What is the right way to get mails from Gmail to Dovecot with doveadm backup?

The Dovecot doc is far from perfect, so I’m a little bit confused about the right way to get mails from Gmail to a local Dovecot.

See: https://wiki.dovecot.org/Migration/Gmail

After some struggle I have a working sync of one user, but is there something which can be tuned for Gmail and its unusual labels/virtual folders?

Do I understand it right that each Gmail user must be synced separately, i.e. via a loop, as there’s no way to write a users file with multiple passwords (doveadm backup -F $file)?

IIUC the remote user must be configured in local Dovecot.

I currently have:

    # egrep -v '^(#|[ \t]*$)' /etc/dovecot/conf.d/99-migration.conf
    imapc_host = imap.gmail.com
    imapc_features = rfc822.size
    imapc_features = $imapc_features fetch-headers
    mail_prefetch_count = 20
    imapc_port = 993
    imapc_ssl = imaps
    imapc_ssl_verify = yes
    imapc_features = gmail-migration

    # sed -n '/^namespace inbox/,/^}/p' /etc/dovecot/conf.d/10-mail.conf | \
      egrep -v '^([ \t]*#|[ \t]*$)'
    namespace inbox {
      separator = /
      inbox = yes
    }

Doing sync:

    # doveadm -v -o imapc_user=gmailuser@example.com -o \
      imapc_password='gmailuser_password' backup -O '-$GmailHaveLabels' \
      -R -x '\Flagged' -x '\Important' -u gmailuser@example.com imapc:

And after sync, I got this:

    # ls -lF /mail/example.com/data/gmailuser/Maildir/
    total 112
    drwx------  5 localuser  localgroup    512 Jan 13 22:45 .[Gmail].All Mail/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Drafts/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Sent Mail/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Spam/
    drwx------  5 localuser  localgroup    512 Jan 13 22:46 .[Gmail].Trash/
    drwx------  2 localuser  localgroup   3072 Jan 13 22:44 cur/
    -rw-------  1 localuser  localgroup      6 Jan 13 22:30 dovecot-keywords
    -rw-------  1 localuser  localgroup   3684 Jan 13 22:43 dovecot-uidlist
    -rw-------  1 localuser  localgroup      8 Jan 13 22:43 dovecot-uidvalidity
    -r--r--r--  1 localuser  localgroup      0 Jan 13 22:30 dovecot-uidvalidity.5c3c0276
    -rw-------  1 localuser  localgroup  21808 Jan 13 22:44 dovecot.index.cache
    -rw-------  1 localuser  localgroup   3148 Jan 13 22:44 dovecot.index.log
    -rw-------  1 localuser  localgroup    240 Jan 13 22:43 dovecot.mailbox.log
    -rw-------  1 localuser  localgroup      0 Jan 13 22:30 maildirfolder
    drwx------  2 localuser  localgroup    512 Jan 13 22:43 new/
    -rw-------  1 localuser  localgroup    117 Jan 13 22:30 subscriptions
    drwx------  2 localuser  localgroup    512 Jan 13 22:43 tmp/

IMAP Proxy to allow an internal server to access emails via imap.gmail.com with dovecot

I need to find a way to set up Dovecot as an internet-facing mail proxy server, to allow the internal server to access emails from Gmail.

I’m not really good with Dovecot, so I would appreciate it if someone could tell me how to configure it as well. Thanks. So:

imap.gmail.com => Dovecot proxy => internal server (accessing email)

Thanks in advance.

Why does dovecot cur folder remain very large after emptying it?

My CentOS system, used for PHPList, accumulates incoming mail in this path: /var/qmail/mailnames/example.com/noreply/Maildir/cur

There used to be hundreds of thousands of emails in this mailbox; they were bounce emails meant for bounce processing by PHPList, but PHPList was choking on them. So I used the cleanup-maildir script to mass-remove emails. Now I see that the cur directory is empty (ls -l weirdly takes about 10 seconds to return with “total 0”), and yet it shows a large size. My Plesk panel also shows that the mail account is still occupying many GB. What do I need to do?

    [root@server-1012263-1 cur]# pwd
    /var/qmail/mailnames/example.com/noreply/Maildir/cur
    [root@server-1012263-1 cur]# ls -l
    total 0
    [root@server-1012263-1 cur]# cd ..
    [root@server-1012263-1 Maildir]# ls -l
    total 76460
    -rwxr-xr-x 1 popuser popuser    18968 Jun  3  2016 cleanup-maildir
    drwx------ 2 popuser popuser     4096 Jul 18  2017 courierimapkeywords
    -rw-r--r-- 1 popuser popuser       30 Jul 14  2015 courierimapsubscribed
    -rw-r--r-- 1 popuser popuser  2216005 Mar  9  2016 courierimapuiddb
    -rw-r--r-- 1 popuser popuser   666592 Jun  5  2016 courierpop3dsizelist
    drwx------ 2 popuser popuser 74199040 Jan  7 11:55 cur
    -rw------- 1 popuser popuser      672 Jan  7 09:42 dovecot.index
    -rw------- 1 popuser popuser   203808 Jan  7 11:55 dovecot.index.cache
    -rw------- 1 popuser popuser     3480 Jan  7 11:55 dovecot.index.log
    -rw------- 1 popuser popuser    32828 Jan  7 09:42 dovecot.index.log.2
    -rw------- 1 popuser popuser      720 Apr 23  2018 dovecot.list.index.log
    -rw------- 1 popuser popuser      254 Jan  7 11:55 dovecot-uidlist
    -rw------- 1 popuser popuser        8 Apr 23  2018 dovecot-uidvalidity
    -r--r--r-- 1 popuser popuser        0 Jun  6  2016 dovecot-uidvalidity.57547a5e
    -rw------- 1 popuser popuser     3717 Jan  7 11:55 maildirsize
    drwx------ 2 popuser popuser   839680 Jan  7 11:55 new
    -rw-r--r-- 1 popuser popuser       18 Jun  5  2016 subscriptions
    drwx------ 2 popuser popuser     4096 Jan  7 11:45 tmp
    [root@server-1012263-1 Maildir]#

Screenshot of my Plesk panel showing 15GB: https://i.imgur.com/oCToAWB.png

dovecot with LDAP can’t find userPassword

I’m new to LDAP and I’m trying to use it with Dovecot for authentication. When I test out my setup with Telnet and IMAP, it reports ‘userPassword not found’. However, a simple search using the same criteria brings up the userPassword correctly. Here’s my database setup (olcDatabase={1}mdb.ldif):

    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
    # CRC32 d372c2c5
    dn: olcDatabase={1}mdb
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    olcDatabase: {1}mdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=example,dc=com
    olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to * by * read
    olcLastMod: TRUE
    olcRootDN: cn=diradmin,dc=example,dc=com
    olcDbCheckpoint: 512 30
    olcDbIndex: objectClass eq
    olcDbIndex: cn,uid eq
    olcDbIndex: uidNumber,gidNumber eq
    olcDbIndex: member,memberUid eq
    olcDbMaxSize: 1073741824
    structuralObjectClass: olcMdbConfig
    entryUUID: fed6b8a2-97ef-1038-8643-a149e041a590
    creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    createTimestamp: 20181219153919Z
    olcRootPW:: cnZ3MTIz
    entryCSN: 20181220125956.316222Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    modifyTimestamp: 20181220125956Z

This is the database (ldapsearch output):

    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # example.com
    dn: dc=example,dc=com
    dc: example
    o: Example Company
    objectClass: top
    objectClass: dcObject
    objectClass: organization

    # diradmin, example.com
    dn: cn=diradmin,dc=example,dc=com
    objectClass: organizationalRole
    objectClass: top
    cn: diradmin

    # Domains, example.com
    dn: ou=Domains,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Domains

    # Users, example.com
    dn: ou=Users,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Users

    # Services, example.com
    dn: ou=Services,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Services

    # rvw.xxxxxx.org, Domains, example.com
    dn: dc=rvw.xxxxxx.org,ou=Domains,dc=example,dc=com
    dc: rvw.xxxxxx.org
    objectClass: dNSDomain
    objectClass: top
    o: postfixUser
    userPassword:: e0NSWVBUfXdRd0VQdGh3dEtUYTY=

    # Richard Williams, Users, example.com
    dn: cn=Richard Williams,ou=Users,dc=example,dc=com
    cn: Richard Williams
    mailacceptinggeneralid: rvw.xxxxxx.org
    maildrop: richardwilliams@rvw.xxxxxx.org
    mailEnabled: TRUE
    mailGidNumber: 5000
    mailUidNumber: 5000
    objectClass: extensibleObject
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: PostfixBookMailAccount
    objectClass: postfixUser
    objectClass: top
    sn: Williams
    uid: richardwiliams
    userPassword:: e01ENX10YTc1cE80QjNwOWtJRFFuVUsxeUpRPT0=
    mail: richardwilliams@rvw.xxxxxx.org
    mailAlias: richard@rvw.xxxxxx.org
    mailAlias: postmaster@rvw.xxxxxx.org
    mailAlias: abuse@rvw.xxxxxx.org
    mailHomeDirectory: /home/vmail
    mailStorageDirectory: maildir:/home/vmail/richardwilliams@rvw.xxxxxx.org/Maildir
    uniqueIdentifier: richardwilliams@rvw.xxxxxx.org

    # phamm, example.com
    dn: cn=phamm,dc=example,dc=com
    cn: phamm
    objectClass: organizationalRole
    objectClass: simpleSecurityObject
    objectClass: top
    userPassword:: e01ENX10YTc1cE80QjNwOWtJRFFuVUsxeUpRPT0=

    # dovecot, Services, example.com
    dn: uid=dovecot,ou=Services,dc=example,dc=com
    objectClass: account
    objectClass: simpleSecurityObject
    objectClass: top
    userPassword:: e01ENX10YTc1cE80QjNwOWtJRFFuVUsxeUpRPT0=
    uid: dovecot

    # search result
    search: 2
    result: 0 Success

    # numResponses: 10
    # numEntries: 9

The log shows:

    Jan  5 16:01:58 broadband dovecot: auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libauthdb_ldap.so
    Jan  5 16:01:58 broadband dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    Jan  5 16:01:58 broadband dovecot: auth: Debug: auth client connected (pid=1232)
    Jan  5 16:02:24 broadband dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB#011lip=::1#011rip=::1#011lport=143#011rport=55538#011resp=<hidden>
    Jan  5 16:02:24 broadband dovecot: auth: Debug: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): pass search: base=ou=Users,dc=example,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=richardwilliams@rvw.xxxxxx.org)) fields=mail,userPassword
    Jan  5 16:02:24 broadband dovecot: auth: Debug: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): result: mail=richardwilliams@rvw.xxxxxx.org; mail unused
    Jan  5 16:02:24 broadband dovecot: auth: Debug: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): result: mail=richardwilliams@rvw.xxxxxx.org; userPassword missing
    Jan  5 16:02:24 broadband dovecot: auth: ldap(richardwilliams@rvw.xxxxxx.org,::1,<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>): No password returned (and no nopassword)
    Jan  5 16:02:26 broadband dovecot: auth: Debug: client passdb out: FAIL#0111#011user=richardwilliams@rvw.xxxxxx.org
    Jan  5 16:02:31 broadband dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richardwilliams@rvw.xxxxxx.org>, method=PLAIN, rip=::1, lip=::1, secured, session=<j1UfH7h+8tgAAAAAAAAAAAAAAAAAAAAB>

Here’s the dovecot-ldap.conf.ext file:

    # This file is commonly accessed via passdb {} or userdb {} section in
    # conf.d/auth-ldap.conf.ext

    # This file is opened as root, so it should be owned by root and mode 0600.
    #
    # http://wiki2.dovecot.org/AuthDatabase/LDAP
    #
    # NOTE: If you're not using authentication binds, you'll need to give
    # dovecot-auth read access to userPassword field in the LDAP server.
    # With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
    # already be something like this:

    # access to attribute=userPassword
    #        by dn="<dovecot's dn>" read # add this
    #        by anonymous auth
    #        by self write
    #        by * none

    # Space separated list of LDAP hosts to use. host:port is allowed too.
    hosts = 127.0.0.1

    # LDAP URIs to use. You can use this instead of hosts list. Note that this
    # setting isn't supported by all LDAP libraries.
    #uris =

    # Distinguished Name - the username used to login to the LDAP server.
    # Leave it commented out to bind anonymously (useful with auth_bind=yes).
    #dn =

    # Password for LDAP server, if dn is specified.
    #dnpass =

    # Use SASL binding instead of the simple binding. Note that this changes
    # ldap_version automatically to be 3 if it's lower.
    #sasl_bind = no
    # SASL mechanism name to use.
    #sasl_mech =
    # SASL realm to use.
    #sasl_realm =
    # SASL authorization ID, ie. the dnpass is for this "master user", but the
    # dn is still the logged in user. Normally you want to keep this empty.
    #sasl_authz_id =

    # Use TLS to connect to the LDAP server.
    #tls = no
    # TLS options, currently supported only with OpenLDAP:
    #tls_ca_cert_file =
    #tls_ca_cert_dir =
    #tls_cipher_suite =
    # TLS cert/key is used only if LDAP server requires a client certificate.
    #tls_cert_file =
    #tls_key_file =
    # Valid values: never, hard, demand, allow, try
    #tls_require_cert =

    # Use the given ldaprc path.
    #ldaprc_path =

    # LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
    # -1 = everything. You may need to recompile OpenLDAP with debugging enabled
    # to get enough output.
    debug_level = 0

    # Use authentication binding for verifying password's validity. This works by
    # logging into LDAP server using the username and password given by client.
    # The pass_filter is used to find the DN for the user. Note that the pass_attrs
    # is still used, only the password field is ignored in it. Before doing any
    # search, the binding is switched back to the default DN.
    auth_bind = no

    # If authentication binding is used, you can save one LDAP request per login
    # if users' DN can be specified with a common template. The template can use
    # the standard %variables (see user_filter). Note that you can't
    # use any pass_attrs if you use this setting.
    #
    # If you use this setting, it's a good idea to use a different
    # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
    # the filename is different in userdb's args). That way one connection is used
    # only for LDAP binds and another connection is used for user lookups.
    # Otherwise the binding is changed to the default DN before each user lookup.
    #
    # For example:
    #   auth_bind_userdn = cn=%u,ou=people,o=org
    #
    #auth_bind_userdn =

    # LDAP protocol version to use. Likely 2 or 3.
    ldap_version = 3

    # LDAP base. %variables can be used here.
    # For example: dc=mail, dc=example, dc=org
    base = ou=Users,dc=example,dc=com

    # Dereference: never, searching, finding, always
    deref = never

    # Search scope: base, onelevel, subtree
    scope = subtree

    # User attributes are given in LDAP-name=dovecot-internal-name list. The
    # internal names are:
    #   uid - System UID
    #   gid - System GID
    #   home - Home directory
    #   mail - Mail location
    #
    # There are also other special fields which can be returned, see
    # http://wiki2.dovecot.org/UserDatabase/ExtraFields
    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

    # Filter for user lookup. Some variables can be used (see
    # http://wiki2.dovecot.org/Variables for full list):
    #   %u - username
    #   %n - user part in user@domain, same as %u if there's no domain
    #   %d - domain part in user@domain, empty if user there's no domain
    user_filter = (&(objectClass=inetOrgPerson)(mail=%u))

    # Password checking attributes:
    #  user: Virtual user name (user@domain), if you wish to change the
    #        user-given username to something else
    #  password: Password, may optionally start with {type}, eg. {crypt}
    # There are also other special fields which can be returned, see
    # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
    pass_attrs = mail=user,userPassword=password

    # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
    # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
    # also have to include user_attrs in pass_attrs field prefixed with "userdb_"
    # string. For example:
    #pass_attrs = uid=user,userPassword=password,\
    #  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

    # Filter for password lookups
    pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))

    # Attributes and filter to get a list of all users
    #iterate_attrs = uid=user
    #iterate_filter = (objectClass=posixAccount)

    # Default password scheme. "{scheme}" before password overrides this.
    # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
    default_pass_scheme = md5

auth-ldap.conf.ext:

    # This file is commonly accessed via passdb {} or userdb {} section in
    # conf.d/auth-ldap.conf.ext

    # This file is opened as root, so it should be owned by root and mode 0600.
    #
    # http://wiki2.dovecot.org/AuthDatabase/LDAP
    #
    # NOTE: If you're not using authentication binds, you'll need to give
    # dovecot-auth read access to userPassword field in the LDAP server.
    # With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
    # already be something like this:

    # access to attribute=userPassword
    #        by dn="<dovecot's dn>" read # add this
    #        by anonymous auth
    #        by self write
    #        by * none

    # Space separated list of LDAP hosts to use. host:port is allowed too.
    hosts = 127.0.0.1

    # LDAP URIs to use. You can use this instead of hosts list. Note that this
    # setting isn't supported by all LDAP libraries.
    #uris =

    # Distinguished Name - the username used to login to the LDAP server.
    # Leave it commented out to bind anonymously (useful with auth_bind=yes).
    #dn =

    # Password for LDAP server, if dn is specified.
    #dnpass =

    # Use SASL binding instead of the simple binding. Note that this changes
    # ldap_version automatically to be 3 if it's lower.
    #sasl_bind = no
    # SASL mechanism name to use.
    #sasl_mech =
    # SASL realm to use.
    #sasl_realm =
    # SASL authorization ID, ie. the dnpass is for this "master user", but the
    # dn is still the logged in user. Normally you want to keep this empty.
    #sasl_authz_id =

    # Use TLS to connect to the LDAP server.
    #tls = no
    # TLS options, currently supported only with OpenLDAP:
    #tls_ca_cert_file =
    #tls_ca_cert_dir =
    #tls_cipher_suite =
    # TLS cert/key is used only if LDAP server requires a client certificate.
    #tls_cert_file =
    #tls_key_file =
    # Valid values: never, hard, demand, allow, try
    #tls_require_cert =

    # Use the given ldaprc path.
    #ldaprc_path =

    # LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
    # -1 = everything. You may need to recompile OpenLDAP with debugging enabled
    # to get enough output.
    debug_level = 0

    # Use authentication binding for verifying password's validity. This works by
    # logging into LDAP server using the username and password given by client.
    # The pass_filter is used to find the DN for the user. Note that the pass_attrs
    # is still used, only the password field is ignored in it. Before doing any
    # search, the binding is switched back to the default DN.
    auth_bind = no

    # If authentication binding is used, you can save one LDAP request per login
    # if users' DN can be specified with a common template. The template can use
    # the standard %variables (see user_filter). Note that you can't
    # use any pass_attrs if you use this setting.
    #
    # If you use this setting, it's a good idea to use a different
    # dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
    # the filename is different in userdb's args). That way one connection is used
    # only for LDAP binds and another connection is used for user lookups.
    # Otherwise the binding is changed to the default DN before each user lookup.
    #
    # For example:
    #   auth_bind_userdn = cn=%u,ou=people,o=org
    #
    #auth_bind_userdn =

    # LDAP protocol version to use. Likely 2 or 3.
    ldap_version = 3

    # LDAP base. %variables can be used here.
    # For example: dc=mail, dc=example, dc=org
    base = ou=Users,dc=example,dc=com

    # Dereference: never, searching, finding, always
    deref = never

    # Search scope: base, onelevel, subtree
    scope = subtree

    # User attributes are given in LDAP-name=dovecot-internal-name list. The
    # internal names are:
    #   uid - System UID
    #   gid - System GID
    #   home - Home directory
    #   mail - Mail location
    #
    # There are also other special fields which can be returned, see
    # http://wiki2.dovecot.org/UserDatabase/ExtraFields
    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid

    # Filter for user lookup. Some variables can be used (see
    # http://wiki2.dovecot.org/Variables for full list):
    #   %u - username
    #   %n - user part in user@domain, same as %u if there's no domain
    #   %d - domain part in user@domain, empty if user there's no domain
    user_filter = (&(objectClass=inetOrgPerson)(mail=%u))

    # Password checking attributes:
    #  user: Virtual user name (user@domain), if you wish to change the
    #        user-given username to something else
    #  password: Password, may optionally start with {type}, eg. {crypt}
    # There are also other special fields which can be returned, see
    # http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
    pass_attrs = mail=user,userPassword=password

    # If you wish to avoid two LDAP lookups (passdb + userdb), you can use
    # userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
    # also have to include user_attrs in pass_attrs field prefixed with "userdb_"
    # string. For example:
    #pass_attrs = uid=user,userPassword=password,\
    #  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

    # Filter for password lookups
    pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))

    # Attributes and filter to get a list of all users
    #iterate_attrs = uid=user
    #iterate_filter = (objectClass=posixAccount)

    # Default password scheme. "{scheme}" before password overrides this.
    # List of supported schemes is in: http://wiki2.dovecot.org/Authentication
    default_pass_scheme = md5

10-master.conf:

    #default_process_limit = 100
    #default_client_limit = 1000

    # Default VSZ (virtual memory size) limit for service processes. This is mainly
    # intended to catch and kill processes that leak memory before they eat up
    # everything.
    #default_vsz_limit = 256M

    # Login user is internally used by login processes. This is the most untrusted
    # user in Dovecot system. It shouldn't have access to anything at all.
    #default_login_user = dovenull

    # Internal user is used by unprivileged processes. It should be separate from
    # login user, so that login processes can't disturb other processes.
    #default_internal_user = dovecot

    service imap-login {
      inet_listener imap {
        #port = 143
      }
      inet_listener imaps {
        #port = 993
        #ssl = yes
      }

      # Number of connections to handle before starting a new process. Typically
      # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
      # is faster. <doc/wiki/LoginProcess.txt>
      #service_count = 1

      # Number of processes to always keep waiting for more connections.
      #process_min_avail = 0

      # If you set service_count=0, you probably need to grow this.
      #vsz_limit = $default_vsz_limit
    }

    service pop3-login {
      inet_listener pop3 {
        #port = 110
      }
      inet_listener pop3s {
        #port = 995
        #ssl = yes
      }
    }

    service lmtp {
      unix_listener lmtp {
        #mode = 0666
      }

      # Create inet listener only if you can't use the above UNIX socket
      #inet_listener lmtp {
        # Avoid making LMTP visible for the entire internet
        #address =
        #port =
      #}
    }

    service imap {
      # Most of the memory goes to mmap()ing files. You may need to increase this
      # limit if you have huge mailboxes.
      #vsz_limit = $default_vsz_limit

      # Max. number of IMAP processes (connections)
      #process_limit = 1024
    }

    service pop3 {
      # Max. number of POP3 processes (connections)
      #process_limit = 1024
    }

    service auth {
      # auth_socket_path points to this userdb socket by default. It's typically
      # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
      # full permissions to this socket are able to get a list of all usernames and
      # get the results of everyone's userdb lookups.
      #
      # The default 0666 mode allows anyone to connect to the socket, but the
      # userdb lookups will succeed only if the userdb returns an "uid" field that
      # matches the caller process's UID. Also if caller's uid or gid matches the
      # socket's uid or gid the lookup succeeds. Anything else causes a failure.
      #
      # To give the caller full permissions to lookup all users, set the mode to
      # something else than 0666 and Dovecot lets the kernel enforce the
      # permissions (e.g. 0777 allows everyone full permissions).
      unix_listener auth-userdb {
        mode = 0666
        user = vmail
        group = vmail
      }

      # Postfix smtp-auth
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
      }

      # Auth process is run as this user.
      # user = $default_internal_user
    }

    service auth-worker {
      # Auth worker process is run as root by default, so that it can access
      # /etc/shadow. If this isn't necessary, the user should be changed to
      # $default_internal_user.
      #user = root
    }

    service dict {
      # If dict proxy is used, mail processes should have access to its socket.
      # For example: mode=0660, group=vmail and global mail_access_groups=vmail
      unix_listener dict {
        #mode = 0600
        #user =
        #group =
      }
    }

and 10-auth.conf:

    ##
    ## Authentication processes
    ##

    # Disable LOGIN command and all other plaintext authentications unless
    # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
    # matches the local IP (ie. you're connecting from the same computer), the
    # connection is considered secure and plaintext authentication is allowed.
    # See also ssl=required setting.
    #disable_plaintext_auth = yes

    # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
    # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
    #auth_cache_size = 0
    # Time to live for cached data. After TTL expires the cached record is no
    # longer used, *except* if the main database lookup returns internal failure.
    # We also try to handle password changes automatically: If user's previous
    # authentication was successful, but this one wasn't, the cache isn't used.
    # For now this works only with plaintext authentication.
    #auth_cache_ttl = 1 hour
    # TTL for negative hits (user not found, password mismatch).
    # 0 disables caching them completely.
    #auth_cache_negative_ttl = 1 hour

    # Space separated list of realms for SASL authentication mechanisms that need
    # them. You can leave it empty if you don't want to support multiple realms.
    # Many clients simply use the first one listed here, so keep the default realm
    # first.
    #auth_realms =

    # Default realm/domain to use if none was specified. This is used for both
    # SASL realms and appending @domain to username in plaintext logins.
    #auth_default_realm =

    # List of allowed characters in username. If the user-given username contains
    # a character not listed in here, the login automatically fails. This is just
    # an extra check to make sure user can't exploit any potential quote escaping
    # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
    # set this value to empty.
    #auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

    # Username character translations before it's looked up from databases. The
    # value contains series of from -> to characters. For example "#@/@" means
    # that '#' and '/' characters are translated to '@'.
    #auth_username_translation =

    # Username formatting before it's looked up from databases. You can use
    # the standard variables here, eg. %Lu would lowercase the username, %n would
    # drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
    # "-AT-". This translation is done after auth_username_translation changes.
    #auth_username_format = %Lu

    # If you want to allow master users to log in by specifying the master
    # username within the normal username string (ie. not using SASL mechanism's
    # support for it), you can specify the separator character here. The format
    # is then <username><separator><master username>. UW-IMAP uses "*" as the
    # separator, so that could be a good choice.
    #auth_master_user_separator =

    # Username to use for users logging in with ANONYMOUS SASL mechanism
    #auth_anonymous_username = anonymous

    # Maximum number of dovecot-auth worker processes. They're used to execute
    # blocking passdb and userdb queries (eg. MySQL and PAM). They're
    # automatically created and destroyed as needed.
    #auth_worker_max_count = 30

    # Host name to use in GSSAPI principal names. The default is to use the
    # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
    # entries.
    #auth_gssapi_hostname =

    # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
    # default (usually /etc/krb5.keytab) if not specified. You may need to change
    # the auth service to run as root to be able to read this file.
    #auth_krb5_keytab =

    # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
    # ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
    #auth_use_winbind = no

    # Path for Samba's ntlm_auth helper binary.
    #auth_winbind_helper_path = /usr/bin/ntlm_auth

    # Time to delay before replying to failed authentications.
    #auth_failure_delay = 2 secs

    # Require a valid SSL client certificate or the authentication fails.
    #auth_ssl_require_client_cert = no

    # Take the username from client's SSL certificate, using
    # X509_NAME_get_text_by_NID() which returns the subject's DN's
    # CommonName.
    #auth_ssl_username_from_cert = no

    # Space separated list of wanted authentication mechanisms:
    #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
    #   gss-spnego
    # NOTE: See also disable_plaintext_auth setting.
    auth_mechanisms = plain login

    ##
    ## Password and user databases
    ##

    #
    # Password database is used to verify user's password (and nothing more).
    # You can have multiple passdbs and userdbs. This is useful if you want to
    # allow both system users (/etc/passwd) and virtual users to login without
    # duplicating the system users into virtual database.
    #
    # <doc/wiki/PasswordDatabase.txt>
    #
    # User database specifies where mails are located and what user/group IDs
    # own them. For single-UID configuration use "static" userdb.
    #
    # <doc/wiki/UserDatabase.txt>

    #!include auth-deny.conf.ext
    #!include auth-master.conf.ext

    #!include auth-system.conf.ext
    #!include auth-sql.conf.ext
    !include auth-ldap.conf.ext
    #!include auth-passwdfile.conf.ext
    #!include auth-checkpassword.conf.ext
    #!include auth-vpopmail.conf.ext
    #!include auth-static.conf.ext

I’m sure there’s just a simple mistake, but I’m not able to spot it. All help appreciated.
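The debug log above shows the search returning `mail` but `userPassword missing`, which is exactly what slapd does when the bound identity is only granted `auth` (not `read`) on that attribute. The following is an added example, not code from the post or from Dovecot/OpenLDAP: it evaluates the posted `olcAccess` rules the way slapd does (first matching `to` clause, first matching `by` clause), derives the bind identity from a constructed excerpt of the posted `dovecot-ldap.conf.ext` (`dn` commented out, `auth_bind = no`, hence an anonymous bind), and checks whether that identity can read `userPassword`; `FIXED_ACL`, which grants `read` to the `uid=dovecot,ou=Services` entry that exists in the posted tree, is a constructed suggestion.

```python
import re

# slapd access levels from weakest to strongest; a grant at one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three olcAccess values from the posted olcDatabase={1}mdb.ldif (index prefixes dropped).
POSTED_ACL = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    "to attrs=shadowLastChange by self write by * read",
    "to * by * read",
]
DOVECOT_DN = "uid=dovecot,ou=Services,dc=example,dc=com"      # service entry in the posted tree
USER_DN = "cn=Richard Williams,ou=Users,dc=example,dc=com"    # entry whose password is looked up

# Constructed correction (not from the post): let the Dovecot service account read userPassword.
FIXED_ACL = [
    'to attrs=userPassword by self write by anonymous auth by dn.exact="%s" read by * none' % DOVECOT_DN,
    "to attrs=shadowLastChange by self write by * read",
    "to * by * read",
]

# Constructed excerpt mirroring the posted dovecot-ldap.conf.ext: dn commented out, auth_bind = no.
POSTED_LDAP_CONF = "hosts = 127.0.0.1\n#dn =\n#dnpass =\nauth_bind = no\n"


def parse_clause(clause):
    """Split 'to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    m = re.match(r"\s*to\s+(\S+)(.*)", clause)
    if not m:
        raise ValueError("malformed access clause: %r" % clause)
    by_rules = re.findall(r'by\s+(\*|self|anonymous|users|dn(?:\.\w+)?="[^"]*")\s+(\w+)', m.group(2))
    return m.group(1), by_rules


def clause_applies(what, attr):
    """Does the 'to' part cover this attribute? ('*' covers everything.)"""
    if what == "*":
        return True
    m = re.match(r"attrs?=(.+)", what)
    return bool(m) and attr in m.group(1).split(",")


def who_matches(who, bind_dn, target_dn):
    """Match a 'by' subject against the bound identity; bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.match(r'dn(?:\.(\w+))?="([^"]*)"', who)
    if m and bind_dn is not None:
        style, dn = (m.group(1) or "exact"), m.group(2).lower()
        if style in ("exact", "base"):
            return bind_dn.lower() == dn
        if style == "subtree":
            return bind_dn.lower().endswith(dn)
    return False


def granted_level(acl, attr, bind_dn, target_dn):
    """slapd semantics: the first 'to' clause covering the attribute decides, and within
    it the first matching 'by' wins; anything unmatched is 'none'."""
    for clause in acl:
        what, by_rules = parse_clause(clause)
        if not clause_applies(what, attr):
            continue
        for who, level in by_rules:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def can_read(acl, attr, bind_dn, target_dn):
    """With auth_bind = no, Dovecot must be able to *read* the password attribute."""
    return LEVELS.index(granted_level(acl, attr, bind_dn, target_dn)) >= LEVELS.index("read")


def dovecot_bind_dn(ldap_conf):
    """DN from an uncommented 'dn =' line in dovecot-ldap.conf.ext, or None for an anonymous bind."""
    for line in ldap_conf.splitlines():
        m = re.match(r"\s*dn\s*=\s*(\S.*)", line)
        if m:
            return m.group(1).strip()
    return None


if __name__ == "__main__":
    bind = dovecot_bind_dn(POSTED_LDAP_CONF)
    print("Dovecot binds as:", bind or "anonymous")
    print("posted ACL grants on userPassword:", granted_level(POSTED_ACL, "userPassword", bind, USER_DN))
    print("fixed ACL, bound as service DN:", granted_level(FIXED_ACL, "userPassword", DOVECOT_DN, USER_DN))
```

The same `mail` attribute falls through to the catch-all `to * by * read` clause, which is why the search result in the log carries `mail=` but no password.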

Dovecot can’t read any userdb other than /etc/passwd

Over the last day I had a lot of trouble with the Dovecot userdb. The problem was that Dovecot only read /etc/passwd and not my custom /etc/dovecot/users file. I changed /etc/dovecot/auth-passwdfile.conf.ext so that it looked like this (vmail is a user I created on my Debian machine):

    # Authentication for passwd-file users. Included from 10-auth.conf.
    # passwd-like file with specified location.
    # <doc/wiki/AuthDatabase.PasswdFile.txt>

    passdb {
      driver = passwd-file
      args = /etc/dovecot/users
    }

    userdb {
      driver = static
      args = uid=vmail gid=vmail home=/home/vmail/%u
    }

My users file looked like this (syntax of the /etc/passwd file):

    test:{PLAIN}pass::::::
    bill:{PLAIN}secret::::::

But when I checked whether Dovecot could read my users file (command: doveadm user USERNAME), it failed to read the users file.

After I checked if everything was spelled correctly I started searching for the error.

And I found it 🙂

Since dovecot.conf is just a file including other config files, I started to search in those for the error. Somehow Dovecot was still searching in /etc/passwd for the users and not in my /etc/dovecot/users file, even though I had changed auth-passwdfile.conf.ext. The error was in the 10-auth.conf file. This file has several options to include conf files. By default it includes the auth-system.conf.ext file. But this file still defines that /etc/passwd is used as our userdb. So I commented out this line and uncommented the line including our auth-passwdfile.conf.ext file. And just to be safe I also changed the path in the auth-system.conf.ext file to our /etc/dovecot/users userdb file.

And that’s it. After this it worked. The doveadm user test command is working.

As I am relatively new to this kind of stuff I would be interested in feedback on this solution. And please excuse my bad English.
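The two things the post above had to track down, which `!include` lines in `10-auth.conf` are actually active and what the passwd-file contains, are easy to check mechanically. The following is an added example, not code from the post or from Dovecot: it lists the active `auth-*.conf.ext` includes, parses the posted users file in Dovecot's `user:password:uid:gid:gecos:home:shell:extra` passwd-file layout, and reports the findings a reviewer would raise (system passdb still active, passwd-file not included, `{PLAIN}` passwords on disk). The `10-auth.conf` excerpts and the `{SHA512-CRYPT}` sample entry are constructed.

```python
import re

# Constructed 10-auth.conf tail as it ships by default: only the system passdb is included.
AUTH_CONF_BEFORE = """\
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
"""

# Constructed version after the post's fix: system passdb commented out, passwd-file enabled.
AUTH_CONF_AFTER = (AUTH_CONF_BEFORE
                   .replace("!include auth-system", "#!include auth-system")
                   .replace("#!include auth-passwdfile", "!include auth-passwdfile"))

# The users file exactly as posted (user:password:uid:gid:gecos:home:shell:extra).
USERS_FILE = "test:{PLAIN}pass::::::\nbill:{PLAIN}secret::::::\n"


def active_includes(conf_text):
    """Return the auth-*.conf.ext files whose '!include' line is not commented out."""
    active = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*!include\s+(auth-\S+\.conf\.ext)", line)
        if m:
            active.append(m.group(1))
    return active


def parse_passwd_file(text):
    """Parse Dovecot passwd-file lines into dicts; the {SCHEME} prefix is split off the password."""
    users = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("line %d: expected user:password[:uid:gid:gecos:home:shell:extra]" % n)
        m = re.match(r"\{([^}]+)\}(.*)", fields[1])
        scheme, password = (m.group(1).upper(), m.group(2)) if m else (None, fields[1])
        rest = fields[2:] + [""] * (6 - len(fields[2:]))   # pad the optional columns
        users.append({"user": fields[0], "scheme": scheme, "password": password,
                      "uid": rest[0], "gid": rest[1], "home": rest[3], "extra": rest[5]})
    return users


def audit(conf_text, users_text):
    """Findings about this passdb setup, in the order a reviewer would raise them."""
    findings = []
    includes = active_includes(conf_text)
    if "auth-system.conf.ext" in includes:
        findings.append("auth-system.conf.ext is still included: the system passdb (/etc/passwd) is active")
    if "auth-passwdfile.conf.ext" not in includes:
        findings.append("auth-passwdfile.conf.ext is not included: /etc/dovecot/users is never consulted")
    for u in parse_passwd_file(users_text):
        if u["scheme"] in ("PLAIN", "CLEARTEXT"):
            findings.append("user %s: password stored in clear text; use a salted hash scheme" % u["user"])
    return findings


if __name__ == "__main__":
    for f in audit(AUTH_CONF_BEFORE, USERS_FILE):
        print("-", f)
    print("after fix:", audit(AUTH_CONF_AFTER, "bill:{SHA512-CRYPT}$6$salt$hash:::::\n") or "no findings")
```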