Bug 38387

Summary: PAM changes email address to username
Product: UCS
Reporter: Daniel Tröder <troeder>
Component: Mail - Dovecot
Assignee: Mail maintainers <mail-maintainers>
Status: RESOLVED WONTFIX
QA Contact:
Severity: normal
Priority: P5
CC: best, birkefeld, schwardt
Version: UCS 4.0
Target Milestone: ---
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.029
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on:    
Bug Blocks: 38457, 39317    

Description Daniel Tröder univentionstaff 2015-04-29 15:08:14 CEST
In /etc/pam.d/smtp pam_univentionmailcyrus.so changes a login for an email service from the email address to the system account's username. This clashes with Dovecot trying to find user information in the LDAP when used as a backend by Postfix.
Current solution is to search for both:
user_filter = (&(objectClass=univentionMail)(|(mailPrimaryAddress=%u)(uid=%u)))
Better would be to change the username in a 2nd PAM module back to the email address. Maybe in a PAM session context?

Related: Bug #34839, Bug #37814
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-05-20 11:07:40 CEST
Open tasks:
- add dependency to libpam-univentionmailcyrus
- provide a suitable PAM stack via univention-mail-dovecot
Comment 2 Daniel Tröder univentionstaff 2015-05-22 10:36:56 CEST
* dependency to libpam-univentionmailcyrus: r60761
* PAM stack via univention-mail-dovecot: r60838

Leaving this OPEN until a decision is made regarding trying to make PAM revert the "user" back to the "original_user" (email address).
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-06-30 23:45:45 CEST
I think we can stick to the current status:
pam stack converts mail address to username and user_filter is looking for uid=%s in LDAP. There is no benefit in changing this now. May be altered without problems later on.
Comment 4 Daniel Tröder univentionstaff 2015-07-15 16:43:49 CEST
univentionmailcyrus.so does not honor univentionMailHomeServer.

This results with Dovecot in an "Internal login failure", because for a user with a homeServer!=self PAM authentication succeeds, but the LDAP lookup fails. Dovecot interprets this as its own fault.
This is not a problem for the functioning of Dovecot, just an ugly log message.

Authentication should only succeed if the user has a mail account on the local server (univentionMailHomeServer=FQDN) or univentionMailHomeServer is empty.
Comment 5 Daniel Tröder univentionstaff 2015-09-08 11:10:10 CEST
Split problem "univentionmailcyrus.so does not honor univentionMailHomeServer" into separate Bug #39317.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2015-09-29 10:31:29 CEST
(In reply to Sönke Schwardt-Krummrich from comment #3)
> I think we can stick to the current status:
> pam stack converts mail address to username and user_filter is looking for
> uid=%s in LDAP. There is no benefit in changing this now. May be altered
> without problems later on.

Currently the logfile contains a mix of mail address and UID as dovecot username. If the PAM stack has been used, the UID is shown in logfile, otherwise the mail address is used.

Maybe we can fix this in conjunction with bug 39317.
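
Added example (not part of the bug thread and not Univention or Dovecot code): a small Python model of the login flow discussed in the description, comment 4 and comment 6, showing when a login ends as "ok", as an "Internal login failure", or as a clean authentication failure, and which name ends up in the log. The accounts, host names and function names are constructed, password checking is left out, and the user lookup is assumed to return only mailboxes hosted locally, as comment 4 implies.

```python
LOCAL_FQDN = "mail1.example.test"   # constructed host name
# Constructed directory entries (all assumed to be objectClass=univentionMail).
DIRECTORY = [
    {"uid": "alice", "mailPrimaryAddress": "alice@example.test",
     "univentionMailHomeServer": "mail1.example.test"},
    {"uid": "bob", "mailPrimaryAddress": "bob@example.test",
     "univentionMailHomeServer": "mail2.example.test"},
    {"uid": "carol", "mailPrimaryAddress": "carol@example.test",
     "univentionMailHomeServer": ""},
]

def find_account(login):
    """Account whose uid or mail address equals the login name, else None."""
    return next((e for e in DIRECTORY
                 if login in (e["uid"], e["mailPrimaryAddress"])), None)

def is_local(entry):
    """Rule from comment 4: home server is this host or is empty."""
    return entry["univentionMailHomeServer"] in ("", LOCAL_FQDN)

def lookup(name, match_uid):
    """Model of the LDAP user lookup; assumed to return local mailboxes only."""
    for e in DIRECTORY:
        hit = name == e["mailPrimaryAddress"] or (match_uid and name == e["uid"])
        if hit and is_local(e):
            return e
    return None

def login_outcome(login, via_pam=True, match_uid=True, pam_checks_home=False):
    """Return (result, name that ends up in the log) for one login attempt.
    Password verification is left out; every known account authenticates."""
    account = find_account(login)
    if account is None:
        return ("auth failed", login)
    # The PAM stack replaces the email address with the uid.
    name = account["uid"] if via_pam else login
    if via_pam and pam_checks_home and not is_local(account):
        return ("auth failed", name)             # clean rejection at auth time
    if lookup(name, match_uid) is None:
        return ("internal login failure", name)  # auth passed, lookup did not
    return ("ok", name)

if __name__ == "__main__":
    for args in [("alice@example.test", True, False), ("alice@example.test",),
                 ("alice@example.test", False), ("bob@example.test",),
                 ("bob@example.test", True, True, True)]:
        print(args, "->", login_outcome(*args))
```
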
Comment 7 Stefan Gohmann univentionstaff 2019-01-03 07:16:30 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.