Dovecot vpopmail-auth driver removal. Migrating to the SQL driver

Has anyone tried just taking the old vpopmail authorization code from the older version and add it back in to the current?

I have not thought of it until now, but I don't have the time to look into it until next month.  I was thinking it would be the obvious path to look at. If it is not, why not?

...and patching dovecot again and again and again? I don't think this would be a definitive solution to the problem

Hi Roberto

I have created a patch to add vpopmail authentication to the latest version of dovecot (2.3.20).

It works for me without any problems. I will try to keep the patch up-to-date.

Feel free to share this link in your website.

Regards,

Ali Erturk TURKER

Hi Roberto, Ali,

First i want to say "big thank" for you for your work!
I try to compile dovecot v.2.3.20 with your patch on ubuntu 20.04.5 LTS, but receive the below error.
Please share/explain more details how to use this patch with vpopmail.

Thank you in advance!

*** Warning: Linking the executable auth against the loadable module
*** libstats_auth.so is not portable!
libtool: link: gcc -std=gnu99 -g -O2 -fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -mfunction-return=keep -mindirect-branch=keep -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -fno-builtin-strftime -Wstrict-aliasing=2 -o .libs/auth auth-main.o -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--export-dynamic ./.libs/libauth.a ./.libs/libstats_auth.so ./.libs/libpassword.a ../lib-otp/.libs/libotp.a ../../src/lib-sql/.libs/libsql.a -L/usr/lib/x86_64-linux-gnu ../../src/lib-dovecot/.libs/libdovecot.so -lcrypt -lmysqlclient -lpthread -ldl -lssl -lcrypto -lresolv -lm -lrt -Wl,-rpath -Wl,/usr/local/dovecot/lib/dovecot/old-stats -Wl,-rpath -Wl,/usr/local/dovecot/lib/dovecot
/usr/bin/ld: ./.libs/libauth.a(passdb.o): in function `passdbs_init':
/usr/local/src/dovecot-2.3.20/src/auth/passdb.c:342: undefined reference to `passdb_vpopmail'
/usr/bin/ld: ./.libs/libauth.a(userdb.o): in function `userdbs_init':
/usr/local/src/dovecot-2.3.20/src/auth/userdb.c:244: undefined reference to `userdb_vpopmail'
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile:1130: auth] Error 1
make[3]: Leaving directory '/usr/local/src/dovecot-2.3.20/src/auth'
make[2]: *** [Makefile:573: all-recursive] Error 1
make[2]: Leaving directory '/usr/local/src/dovecot-2.3.20/src'
make[1]: *** [Makefile:702: all-recursive] Error 1
make[1]: Leaving directory '/usr/local/src/dovecot-2.3.20'
make: *** [Makefile:546: all] Error 2
root@qdev:/usr/local/src/dovecot-2.3.20#

I think it can be cured as  Ali certainly knows with an "if vpopmail has been declared" around that part which calls the vpopmail library

Anyway the error should go away if you run autogen

Hi Bai,

These are the steps I use to build dovecot with vpopmail support. Please try and let us know if it works:

tar -xzvf 2.3.20.tar.gz
cd core-2.3.20
patch -p1 < ../dovecot_2.3.20_vpopmail_auth.patch
sh ./autogen.sh
./configure \
--prefix=/usr/local/dovecot \
--with-docs=no \
--with-nss=no \
--with-shadow=no \
--with-pam=no \
--with-bsdauth=no \
--with-vpopmail \
--with-docs \
--with-ssl \
--with-solr

make
make install

Hi Ali,

Thank you for your quick response!
I try with official source https://dovecot.org/releases/2.3/dovecot-2.3.20.tar.gz but there isn't such file "autogen.sh".

The patching finish without errors/warnings:

root@qdev:/usr/local/src/dovecot-2.3.20# patch -p1 < ../dovecot_2.3.20_vpopmail_auth.patch
patching file configure.ac
patching file doc/example-config/conf.d/10-auth.conf
patching file doc/example-config/conf.d/auth-vpopmail.conf.ext
patching file doc/example-config/conf.d/Makefile.am
patching file m4/want_vpopmail.m4
patching file src/auth/db-checkpassword.c
patching file src/auth/Makefile.am
patching file src/auth/passdb.c
patching file src/auth/passdb-vpopmail.c
patching file src/auth/userdb.c
patching file src/auth/userdb-vpopmail.c
patching file src/auth/userdb-vpopmail.h
patching file src/master/main.c

I run compilation in your way (without step "sh ./autogen.sh") and receive the same error when run make.
One more thing i don't know how relevant it is bu configure script finish with this warning:

configure: WARNING: unrecognized options: --with-vpopmail

Hi Bai,

Please download dovecot-core tarball from https://github.com/dovecot/core/tags

I don't know the difference between dovecot and dovecot-core, but the core version

works just fine. Then follow my build procedure and let us know the result.

Regards

Ali Erturk TURKER

Hi Roberto, Ali,

finally i successfully build dovecot with vpopmail support from offigial source in this way:

tar xzf dovecot-2.3.20.tar.gz
cd dovecot-2.3.20/
patch -p1 < ../dovecot_2.3.20_vpopmail_auth.patch
autoconf
automake
./configure \
--prefix=/usr/local/dovecot \
--with-docs=no \
--with-nss=no \
--with-shadow=no \
--with-pam=no \
--with-bsdauth=no \
--with-sql \
--with-mysql \
--with-vpopmail \
--with-ssl \
--without-pam \
--without-ldap \
--without-pgsql \
--without-sqlite \
--with-systemd=no \
--with-solr
make
dovecotctl stop
rm /usr/local/dovecot
make install
cd /usr/local
mv dovecot dovecot-2.3.20
ln -s dovecot-2.3.20 dovecot

Thank you very much for support !

Hi Bai,

I'm glad to hear that the patch builds fine for you. The vpopmail auth patch is pretty straightforward, therefore I don't expect any bugs. But please check the dovecot logs and let us know if you see anything strange.

I will try to keep it up-to-date with future dovecot releases.

Regards

Ali Erturk TURKER

Hi Bai, Roberto,

After another code review, I've found that I missed to correct a section which was ifdef'd,

and never used. So the old patch is perfectly fine. Just to make perfectionist feel comfortable,

I created a revised patch :) The link is here. Feel free to share.

Regards

Ali Erturk TURKER

Hi Ali,

The original source dovecot-2.3.20 + new patch dovecot_2.3.20_vpopmail_auth_rev01.patch is build without any issues.

Thx

Ali, I would like to create a link to your patch and it would be great to have it permanent, i.e. a link which is not changed after any review and not depending on dovecot version. I mean.. it would be great if one can grab the latest version simply following a link to your GitHub project

Hi Robertoi

Please copy the patch to your website. Then I will inform you whenever I update it.

Regards,

Ali Erturk TURKER

This is because the patch modified the configure.ac You have to run autogen to regenerate the configure script

Hey guys,

absolute great work here - thanks!

I try to install all the stuff here on Rocky Linux 8 (RedHat more or less) and I don't want to use mysql (running qmail for almost 20 years now) - so I was very happy to find Ali's patch here for the newest dovecot Version. But I have a problem with the patch on my server. The patch applies without any error - but after "autoconf" and "automake" I have the string DOVECOT_WANT_VPOPMAIL in my configure file and this codesnippet is missing:

have_vpopmail=no
if test $want_vpopmail != no; then
vpop_etc="$vpopmail_home/etc"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for vpopmail configuration at $vpop_etc/lib_deps" >&5
$as_echo_n "checking for vpopmail configuration at $vpop_etc/lib_deps... " >&6; }
if ! test -f $vpop_etc/lib_deps; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
$as_echo "not found" >&6; }
vpop_etc="$vpopmail_home"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for vpopmail configuration at $vpop_etc/lib_deps" >&5
$as_echo_n "checking for vpopmail configuration at $vpop_etc/lib_deps... " >&6; }
fi
if test -f $vpop_etc/lib_deps; then
AUTH_CFLAGS="$AUTH_CFLAGS `cat $vpop_etc/inc_deps` $CFLAGS"
AUTH_LIBS="$AUTH_LIBS `cat $vpop_etc/lib_deps`"

$as_echo "#define USERDB_VPOPMAIL /**/" >>confdefs.h

$as_echo "#define PASSDB_VPOPMAIL /**/" >>confdefs.h

{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found" >&5
$as_echo "found" >&6; }
have_vpopmail=yes
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
$as_echo "not found" >&6; }
if test $want_vpopmail = yes; then
as_fn_error $? "Can't build with vpopmail support: $vpop_etc/lib_deps not found" "$LINENO" 5
fi
fi
fi

if test $have_vpopmail = no; then
not_passdb="$not_passdb vpopmail"
not_userdb="$not_userdb vpopmail"
else
userdb="$userdb vpopmail"
passdb="$passdb vpopmail"
fi

.....which mistake have I made that it isn't working as intended?

Regards,

Herbert

Hi Herbert

I could not understand what has failed for you. Below is the simplest build recipe.

Please do not add or remove any other commands, and follow the exact steps below.

If it builds, you can play with the configure options as you wish.

wget https://github.com/dovecot/core/archive/refs/tags/2.3.20.tar.gz
https://notes.sagredo.eu/files/qmail/patches/vpopmail/dovecot_vpopmail-auth/dovecot_2.3.20_vpopmail_auth_rev01.patch
tar -xvf ./2.3.20.tar.gz
cd core-2.3.20
patch -p1 < ../dovecot_2.3.20_vpopmail_auth_rev01.patch
sh ./autogen.sh

./configure \
--prefix=/usr/local/dovecot \
--with-nss=no \
--with-shadow=no \
--with-pam=no \
--with-bsdauth=no \
--with-vpopmail \
--with-ssl

make

the autogen.sh script appears only when downloading from github. No file like that if downloading from here https://www.dovecot.org/releases/2.3

Hi Roberto,

I checked myself, and confirm that the dovecot github releases page and the dovecot website provide the same sources

with a minor difference:

When you download from gihub and run autogen.sh script, it becomes the tarball you download from dovecot website,

but with a big bonus: it will configured exactly for your own build environment.

So please download from github, run autogen.sh script yourself, and save your precious time :-)

Ali Erturk TURKER

But I don't need to have autogen :-) as I'm not rebuilding the configure...

Hi Robert

Please check the openzfs build page here:

sh autogen.sh
./configure

I have been building ZFS myself with this recipe for ages and did not have a single failure.

If you are building qmail with vpopmail and dovecot (and many others), installing autogen (and friends) should not be a concern.

try autoreconf -f -i after patching

Hi Roberto

Today I tested and confirm that your suggestion also works.

I summarized both options here, so you can choose whichever you prefer.

- 1st option (tarball downloaded from dovecot website):

wget https://www.dovecot.org/releases/2.3/dovecot-2.3.20.tar.gz
wget https://notes.sagredo.eu/files/qmail/patches/vpopmail/dovecot_vpopmail-auth/dovecot_2.3.20_vpopmail_auth_rev01.patch
tar -xvf dovecot-2.3.20.tar.gz
cd dovecot-2.3.20
patch -p1 < ../dovecot_2.3.20_vpopmail_auth_rev01.patch
autoreconf -f -i

- 2nd option (tarball downloaded from dovecot github repo):

wget https://github.com/dovecot/core/archive/refs/tags/2.3.20.tar.gz
wget https://notes.sagredo.eu/files/qmail/patches/vpopmail/dovecot_vpopmail-auth/dovecot_2.3.20_vpopmail_auth_rev01.patch
tar -xvf 2.3.20.tar.gz
cd core-2.3.20
patch -p1 < ../dovecot_2.3.20_vpopmail_auth_rev01.patch
sh autogen.sh

The rest is the same (feel free to add/remove options according to your needs):

./configure \
--prefix=/usr/local/dovecot \
--with-nss=no \
--with-shadow=no \
--with-pam=no \
--with-bsdauth=no \
--with-vpopmail \
--with-ssl

Hope this helps.

Hi Roberto, hi Ali,

thank you so much for clarification - it works like a charm now!

I didn't know that both downloads are different and was wondering why the autogen.sh was missing.

Thanks for your support!

Regards,

Herbert

Hi Roberto,

if you can provide a link to this post on this page, I believe it will be easier for people to understand and apply the patch.

Sure. I've provided the link here https://notes.sagredo.eu/files/qmail/patches/vpopmail/dovecot_vpopmail-auth/. There is also a link to this thread under your name at the top of this page.

Thank you. Very much appreciated. I'll link it here and in the vpopmail page

As of Dovecot 2.3, the lua backend can also be used to emulate something close to the original vpopmail, including default domain,etc.  I am new to lua, but this seems to work quite well.

passdb { 
 driver = lua 
 args = file=/path/to/auth.lua 
 override_fields = uid=vpopmail gid=vchkpw

 auth_verbose = yes

}

userdb {

 driver = lua 
 args = file=/path/to/auth.lua

}

-- auth.lua --

local databasebase = "/home/vpopmail/domains" 

local defaultdomain = "mydefaultdomain.com"

local returnuid = 520

local returngid = 520

---------------------------

function split(inputstr, sep)  
       sep=sep or '%s'  
       local t={}   
       for field,s in string.gmatch(inputstr, "([^"..sep.."]*)("..sep.."?)") do  
               table.insert(t,field)   
               if s=="" then  
                       return t  
               end  
       end  
end

-- Find user / password / home in database 
function db_lookup(fullusername)

  --Convert to lower case 
  fullusername = string.lower(fullusername)

  local username = "" 
  local domain = "" 
  local splituser

  -- Check for existance of an @ 
  if string.match (fullusername, "@") then 
       splituser = split(fullusername, "@" ) 
       username = splituser[1] 
       domain = splituser[2] 
  else 
       username = fullusername 
       domain = defaultdomain 
  end 
   
  --Create real path where dB resides 
  local database = databasebase .. "/" .. domain .. "/vpasswd"

  for line in io.lines(database) do

      local userparams = split(line, ":")

      local user = userparams[1] 
       
      if (user == username) then 
              return {result=0, password=userparams[8], home=userparams[6]} 
      end 
  end 
  return {result=-1} 
end

function auth_passdb_lookup(req) 
  res = db_lookup(req.username) 
  if res.result == 0 then 
      return dovecot.auth.PASSDB_RESULT_OK, "password=" .. res.password 
  end 
  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "" 
end

function auth_userdb_lookup(req) 
  res = db_lookup(req.username) 
  if res.result == 0 then 
      -- you can add additional information here for userdb, like uid or home 
      return dovecot.auth.USERDB_RESULT_OK, "uid="..returnuid.." gid="..returngid.." home="..res.home 
  end 
  return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "" 
end



--Testing for working lookup running direct from cli
--x =db_lookup("postmaster@mydomain.com") 
--print (x.password) 
--print (x.home)

This is an improved version of the auth.lua that Tyler sent me today (download)

--End user editable values

local databasebase = "/home/vpopmail/domains"
local defaultdomain = "yourdomain.tld"
local returnuid = 520
local returngid = 520

--Supporting functions----------------


--Check if a file exists
function file_exists(name)
   local f=io.open(name,"r")
   if f~=nil then io.close(f) return true else return false end
end

--Split username and domain portions of an email address
function split(inputstr, sep) 
        sep=sep or '%s' 
        local t={}  
        for field,s in string.gmatch(inputstr, "([^"..sep.."]*)("..sep.."?)") do 
                table.insert(t,field)  
                if s=="" then 
                        return t 
                end 
        end 
end

-- Get all subdirectories of a directory (1 level)
function scandir(directory)
    local i, t, popen = 0, {}, io.popen
    local pfile = popen('ls -d '..directory..'/*/')
    for filename in pfile:lines() do
        print("Filename: "..filename)
        i = i + 1
        t[i] = filename
    end
    pfile:close()
    return t
end

--DoveCot called fuctions ------------

-- Find user / password / home in database
function db_lookup(fullusername)

   --Convert to lower case
   fullusername = string.lower(fullusername)

   local username = ""
   local domain = ""

   -- Check for existance of an @
   if string.match (fullusername, "@") then
        local splituser = split(fullusername, "@" )
        username = splituser[1]
        domain = splituser[2]
   else
        username = fullusername
        domain = defaultdomain
   end
   
   --Create real path where dB resides
   local database = databasebase .. "/" .. domain .. "/vpasswd"

   if (file_exists(database)) then

           for line in io.lines(database) do

                local userparams = split(line, ":")
                local user = userparams[1]
       
                if (user == username) then
                        return {result=0, password=userparams[8], home=userparams[6]}
                end
        end
   end
   return {result=-1}
end

function auth_passdb_lookup(req)
   res = db_lookup(req.user)
   if res.result == 0 then
       return dovecot.auth.PASSDB_RESULT_OK, "password=" .. res.password
   end
   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
end

function auth_userdb_lookup(req)
   res = db_lookup(req.user)
   if res.result == 0 then
       -- you can add additional information here for userdb, like uid or home
       return dovecot.auth.USERDB_RESULT_OK, "uid="..returnuid.." gid="..returngid.." home="..res.home
   end
   return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, ""
end

function auth_userdb_iterate()
  users = {}
  
  for _,domain in ipairs(scandir(databasebase)) do


        --Create real path where dB resides
        local database = domain .. "vpasswd"

        print("Current vpasswd file: "..database)

        if (file_exists(database)) then

           --split path into array of folders after removing the trailing /
           local splitpath=split(domain:sub(1, #domain -1),"/")
           local rawdomain

           --last piece of path is domain
           for _,path in ipairs(splitpath) do
                rawdomain=path
           end

           for line in io.lines(database) do

                local userparams = split(line, ":")
                local user = userparams[1]

                table.insert(users, user.."@"..rawdomain)     
           end
        end
   end

   return users
end

--Testing for API function operation
--Dovecot relies on these

--Testing for working db_lookup()
--x =db_lookup("user@email.address")
--
--print (x.password)
--print (x.home)

--Testing for working auth_userdb_iterate
--for index,data in ipairs(auth_userdb_iterate()) do
--      print (data)
--end

Should note that this lua script only works if you store passwords in plaintext in vpopmail.  If using MD5-CRYPT as many of us are then add this function:

function auth_password_verify(req, pass)
  res = db_lookup(req.user)
  if res.result == 0 then
    if req:password_verify("{MD5-CRYPT}" .. res.password, pass) == 1 then
      return dovecot.auth.PASSDB_RESULT_OK, {}
    end
  end
end

and then modify db_lookup to return the crypted password like so:

(password = userparams[2] instead of password = userparams[8])

-- Find user / password / home in database
function db_lookup(fullusername)

--Convert to lower case
  fullusername = string.lower(fullusername)

  local username = ""
  local domain = ""

  -- Check for existance of an @
  if string.match (fullusername, "@") then
    local splituser = split(fullusername, "@" )
    username = splituser[1]
    domain = splituser[2]
  else
    username = fullusername
    domain = defaultdomain
  end

  --Create real path where dB resides
  local database = databasebase .. "/" .. domain .. "/vpasswd"

  if (file_exists(database)) then

    for line in io.lines(database) do

      local userparams = split(line, ":")
      local user = userparams[1]

      if (user == username) then
        return {result=0, password=userparams[2], home=userparams[6]}
      end
    end
  end
  return {result=-1}
end

Thank you, Tyler and Rick - I was finally able to upgrade dovecot without much hassle :)

Just one suggestion:

Add the line

return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, ""

before the end of the function auth_password_verify as follows:

function auth_password_verify(req, pass)
  res = db_lookup(req.user)
  if res.result == 0 then
    if req:password_verify("{MD5-CRYPT}" .. res.password, pass) == 1 then
      return dovecot.auth.PASSDB_RESULT_OK, {}
    end
  end
  return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, ""
end

this fixes getting  the following error messages in syslog in case of a password failure:

Feb 10 20:04:18 dovecot: auth-worker(14502): Error: conn unix:auth-worker (pid=14501,uid=97): auth-worker<19>: lua(xxx@xxx.com,127.0.0.1,<Ntb3na7XCKF/AAAB>): passdb-lua: db-lua: auth_password_verify invalid return value (expected number got nil)

In most of the approaches I noticed that work normally done by vpopmail's vuserinfo is duplicated, so I figured that we could just use the tool that was meant to do the lookups for maildir and crypted password.

So here's my shot on a purely lua based lookup into the vpopmail that wraps vuserinfo.

function auth_password_verify(req, pass)
 local handle = io.popen("/usr/local/vpopmail/bin/vuserinfo -p "..req.user)
 local result = handle:read("*a")
 handle:close()

 local epass = result:match "^%s*(.-)%s*$"
 if req:password_verify("{MD5-CRYPT}"..epass,pass) > 0 then
   return dovecot.auth.PASSDB_RESULT_OK, {}
 end

 return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, {}
end

function auth_userdb_lookup(req)
 local handle = io.popen("/usr/local/vpopmail/bin/vuserinfo -d "..req.user)
 local result = handle:read("*a")
 handle:close()

 if result:find("no such user") ~= nil then
  return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
 end

 return dovecot.auth.USERDB_RESULT_OK, "uid=vpopmail gid=vchkpw home="..result:match "^%s*(.-)%s*$"
end

Thanks a lot, very much appreciated. I'll check it out

Hi

Now, the dovecot 2.3.13 arrives to FreeBSD ports, and now I found that there is not a patch (or I don't find it) for vpopmail with the option -disable-many-domains

The bigger problem is that domain tables reaplace dots whit underscore

Is there a solution for this or I need to start programming :D ?

I think you meant --enable-many-domains, right? Are you using the sql auth driver? If yes I think it can be sufficient to modify a bit the password_query, in order to look in a different table depending on the user's domain.

VpopMail config instruction are confused, but to enable 1 domain per table the config option is -disable-many-domains

md5 passwords = ON --enable-md5-passwords (default)
auth module = mysql --enable-auth-module=mysql
one domain per SQL table = --disable-many-domains

The problem is the domain table, is changed to underscore, but I just solve this sending the USER whit the domain with underscore :D

User : xxxx@xxxx_com and I use domain as table name

 SELECT \
   CONCAT(vpopmail.pw_name,'@',%L{domain_first}) AS user, \
   vpopmail.pw_passwd AS password \
   vpopmail.pw_dir AS userdb_home, \
   89 AS userdb_uid, \
   89 AS userdb_gid, \
   CONCAT('*:bytes=', REPLACE(SUBSTRING_INDEX(vpopmail.pw_shell, 'S', 1), 'NOQUOTA', '0')) AS userdb_quota_rule \
FROM %d AS vpopmail \
WHERE \
   vpopmail.pw_name='%n';

But after a lot of test I found that only works with PLAIN password, if I use CRAM-MD5 or MD5-CRYPT, I get errors from dovecot

roundcube with : NULL 
dovecot with: MD5-CRYPT 

Requested CRAM-MD5 scheme, but we have only MD5-CRYPT 

Any idea?

The query works here but the %L{domain_first} had to be embedded into quotes.

Can you clarify how did you pass the domain with the underscore?

btw, modifing the query like this breaks the possibility to authenticate with alias domains. I find that todays Steve's solution in dovecot m/l (using sql view) would do both things.

weird... Let me know if the hint of Aki Tuomi in the dovecot m/l solves.

Finally

The hint of Aki Tuomi in the dovecot m/l, don't work, but ... he give me another idea

I set encrypted password on Thunder and RoundCube and set default_pass_scheme to PLAIN on dovecot-sql.conf.ext, and now, is working !

Now I need to change vpopmail, beacuse UID / GID is not saved on domain tables !, more work !

I think adding this to your select will be sufficient

89 AS uid, \ 
89 AS gid, \

Please post your auth config when finished

After a lot of test, I was looking for other thing and I found this :
https://wiki.dovecot.org/AuthDatabase/VPopMail

I can't belive that there was a working example :D

Anyway, I did something different for the way we use vpopmail, and I don't changed vpopmail, I created other table that was updated from the system we use, so the uid was taken from the other table

The BIG difference is the way the user MUST be sent to dovecot

USER@DOMAIN@DOAMIN_with_UNDERSCORES

Example: me@pablomurillo.com.ar@pablomurillo_com_ar

Roundcube must be modified too, in rcube_imap.php on connect fucntion I added:

$user .= "@" . preg_replace(array("/\./","/\-/"), "_", $host);

But I have rouncube modified too, so, I don't know if host has the real host for everybody

password_query = \
  SELECT \
    CONCAT(vpopmail.pw_name,'@','%L{domain_first}') AS user, \
    vpopmail.pw_clear_passwd AS password, \
    vpopmail.pw_dir AS userdb_home, \
    89 AS userdb_uid, \
    89 AS userdb_gid, \
    CONCAT('*:bytes=', REPLACE(SUBSTRING_INDEX(vpopmail.pw_shell, 'S', 1), 'NOQUOTA', '0')) AS quota_rule \
  FROM \
    %L{domain_last} AS vpopmail \
  LEFT JOIN \
    aliasdomains ON aliasdomains.alias='%L{domain_first}' \
  LEFT JOIN \
    limits ON limits.domain = '%L{domain_first}' \
  WHERE \
    vpopmail.pw_name='%n' \
  AND \
    (('[WEBMAIL-IP]'!='%l' AND limits.disable_imap = 0) \
  OR \
   ('[WEBMAIL-IP]'='%l' AND limits.disable_webmail = 0))

what if a user connects with a client dfferent from roundcube? I think that we should consider a solution which doesn't touch the client but only the dovecot query...

I find a better solution, made an storage procedure returning the information :

password_query = CALL STORAGE_PROCEDURE_NAME('%n', '%d','%r','%l')

Parameters:
User name
Domanin name
Remote IP
Local IP

The select is the same, I only convert domain to table name (replace "-" and "." to "_")
No need to declare OUT variables
I have a lot of code for our internal system in the procedure, this is why I'm not posting it, but is just a :

BEGIN
DECLARE table varchar(256);
SET table = REPLACE(REPLACE(domain, ".", "_"), "-", "_");

SET @sql = CONCAT("SELECT HERE using the parameters received and the table name as variable");

PREPARE stmt FROM @SQL;
EXECUTE stmt ;
DEALLOCATE PREPARE stmt;
END

Pablo, did you find a way to iterate among users when domains have their own table?

Great!

Finally I found the time to write a wrapper for vaddaliasdomain and adjust the dovecot's sql query. Please test and let me know.

Have fun!

Now the script has been replaced by a patch, so that vpopmail will do the new sql stuff transparently!

I did a little research and you can easily convert vpopmail cdb backend to an sql one. Since I prefer postgres, this is what is needed. YMMW.

Start by installing postgres and add the table

createdb --username=postgres --owner=postgres vpopmail

If you have vpopmail re-compiled with postgres backend, this already should be enough to just create a new domain in there

vadddomain foo.bar postmasterpass

to create all the needed tables. Now it's time to get all the existing user accounts in there. We run the script (NOTE: For this export to work, vpopmail needs to be installed with cdb as backend, of course.)

#!/bin/sh

[ `id -u` = 0 ] || printf "Must run as root" || exit 1

alldomains=`/usr/local/vpopmail/bin/vdominfo | grep ^domain: | grep -v 'alias of' | cut -d ' ' -f 2-`

for domain in ${alldomains}; do
  domdir=`/usr/local/vpopmail/bin/vdominfo -d $a | head -n 1`

  if [ -r "${domdir}/.dir-control" ]; then
    dircontrol=`cat "${domdir}/.dir-control" | xargs | tr ' ' ','`
    printf "INSERT INTO dir_control (cur_users, level_cur, level_max, level_start0, level_start1, level_start2, level_end0, level_end1, level_end2, level_mod0, level_mod1, level_mod2, level_index0, level_index1, level_index2) VALUES (%s);\n" "${dircontrol}"
  fi

  /usr/local/vpopmail/bin/vuserinfo -D $domain -n -c -p -d | paste - - - - | while IFS=`printf '\t'` read user password comment dir; do

    printf "INSERT INTO vpopmail (pw_name, pw_domain, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell) VALUES ( '%s', '%s', '%s', '%s', '%s', '%s', '%s', 'NOQUOTA');\n" "${user}" "${domain}" "${password}" 89 89 "${comment}" "${dir}"

  done
done

That produces an sql script that can be imported to postgres like

  psql -U postgres -d vpopmail -f 

Finally, as outlined in https://wiki2.dovecot.org/HowTo/DovecotPostgresql, we need to configure dovecot to use the new sql backend. To use the table format of vpopmail, the sql.conf must like something like this:

driver = pgsql
connect = host=localhost dbname=vpopmail user=postgres
default_pass_scheme = CRYPT
password_query = SELECT pw_name AS user, pw_passwd AS password, pw_dir
AS userdb_home, pw_uid AS userdb_uid, pw_gid AS userdb_gid FROM vpopmail
WHERE pw_name = '%n' AND pw_domain = '%d'
#user_query = pw_dir AS home, pw_uid AS uid, pw_gid AS gid FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d'

The only problem I found is that alias domains don't work anymore for dovecot auth, you always need to auth against the main domain.

Thank you, appreciated.

Concerning the aliasdomain issue, if one adds a table which links the domain to its aliases, and the sql query is modified in order to check both domain and aliases, the auth would be validated... I hope that someone can find the time to write that sql soon or later...

Modifying the SQL request is not really hard, the hard part is convincing vpopmail to modify the extra table in the database everytime an aliasdomain is added or existing ones modified.

Currently vpopmail only changes /var/qmail/control/virtualdomains   :/

It will be sufficent to write a vaddaliasdomain's wrapper to add a record on the aliasdomains' table and eventually create that table first. In this case we don't even have to patch vpopmail.

Personally it wouldn't be a simple task to do the auth in one single sql query as it's required...

Supposing that we have a new table 'aliasdomains' with the couples domain/alias, this is an example of the new queries

/*
In this example I assume
%d = alias.com -> test.com (real domain)
%n = postmaster
*/

/* password_query */
SELECT 
CONCAT(vpopmail.pw_name, '@', vpopmail.pw_domain) AS user,
vpopmail.pw_passwd AS password
FROM `vpopmail`
LEFT JOIN aliasdomains ON aliasdomains.alias='alias.com'
WHERE 
vpopmail.pw_name = 'postmaster'
AND
(vpopmail.pw_domain = 'alias.com' OR vpopmail.pw_domain = aliasdomains.domain);

/* user query */
SELECT 
vpopmail.pw_dir AS home,
89 AS uid,
89 AS gid,
CONCAT('*:bytes=', REPLACE(SUBSTRING_INDEX(vpopmail.pw_shell, 'S', 1), 'NOQUOTA', '0')) AS quota_rule
FROM vpopmail
LEFT JOIN aliasdomains ON aliasdomains.alias='alias.com'
WHERE 
vpopmail.pw_name = 'postmaster' 
AND
(vpopmail.pw_domain = 'alias.com' OR vpopmail.pw_domain = aliasdomains.domain)
AND
('%a'!='995' or !(vpopmail.pw_gid & 2))
AND
('%r'!='[WEBMAIL-IP]' or !(pw_gid & 4))
AND
('%r'='[WEBMAIL-IP]' or '%a'!='993' or !(vpopmail.pw_gid & 8))

It will be a minor task to write up a wrapper of addaliasdomain which populates the 'aliasdomains' table.

 Hello,

I use vpopmail and was very, very disappointed by the dovecot team's decision to remove the vpopmail auth driver. The words I have for them would get me banned on the spot from any community.

However, with a bit of doc reading, I was able to migrate to another scheme quite easily, and almost painlessly. The backend you want is the passwd-file one.

- Deactivate the vpopmail backend in your /etc/dovecot/10-auth.conf

- Activate the passwd-file backend in your /etc/dovecot/10-auth.conf. The default extension file is probably named auth-passwdfile.conf.ext

- Edit your auth-passwdfile.conf.ext:

passdb {
driver = passwd-file
args = username_format=%n /home/vpopmail/domains/%d/vpasswd
}

userdb {
driver = passwd-file
args = username_format=%n /home/vpopmail/domains/%d/vpasswd
}

Replace /home/vpopmail/domains with the directory where you actually store your domains. :-)

This assumes you're using the default vpasswd settings, with a CRYPT passwd scheme in the vpasswd file. If you're using something else, you may have a bit more configuration work to do in that auth-passwdfile.conf.ext file.

- And now, the small extra pain: assuming all your vpopmail domains are handled by one vchkpw user, you need to change all the uids and gids in all your vpasswd files to the uid/gid of the vchkpwd user (typically 89:89). By default vpopmail puts 1:0 in the uid:gid fields; this would make dovecot attempt to change to uid 1 in order to read mail belonging to user vchkpwd, and would not work. Changing the uid/gid in the vpasswd files allows dovecot to access all the mail. You don't need to recompile vpasswd to vpasswd.cdb: dovecot will only read the text vpasswd files, never the cdb.

- Bear in mind you need to perform that uid/gid change every time you add/modify a user in a vpasswd file. Every time you run vadduser or equivalent, you need to go behind vadduser to make sure the uid and gid fields are correct, else dovecot won't be able to access mail for the new user. I haven't checked whether vmoduser modifies the uid/gid; if it does, you'll also need to clean up after it every time you invoke it.

- There you go. With a small amount of effort, you can keep using vpopmail together with dovecot, and in particular, you don't need to switch to a SQL backend and pull an unnecessary kitchen sink.

Thank's a lot for the contribution, it's very much appreciated. I'll check it out.

Note that the steps above worked for me because I only use very simple backends with vpopmail: the text vpasswd file (which is the one passwd-file piggybacks on) and the cdb one (unused by dovecot). If your vpopmail configuration is more complex, and you store vuser data into other databases (via SQL, for instance), then you'll have to perform more steps.

However, the idea should remain the same: look at the auth schemes vpopmail is using, and configure dovecot to use the same ones, but accessing the vpopmail data directly instead of relying on glue code that was implemented in the "vpopmail" auth driver. If you're lucky, there will be an auth driver for dovecot that corresponds to how you're using vpopmail, and you will be able to plug it directly into your vpopmail backends. If you're unlucky, however, you will have to program glue yourself, and use something like dovecot-auth-lua to make dovecot use your own programs that access the vpopmail data.

Thank you. I suppose that the passwd-file works well also with valiasdomains...

What about the doveadm iteration feature needed to expunge the mailboxes? Does it work with passwd-file as well?

Personally I'll stick with sql, because I already have a working setup. The problem is for people who have domain aliases which can't be easily transported in the sql database.

I don't know about the doveadm expunge feature, but if it's an admin tool it shouldn't need to authenticate like a remote user accessing their mail via IMAP would, so I don't see why it should be impacted by auth backends.

It is a feature where dovecot has to iterate among all the accounts in order to purge their Trash and Junk folders. The old vpopmail driver didn't have that feature and this is the reason why I switched to sql.

Hi

I'm using version 2.3.11.3 of dovecot and vpopmail auth still working

Hello again, Roberto. I wanted to share this link with folks to the dovecot mailing list. It appears that the plan is to remove support for vpopmail in an upcoming version of dovecot. 

https://dovecot.org/pipermail/dovecot/2020-March/118416.html

The thread is long, and has a many folks complaining about removing features on a point release. My guess is that it will not cause a problem for your suggested mysql install, but it will cause a problem for those who are using vpopmail directly. Your instructions here may need a slight edit about installing without mysql.

I'm also wondering which reasons prevent the migration to the sql driver, apart from the one concerning the alias domains already pointed out by Alexandre below...

Hi Jim,

I'll not fail to post something about the topic if I'll find the time, but I'm confident that some hint may also come from one of you who managed to find a solution with the LUA driver or whatelse. It can be enough to post some raw info about the new configuration, to use as a starting point for me to build the new how to.

dovecot will ended vpopmail driver! oh no!

and what about domain aliases?

the entries of a domain alias are inside /var/qmail/control and /var/qmail/users and if you only use sql authentication in dovecot, it cannot authenticate any user using the alias domain, only by the main domain

currently, I keep the sql driver first to authenticate users and if it fail, dovecot tries the vpopmail driver, to auth the aliases too.

without the vpopmail driver, how would an email@aliasdomain be authenticated in pop3/imap?!

has anyone thought about it?

Even if not much elegant one work around could be the following:

- build a db_table to save the pairs aliasdomain / realdomain

- save a new record when creating an alias by means of a php script

- modify the sql dovecot/auth accordingly to allow both realdomain and aliasdomain

PS as you may have read, finally the dovecot team announced that they will not break vpopmail until the next major release (2.4)

PS2: sorry, the delay will be just for xz, not vpopmail. Look here

indeed!

I also read about getting around via vchkpw that follows the checkpassword driver pattern, or even using the LUA driver

I will do some tests before dovecot abandon the vpopmail drivers and I will post here if I find a working solution.