This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 21 and 22
Revision 21 as of 2010-06-03 08:13:02 (size 4256, editor TimoSirainen)
Revision 22 as of 2010-06-14 17:54:17 (size 3549, editor TimoSirainen)

Post-login scripting

If you want to do something special after authentication, but before beginning the IMAP or POP3 session, you can do it by telling the imap/pop3 executable to use a post-login service:

service imap {
  executable = imap imap-postlogin
}

# The service name below doesn't actually matter.
service imap-postlogin {
  executable = script-login /usr/local/bin/postlogin.sh

  # the script process runs as the user specified here
  user = root
  unix_listener imap-postlogin {
  }
}

You can run multiple post-login scripts by just giving multiple scripts as parameters to script-login, for example:

  executable = script-login rawlog /usr/local/bin/postlogin.sh /usr/local/bin/postlogin2.sh

Running environment

Standard input and output file descriptors are redirected to the client's network socket, so you can send data to the client simply by writing to stdout. The standard error fd is redirected to Dovecot's error log, so you can write errors there as well.

The script can use environment variables:

  • USER: Username
  • IP: Remote IP address
  • LOCAL_IP: Local IP address
  • Fields returned by userdb lookup with their keys uppercased (e.g. if userdb returned home, it's stored in HOME).

It's possible to add or modify userdb fields by adding them to the environment and adding the field name to USERDB_KEYS. For example, to change the user's mail location:

export MAIL=maildir:/tmp/test
export USERDB_KEYS="$USERDB_KEYS mail"
exec "$@"

You can change any Dovecot settings using the above method.

Last-login tracking

If you want to know when the user last logged in, you can do it like this:

#!/bin/sh
# a) Filesystem based timestamp in user's home directory
touch ~/.last_login
# b) SQL based tracking. Beware of potential SQL injection holes if you allow
# users to have ' characters in usernames.
#echo "update last_login = now WHERE user = '$USER'" | mysql mails
exec "$@"

Note: if creating a timestamp inside the Maildir itself, it's better to avoid filenames which begin with a dot. The IMAP LIST command will show such files as IMAP folders, unless you also set maildir_stat_dirs = yes, which costs extra I/O operations.
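The two techniques above, the userdb override from "Running environment" and the last-login tracking, combined into one post-login script. This is an added example, not a script from the Dovecot wiki. It assumes mailboxes live under /var/mail/<user>/Maildir, that Dovecot passes the imap/pop3 binary and its arguments as "$@", and it uses a hypothetical table last_login(user, seen) in the "mails" database named on the page. Because USER ends up in a filesystem path and in an SQL statement, the script first checks the name against a strict character allowlist, which is what closes the quoting hole the page warns about.

```shell
#!/bin/sh
# Added example (not from the Dovecot wiki). Post-login script combining a
# userdb field override with last-login tracking.
# Assumptions: mail under /var/mail/<user>/Maildir; hypothetical table
# last_login(user, seen) in database "mails"; Dovecot passes the imap/pop3
# binary plus its arguments as "$@".

# USER comes from the login process, but it is used below to build a path and
# an SQL statement, so accept only a conservative character set.
valid_username() {
    case "$1" in
        ''|*[!a-zA-Z0-9._@-]*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Set a userdb field override: export it upper-cased and register the key
# in USERDB_KEYS, as the page describes.
export_userdb_field() {
    key=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    export "$key=$2"
    USERDB_KEYS="${USERDB_KEYS:+$USERDB_KEYS }$1"
    export USERDB_KEYS
}

# Mail location for user $1 under base directory $2 (assumed layout).
build_mail_location() {
    printf 'maildir:%s/%s/Maildir' "$2" "$1"
}

# Build the last-login UPDATE only for a validated username; a name that
# fails the allowlist is never interpolated, so a quote cannot alter the
# statement. (Table and column names are hypothetical.)
last_login_sql() {
    valid_username "$1" || return 1
    printf "UPDATE last_login SET seen = NOW() WHERE user = '%s'" "$1"
}

# Filesystem variant: a timestamp file that is not dot-prefixed, so it does
# not show up as an IMAP folder if $1 happens to be inside the Maildir.
record_last_login_file() {
    [ -d "$1" ] || return 1
    umask 077
    date '+%Y-%m-%dT%H:%M:%S' > "$1/last_login" || return 1
}

# Only do the real work when Dovecot hands us a program to exec.
if [ $# -gt 0 ]; then
    if ! valid_username "$USER"; then
        printf 'postlogin: rejecting username from %s\n' "$IP" >&2  # error log
        printf '* NO [ALERT] Login rejected\r\n'
        exit 0
    fi
    export_userdb_field mail "$(build_mail_location "$USER" /var/mail)"
    record_last_login_file "${HOME:-/var/mail/$USER}" \
        || printf 'postlogin: cannot record last login for %s\n' "$USER" >&2
    # SQL variant (uncomment once the table exists):
    # last_login_sql "$USER" | mysql mails
    exec "$@"
fi
```

The allowlist is deliberately narrower than what Dovecot itself accepts; widen it to match your userdb, but keep the rule that a name which fails the check is rejected rather than escaped. Note that a userdb may not return home at all, which is why the script falls back to the assumed directory instead of writing relative to an empty HOME.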

Custom mailbox location autodetection

See MailLocation for an example.

Alerts

If you want to give the user's client some warning notification, you can do it just by writing it to stdout. But note:

  • Not all clients show the alerts, even though the IMAP RFC requires it.
  • The IMAP protocol requires CRLF (\r\n) line endings. Some clients will break if you only send LF.

#!/bin/sh
if [ -f ~/.out-of-office ]; then
  printf "* OK [ALERT] You're still marked as being out of office.\r\n"
fi
exec "$@"

Use UNIX groups for ACL authorization

#!/bin/sh
# id -Gn prints only the group names (the "user :" prefix that GNU groups
# prepends would otherwise end up in the list); join them with commas.
ACL_GROUPS=$(id -Gn "$USER" | tr ' ' ',')
export ACL_GROUPS
exec "$@"

Denying connection from some IP/User

You can use the IP and USER shell variables that are set up by Dovecot in a shell script in order to deny the connection (after a successful login), like this:

#!/bin/sh
if [ "$USER" = "myuser" ] ; then
  # pass the username as a printf argument, not inside the format string
  printf "* NO [ALERT] The user '%s' cannot login\r\n" "$USER"
  exit 0
fi

if [ ! "$IP" = "192.168.1.1" ] ; then
  printf "* NO [ALERT] Access not allowed from the Internet\r\n"
  exit 0
fi
exec "$@"
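The denial script above generalised to a denylist of users and an allowlist of networks in CIDR form, as an added example that is not part of the Dovecot wiki. The denied users and allowed networks are constructed sample values; the script assumes Dovecot's USER and IP environment variables and "$@" as described on this page. It also follows the "Alerts" section: the refusal goes to the client as a CRLF-terminated untagged NO, and the reason goes to stderr, i.e. Dovecot's error log.

```shell
#!/bin/sh
# Added example (not from the Dovecot wiki): deny a post-login session by
# user denylist or by source network. DENIED_USERS and ALLOWED_NETS are
# constructed sample values. Dovecot supplies USER and IP and passes the
# imap/pop3 binary as "$@".

DENIED_USERS="myuser guest"
ALLOWED_NETS="192.168.1.0/24 10.0.0.0/8 127.0.0.1/32"

# Convert a dotted IPv4 address to a 32-bit integer; fail on anything else
# (so an IPv6 or empty IP falls through to "not in any allowed network").
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is IPv4 address $1 inside network $2 given as a.b.c.d/bits?
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$2" != "$net" ] || return 1                 # no "/" present
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "$net") || return 1
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# Print a denial reason and return 0 when user $1 from address $2 must be
# refused; return 1 when the session may proceed.
deny_reason() {
    for u in $DENIED_USERS; do
        [ "$1" = "$u" ] && { echo "user"; return 0; }
    done
    for net in $ALLOWED_NETS; do
        ip_in_cidr "$2" "$net" && return 1
    done
    echo "network"
    return 0
}

# Only act when Dovecot hands us a program to exec.
if [ $# -gt 0 ]; then
    if reason=$(deny_reason "$USER" "$IP"); then
        # generic message to the client (CRLF as IMAP requires), detail to
        # stderr, which Dovecot routes to its error log; %s keeps a
        # username containing "%" out of the printf format string
        printf '* NO [ALERT] Access denied\r\n'
        printf 'postlogin: denied %s from %s (%s)\n' "$USER" "$IP" "$reason" >&2
        exit 0
    fi
    exec "$@"
fi
```

The check fails closed: an address the parser cannot turn into an IPv4 integer (including IPv6 clients) matches no allowed network and is refused, so extend ip_in_cidr before deploying this where IPv6 logins are expected.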

You can also use:

  • the Connect ACL script for limiting some users from connecting from the Internet: http://www.linux.org.py/wiki/howto/dovecot_connect_acl
  • TCP wrappers, with login_access_sockets = tcpwrap

PostLoginScripting (last edited 2022-02-04 22:55:54 by TimoSirainen)