设置一个使用 openldap 作为用户帐户后端的 dovecot 实例(在 Ubuntu Bionic 下)。用户邮箱是这样的
# find /home/virtual_mail/emont/ -type d -ls
2228468 4 drwxrwx--- 8 exim mail 4096 Jun 5 15:48 /home/virtual_mail/emont/
2228741 4 drwxrwx--- 5 exim mail 4096 Jun 4 12:08 /home/virtual_mail/emont/.foo1
2228744 4 drwxrwx--- 2 exim mail 4096 Jun 4 12:08 /home/virtual_mail/emont/.foo1/cur
2228746 4 drwxrwx--- 2 exim mail 4096 Jun 4 12:08 /home/virtual_mail/emont/.foo1/tmp
2228745 4 drwxrwx--- 2 exim mail 4096 Jun 4 12:08 /home/virtual_mail/emont/.foo1/new
2228471 20 drwxrwx--- 2 exim mail 20480 Jun 4 12:09 /home/virtual_mail/emont/cur
2228473 4 drwxrwx--- 2 exim mail 4096 Jun 3 15:49 /home/virtual_mail/emont/tmp
请注意,exim uid 为 1000 amd mail gid 为 8。
现在我希望 dovecot 以最小的权限访问这些内容,但我无法这样做:
# doveadm -D mailbox list -u emont
[..]
doveadm(emont): Debug: Effective uid=0, gid=0, home=/home/emont
即使我有这个(在 dovecot-ldap.conf.ext 中,另见下文):
user_attrs = homeDirectory=home,1000=uid,8=gid
也就是说,我期待看到这样的东西:
# doveadm -D mailbox list -u emont
[..]
doveadm(emont): Debug: Effective uid=1000, gid=8, home=/home/emont
请注意,我使用密码查找作为 ldap 身份验证后端(https://wiki.dovecot.org/AuthDatabase/LDAP/PasswordLookups)并且该部分工作正常(我得到用户/组并且身份验证成功)。
这是配置转储:
# doveconf -n
# 2.2.33.2 (d6601f4ec): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.21 (92477967)
# OS: Linux 4.15.0-101-generic x86_64 Ubuntu 18.04.4 LTS ext4
auth_debug = yes
auth_verbose = yes
mail_location = maildir:/home/virtual_mail/%u
namespace inbox {
hidden = no
inbox = yes
list = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix = INBOX.
separator = .
type = private
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
protocols = " imap pop3"
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_key = # hidden, use -P to show it
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
对于 ldap 来说还有这个:
# grep -v ^# dovecot-ldap.conf.ext | sort | uniq
base = dc=example,dc=de
blocking = yes
dn = uid=queryimap,cn=users,dc=example,dc=com
dnpass = xxxxxxx
hosts = myldap.example.com:7389
ldap_version = 3
scope = subtree
tls = yes
tls_ca_cert_file = /etc/myssl/mysslcert.pem
tls_require_cert = hard
user_attrs = homeDirectory=home,1000=uid,8=gid
对我做错了什么有什么建议吗?提前致谢。
答案1
我相信我已经找到了解决方案:事实证明我必须将这些添加到/etc/dovecot/conf.d/10-mail.conf
first_valid_uid = 1000
last_valid_uid = 1000
[...]
first_valid_gid = 8
last_valid_gid = 8
现在我得到了预期的结果,即:
# doveadm -D mailbox list -u emont
[...]
doveadm(emont): Debug: Effective uid=1000, gid=8, home=/home/emont
尽管如此,我还是欢迎任何对此的反馈。干杯