Bug 49307 - Make it possible to configure a master password for dovecot
Status: NEW
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 4.4
Hardware/OS: Other / Mac OS X 10.1
Priority/Severity: P5 normal
Assigned To: Mail maintainers
Reported: 2019-04-17 10:46 CEST by Michel Smidt
Modified: 2021-01-18 20:31 CET (History)
What kind of report is it?: Feature Request
Description Michel Smidt 2019-04-17 10:46:20 CEST
For the configuration of Single-Sign-On between UCS and OX, a Dovecot master password is required because OX no longer has the credentials available in the user session.
Of course, this could also be relevant for other groupwares.

So far there is only one master user under /etc/dovecot/master-users.
Unfortunately this does not work with OX. As far as I know, you can only define a password in OX. See com.openexchange.mail.masterPassword: https://documentation.open-xchange.com/7.8.4/middleware/components/saml/saml.html
Therefore I asked OX additionally if you could also configure a name (e.g. dovecotadmin).

The following article (section Master passwords) describes the possibilities to configure master passwords in Dovecot: https://wiki.dovecot.org/Authentication/MasterUsers
Comment 1 Michel Smidt 2019-04-17 12:02:12 CEST
Feedback from OX:
"Dovecot understands that. By default, however, OX cannot do that in this format."
Format:
1 login loginuser*masteruser masterpass
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2019-05-02 20:45:46 CEST
(In reply to Michel Smidt from comment #1)
> 1 login loginuser*masteruser masterpass

Our listener passes the IMAP user and IMAP password to OX. Has anyone tested whether the master password works if the listener automatically appends "*masteruser" to the IMAP username?
Comment 3 Michel Smidt 2019-05-02 21:52:46 CEST
(In reply to Sönke Schwardt-Krummrich from comment #2)
> (In reply to Michel Smidt from comment #1)
> > 1 login loginuser*masteruser masterpass
> 
> Our listener passes the IMAP user and IMAP password to OX. Has anyone
> tested, if the masterpassword works, if the listener automatically appends
> "*masteruser" to the IMAP username?

No, not yet. 
Can you give me a hint how I can do that? I have a working test environment.
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2019-05-02 22:05:23 CEST
I would try something like this:
Edit /usr/share/univention-ox/listener/ox-user.py and replace (line 336)
             groupwareoptions.append("--imaplogin=%s" % email)
with
             groupwareoptions.append("--imaplogin=%s*dovecotadmin" % email)

Then restart the Listener and create a new user.
Comment 5 Stefan Gohmann univentionstaff 2019-09-21 10:33:53 CEST
This was also necessary in my case:

cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/90-acl.conf
plugin {
  # apply ACLs to the login user (%u), not to the master user
  acl_user = %u
}
# separator between login user and master user in "loginuser*masteruser"
auth_master_user_separator = *
_EOT_ACL_

# See https://www.dovecot.nl/pipermail/dovecot/2019-April/115457.html
Comment 6 Dirk Ahrnke univentionstaff 2021-01-18 18:37:12 CET
(In reply to Stefan Gohmann from comment #5)
> This was also necessary in my case:
> 
> cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/90-acl.conf
> plugin {
>  acl_user = %u
> }
> auth_master_user_separator = *"
> _EOT_ACL_
> 
> # See https://www.dovecot.nl/pipermail/dovecot/2019-April/115457.html

which would not survive the next ucr commit.
Comment 7 Dirk Ahrnke univentionstaff 2021-01-18 20:31:26 CET
As a workaround one may consider placing the ACL settings into /etc/dovecot/local.conf instead of /etc/dovecot/conf.d/90-acl.conf.
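The settings from comments 4 to 7, checked by a small script added here as an example (not code from the bug report, UCS, OX or Dovecot): it parses the Dovecot config subset used in the thread, flags a multi-character auth_master_user_separator such as a stray quote, warns when the settings sit under conf.d/ where the next ucr commit overwrites them, and composes the loginuser*masteruser login the listener hands to OX. The file paths and contents in the script are constructed sample input; the e-mail address is a placeholder.

```python
# Added example: checks the Dovecot master-user settings discussed above.
# Not code from UCS, OX or Dovecot; it parses only 'key = value' lines,
# 'name { ... }' blocks and '#' comments, which is all the snippets use.

def parse_dovecot_conf(text):
    """Flatten a config fragment to {'plugin.acl_user': '%u', ...}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.endswith("{"):                       # enter a block
            stack.append(line[:-1].strip())
        elif line == "}":                            # leave a block
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[".".join(stack + [key])] = value
    return settings

def check_master_user_config(files):
    """files: {path: content}. Returns findings; an empty list means OK."""
    findings = []
    for path, text in files.items():
        conf = parse_dovecot_conf(text)
        sep = conf.get("auth_master_user_separator")
        if sep is not None and len(sep) != 1:        # e.g. a stray '"' after '*'
            findings.append(f"{path}: separator must be one character, got {sep!r}")
        acl_user = conf.get("plugin.acl_user")
        if acl_user is not None and acl_user != "%u":
            findings.append(f"{path}: acl_user should be %u (the login user), got {acl_user!r}")
        if path.startswith("/etc/dovecot/conf.d/") and (sep is not None or acl_user is not None):
            findings.append(f"{path}: settings under conf.d/ are overwritten by 'ucr commit'; use local.conf")
    return findings

def imap_login(email, master_user, separator="*"):
    """Compose the 'loginuser*masteruser' login the listener passes to OX."""
    if separator in email:                           # Dovecot would split at the wrong place
        raise ValueError(f"login user {email!r} contains the separator {separator!r}")
    return f"{email}{separator}{master_user}"

# Constructed sample input: a snippet with a stray quote, and a corrected copy in local.conf.
BROKEN = {"/etc/dovecot/conf.d/90-acl.conf": 'plugin {\n acl_user = %u\n}\nauth_master_user_separator = *"\n'}
FIXED = {"/etc/dovecot/local.conf": "plugin {\n  acl_user = %u\n}\nauth_master_user_separator = *\n"}
```

Running check_master_user_config(BROKEN) reports two findings (the two-character separator and the conf.d/ location), while the FIXED copy passes cleanly.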