0660
        user = vmail
        group = vmail
    }
}
dict {
    quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
    acl = mysql:/etc/dovecot/dovecot-share-folder.conf
}
protocol lda {
    mail_plugins = $mail_plugins sieve
    auth_socket_path = /var/run/dovecot/auth-master
    log_path = /var/log/dovecot-sieve.log
    lda_mailbox_autocreate = yes
    lda_mailbox_autosubscribe = yes
    postmaster_address = [hidden email]
}
protocol lmtp {
    info_log_path = /var/log/dovecot-lmtp.log
    mail_plugins = quota sieve
    postmaster_address = postmaster
    lmtp_save_to_detail_mailbox = yes
    recipient_delimiter = +
}
protocol imap {
    mail_plugins = $mail_plugins imap_quota imap_acl
    imap_client_workarounds = tb-extra-mailbox-sep
    mail_max_userip_connections = 30
}
protocol pop3 {
    mail_plugins = $mail_plugins
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    pop3_uidl_format = %08Xu%08Xv
    mail_max_userip_connections = 30
}
service imap-login {
    service_count = 1
    process_limit = 500
}
service pop3-login {
    service_count = 1
}
service managesieve-login {
    inet_listener sieve {
        address = 127.0.0.1
        port = 4190
    }
}
namespace {
    type = private
    separator = /
    prefix =
    inbox = yes
    mailbox Sent {
        auto = subscribe
        special_use = \Sent
    }
    mailbox "Sent Messages" {
        auto = no
        special_use = \Sent
    }
    mailbox "Sent Items" {
        auto = no
        special_use = \Sent
    }
    mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
    }
    mailbox Trash {
        auto = subscribe
        special_use = \Trash
    }
    mailbox "Deleted Messages" {
        auto = no
        special_use = \Trash
    }
    mailbox Junk {
        auto = subscribe
        special_use = \Junk
    }
    mailbox Spam {
        auto = no
        special_use = \Junk
    }
    mailbox "Junk E-mail" {
        auto = no
        special_use = \Junk
    }
    mailbox Archive {
        auto = subscribe
        special_use = \Archive
    }
    mailbox Archives {
        auto = no
        special_use = \Archive
    }
}
namespace {
    type = shared
    separator = /
    prefix = Shared/%%u/
    location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%u
    subscriptions = yes
    list = children
}

root@mail-01:/etc/dovecot# cat dovecot-ldap.conf | sed "s/realdomain/mydomain/g"
hosts           = active-directory:389
ldap_version    = 3
auth_bind       = yes
dn              = domain\vmail
dnpass          = Str0ngP4ssw0rd
base            = ou=Organizational Unit,dc=domain,dc=com
scope           = subtree
deref           = never
user_filter     =
(&([hidden email])(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     =
(&([hidden email])(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
#user_filter     =
(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
#pass_filter     =
(&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = \
                #=mail=master_user, \
#mail=user, \
=user=%[hidden email], \
=home=/var/vmail/vmail1/mydomain.com/%Ln/Maildir/, \
=mail=maildir:/var/vmail/vmail1/mydomain.com/%Ln/Maildir/, \
maxStorage=quota_rule=*:bytes=%$


root@mail-01:/etc/dovecot# ls -al dovecot-master-users
-r-x------ 1 dovecot dovecot 120 Nov 13 14:45 dovecot-master-users
--
Marcio Merlone
TI - Administrador de redes

A1 Engenharia - Unidade Corporativa
Fone: +55 41 3616-3797
Cel: +55 41 99689-0036
https://a1.ind.br/

Re: Dovecot Master User: Access user's mailbox without owner's password

Dovecot mailing list
>>>>> "Marcio" == Marcio Merlone via dovecot <[hidden email]> writes:

Marcio> Sounds a lot like my problem, which I described some days ago
Marcio> here on the list, but no luck.  Please report to the list if
Marcio> you make any progress.

Marcio,
Looking at your passdb { } block, you don't have the "result_sucess =
continue" option.  Have you tried adding that to make it work?  

Marcio> Em 14/11/2019 10:41, Dav Rdrz via dovecot escreveu:

Marcio>     Hi, I hope you're all right. I describe below the scenario where the
Marcio>     problem occurs.
Marcio>     I'm trying to activate a master user [1] to be able to access all the
Marcio>     boxes of all users by imap.
Marcio>     I have configured the dovecot-master-users [2] file with the
Marcio>     appropriate permissions.
Marcio>     When I try to access, for example with roundcube, through
Marcio>     [hidden email]*[hidden email]
Marcio>     I see in the log, that it seems to ignore the master-user (*) and
Marcio>     tries to authenticate the Active Directory but with the master user's
Marcio>     password. Then it shows in the log the messages
   
Marcio>     auth: Info: ldap([hidden email],127.0.0.1,<6sFGXE6XLwB/AAAB> )
Marcio>     invalid credentials
Marcio>     auth: Debug: client passdb out: FAIL 1 user=[hidden email]
   
Marcio>     I have other test cases, but I need to validate the master user login that way.
   
Marcio>     I would appreciate any comments you can make and I am waiting to
Marcio>     answer any questions.
   
Marcio>     Regards,
   
Marcio>     [1] https://doc.dovecot.org/configuration_manual/authentication/master_users/
Marcio>     [2] https://docs.iredmail.org/dovecot.master.user.html
   
Marcio>     ---------------------------------------------------------------------------------------
   
Marcio>     root@mail-01:/etc/dovecot# cat /etc/issue
Marcio>     Ubuntu 14.04.5 LTS \n \l
   
Marcio>     root@mail-01:/etc/dovecot# dpkg -l | grep dovecot | awk {'print $2" "$3'}
Marcio>     dovecot-core 1:2.2.9-1ubuntu2.6
Marcio>     dovecot-imapd 1:2.2.9-1ubuntu2.6
Marcio>     dovecot-ldap 1:2.2.9-1ubuntu2.6
Marcio>     dovecot-lmtpd 1:2.2.9-1ubuntu2.6
Marcio>     dovecot-managesieved 1:2.2.9-1ubuntu2.6
Marcio>     dovecot-mysql 1:2.2.9-1ubuntu2.6
Marcio>     dovecot-pop3d 1:2.2.9-1ubuntu2.6
Marcio>     dovecot-sieve 1:2.2.9-1ubuntu2.6
   
Marcio>     root@mail-01:/etc/dovecot# cat dovecot.conf | grep -v '#' | grep -v -e
Marcio>     '^$' | sed  "s/REALDOMAIN/mydomain/g"
Marcio>     listen = * [::]
Marcio>     mail_plugins = quota mailbox_alias acl
Marcio>     protocols = pop3 imap sieve lmtp
Marcio>     mail_uid = 2000
Marcio>     mail_gid = 2000
Marcio>     first_valid_uid = 2000
Marcio>     last_valid_uid = 2000
Marcio>     log_path = /var/log/dovecot.log
Marcio>     auth_verbose = yes
Marcio>     auth_debug = yes
Marcio>     ssl_protocols = !SSLv2 !SSLv3
Marcio>     ssl = required
Marcio>     verbose_ssl = no
Marcio>     ssl_ca = </etc/ssl/certs/mydomain.com.ca-bundle
Marcio>     ssl_cert = </etc/ssl/certs/mydomain.com.crt
Marcio>     ssl_key = </etc/ssl/private/mydomain.com.key
Marcio>     ssl_cipher_list =
Marcio>     ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Marcio>     ssl_dh_parameters_length = 2048
Marcio>     ssl_prefer_server_ciphers = yes
Marcio>     disable_plaintext_auth = no
Marcio>     mail_location = maildir:%Lh/Maildir/:INDEX=%Lh/Maildir/
Marcio>     auth_default_realm = mydomain.com
Marcio>     auth_mechanisms = PLAIN LOGIN
Marcio>     service auth {
Marcio>         unix_listener /var/spool/postfix/private/dovecot-auth {
Marcio>             user = postfix
Marcio>             group = postfix
Marcio>             mode = 0666
Marcio>         }
Marcio>         unix_listener auth-master {
Marcio>             user = vmail
Marcio>             group = vmail
Marcio>             mode = 0666
Marcio>         }
Marcio>         unix_listener auth-userdb {
Marcio>             user = vmail
Marcio>             group = vmail
Marcio>             mode = 0660
Marcio>         }
Marcio>     }
Marcio>     service lmtp {
Marcio>         user = vmail
Marcio>         process_min_avail = 5
Marcio>         executable = lmtp -L
Marcio>         unix_listener /var/spool/postfix/private/dovecot-lmtp {
Marcio>             user = postfix
Marcio>             group = postfix
Marcio>             mode = 0600
Marcio>         }
Marcio>         inet_listener lmtp {
Marcio>             address = 127.0.0.1
Marcio>             port = 24
Marcio>         }
Marcio>     }
Marcio>     auth_master_user_separator = *
Marcio>     passdb {
Marcio>         driver = passwd-file
Marcio>         args = /etc/dovecot/dovecot-master-users
Marcio>         master = yes
Marcio>     }
Marcio>     userdb {
Marcio>         args = /etc/dovecot/dovecot-ldap.conf
Marcio>         driver = ldap
Marcio>     }
Marcio>     passdb {
Marcio>         args = /etc/dovecot/dovecot-ldap.conf
Marcio>         driver = ldap
Marcio>     }
Marcio>     plugin {
Marcio>         auth_socket_path = /var/run/dovecot/auth-master
Marcio>         quota = dict:user::proxy::quotadict
Marcio>         quota_rule = *:storage=3G
Marcio>         quota_warning = storage=100%% quota-warning 100 %u
Marcio>         quota_warning2 = storage=95%% quota-warning 95 %u
Marcio>         quota_warning3 = storage=90%% quota-warning 90 %u
Marcio>         quota_warning4 = storage=85%% quota-warning 85 %u
Marcio>         quota_grace = 10%%
Marcio>         acl = vfile
Marcio>         acl_shared_dict = proxy::acl
Marcio>         sieve_dir = %Lh/sieve
Marcio>         sieve = %Lh/sieve/dovecot.sieve
Marcio>         sieve_global_dir = /var/vmail/sieve
Marcio>         sieve_before = /var/vmail/sieve/dovecot.sieve
Marcio>         mailbox_alias_old = Sent
Marcio>         mailbox_alias_new = Sent Messages
Marcio>         mailbox_alias_old2 = Sent
Marcio>         mailbox_alias_new2 = Sent Items
Marcio>     }
Marcio>     service quota-warning {
Marcio>         executable = script /usr/local/bin/dovecot-quota-warning.sh
Marcio>         unix_listener quota-warning {
Marcio>             user = vmail
Marcio>             group = vmail
Marcio>             mode = 0660
Marcio>         }
Marcio>     }
Marcio>     service dict {
Marcio>         unix_listener dict {
Marcio>             mode = 0660
Marcio>             user = vmail
Marcio>             group = vmail
Marcio>         }
Marcio>     }
Marcio>     dict {
Marcio>         quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
Marcio>         acl = mysql:/etc/dovecot/dovecot-share-folder.conf
Marcio>     }
Marcio>     protocol lda {
Marcio>         mail_plugins = $mail_plugins sieve
Marcio>         auth_socket_path = /var/run/dovecot/auth-master
Marcio>         log_path = /var/log/dovecot-sieve.log
Marcio>         lda_mailbox_autocreate = yes
Marcio>         lda_mailbox_autosubscribe = yes
Marcio>         postmaster_address = [hidden email]
Marcio>     }
Marcio>     protocol lmtp {
Marcio>         info_log_path = /var/log/dovecot-lmtp.log
Marcio>         mail_plugins = quota sieve
Marcio>         postmaster_address = postmaster
Marcio>         lmtp_save_to_detail_mailbox = yes
Marcio>         recipient_delimiter = +
Marcio>     }
Marcio>     protocol imap {
Marcio>         mail_plugins = $mail_plugins imap_quota imap_acl
Marcio>         imap_client_workarounds = tb-extra-mailbox-sep
Marcio>         mail_max_userip_connections = 30
Marcio>     }
Marcio>     protocol pop3 {
Marcio>         mail_plugins = $mail_plugins
Marcio>         pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
Marcio>         pop3_uidl_format = %08Xu%08Xv
Marcio>         mail_max_userip_connections = 30
Marcio>     }
Marcio>     service imap-login {
Marcio>         service_count = 1
Marcio>         process_limit = 500
Marcio>     }
Marcio>     service pop3-login {
Marcio>         service_count = 1
Marcio>     }
Marcio>     service managesieve-login {
Marcio>         inet_listener sieve {
Marcio>             address = 127.0.0.1
Marcio>             port = 4190
Marcio>         }
Marcio>     }
Marcio>     namespace {
Marcio>         type = private
Marcio>         separator = /
Marcio>         prefix =
Marcio>         inbox = yes
Marcio>         mailbox Sent {
Marcio>             auto = subscribe
Marcio>             special_use = \Sent
Marcio>         }
Marcio>         mailbox "Sent Messages" {
Marcio>             auto = no
Marcio>             special_use = \Sent
Marcio>         }
Marcio>         mailbox "Sent Items" {
Marcio>             auto = no
Marcio>             special_use = \Sent
Marcio>         }
Marcio>         mailbox Drafts {
Marcio>             auto = subscribe
Marcio>             special_use = \Drafts
Marcio>         }
Marcio>         mailbox Trash {
Marcio>             auto = subscribe
Marcio>             special_use = \Trash
Marcio>         }
Marcio>         mailbox "Deleted Messages" {
Marcio>             auto = no
Marcio>             special_use = \Trash
Marcio>         }
Marcio>         mailbox Junk {
Marcio>             auto = subscribe
Marcio>             special_use = \Junk
Marcio>         }
Marcio>         mailbox Spam {
Marcio>             auto = no
Marcio>             special_use = \Junk
Marcio>         }
Marcio>         mailbox "Junk E-mail" {
Marcio>             auto = no
Marcio>             special_use = \Junk
Marcio>         }
Marcio>         mailbox Archive {
Marcio>             auto = subscribe
Marcio>             special_use = \Archive
Marcio>         }
Marcio>         mailbox Archives {
Marcio>             auto = no
Marcio>             special_use = \Archive
Marcio>         }
Marcio>     }
Marcio>     namespace {
Marcio>         type = shared
Marcio>         separator = /
Marcio>         prefix = Shared/%%u/
Marcio>         location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%u
Marcio>         subscriptions = yes
Marcio>         list = children
Marcio>     }
   
Marcio>     root@mail-01:/etc/dovecot# cat dovecot-ldap.conf | sed
Marcio>     "s/realdomain/mydomain/g"
Marcio>     hosts           = active-directory:389
Marcio>     ldap_version    = 3
Marcio>     auth_bind       = yes
Marcio>     dn              = domain\vmail
Marcio>     dnpass          = Str0ngP4ssw0rd
Marcio>     base            = ou=Organizational Unit,dc=domain,dc=com
Marcio>     scope           = subtree
Marcio>     deref           = never
Marcio>     user_filter     =
Marcio>     (&(userPrincipalName=%[hidden email])(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Marcio>     pass_filter     =
Marcio>     (&(userPrincipalName=%[hidden email])(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Marcio>     #user_filter     =
Marcio>     (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Marcio>     #pass_filter     =
Marcio>     (&(mail=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Marcio>     pass_attrs      = userPassword=password
Marcio>     default_pass_scheme = CRYPT
Marcio>     user_attrs      = \
Marcio>                     #=mail=master_user, \
Marcio>     #mail=user, \
Marcio>     =user=%[hidden email], \
Marcio>     =home=/var/vmail/vmail1/mydomain.com/%Ln/Maildir/, \
Marcio>     =mail=maildir:/var/vmail/vmail1/mydomain.com/%Ln/Maildir/, \
Marcio>     maxStorage=quota_rule=*:bytes=%$

Marcio>     root@mail-01:/etc/dovecot# ls -al dovecot-master-users
Marcio>     -r-x------ 1 dovecot dovecot 120 Nov 13 14:45 dovecot-master-users
   
Marcio> --
Marcio> Marcio Merlone
Marcio> TI - Administrador de redes

Marcio> A1 Engenharia - Unidade Corporativa
Marcio> Fone: +55 41 3616-3797  
Marcio> Cel:  +55 41 99689-0036
Marcio> https://a1.ind.br/


Re: Dovecot Master User: Access user's mailbox without owner's password

Dovecot mailing list


Em 19/11/2019 12:59, John Stoffel via dovecot escreveu:
Marcio,
Looking at your passdb { } block, you don't have the "result_sucess =
continue" option.  Have you tried adding that to make it work?  

Sorry for the late reply — lone busy admin here.

You spelled it wrong; the correct option name is result_success:

https://doc.dovecot.org/configuration_manual/authentication/master_users/

It is there, at line 65 of https://pastebin.com/3cAvfNqB, and still no luck.

Thanks for your input.


--
Marcio Merlone