per-user uid & ldap
Hungary
2007-04-09 16:59:15
Hello,

I have a postfix-maildrop setup which just works fine using an LDAP backend.
The whole /mail directory containing all the messages is currently owned by the mail user, the same which maildrop runs as.
I would like to modify this so that every user's email is stored under his own UID/GID (every user has and it is working fine as all the files are stored under these uids) so that I can enforce filesystem quotas on the mails as well.

The maildrop line in postfix originally looked like this:

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=mail argv=/usr/bin/maildrop -d $

and the authldaprc:
...
LDAP_MAIL               mail
LDAP_HOMEDIR            mailMessageStore
LDAP_MAILDIR            mailMessageStore
LDAP_GLOBAL_UID                mail
LDAP_GLOBAL_GID                mail
LDAP_DEREF              never
...

Now I changed the authldaprc file by setting the LDAP_UID to uidNumber and the LDAP_GID accordingly, and removed the '-d' switch from the postfix master.cf file, and I hoped maildrop would change to the user receiving the mail and deliver under that uid. Well, it didn't; instead it gave the following strange error:

Unable to open filter file, errno=2

I didn't really understand what the mailfilter file has to do with the user permissions (of course it was world readable), but I specified it by hand so master.cf now looks like:

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=mail argv=/usr/bin/maildrop /etc/courier/maildroprc $

So maildrop again reads the filter file, but by adding some debug output to the filter file (whoami, echo $HOME) it was easy to find out that maildrop can't deliver to the user maildir because it runs as user mail and thinks the home directory is /var/mail, meaning that maildrop didn't get anything from LDAP, which I don't really understand.
Of course maildrop is installed setuid (I even added setgid..) so that should not be a problem.

Could anyone please give a hint what I am missing?

Oh, and I have one more question: when maildrop receives the message and gets that the recipient is xxyy.com, does it look up the mail address xxyy.com in LDAP, retrieve the UID/GID and change to that UID/GID, or does it directly change to user xxyy.com?
I'm only asking because the first one would obviously work while the second one would fail when a user gets a message to one of his aliases..
(Courier searches for the attribute "mail" and there can be several mail attributes, but libnss-ldap is set up to search for the attribute "uid", which is a unique one, and I'm quite happy with this so I'd rather not change it).

Thanks in advance,
Adam


_______________________________________________
Courier-maildrop mailing list
Courier-maildrop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/courier-maildrop

Re: per-user uid & ldap
Finland
2007-04-10 05:12:54
> The maildrop line in postfix originally looked like this:
>
> maildrop  unix  -       n       n       -       -       pipe
>   flags=DRhu user=mail argv=/usr/bin/maildrop -d $
>
> and the authldaprc:
> ...
> LDAP_MAIL               mail
> LDAP_HOMEDIR            mailMessageStore
> LDAP_MAILDIR            mailMessageStore
> LDAP_GLOBAL_UID                mail
> LDAP_GLOBAL_GID                mail
> LDAP_DEREF              never
> ...
>
> Now I changed the authldaprc file by setting the LDAP_UID to uidNumber
> and the LDAP_GID accordingly
> and removed the '-d' switch from the postfix master.cf file

Do not remove the '-d' switch, it is necessary. Is /usr/bin/maildrop owned by root and does it have its suid bit set? Does the user 'mail' belong to the trusted users of maildrop (set at compile time)?
See 'man pipe' section Flags -> user= and 'man maildrop' section Options -> -d

Another approach would be to use maildrop as mailbox_command in Postfix.
See http://www.postfix.org/MAILDROP_README.html section Indirect delivery via the local delivery agent
--
Cheers
Petri
GSM +358 400 505 939




Re: per-user uid & ldap
Hungary
2007-04-10 09:21:55
Petri Riihikallio wrote:
>> The maildrop line in postfix originally looked like this:
>>
>> maildrop  unix  -       n       n       -       -       pipe
>>   flags=DRhu user=mail argv=/usr/bin/maildrop -d $
>>
>> and the authldaprc:
>> ...
>> LDAP_MAIL               mail
>> LDAP_HOMEDIR            mailMessageStore
>> LDAP_MAILDIR            mailMessageStore
>> LDAP_GLOBAL_UID                mail
>> LDAP_GLOBAL_GID                mail
>> LDAP_DEREF              never
>> ...
>>
>> Now I changed the authldaprc file by setting the LDAP_UID to uidNumber
>> and the LDAP_GID accordingly
>> and removed the '-d' switch from the postfix master.cf file
>
> Do not remove the '-d' switch, it is necessary. Is /usr/bin/maildrop
> owned by root and does it have its suid bit set? Does the user 'mail' belong
> to the trusted users of maildrop (set at compile time)?
> See 'man pipe' section Flags -> user= and 'man maildrop' section
> Options -> -d
>
> Another approach would be to use maildrop as mailbox_command in Postfix.
> See http://www.postfix.org/MAILDROP_README.html section Indirect
> delivery via the local delivery agent
> --
> Cheers
> Petri
> GSM +358 400 505 939
>
>
Yes, maildrop is owned by root, setuid(/setgid), and mail is a trusted user (as in the old setup maildrop ran as "mail").
I re-inserted the -d switch. If the maildroprc file isn't specified by hand then it isn't executed; otherwise the result is the same as before.
I've read both of the man pages but didn't get closer to the solution.
Using maildrop as mailbox command could be a solution, but if it is possible I'd stick with the current setup because it doesn't explicitly require every user to have a unix system account (or a compatible LDAP account), which might turn out to be a big advantage.
Do you have any more ideas?

Thanks,
Adam


Re: per-user uid & ldap
Finland
2007-04-10 11:43:26
> Yes, maildrop is owned by root, setuid(/setgid), and mail is a trusted
> user (as in the old setup maildrop ran as "mail").

These were my easy guesses. Your setup differs from mine, so I can't give you any working sample config. I can guess some more, though:

Are you sure the LDAP queries are working and returning the values you expect? Maildrop needs to know the uid and gid of the user and the Maildir must be writable by that user.

From your original post:
> I didn't really understand what the mailfilter file has to do with
> the user permissions (of course it was world readable)
> but I specified it by hand so master.cf now looks like:
>
> maildrop  unix  -       n       n       -       -       pipe
>   flags=DRhu user=mail argv=/usr/bin/maildrop /etc/courier/maildroprc $
>
> So maildrop again reads the filter file, but adding some debug output to
> the filter file (whoami, echo $HOME)
> it was easy to find out that maildrop can't deliver to the user maildir
> because it runs as user mail and
> thinks the home directory is /var/mail, meaning that maildrop didn't get
> anything from LDAP, which I don't really understand.

In this case Maildrop runs in manual mode (sans -d) and the $ is available as $1 in the rules, but Maildrop won't try to switch to this user. It will run as user mail as invoked by Pipe.

From your original post:
> Oh and I have one more question: when maildrop receives the message and
> gets that the recipient is
> xxyy.com, does it look up the mail address xxyy.com in LDAP, retrieve
> the UID/GID and change to that
> UID/GID or does it directly change to user xxyy.com?

Maildrop can't switch to user xxyy.com, since that is not a valid username. xx might be, but need not. That's why authdaemond will query the LDAP back-end for the uid. Confirm that this is really working: enable enough logging to see what is asked and what the answer is.
--
Cheers
Petri
GSM +358 400 505 939
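To make the two points in Petri's reply concrete (the uid comes from an authlib lookup keyed on the mail attribute, so aliases resolve; without -d maildrop stays whatever user pipe(8) started it as), here is an added example that is not code from the thread or from Courier. It models the lookup against an authldaprc like Adam's with a constructed in-memory directory; gidNumber is an assumed attribute name and the addresses are made up.

```python
# Added example, not code from the thread or from Courier: models how authdaemond
# maps a recipient to uid/gid/Maildir from an authldaprc like Adam's (the thread's
# keys plus LDAP_UID/LDAP_GID; gidNumber is assumed) and who maildrop runs as.
AUTHLDAPRC = """
LDAP_MAIL               mail
LDAP_MAILDIR            mailMessageStore
LDAP_UID                uidNumber
LDAP_GID                gidNumber
LDAP_GLOBAL_UID         mail
LDAP_GLOBAL_GID         mail
"""
# Constructed directory; 'mail' is multi-valued, so the second value is an alias.
DIRECTORY = [
    {"uid": ["adam"], "mail": ["adam@xxyy.com", "alias@xxyy.com"],
     "mailMessageStore": ["/mail/adam"], "uidNumber": ["1001"], "gidNumber": ["1001"]},
    {"uid": ["bob"], "mail": ["bob@xxyy.com"], "mailMessageStore": ["/mail/bob"]},
]

def parse_authldaprc(text):
    """KEY<whitespace>VALUE per line; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            cfg[parts[0]] = parts[1].strip()
    return cfg

def lookup(recipient, cfg, directory):
    """Match the address against every LDAP_MAIL value (so aliases resolve),
    then take uid/gid from the per-user attributes, else the global ones."""
    def first(entry, key, default):
        v = entry.get(cfg.get(key, ""), [default])[0]
        return int(v) if isinstance(v, str) and v.isdigit() else v
    mail_attr = cfg.get("LDAP_MAIL", "mail")
    for entry in directory:
        if recipient.lower() in [m.lower() for m in entry.get(mail_attr, [])]:
            return {"uid": first(entry, "LDAP_UID", cfg.get("LDAP_GLOBAL_UID")),
                    "gid": first(entry, "LDAP_GID", cfg.get("LDAP_GLOBAL_GID")),
                    "maildir": entry.get(cfg.get("LDAP_MAILDIR", ""), [None])[0]}
    return None  # unknown recipient: nothing to switch to, delivery fails

def delivery_identity(recipient, with_d, invoking_user="mail"):
    """With -d maildrop asks authlib and switches to the looked-up uid; in
    manual mode (no -d) it stays the user Postfix's pipe(8) invoked it as."""
    if not with_d:
        return invoking_user
    acct = lookup(recipient, parse_authldaprc(AUTHLDAPRC), DIRECTORY)
    return acct["uid"] if acct else None
```

Bob's entry has no uidNumber, so he falls back to the global 'mail' account exactly as the original authldaprc did for everyone; that is the difference Adam is trying to remove, and a quick way to spot which entries still lack the per-user attributes.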


