This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.
Differences between revisions 16 and 17
Revision 16 as of 2012-07-18 08:06:13
Size: 4549
Editor: solitonplus
Comment: removed @domain in -d arg to deliver, as it was breaking auth with dovecot (auth 'user' is OK while auth 'user@myhost' failed)
Revision 17 as of 2013-05-02 15:00:33
Size: 4536
Editor: TimoSirainen
Comment: use_shell is insecure
Deletions are marked like this. Additions are marked like this.
Line 113: Line 113:
  use_shell

Dovecot LDA with Exim

System users

Change the localuser router to use dovecot_delivery transport: 

localuser:
  driver = accept
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = dovecot_delivery

check_local_user is required. It makes Exim execute the transport with the user's UID and GID and it also sets HOME environment.

Next create a new transport for Dovecot deliver: 

dovecot_delivery:
  driver = pipe
  command = /usr/local/libexec/dovecot/deliver 
# use /usr/lib/dovecot/deliver  if using Debian's package
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  #group = mail
  #mode = 0660
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

Deliver is now running using the local user's UID and GID. The mail is delivered to the location specified by mail_location setting. Note that the above configuration doesn't do any userdb lookups, so you can't have any per-user configuration. If you want that, see the virtual user setup below.

Virtual users

Make sure that check_local_user isn't set in the router.

Single UID

Configure the transport to run as the user you want, for example vmail: 

dovecot_virtual_delivery:
  driver = pipe
  command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain  -f $sender_address
  # v1.1+: command = /usr/local/libexec/dovecot/deliver -d $local_part  -f $sender_address -a $original_local_part@$original_domain
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = vmail
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

You'll also need to have a master authentication socket and give vmail user access to it. See LDA for more information.

List of temp_errors can be found in /usr/include/sysexits.h.

Multiple UIDs

If you need multiple uids/gids you'll need to set deliver setuid root. See the LDA main page how to do this securely.

You could alternatively set user = root, but this requires that you built Exim without root being in FIXED_NEVER_USERS list.

Multiple UIDs, without running deliver as root

In this mode, deliver won't be querying Dovecot's master socket, instead trusting Exim to setup its execution environment. This means you must set up Exim to get the UID, GID, Home directory from LDAP/SQL/whatever. Here, we're setting them in the router and the transport automatically inherits them.

Router configuration

Insert the following router after your external delivery routers and before your local system delivery routers.

This assumes you're using macros set elsewhere to handle your external queries, as they can quickly become unwieldy to manage. Make sure you adjust it to suit your installation first! 

ldap_local_user:
  debug_print = "R: ldap_local_user for $local_part@$domain"
  driver = accept
  domains = +ldap_local_domains
  condition = LDAP_VIRT_COND
  router_home_directory = LDAP_VIRT_HOME
  user = LDAP_VIRT_UID
  group = LDAP_VIRT_GID
  #local_part_suffix = +* : -*
  #local_part_suffix_optional
  transport = dovecot_deliver

Transport configuration

This transport will not work with Dovecot 1.0.*, as its LDA didn't have support for this scenario yet. It has been tested with Exim 4.69-9 and Dovecot 1:1.2.5-2 (backported) on Debian Lenny. YMMV with Dovecot 1.1.*. 

dovecot_deliver:
  debug_print = "T: dovecot_deliver for $local_part@$domain"
  driver = pipe
  # Uncomment the following line and comment the one after it if you want deliver to try
  # to deliver subaddresses into INBOX.{subaddress}. If you do this, uncomment the
  # local_part_suffix* lines in the router as well. Make sure you also change the separator
  # to suit your local setup.
  #command = /usr/lib/dovecot/deliver -e -k -s -m "INBOX|${substr_1:$local_part_suffix}" \
  command = /usr/lib/dovecot/deliver -e -k -s \
      -f "$sender_address" -a "$original_local_part@$original_domain"
  environment = USER=$local_part@$domain
  umask = 002
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  log_defer_output
  return_fail_output
  freeze_exec_fail
  #temp_errors = *
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78

LDA/Exim (last edited 2013-05-02 15:00:33 by TimoSirainen)