Univention Bugzilla – Bug 38387
PAM changes email address to username
Last modified: 2019-01-03 07:16:30 CET
In /etc/pam.d/smtp pam_univentionmailcyrus.so changes a login for an email service from the email address to the system account's username. This clashes with Dovecot trying to find user information in the LDAP when used as a backend by Postfix.

Current solution is to search for both:
user_filter = (&(objectClass=univentionMail)(|(mailPrimaryAddress=%u)(uid=%u)))

Better would be to change the username in a 2nd PAM module back to the email address. Maybe in a PAM session context?

Related: Bug #34839, Bug #37814
Open tasks:
- add dependency to libpam-univentionmailcyrus
- provide a suitable PAM stack via univention-mail-dovecot
* dependency to libpam-univentionmailcyrus: r60761
* PAM stack via univention-mail-dovecot: r60838

Leaving this OPEN until a decision is made regarding trying to make PAM to revert the "user" back to the "original_user" (email address).
I think we can stick to the current status: pam stack converts mail address to username and user_filter is looking for uid=%s in LDAP. There is no benefit in changing this now. May be altered without problems later on.
univentionmailcyrus.so does not honor univentionMailHomeServer. This results with Dovecot in an "Internal login failure", because for a user with a homeServer!=self PAM authentication succeeds, but the LDAP lookup fails. Dovecot interprets this as its own fault. This is not a problem for the functioning of Dovecot, just an ugly log message.

Authentication should only succeed if the user has a mail account on the local server (univentionMailHomeServer=FQDN) or univentionMailHomeServer is empty.
Split problem "univentionmailcyrus.so does not honor univentionMailHomeServer" into separate Bug #39317.
(In reply to Sönke Schwardt-Krummrich from comment #3)
> I think we can stick to the current status:
> pam stack converts mail address to username and user_filter is looking for
> uid=%s in LDAP. There is no benefit in changing this now. May be altered
> without problems later on.

Currently the logfile contains a mix of mail address and UID as dovecot username. If the PAM stack has been used, the UID is shown in the logfile, otherwise the mail address is used. Maybe we can fix this in conjunction with bug 39317.
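Added example, not part of the bug thread and not Univention's code: because the log carries the same account under two names, failed-login counts taken per raw username are split across them. The sketch below maps both forms to the uid before counting. The log lines and the MAIL_TO_UID table are constructed, and the function names are hypothetical; on a real system the mapping would come from the mailPrimaryAddress and uid attributes in LDAP.

```python
import re
from collections import Counter

# Constructed directory data (assumption): mailPrimaryAddress -> uid.
MAIL_TO_UID = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
}

# Constructed log lines in Dovecot's login-log style, mixing both name forms.
SAMPLE_LOG = """\
Jan 03 07:10:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Jan 03 07:10:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jan 03 07:10:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jan 03 07:10:13 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Alice@Example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jan 03 07:10:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
Jan 03 07:10:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
"""

USER_RE = re.compile(r"user=<([^>]*)>")


def canonical_user(name, mail_to_uid=MAIL_TO_UID):
    """Map either login form to the uid; unknown names are kept, lower-cased."""
    name = name.strip().lower()
    return mail_to_uid.get(name, name)


def failed_logins(log_text, mail_to_uid=MAIL_TO_UID):
    """Count 'auth failed' lines per canonical user, skipping empty usernames."""
    counts = Counter()
    for line in log_text.splitlines():
        if "auth failed" not in line:
            continue
        match = USER_RE.search(line)
        if match and match.group(1):
            counts[canonical_user(match.group(1), mail_to_uid)] += 1
    return counts


if __name__ == "__main__":
    # An empty mapping reproduces the split counts seen in the raw log.
    print("raw:       ", dict(failed_logins(SAMPLE_LOG, {})))
    print("normalized:", dict(failed_logins(SAMPLE_LOG)))
```
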
This issue has been filed against UCS 4.0.

The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.