
I'm trying to migrate our Linux system-user-based mail system to virtual users.

I have

  • sendmail with procmail delivery
  • dovecot
  • system users with different uids
  • roundcube web interface

Sendmail handles all mail delivery to user mailboxes, dovecot handles POP3 and IMAP interaction with users, and everything is working like a charm.

Now we are starting to implement Active Directory globally and I want to drop Linux system email users in favour of LDAP virtual users.

I enabled sendmail ldap_routing

    define(`confLDAP_DEFAULT_SPEC', `-h "10.1.0.1" -b "ou=portal,dc=univ,dc=priv" -d "cn=portal admin,ou=portal,dc=univ,dc=priv" -MLDAP_AUTH_SIMPLE -P/etc/mail/ldap_pass')dnl
    LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_route_domains')dnl
    FEATURE(`ldap_routing', `null', `ldap -1 -T -v sAMAccountName -k (&(|(objectclass=user)(objectclass=group))(|(mail=%0)(proxyAddresses=smtp:%0)))',`passthru')dnl

I created a simple alias file for LDAP users via a Perl script. The file initially looked like this:

    sAMAccountName1: vmail
    sAMAccountName2: vmail
    ....
    sAMAccountNameN: vmail

I enabled dovecot-lda using this howto.

Unfortunately, with this configuration sendmail passes the real system user name ("vmail" in my case) as the -d argument, not the sAMAccountName of the virtual user.

After that I modified my alias file into something like this (inspired by this topic):

    sAMAccountName1: "|/usr/libexec/dovecot/dovecot-lda -d sAMAccountName1"
    sAMAccountName2: "|/usr/libexec/dovecot/dovecot-lda -d sAMAccountName2"
    ....
    sAMAccountNameN: "|/usr/libexec/dovecot/dovecot-lda -d sAMAccountNameN"

This solution fails because of a system rights problem I can't solve. Here are the log messages:

    Fatal: setgid(5000(vmail) from userdb lookup) failed with euid=8(mail), gid=12(mail), egid=12(mail): Operation not permitted (This binary should probably be called with process group set to 5000(vmail) instead of 12(mail))

The dovecot delivery agent is defined in sendmail.cf with U=vmail:vmail:

    Mdovecot, P=/usr/libexec/dovecot/dovecot-lda, F=l59DFMPhnu, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, M=51200000, U=vmail:vmail, T=DNS/RFC822/X-Unix, A=/usr/libexec/dovecot/dovecot-lda -d $u

dovecot-lda has the same owner and group:

    -rwxr-x--- 1 vmail vmail 28512 Apr 5 2013 /usr/libexec/dovecot/dovecot-lda

If I use the system user mail instead of vmail, everything starts working fine. But this config seems less secure to me, and I want to use the user vmail with uid > 100 instead of the user mail.

So mail delivery fails. I would appreciate any help solving this problem.

2 Answers

  1. Skip reading if you are not determined :-)

  2. Make vmail special to sendmail (no DNS lookups for destination)

    LOCAL_CONFIG
    CPvmail
  3. Use FEATURE(ldap_routing) to select mailHost not mailRoutingAddress

  4. Use FEATURE(mailertable) to select delivery method (mailer)

    mailertable

    vmail dovecot:dummy 
  5. Do not make dovecot the local mailer - FEATURE(local_procmail,...)

  6. In dovecot mailer definition use xSMTP rules not xL (local) rules

    http://wiki2.dovecot.org/LDA/Sendmail

  • So step 2 helps to treat it like a host in mailertable. Commented Feb 24, 2014 at 18:59
  • I have existing local users in the same domain. Delivery to local users fails if I use 'bounce' in ldap_routing. And sendmail doesn't return a "550 User Unknown" error if the recipient doesn't exist in LDAP or in the local database if I use 'passthru'. How can I solve this issue? Commented Feb 24, 2014 at 19:17
  • And one more issue. I don't store hostMail in Active Directory, is it possible to return some static value from ldap query if mail address was found? Commented Feb 24, 2014 at 19:29
  • 1) I suggested redirecting SOME users/addresses to another mailer (dovecot) so standard local mailer would reject mails to non existing users. 2) I can see no easy way but you can use returned "vmail" Commented Feb 24, 2014 at 20:13
  • 2) I meant syntax. A simple LDAP query suggests -v 'some ldap param name' -k 'ldap_filter'. How can I write a query which returns a simple predefined string, not the value of the LDAP param specified with -v? Commented Feb 25, 2014 at 8:47

I was trying to set this up myself and was finding snippets here and there but not a complete recipe. Here's how I did it.

I'm running FreeBSD 10.3-RELEASE, sendmail 8.15.2 and dovecot 2.2.29.

You need a user for the virtual user files:

    # passwd
    vmail:*:2025:2025:Dovecot Virtual Mail:/var/empty:/usr/sbin/nologin
    # group
    vmail:*:2025:

The dovecot side is simple, so let's do that first. Assuming a working dovecot config, you will already have at least one userdb setting. Add a new one for virtual users:

    # Virtual users
    userdb {
      driver = static
      args = uid=vmail gid=vmail home=/var/vmail/%u
    }

If you don't have one already, add a passdb setting for static credentials:

    passdb {
      args = scheme=plain-md5 username_format=%u /usr/local/etc/dovecot/imap-passwd
      driver = passwd-file
    }

Create /var/vmail:

    mkdir /var/vmail
    chown vmail:vmail /var/vmail

and unless you want to manually create directories for each new virtual user, add:

    # Virtual users config
    lda_mailbox_autocreate = yes

to dovecot.conf (the symptom of not turning on lda_mailbox_autocreate when the directories do not exist is EX_TEMPFAIL errors and messages stuck in the local sendmail queue).

Use "doveadm pw -s PLAIN-MD5" and add a line for the new virtual user:

    vfred:{PLAIN-MD5}912ec803b2ce49e4a541068d495ab570

Restart dovecot to pick up the new config:

    service dovecot restart

Now on to sendmail. If you don't have a mailertable you'll need to add one:

    FEATURE(`mailertable')dnl

to sendmail.mc and:

    vmail dovecot:dummy

to mailertable. This is telling sendmail to use the dovecot local delivery agent for *@vmail.

At the end of your sendmail.mc you probably have something like:

    MAILER(local)dnl
    MAILER(smtp)dnl

Append something along the lines of:

    dnl
    dnl Dovecot virtual user delivery agent
    dnl
    LOCAL_CONFIG
    Mdovecot, P=/usr/local/libexec/dovecot/dovecot-lda, F=l59DFMPhnu, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, M=51200000, U=vmail:vmail, T=DNS/RFC822/X-Unix, A=/usr/local/libexec/dovecot/dovecot-lda -d $u

Generate a new sendmail.cf and restart sendmail:

    service sendmail stop ; sleep 1 ; service sendmail start

("service sendmail restart" is a bit funny under FreeBSD)

Finally add your virtual user to the aliases file:

    vfred: vfred@vmail

Run newaliases and test.
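The recipe in the answer above (and the outline in the first answer) works only when three things name the same identity: the U=user:group field of the Mdovecot mailer, the uid=/gid= in dovecot's static userdb, and the owner of the dovecot-lda binary. The question's "setgid(5000(vmail) from userdb lookup) failed with euid=8(mail)" is what you get when they disagree. The following Python script is an added example, not code from the thread or from the sendmail or Dovecot projects: it renders the passwd-file, aliases and mailertable lines for a set of virtual users, refuses usernames that could not safely be passed as `dovecot-lda -d $u`, and checks the three identities against each other from config text. The function names, the username character set and the sample config strings are assumptions constructed for the example; the PLAIN-MD5 computation is the same value `doveadm pw -s PLAIN-MD5` prints (hex MD5 of the password), kept only because the answer uses that scheme.

```python
import hashlib
import re

# Assumption for the example: a conservative username charset. The name is
# passed as `dovecot-lda -d $u`, used as an aliases key and as a directory
# name under /var/vmail, so it must not start with '-' or contain separators.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,31}$")


def require_safe_username(user):
    if not USERNAME_RE.match(user):
        raise ValueError("unsafe virtual username: %r" % (user,))
    return user


def plain_md5(password):
    """Same value as `doveadm pw -s PLAIN-MD5`: hex MD5 of the password.
    Unsalted and fast to brute-force; on a new install prefer a crypt
    scheme such as SHA512-CRYPT or BLF-CRYPT."""
    return "{PLAIN-MD5}" + hashlib.md5(password.encode("utf-8")).hexdigest()


def passwd_file_line(user, password):
    """One line for the passwd-file passdb (imap-passwd in the answer)."""
    return "%s:%s" % (require_safe_username(user), plain_md5(password))


def aliases_line(user, vdomain="vmail"):
    """The `vfred: vfred@vmail` entry that routes the user via mailertable."""
    return "%s: %s@%s" % (require_safe_username(user), user, vdomain)


def render_virtual_users(users, vdomain="vmail", mailer="dovecot"):
    """Render the three text files the recipe needs for a {user: password} map."""
    return {
        "imap-passwd": "".join(passwd_file_line(u, p) + "\n" for u, p in sorted(users.items())),
        "aliases": "".join(aliases_line(u, vdomain) + "\n" for u in sorted(users)),
        "mailertable": "%s\t%s:dummy\n" % (vdomain, mailer),
    }


def mailer_user_group(sendmail_cf, mailer="dovecot"):
    """Return (user, group) from the U= field of the M<mailer> definition line."""
    for line in sendmail_cf.splitlines():
        if line.startswith("M%s," % mailer):
            m = re.search(r"\bU=([^:,\s]+):([^,\s]+)", line)
            if m is None:
                raise ValueError("M%s has no U=user:group field" % mailer)
            return m.group(1), m.group(2)
    raise ValueError("no M%s mailer definition found" % mailer)


def static_userdb_uid_gid(dovecot_conf):
    """Return (uid, gid) from the args of the `driver = static` userdb block."""
    for block in re.finditer(r"userdb\s*\{(.*?)\}", dovecot_conf, re.S):
        body = block.group(1)
        if not re.search(r"^\s*driver\s*=\s*static\s*$", body, re.M):
            continue
        args = re.search(r"^\s*args\s*=\s*(.+)$", body, re.M)
        if args is None:
            raise ValueError("static userdb has no args line")
        kv = dict(tok.split("=", 1) for tok in args.group(1).split() if "=" in tok)
        if "uid" not in kv or "gid" not in kv:
            raise ValueError("static userdb args lack uid= or gid=")
        return kv["uid"], kv["gid"]
    raise ValueError("no static userdb block found")


def lda_owner_from_ls(ls_line):
    """Owner and group from an `ls -l` line like the one in the question."""
    fields = ls_line.split()
    if len(fields) < 4 or not fields[0].startswith("-"):
        raise ValueError("not an ls -l line for a regular file")
    return fields[2], fields[3]


def check_delivery_identity(sendmail_cf, dovecot_conf, ls_line):
    """List mismatches between the identity sendmail runs the LDA as (U=),
    the identity the static userdb tells the LDA to switch to, and the owner
    of the dovecot-lda binary. Names are compared as written, which matches
    the answer (names in all three places). Empty list means consistent."""
    problems = []
    mailer_ug = mailer_user_group(sendmail_cf)
    userdb_ug = static_userdb_uid_gid(dovecot_conf)
    lda_ug = lda_owner_from_ls(ls_line)
    if mailer_ug != userdb_ug:
        problems.append("sendmail runs dovecot-lda as %s:%s but the static userdb "
                        "asks for %s:%s; setgid/setuid in the LDA will fail"
                        % (mailer_ug + userdb_ug))
    if lda_ug != mailer_ug:
        problems.append("dovecot-lda is owned by %s:%s but sendmail runs it as %s:%s; "
                        "re-check the binary's mode" % (lda_ug + mailer_ug))
    return problems


# Constructed sample fragments, assembled from what the question and answer show.
SENDMAIL_CF_OK = ("# mailer definitions\n"
                  "Mdovecot, P=/usr/local/libexec/dovecot/dovecot-lda, F=l59DFMPhnu, "
                  "S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, M=51200000, U=vmail:vmail, "
                  "T=DNS/RFC822/X-Unix, A=/usr/local/libexec/dovecot/dovecot-lda -d $u\n")
# The effective identity in the question's failing setup (the LDA ran as mail).
SENDMAIL_CF_BROKEN = SENDMAIL_CF_OK.replace("U=vmail:vmail", "U=mail:mail")
DOVECOT_CONF = ("userdb {\n  driver = passwd\n}\n# Virtual users\nuserdb {\n"
                "  driver = static\n  args = uid=vmail gid=vmail home=/var/vmail/%u\n}\n"
                "lda_mailbox_autocreate = yes\n")
LDA_LS = "-rwxr-x--- 1 vmail vmail 28512 Apr 5 2013 /usr/libexec/dovecot/dovecot-lda"

if __name__ == "__main__":
    for name, text in render_virtual_users({"vfred": "password"}).items():
        print("==> %s\n%s" % (name, text), end="")
    print("ok:", check_delivery_identity(SENDMAIL_CF_OK, DOVECOT_CONF, LDA_LS))
    print("broken:", check_delivery_identity(SENDMAIL_CF_BROKEN, DOVECOT_CONF, LDA_LS))
```

Run it as-is to see the rendered files and the two checks; on a real host, feed `check_delivery_identity` the generated sendmail.cf, the output of `doveconf -n`, and `ls -l` of the dovecot-lda binary. With the question's setup the second call reports both mismatches, which is the same condition the "setgid ... failed with euid=8(mail)" log line describes.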
