lmtp and virtual users


lmtp and virtual users

Dovecot mailing list
Good afternoon.

I have dovecot setup to authenticate virtual users using either gssapi
or doing a bind to an ldap server to achieve a single sign on capable
imap server connected to a samba active directory DC. What I am also
trying to achieve is to have dovecot's lmtp daemon handle the mails
passed from postfix. However, the only way I've gotten this to work is
setting allow_all_users = yes in the userdb but this causes lmtp to
deliver mails to non-existent accounts without rejection. I've been
searching but haven't found a way to set this same thing up but having
dovecot's lmtp check the validity of the mail's recipient against the same
samba AD DC through ldap before delivering it and rejecting unknown
email addresses. Could someone please provide some insight into how to
achieve this?

Thank you very much in advance.
Best regards,
David Wells.



Re: lmtp and virtual users


On 27.9.2019 23.21, David Wells - Alfavinil S.A. via dovecot wrote:
You could setup LDAP userdb without bind authentication, and use a
service account instead.

Aki


Re: lmtp and virtual users

Dear Aki, good afternoon.

Thank you very much for your response and thank you again for the tip on
how I could resolve this issue. The problem I'm facing is that I need
dovecot to serve emails with two different authorization methods for
imap and sasl, one through the kerberos ticket as in
https://wiki.dovecot.org/Authentication/Kerberos which I have working
but only with a static userdb and also with plain (over tls of course)
performing an ldap bind. I also need to verify the validity of incoming
emails for the lmtp process. I have only managed to get plain working
with the ldap userdb, or the kerberos solution with static databases and
no address verification working but not both. I believe I could set up
two different dovecot instances listening on different ports or even on
different ip addresses over the same ethernet device but I believe I
would run into problems with the locking of files and I would like one
solution to serve them all. Is this even possible? Is there information
on how to achieve this somewhere I haven't found?

Thank you very much again.
Best regards,
David Wells.

On 30/09/2019 at 03:36, Aki Tuomi wrote:



Fwd: lmtp and virtual users

Good morning.

I was just reading https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups and found the following statement:

> When using LDA and static userdb, deliver can check if destination user exists. With auth binds this check isn't possible.

Is this still relevant? Is there a workaround? It seems like using dovecot's lmtp in an active directory environment is not possible, is this correct?


-------- Forwarded message --------
Subject: Re: lmtp and virtual users
Date: Mon, 30 Sep 2019 17:14:16 -0300
From: David Wells - Alfavinil S.A. via dovecot [hidden email]
Reply to: David Wells - Alfavinil S.A. [hidden email]
To: Aki Tuomi [hidden email], [hidden email]




Re: Fwd: lmtp and virtual users

On 1.10.2019 17.33, David Wells - Alfavinil S.A. via dovecot wrote:

You cannot check user existence with auth binds because auth bind requires user credentials.

This is why I suggested you use a "service user" in LDAP to perform the database lookups instead of auth binds. You can still authenticate your users using kerberos.

Aki


Re: Fwd: lmtp and virtual users

Is there anywhere an example of how this would be set up? I understand the use of a service account which I already set up but I can't figure out how to use this service account to retrieve information and authenticate users.

Thanks!
Best regards,
David Wells.


On 02/10/2019 at 04:29, Aki Tuomi wrote:



Re: lmtp and virtual users

You set 'auth_bind' to 'no' and you make sure 'dn' and 'dnpass' are properly configured with a user with enough privileges to read users' passwords.

And also, you make sure your pass_attrs contains a password attribute (containing the user password hash).


On 2 Oct 2019 at 19:33, David Wells - Alfavinil S.A. via dovecot <[hidden email]> wrote:
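A worked configuration for the service-account lookup that Aki and Jean-Daniel describe, added here as an illustration rather than taken from the thread or from the Dovecot project; the hostname, DNs, mailbox path and the choice of mail/userPrincipalName as the recipient attribute are assumptions. Because the userdb lookup binds as the service account (dn/dnpass) rather than as the end user, LMTP can look up each RCPT TO address in AD and reject addresses that return no entry, with no need for allow_all_users. Active Directory does not return password hashes over LDAP, so the pass_attrs route applies only to directories that expose one; with AD the userdb below is the part LMTP needs and authentication can stay on GSSAPI or PLAIN-over-TLS auth binds (assumed here, not shown).

```conf
# /etc/dovecot/dovecot-ldap-userdb.conf.ext   (assumed path and values)
hosts = dc1.example.internal
tls = yes
ldap_version = 3
base = OU=People,DC=example,DC=internal
scope = subtree

# Service account with read access to user objects. Dovecot binds as this
# DN for the lookup, so no end-user credentials are involved.
dn = CN=dovecot-svc,OU=Service Accounts,DC=example,DC=internal
dnpass = SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER

# Lookups in this file must not use the client's credentials.
auth_bind = no

# Match the full recipient address (%u) against the account's mail or
# UPN; the userAccountControl clause excludes disabled accounts so mail
# for them is rejected at RCPT TO rather than delivered.
user_filter = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(mail=%u)(userPrincipalName=%u)))

# Static mailbox location and the system user that owns it.
user_attrs = =home=/var/mail/vhosts/%d/%n,=uid=vmail,=gid=vmail
```

```conf
# /etc/dovecot/conf.d/auth-ldap.conf.ext   (assumed path)
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
  # no allow_all_users here: an empty lookup result means "unknown user"
}
```

Checking with `doveadm user <address>` for one existing and one unknown address confirms that the second returns no user before any mail is routed through LMTP; the file holding dnpass should be readable by the dovecot auth process only.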




Re: lmtp and virtual users

As documented e.g. here https://doc.dovecot.org/configuration_manual/authentication/ldap/

Aki

> On 02/10/2019 20:47 Jean-Daniel via dovecot <[hidden email]> wrote: