Size: 4549
Comment: removed @domain in -d arg to deliver, as it was breaking auth with dovecot (auth 'user' is OK while auth 'user@myhost' failed)
|
← Revision 17 as of 2013-05-02 15:00:33 ⇥
Size: 4536
Comment: use_shell is insecure
|
Deletions are marked like this. | Additions are marked like this. |
Line 113: | Line 113: |
use_shell |
Dovecot LDA with Exim
System users
Change the localuser router to use dovecot_delivery transport:
localuser: driver = accept check_local_user # local_part_suffix = +* : -* # local_part_suffix_optional transport = dovecot_delivery
check_local_user is required. It makes Exim execute the transport with the user's UID and GID and it also sets HOME environment.
Next create a new transport for Dovecot deliver:
dovecot_delivery: driver = pipe command = /usr/local/libexec/dovecot/deliver # use /usr/lib/dovecot/deliver if using Debian's package message_prefix = message_suffix = log_output delivery_date_add envelope_to_add return_path_add #group = mail #mode = 0660 temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
Deliver is now running using the local user's UID and GID. The mail is delivered to the location specified by mail_location setting. Note that the above configuration doesn't do any userdb lookups, so you can't have any per-user configuration. If you want that, see the virtual user setup below.
Virtual users
Make sure that check_local_user isn't set in the router.
Single UID
Configure the transport to run as the user you want, for example vmail:
dovecot_virtual_delivery: driver = pipe command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address # v1.1+: command = /usr/local/libexec/dovecot/deliver -d $local_part -f $sender_address -a $original_local_part@$original_domain message_prefix = message_suffix = delivery_date_add envelope_to_add return_path_add log_output user = vmail temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
You'll also need to have a master authentication socket and give vmail user access to it. See LDA for more information.
List of temp_errors can be found in /usr/include/sysexits.h.
Multiple UIDs
If you need multiple uids/gids you'll need to set deliver setuid root. See the LDA main page how to do this securely.
You could alternatively set user = root, but this requires that you built Exim without root being in FIXED_NEVER_USERS list.
Multiple UIDs, without running deliver as root
In this mode, deliver won't be querying Dovecot's master socket, instead trusting Exim to setup its execution environment. This means you must set up Exim to get the UID, GID, Home directory from LDAP/SQL/whatever. Here, we're setting them in the router and the transport automatically inherits them.
Router configuration
Insert the following router after your external delivery routers and before your local system delivery routers.
This assumes you're using macros set elsewhere to handle your external queries, as they can quickly become unwieldy to manage. Make sure you adjust it to suit your installation first!
ldap_local_user: debug_print = "R: ldap_local_user for $local_part@$domain" driver = accept domains = +ldap_local_domains condition = LDAP_VIRT_COND router_home_directory = LDAP_VIRT_HOME user = LDAP_VIRT_UID group = LDAP_VIRT_GID #local_part_suffix = +* : -* #local_part_suffix_optional transport = dovecot_deliver
Transport configuration
This transport will not work with Dovecot 1.0.*, as its LDA didn't have support for this scenario yet. It has been tested with Exim 4.69-9 and Dovecot 1:1.2.5-2 (backported) on Debian Lenny. YMMV with Dovecot 1.1.*.
dovecot_deliver: debug_print = "T: dovecot_deliver for $local_part@$domain" driver = pipe # Uncomment the following line and comment the one after it if you want deliver to try # to deliver subaddresses into INBOX.{subaddress}. If you do this, uncomment the # local_part_suffix* lines in the router as well. Make sure you also change the separator # to suit your local setup. #command = /usr/lib/dovecot/deliver -e -k -s -m "INBOX|${substr_1:$local_part_suffix}" \ command = /usr/lib/dovecot/deliver -e -k -s \ -f "$sender_address" -a "$original_local_part@$original_domain" environment = USER=$local_part@$domain umask = 002 message_prefix = message_suffix = delivery_date_add envelope_to_add return_path_add log_output log_defer_output return_fail_output freeze_exec_fail #temp_errors = * temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78