From e3cb42039350c94e2eb0126aa548afa02adf9a79 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 12 Dec 2024 15:13:11 +0200 Subject: [PATCH 01/13] settings: Add passdb_ and userdb_ prefixes to auth-specific ldap_* settings --- data/settings.js | 141 +++++++++++++++--------- docs/core/config/auth/databases/ldap.md | 13 ++- docs/core/man/include/option-A.inc | 2 +- docs/howto/restrict_access.md | 4 +- 4 files changed, 98 insertions(+), 62 deletions(-) diff --git a/data/settings.js b/data/settings.js index 1fff94cf7..26f597da8 100644 --- a/data/settings.js +++ b/data/settings.js @@ -11026,57 +11026,6 @@ You may need to recompile OpenLDAP with debugging enabled to get enough output.` Specify dereference which is set as an LDAP option.` }, - ldap_filter: { - tags: [ 'ldap' ], - values: setting_types.STRING, - text: ` -::: info - LDAP Authentication Only -::: - -Filter for password and user lookups (passdb/userdb lookup). - -Variables that can be used (see [[variable]] for full list). - -Example: - -\`\`\` -ldap_filter = (&(objectClass=posixAccount)(uid=%u)) -\`\`\`` - }, - - ldap_iterate_fields: { - tags: [ 'ldap' ], - values: setting_types.STRLIST, - text: ` -::: info - LDAP Authentication Only -::: - -Attributes to get a list of all users. Currently only the attribute -\`user\` is supported. - -Example: -\`\`\` - iterate_attrs { - user = %{ldap:mailRoutingAddress} - } -\`\`\`` - }, - - ldap_iterate_filter: { - tags: [ 'ldap' ], - values: setting_types.STRING, - text: ` -::: info - LDAP Authentication Only -::: - -Filter to get a list of all users. - -Example: \`ldap_iterate_filter = (objectClass=smiMessageRecipient)\`` - }, - ldap_scope: { tags: [ 'ldap' ], default: 'subtree', 
@@ -11130,7 +11079,7 @@ Set \`yes\` to use authentication binding for verifying password's validity. This works by logging into LDAP server using the username and password given by client.
-The [[setting,ldap_filter]] is used to find the DN for the user.
+The [[setting,passdb_ldap_filter]] is used to find the DN for the user.
 Note that the [[setting,passdb_fields]] are still used, only the password field is ignored in it.
@@ -11157,6 +11106,92 @@ the standard [[variable]]. Note that you can't use any [[setting,passdb_fields]] declaration if you use this setting. Example: \`passdb_ldap_bind_userdn = cn=%u,ou=people,o=org\`` - } + }, + + passdb_ldap_filter: { + tags: [ 'ldap' ], + values: setting_types.STRING, + text: ` +::: info + LDAP Authentication Only +::: + +Filter for passdb lookup. + +Variables that can be used (see [[variable]] for full list). + +Example: + +\`\`\` +passdb ldap { + filter = (&(objectClass=posixAccount)(uid=%u)) + #... +} +\`\`\`` + }, + + userdb_ldap_filter: { + tags: [ 'ldap' ], + values: setting_types.STRING, + text: ` +::: info + LDAP Authentication Only +::: + +Filter for userdb lookup. + +Variables that can be used (see [[variable]] for full list). + +Example: + +\`\`\` +userdb ldap { + filter = (&(objectClass=posixAccount)(uid=%u)) + #... +} +\`\`\`` + }, + + userdb_ldap_iterate_fields: { + tags: [ 'ldap' ], + values: setting_types.STRLIST, + text: ` +::: info + LDAP Authentication Only +::: + +Attributes to get a list of all users. Currently only the attribute +\`user\` is supported. + +Example: +\`\`\` +userdb ldap { + iterate_filter = (objectClass=smiMessageRecipient) + iterate_attrs { + user = %{ldap:mailRoutingAddress} + } +} +\`\`\`` + }, + + userdb_ldap_iterate_filter: { + tags: [ 'ldap' ], + values: setting_types.STRING, + text: ` +::: info + LDAP Authentication Only +::: + +Filter to get a list of all users. + +\`\`\` +userdb ldap { + iterate_filter = (objectClass=smiMessageRecipient) + iterate_attrs { + user = %{ldap:mailRoutingAddress} + } +} +\`\`\`` + }, } diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index fa225380c..beea72e75 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md 
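Review bot: The `userdb_ldap_iterate_fields` entry documents a setting whose name ends in `iterate_fields`, but both new examples (here and under `userdb_ldap_iterate_filter`) write the block as `iterate_attrs { … }`, which will not match what a reader types; the ldap.md hunk later in this series uses `iterate_fields {`, so both examples should read `iterate_fields {` as well. Separately, the `passdb_ldap_filter` and `userdb_ldap_filter` examples substitute `%u` straight into the search filter, and a reader hardening authentication will want to know whether Dovecot escapes LDAP filter metacharacters (`*`, `(`, `)`, `\`, NUL) in variable values before substitution; if it does, one sentence saying so under "Variables that can be used" closes that question, and if not, the example needs a warning. The `%u` short form also looks inconsistent with the `%{user}` long form used elsewhere in this series, though I cannot see from this page whether a later patch converts these entries.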
@@ -82,7 +82,7 @@ $ ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f doveauth_access.ldif The two important settings in password lookups are: -- [[setting,ldap_filter]] specifies the LDAP filter how user is found from the +- [[setting,passdb_ldap_filter]] specifies the LDAP filter how user is found from the LDAP. You can use all the normal [[variable]] like `%{user}` in the filter. - [[setting,passdb_fields]] specifies a list of attributes that are returned and @@ -187,8 +187,8 @@ to configure this: lookup or template. ### DN Lookup -DN is looked up by sending a [[setting,ldap_filter]] LDAP request and getting -the DN from the reply. This is very similar to doing a +DN is looked up by sending a [[setting,passdb_ldap_filter]] LDAP request and +getting the DN from the reply. This is very similar to doing a [password lookup](#password-lookups). The only difference is that `userPassword` attribute isn't returned. @@ -221,7 +221,8 @@ of two LDAP requests per login in both cases). If you're also using Dovecot for SMTP AUTH, it doesn't do a userdb lookup so the prefetch optimization doesn't help. -If you're using DN template, [[setting,passdb_fields]] and [[setting,ldap_filter]] settings +If you're using DN template, [[setting,passdb_fields]] and +[[setting,passdb_ldap_filter]] settings are completely ignored. That means you can't make passdb return any [[link,passdb_extra_fields]]. You should also set [[setting,auth_username_format,%{user | lower}]] in `dovecot.conf` to normalize the @@ -372,7 +373,7 @@ concurrent LDAP connections. Otherwise only a single LDAP connection is used. ::: - Normalize the username to exactly the `mailRoutingAddress` field's value -regardless of how the [[setting,ldap_filter]] found the user: +regardless of how the [[setting,passdb_ldap_filter]] found the user: ::: code-group ```[dovecot.conf] 
@@ -526,7 +527,7 @@ without knowing the user's password). The userdb lookups are configured in very much the same way as [password lookups](#password-lookups). [[setting,userdb_fields]] and -[[setting,ldap_filter]], are used in the same way in passdb. +[[setting,userdb_ldap_filter]], are used in the same way in passdb. If you're using a single UID and GID for all the users, you can specify them globally with [[setting,mail_uid]] and [[setting,mail_gid]] settings instead of diff --git a/docs/core/man/include/option-A.inc b/docs/core/man/include/option-A.inc index 305be5db0..c1e591791 100644 --- a/docs/core/man/include/option-A.inc +++ b/docs/core/man/include/option-A.inc @@ -9,5 +9,5 @@ [[setting,userdb_sql_iterate_query]] setting matches your database layout. When using the LDAP userdb module, make sure that the [[setting,userdb_fields]] - and [[setting,ldap_iterate_fields]] settings match your LDAP schema. + and [[setting,userdb_ldap_iterate_fields]] settings match your LDAP schema. Otherwise [[man,doveadm]] will be unable to iterate over all users. diff --git a/docs/howto/restrict_access.md b/docs/howto/restrict_access.md index 7ed5da210..23be3cfa7 100644 --- a/docs/howto/restrict_access.md +++ b/docs/howto/restrict_access.md @@ -44,10 +44,10 @@ passdb sql { ## LDAP -Just like with SQL, you can use `%{protocol}` in [[setting,ldap_filter]]: +Just like with SQL, you can use `%{protocol}` in [[setting,passdb_ldap_filter]]: ``` -pass_filter = (&(objectClass=posixAccount)(uid=%{user})(protocol=%{protocol})) +passdb_ldap__filter = (&(objectClass=posixAccount)(uid=%{user})(protocol=%{protocol})) ``` That would require setting both protocol=pop3 and protocol=imap attributes From f1a0def8c50663fa83d2aa26e0391e3028e44a6d Mon Sep 17 00:00:00 2001 
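Review bot: The restrict_access.md example has a doubled underscore, `passdb_ldap__filter = …`, so a reader copying it gets an unknown setting name instead of the protocol restriction the howto is about; the prose on the line above links `[[setting,passdb_ldap_filter]]`, and the rest of this series writes the same setting inside a block, so the example should read `passdb ldap {` / `  filter = (&(objectClass=posixAccount)(uid=%{user})(protocol=%{protocol}))` / `}`. Because this is an access-control example, a misspelled and therefore ignored setting would leave every protocol allowed, which is the opposite of what the page intends.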
From: Timo Sirainen Date: Thu, 12 Dec 2024 15:19:06 +0200 Subject: [PATCH 02/13] auth/ldap: Add passdb/userdb ldap sections around settings that require them --- docs/core/config/auth/databases/ldap.md | 56 ++++++++++++++++++------- 1 file changed, 41 insertions(+), 15 deletions(-) diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index beea72e75..f3cc6eb46 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -97,10 +97,12 @@ expression can include ldap specific variables and other variables too. For example: ::: code-group ```[dovecot.conf] +passdb ldap { fields { user = %{ldap:uid} password = %{ldap:userPassword} } +} ``` ::: @@ -356,8 +358,10 @@ The most important settings are: ::: code-group ```[dovecot.conf] - passdb_ldap_bind_userdn = %{user} - passdb_ldap_bind = yes +passdb ldap { + bind_userdn = %{user} + bind = yes +} ``` ::: @@ -377,12 +381,14 @@ regardless of how the [[setting,passdb_ldap_filter]] found the user: ::: code-group ```[dovecot.conf] +passdb ldap { fields { user = %{ldap:mailRoutingAddress} password = %{ldap:userPassword} proxy = y proxy_timeout = 10 } +} ``` ::: @@ -392,10 +398,12 @@ other means: ::: code-group ```[dovecot.conf] +passdb ldap { fields { user = %{ldap:mailRoutingAddress} quota_storage_size = %{ldap:messageQuotaHard}B } +} ``` ::: @@ -404,7 +412,9 @@ distinct values inside each [[setting,passdb]] / [[setting,userdb]] section): ::: code-group ```[dovecot.conf] -ldap_filter = (mailRoutingAddress=%{user}) +passdb ldap { + filter = (mailRoutingAddress=%{user}) +} ``` ::: 
@@ -412,11 +422,13 @@ ldap_filter = (mailRoutingAddress=%{user}) ::: code-group ```[dovecot.conf] - ldap_filter = (mailRoutingAddress=%{user}) - ldap_iterate_filter = (objectClass=messageStoreRecipient) +userdb ldap { + filter = (mailRoutingAddress=%{user}) + iterate_filter = (objectClass=messageStoreRecipient) iterate_fields { user = %{ldap:mailRoutingAddress} } +} ``` ::: @@ -534,18 +546,24 @@ them globally with [[setting,mail_uid]] and [[setting,mail_gid]] settings instea returning them from LDAP. ``` -ldap_filter = (&(objectClass=posixAccount)(uid=%{user})) -ldap_iterate_filter = (objectClass=posixAccount) -fields { +userdb ldap { + filter = (&(objectClass=posixAccount)(uid=%{user})) + fields { home = %{ldap:homeDirectory} uid = %{ldap:uidNumber} gid = %{ldap:gidNumber} + } } ``` -``` # For using doveadm -A: -fields=user=%{ldap:uid} +``` +userdb ldap { + iterate_filter = (objectClass=posixAccount) + iterate_fields { + user = %{ldap:uid} + } +} ``` ### Attribute Templates @@ -559,8 +577,10 @@ Create a `quota_storage_size` field with value `B` where `` comes from "quotaBytes" LDAP attribute: ``` -fields { - quota_storage_size = %{ldap:quotaBytes}B +userdb ldap { + fields { + quota_storage_size = %{ldap:quotaBytes}B + } } ``` @@ -568,8 +588,10 @@ Create a `mail_path` field with value `/var/mail//Maildir` where `` comes from "sAMAccountName" LDAP attribute: ``` -fields { - mail_path = /var/spool/vmail/%{ldap:sAMAccountName}/Maildir +userdb ldap { + fields { + mail_path = /var/spool/vmail/%{ldap:sAMAccountName}/Maildir + } } ``` @@ -577,9 +599,11 @@ You can add static fields that aren't looked up from LDAP. For example create a "mail_path" field with value `/var/vmail/%{user | domain}/%{user | username}/Maildir`: ``` -fields { +userdb ldap { + fields { quota_storage_size = %{ldap:quotaBytes}B mail_path = /var/vmail/%{user | domain}/%{user | username}/Maildir + } } ``` 
@@ -604,9 +628,11 @@ User names and domains may be distinguished using the [[variable]] The userdb may set a new username, too, using ``` +userdb ldap { fields { user = ... } +} ``` This will be used for: From 253a0c57701c1325b5b639b9ce5baf48ca3df760 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 12 Dec 2024 15:21:20 +0200 Subject: [PATCH 03/13] settings, ldap: Use "auth-ldap" tag for passdb/userdb ldap specific settings --- data/settings.js | 12 ++++++------ docs/core/config/auth/databases/ldap.md | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/data/settings.js b/data/settings.js index 26f597da8..7a8478279 100644 --- a/data/settings.js +++ b/data/settings.js @@ -11067,7 +11067,7 @@ LDAP protocol version to use. Likely \`2\` or \`3\`.` }, passdb_ldap_bind: { - tags: [ 'ldap' ], + tags: [ 'auth-ldap' ], default: 'no', values: setting_types.BOOLEAN, text: ` @@ -11092,7 +11092,7 @@ Otherwise the binding is changed to the default DN before each user lookup.` }, passdb_ldap_bind_userdn: { - tags: [ 'ldap' ], + tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` ::: info @@ -11109,7 +11109,7 @@ Example: \`passdb_ldap_bind_userdn = cn=%u,ou=people,o=org\`` }, passdb_ldap_filter: { - tags: [ 'ldap' ], + tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` ::: info @@ -11131,7 +11131,7 @@ passdb ldap { }, userdb_ldap_filter: { - tags: [ 'ldap' ], + tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` ::: info @@ -11153,7 +11153,7 @@ userdb ldap { }, userdb_ldap_iterate_fields: { - tags: [ 'ldap' ], + tags: [ 'auth-ldap' ], values: setting_types.STRLIST, text: ` ::: info @@ -11175,7 +11175,7 @@ userdb ldap { }, userdb_ldap_iterate_filter: { - tags: [ 'ldap' ], + tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` ::: info diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index f3cc6eb46..696bdb0af 100644 --- a/docs/core/config/auth/databases/ldap.md 
+++ b/docs/core/config/auth/databases/ldap.md @@ -522,6 +522,7 @@ returning the userdb information already in the passdb lookup. ## LDAP Settings + ## LDAP userdb From 577ce89255f292d0dde9d58bf9708bbb8f3dab14 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Thu, 12 Dec 2024 15:21:56 +0200 Subject: [PATCH 04/13] settings: Remove "LDAP Authentication Only" info boxes It's now clear enough based on the setting names. --- data/settings.js | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/data/settings.js b/data/settings.js index 7a8478279..5e40451cc 100644 --- a/data/settings.js +++ b/data/settings.js @@ -11071,10 +11071,6 @@ LDAP protocol version to use. Likely \`2\` or \`3\`.` default: 'no', values: setting_types.BOOLEAN, text: ` -::: info - LDAP Authentication Only -::: - Set \`yes\` to use authentication binding for verifying password's validity. This works by logging into LDAP server using the username and password given by client. @@ -11095,10 +11091,6 @@ Otherwise the binding is changed to the default DN before each user lookup.` tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` -::: info - LDAP Authentication Only -::: - If authentication binding is used, you can save one LDAP request per login if users' DN can be specified with a common template. The template can use the standard [[variable]]. @@ -11112,10 +11104,6 @@ Example: \`passdb_ldap_bind_userdn = cn=%u,ou=people,o=org\`` tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` -::: info - LDAP Authentication Only -::: - Filter for passdb lookup. Variables that can be used (see [[variable]] for full list). @@ -11134,10 +11122,6 @@ passdb ldap { tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` -::: info - LDAP Authentication Only -::: - Filter for userdb lookup. Variables that can be used (see [[variable]] for full list). 
@@ -11156,10 +11140,6 @@ userdb ldap { tags: [ 'auth-ldap' ], values: setting_types.STRLIST, text: ` -::: info - LDAP Authentication Only -::: - Attributes to get a list of all users. Currently only the attribute \`user\` is supported. @@ -11178,10 +11158,6 @@ userdb ldap { tags: [ 'auth-ldap' ], values: setting_types.STRING, text: ` -::: info - LDAP Authentication Only -::: - Filter to get a list of all users. \`\`\` From a9a4d6af6b9582dbc2ba366f3194faf2928d267e Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 13 Dec 2024 13:56:13 +0200 Subject: [PATCH 05/13] settings: Remove obsolete setting names --- data/settings.js | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/data/settings.js b/data/settings.js index 5e40451cc..acf56ef0d 100644 --- a/data/settings.js +++ b/data/settings.js @@ -2079,9 +2079,6 @@ Exactly one language must be marked with this flag.` text: ` The list of filters to apply. -Language specific filter chains can be specified with -\`language_filters_\` (e.g. \`language_filters_en\`). - See [[link,fts_filter_configuration]] for configuration information.` }, @@ -2096,9 +2093,6 @@ See [[link,fts_filter_configuration]] for configuration information.` text: ` The list of tokenizers to use. -This setting can be overridden for specific tokenizers by using -\`language_tokenizer_\` (e.g. \`language_tokenizer_generic\`). - See [[link,fts_tokenizer_configuration]] for configuration information.` }, @@ -5989,20 +5983,6 @@ The following values are currently supported: to be grayed out.` }, - 'imap_compress__level': { - default: '', - tags: ['imap'], - values: setting_types.UINT, - text: ` -Defines the compression level for the given algorithm. - -Per [[rfc,4978]], only the deflate algorithm is currently supported. - -| Algorithm | Minimum | Default | Maximum | -| --------- | ------- | ------- | ------- | -| \`deflate\` | 0 (no compression) | 6 | 9 |` - }, - imap_fetch_failure: { default: 'disconnect-immediately', tags: [ 'imap' ], 
From 5dd95a54fc9f5bcb29c2c1640c9080f951973663 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Fri, 13 Dec 2024 13:57:34 +0200
Subject: [PATCH 06/13] settings: Add escaping to default values containing <>
---
 data/settings.js | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/data/settings.js b/data/settings.js
index acf56ef0d..6292e2c8c 100644
--- a/data/settings.js
+++ b/data/settings.js
@@ -487,7 +487,7 @@ will generally not be useful.`
 managesieve_notify_capability: {
 tags: [ 'managesieve', 'sieve' ],
- default: '',
+ default: '\\',
 values: setting_types.STRING,
 advanced: true,
 text: `
@@ -630,7 +630,7 @@ would be when no discard script is configured.`
 sieve_extensions: {
 tags: [ 'sieve' ],
 plugin: 'sieve',
- default: '',
+ default: '\\',
 values: setting_types.STRING,
 text: `
 The Sieve language extensions available to users.
@@ -2002,7 +2002,7 @@ fts_decoder_tika_url = http://tikahost:9998/tika/
 textcat_config_path: {
 plugin: 'fts',
- default: '',
+ default: '\\',
 values: setting_types.STRING,
 seealso: [ 'language' ],
 text: `
@@ -2025,7 +2025,7 @@ textcat_config_path = /usr/share/libexttextcat/fpdb.conf
 language: {
 plugin: 'fts',
- default: '',
+ default: '\\',
 values: setting_types.NAMED_LIST_FILTER,
 dependencies: [ 'language_default' ],
 seealso: [ 'textcat_config_path', '[[link,fts_tokenization]]' ],
@@ -4165,7 +4165,7 @@ This setting doesn't affect internal failures. See
 },
 auth_gssapi_hostname: {
- default: '',
+ default: '\\',
 values: setting_types.STRING,
 text: `
 This supplies the hostname to use in Generic Security Services API
@@ -4191,7 +4191,7 @@ immediate retries.`
 },
 auth_krb5_keytab: {
- default: '',
+ default: '\\',
 values: setting_types.STRING,
 text: `
 This specifies the Kerberos keytab to use for the GSSAPI mechanism.
@@ -4694,7 +4694,7 @@ Name of the dict. The [[setting,dict_driver]] setting defaults to this.` dict_driver: { tags: [ 'dict' ], values: setting_types.STRING, - default: '', + default: '\\', text: ` The dict driver to use. Defaults to [[setting,dict_name]].` }, @@ -5379,7 +5379,7 @@ for HAProxy are aborted immediately.` }, hostname: { - default: '', + default: '\\', tags: [ 'submission' ], values: setting_types.STRING, text: ` @@ -7704,7 +7704,7 @@ automatically.` mail_path: { tags: [ 'mail-location' ], values: setting_types.STRING, - default: '', + default: '\\', seealso: [ '[[link,settings_variables_mail_user_variables]]', '[[link,home_directories_for_virtual_users]]', @@ -7744,7 +7744,7 @@ This can also be used to specify a different INBOX path with Maildir: mail_index_path: { tags: [ 'mail-location' ], values: setting_types.STRING, - default: '', + default: '\\', seealso: [ '[[link,design_indexes_index_format]]', '[[link,mail_location_index_files]]', @@ -7765,7 +7765,7 @@ The private index files are used with shared mailboxes to provide private mail_cache_path: { tags: [ 'mail-location' ], values: setting_types.STRING, - default: '', text: ` Place \`dovecot.index.cache\` files to this directory instead of among the other index files. This may be used as an optimization to split most index @@ -7840,7 +7840,7 @@ Specifies the filename used for storing mailbox subscriptions.` mailbox_directory_name: { tags: [ 'mail-location' ], values: setting_types.STRING, - default: '', seealso: [ 'mail_driver', 'mailbox_directory_name_legacy' ], text: ` Specifies the directory name used for mailbox, index, and control directory @@ -10114,7 +10114,7 @@ This setting is used for both incoming and outgoing SSL connections.` }, ssl_cipher_suites: { - default: '', + default: '\\', seealso: [ 'ssl', 'ssl_cipher_list', '[[link,ssl_configuration]]' ], values: setting_types.STRING, text: ` 
@@ -10214,7 +10214,7 @@ Which SSL crypto device to use.`
 },
 ssl_curve_list: {
- default: '',
+ default: '\\',
 seealso: [ 'ssl', '[[link,ssl_configuration]]' ],
 values: setting_types.STRING,
 text: `
From 31535d65d65571d0c818e4cbdd67f5c23f944833 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Fri, 13 Dec 2024 14:03:29 +0200
Subject: [PATCH 07/13] settings: Replace generic ldap tag with specific auth-ldap and dict-ldap
Since not all settings are currently supported by dict-ldap, it's better to be explicit.
---
 data/settings.js | 26 ++++++++++++-------------
 docs/core/config/auth/databases/ldap.md | 1 -
 2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/data/settings.js b/data/settings.js
index 6292e2c8c..357fba2e5 100644
--- a/data/settings.js
+++ b/data/settings.js
@@ -10926,7 +10926,7 @@ If enabled, ignore version mismatches between different Dovecot versions.`
 },
 ldap_auth_dn: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap', 'dict-ldap' ],
 values: setting_types.STRING,
 text: `
 Specify the Distinguished Name (the username used to login to the LDAP server).
@@ -10937,14 +10937,14 @@ Example: \`ldap_auth_dn = uid=dov-read,dc=example,dc=com,dc=.\``
 },
 ldap_auth_dn_password: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap', 'dict-ldap' ],
 values: setting_types.STRING,
 text: `
 Password for LDAP server. Used if [[setting,ldap_auth_dn]] is specified.`
 },
 ldap_auth_sasl_authz_id: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap' ],
 values: setting_types.STRING,
 text: `
 SASL authorization ID, ie. the [[setting,ldap_auth_dn_password]] is for this "master user", but the
@@ -10952,21 +10952,21 @@ SASL authorization ID, ie. the [[setting,ldap_auth_dn_password]] is for this "ma
 },
 ldap_auth_sasl_mechanisms: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap' ],
 values: setting_types.BOOLLIST,
 text: `
 List of SASL mechanism names to use.`
 },
 ldap_auth_sasl_realm: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap' ],
 values: setting_types.STRING,
 text: `
 SASL realm to use.`
 },
 ldap_base: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap' ],
 values: setting_types.STRING,
 text: `
 LDAP base.
@@ -10977,7 +10977,7 @@ Example: \`ldap_base = dc=mail, dc=example, dc=org\``
 },
 ldap_connection_group: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap' ],
 values: setting_types.STRING,
 text: `
 Only databases with the same connection group share the ldap connections.
@@ -10986,7 +10986,7 @@ and as such share the connections.`
 },
 ldap_debug_level: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap', 'dict-ldap' ],
 default: '0',
 values: setting_types.UINT,
 text: `
@@ -10998,7 +10998,7 @@ You may need to recompile OpenLDAP with debugging enabled to get enough output.`
 },
 ldap_deref: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap' ],
 default: 'never',
 values: setting_types.ENUM,
 values_enum: [ 'never', 'searching', 'finding', 'always' ],
@@ -11007,7 +11007,7 @@ Specify dereference which is set as an LDAP option.`
 },
 ldap_scope: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap' ],
 default: 'subtree',
 values: setting_types.ENUM,
 values_enum: [ 'base', 'onelevel', 'subtree' ],
@@ -11017,7 +11017,7 @@ This specifies the search scope.`
 ldap_starttls: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap', 'dict-ldap' ],
 default: 'no',
 values: setting_types.BOOLEAN,
 text: `
@@ -11025,7 +11025,7 @@ Set to \`yes\` to use TLS to connect to the LDAP server.`
 },
 ldap_uris: {
- tags: [ 'ldap' ],
+ tags: [ 'auth-ldap', 'dict-ldap' ],
 values: setting_types.STRING,
 text: `
 LDAP URIs to use.
@@ -11039,7 +11039,7 @@ Example: \`ldap_uris = ldaps://secure.domain.org\`` }, ldap_version: { - tags: [ 'ldap' ], + tags: [ 'auth-ldap' ], default: '3', values: setting_types.UINT, text: ` diff --git a/docs/core/config/auth/databases/ldap.md b/docs/core/config/auth/databases/ldap.md index 696bdb0af..b5f0cb3ef 100644 --- a/docs/core/config/auth/databases/ldap.md +++ b/docs/core/config/auth/databases/ldap.md @@ -521,7 +521,6 @@ returning the userdb information already in the passdb lookup. ## LDAP Settings - ## LDAP userdb From b5d18a8c3f0f347ff8e2403f13ad9dd518d43362 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 13 Dec 2024 14:09:13 +0200 Subject: [PATCH 08/13] settings: Convert acl_anyone to imap_acl_allow_anyone --- data/settings.js | 18 ++++++------------ docs/core/config/shared_mailboxes.md | 2 +- 2 files changed, 7 insertions(+), 13 deletions(-) diff --git a/data/settings.js b/data/settings.js index 357fba2e5..395100d96 100644 --- a/data/settings.js +++ b/data/settings.js @@ -2358,23 +2358,17 @@ fts_solr_batch_size = 1000 /* imap-acl plugin */ - acl_anyone: { + imap_acl_allow_anyone: { plugin: 'imap-acl', - values: setting_types.ENUM, - values_enum: [ 'allow' ], + values: setting_types.BOOLEAN, + default: 'no', text: ` -Users who have different set of keys cannot share mails when the mails are -encrypted, but sharing is possible within the scope of a key. - By default Dovecot doesn't allow using the IMAP \`anyone\` or \`authenticated\` identifier, because it would be an easy way to spam -other users in the system. If you wish to allow it, set: +other users in the system. -\`\`\` -plugin { - acl_anyone = allow -} -\`\`\`` +If [[plugin,mail-crypt]] is used, users who have different set of encryption +keys cannot share mails, but sharing is possible within the scope of a key.` }, /* last-login plugin */ diff --git a/docs/core/config/shared_mailboxes.md b/docs/core/config/shared_mailboxes.md index ef5204e1b..523f58d28 100644 
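Review bot: The new `imap_acl_allow_anyone` text never says what the setting does when set to `yes`: the old entry at least showed `acl_anyone = allow`, and after the rewrite the description only explains the default and then jumps to a mail-crypt note. A leading sentence such as `Set to yes to allow the IMAP anyone and authenticated identifiers in ACLs, i.e. to let any user share mailboxes with every other user on the system.` would restore that and keeps the spam warning next to the knob that enables it. The mail-crypt paragraph reads as unrelated here; phrasing it as "sharing to anyone only works between users holding the same encryption key" ties it back to this setting.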
--- a/docs/core/config/shared_mailboxes.md +++ b/docs/core/config/shared_mailboxes.md @@ -468,7 +468,7 @@ See [[plugin,acl]] for list of ``. ### Sharing Mailboxes to Everyone -See [[setting,acl_anyone]]. +See [[setting,imap_acl_allow_anyone]]. Note that you can also do this only for some users by using the second table "`anyone_shares`". Every user listed in this table shares his From b058812712d73ce56a55840eb83eb03a1df5be2b Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 13 Dec 2024 14:09:49 +0200 Subject: [PATCH 09/13] settings: Fix fts_decoder_script_socket_path example --- data/settings.js | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/data/settings.js b/data/settings.js index 395100d96..7a366602e 100644 --- a/data/settings.js +++ b/data/settings.js @@ -1830,9 +1830,8 @@ See the \`decode2text.sh\` script included in Dovecot for how to use this. Example: \`\`\` -plugin { - fts_decoder = decode2text -} +fts_decoder_driver = script +fts_decoder_script_socket_path = decode2text service decode2text { executable = script /usr/lib/dovecot/decode2text.sh From 6cdd937bea5618aca514f5a2043f21e5c7c77059 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 13 Dec 2024 14:11:13 +0200 Subject: [PATCH 10/13] settings: Fix notify_status example --- data/settings.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/settings.js b/data/settings.js index 7a366602e..64debbedc 100644 --- a/data/settings.js +++ b/data/settings.js @@ -2747,8 +2747,11 @@ The URI of the dictionary to use. This MUST be set for the plugin to be active. See [[link,dict]] for how to configure dictionaries. \`\`\` -plugin { - notify_status_dict = proxy:dict-async:notify_status +notify_status { + dict proxy { + name = notify_status + socket_path = dict-async + } } \`\`\`` }, From 2119cc8b975c90a1324c3b0c2b3f0cf6cd82d416 Mon Sep 17 00:00:00 2001 
From: Timo Sirainen Date: Fri, 13 Dec 2024 14:17:36 +0200 Subject: [PATCH 11/13] global: Remove various obsolete plugin section usage --- docs/core/config/auth/master_users.md | 4 ++-- docs/core/config/auth/userdb.md | 3 +-- docs/core/design/mail_user.md | 3 --- docs/core/plugins/fts.md | 6 +++--- docs/core/plugins/lazy_expunge.md | 4 ---- docs/core/plugins/push_notification_lua.md | 8 +++++--- docs/core/plugins/quota.md | 4 +--- docs/howto/virtual/simple_install.md | 3 +-- 8 files changed, 13 insertions(+), 22 deletions(-) diff --git a/docs/core/config/auth/master_users.md b/docs/core/config/auth/master_users.md index 35e9d48c3..ea30cacf5 100644 --- a/docs/core/config/auth/master_users.md +++ b/docs/core/config/auth/master_users.md @@ -71,10 +71,10 @@ The options for handling this are: You can create a `default ACL`, that applies to all mailboxes. See example below. -2. Set `plugin { acl_user=%{user} }`. This preserves the master_user for other +2. Set [[setting,acl_user,%{user}]]. This preserves the master_user for other purposes (e.g. `%{master_user}` variable). -3. Set `plugin { master_user=%{user} }`. This fully hides that master user login is +3. Change userdb to return `userdb_fields { master_user=%{user} }`. This fully hides that master user login is being used. Example configuration: diff --git a/docs/core/config/auth/userdb.md b/docs/core/config/auth/userdb.md index 727c54a8e..6c8348d23 100644 --- a/docs/core/config/auth/userdb.md +++ b/docs/core/config/auth/userdb.md @@ -203,8 +203,7 @@ helpful to know how Dovecot internally passes them: 1. First all actual settings are first read into memory. 2. Next all the extra fields returned by `userdb` lookup are used to override - the settings. Any unknown setting is placed into the plugin {} section - (e.g. `foo=bar` will be parsed as if it were `plugin { foo=bar }`). + the settings. 3. Last, if [[link,post_login_scripting]] is used, it may modify the settings. 
diff --git a/docs/core/design/mail_user.md b/docs/core/design/mail_user.md index 9c51f8318..a2497f85a 100644 --- a/docs/core/design/mail_user.md +++ b/docs/core/design/mail_user.md @@ -22,9 +22,6 @@ directly. Some of the most useful things you can do with a user are: - `mail_user_home_expand()` expands `~/` at the beginning of given path to user's actual home directory. -- `mail_user_plugin_getenv()` returns value for a setting defined in - `plugin {}` section. - Typically each new IMAP/POP3/etc. connection creates a single mail user. If the same process handles multiple connections for the same user, they don't share the same mail_user (especially since each mail_user has a diff --git a/docs/core/plugins/fts.md b/docs/core/plugins/fts.md index f8762c9a3..3474fd600 100644 --- a/docs/core/plugins/fts.md +++ b/docs/core/plugins/fts.md @@ -287,9 +287,9 @@ They are configured through [[setting,language_filters]]. Example: ``` -plugin { - language_filters = normalizer-icu snowball stopwords - language_filters_en = lowercase snowball english-possessive stopwords +language_filters = normalizer-icu snowball stopwords +language en { + language_filters = lowercase snowball english-possessive stopwords } ``` diff --git a/docs/core/plugins/lazy_expunge.md b/docs/core/plugins/lazy_expunge.md index d9fe5f562..d58f96245 100644 --- a/docs/core/plugins/lazy_expunge.md +++ b/docs/core/plugins/lazy_expunge.md @@ -73,10 +73,6 @@ acl_driver = vfile # Move messages to an .EXPUNGED mailbox lazy_expunge_mailbox = .EXPUNGED -plugin { - # Define ACL so that user cannot list the .EXPUNGED mailbox - acl = vfile:/etc/dovecot/dovecot.acl -} mailbox .EXPUNGED { # Expunged messages most likely don't want to be included in quota: quota_ignore = yes diff --git a/docs/core/plugins/push_notification_lua.md b/docs/core/plugins/push_notification_lua.md index 2c271a696..63dcecdb9 100644 --- a/docs/core/plugins/push_notification_lua.md +++ b/docs/core/plugins/push_notification_lua.md 
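Review bot: The lazy_expunge.md hunk removes the `plugin { acl = vfile:/etc/dovecot/dovecot.acl }` block together with the comment explaining that this ACL is what stops users from listing the `.EXPUNGED` mailbox, but nothing in the new example points at a global ACL file any more; `acl_driver = vfile` on the context line above carries no rules by itself, so the example as written no longer hides retained expunged mail from the user. If the new-style equivalent is a global ACL path setting, the example should set it to the same `/etc/dovecot/dovecot.acl` and keep the `# Define ACL so that user cannot list the .EXPUNGED mailbox` comment; I cannot see the replacement setting name from this page, so it needs confirming against the acl plugin docs.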
@@ -195,9 +195,11 @@ end ```lua:line-numbers -- To use: -- --- plugin { --- push_notification_driver = lua:file=/home/example/empty.lua --- push_lua_url = http://push.notification.server/handler +-- push_notification lua { +-- lua_file = /home/example/empty.lua +-- lua_settings { +-- push_lua_url = http://push.notification.server/handler +-- } -- } -- -- server is sent a POST message to given url with parameters diff --git a/docs/core/plugins/quota.md b/docs/core/plugins/quota.md index eadf5974a..94705f912 100644 --- a/docs/core/plugins/quota.md +++ b/docs/core/plugins/quota.md @@ -277,9 +277,7 @@ See [[setting,quota_exceeded_message]]. Example: ```[dovecot.conf] -plugin { - quota_exceeded_message = Quota exceeded, please go to http://www.example.com/over_quota_help for instructions on how to fix this. -} +quota_exceeded_message = Quota exceeded, please go to http://www.example.com/over_quota_help for instructions on how to fix this. ``` ## Quota Drivers diff --git a/docs/howto/virtual/simple_install.md b/docs/howto/virtual/simple_install.md index 0d69ce697..6eb472b3e 100644 --- a/docs/howto/virtual/simple_install.md +++ b/docs/howto/virtual/simple_install.md @@ -174,8 +174,7 @@ protocol imap { } } -plugin { - quota = maildir +quota User { } ``` From 9255a837c87770f460b399e48a9df78966849c52 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 13 Dec 2024 14:46:15 +0200 Subject: [PATCH 12/13] settings: Convert %short variables to %{long} variables --- data/settings.js | 193 +++++++++++++++++++++++------------------------ 1 file changed, 96 insertions(+), 97 deletions(-) diff --git a/data/settings.js b/data/settings.js index 64debbedc..a6b97a596 100644 --- a/data/settings.js +++ b/data/settings.js @@ -2391,7 +2391,7 @@ last_login { }, last_login_key: { - default: 'last-login/%u', + default: 'last-login/%{user}', plugin: 'last-login', values: setting_types.STRING, text: ` 
@@ -4468,7 +4468,7 @@ If you want to allow all characters, leave the value empty.` }, auth_username_format: { - default: '%Lu', + default: '%{user | lower}', values: setting_types.STRING, text: ` Formatting applied to username before querying the auth database. @@ -4477,9 +4477,9 @@ You can use the standard variables here. Examples: -- \`%Lu\`: Lowercases the username -- \`%n\`: Drops the domain if one was supplied -- \`%n-AT-%d\`: Changes the "@" symbol into "-AT-" before lookup +- \`%{user | lower}\`: Lowercases the username +- \`%{user | username}\`: Drops the domain if one was supplied +- \`%{user | username}-AT-%{user | domain}\`: Changes the "@" symbol into "-AT-" before lookup This translation is done after the changes specified with the [[setting,auth_username_translation]] setting.` 
@@ -4631,31 +4631,31 @@ service-specific configuration.` }, deliver_log_format: { - default: 'msgid=%m: %$', + default: 'msgid=%{msgid}: %{message}', values: setting_types.STRING_NOVAR, text: ` The format to use for logging mail deliveries. Variables that can be used for this setting (see [[variable,global]]): -| Variable Name | Short Form | Description | -| ------------- | ---------- | ----------- | -| \`%$\` | | Delivery status message (e.g., saved to INBOX) | -| \`%{msgid}\` | \`%m\` | Message-ID | -| \`%{subject}\` | \`%s\` | Subject | -| \`%{from}\` | \`%f\` | From address | -| \`%{from_envelope}\` | \`%e\` | SMTP FROM envelope | -| \`%{size}\` | \`%p\` | Physical size | -| \`%{vsize}\` | \`%w\` | Virtual size | -| \`%{to_envelope}\` | | RCPT TO envelope | -| \`%{delivery_time}\` | | How many milliseconds to deliver the mail | -| \`%{session_time}\` | | LMTP session duration, not including \`%{delivery_time}\` | -| \`%{storage_id}\` | | Backend-specific ID for mail, e.g. Maildir filename | +| Variable Name | Description | +| ------------- | ----------- | +| \`%{message}\` | Delivery status message (e.g., saved to INBOX) | +| \`%{msgid}\` | | Message-ID | +| \`%{subject}\` | Subject | +| \`%{from}\` | From address | +| \`%{from_envelope}\` | SMTP FROM envelope | +| \`%{size}\` | Physical size | +| \`%{vsize}\` | Virtual size | +| \`%{to_envelope}\` | RCPT TO envelope | +| \`%{delivery_time}\` | How many milliseconds to deliver the mail | +| \`%{session_time}\` | LMTP session duration, not including \`%{delivery_time}\` | +| \`%{storage_id}\` | Backend-specific ID for mail, e.g. Maildir filename | Example: \`\`\` -deliver_log_format = stime=%{session_time} msgid=%m: %$ +deliver_log_format = stime=%{session_time} msgid=%{msgid}: %{message} \`\`\`` }, 
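Review bot: The `%{msgid}` row in the rewritten deliver_log_format table still carries three cells, `| \`%{msgid}\` | | Message-ID |`, while the new header declares only two columns, so the row will render with an empty cell and a dangling "Message-ID" outside the table in some markdown renderers. The leftover empty cell is the old Short Form column that every other row dropped; the line should read `| \`%{msgid}\` | Message-ID |`. The enclosing `deliver_log_format` object is fully inside this hunk.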
@@ -6071,26 +6071,26 @@ when the client is in IDLE operation.` }, imap_logout_format: { - default: 'in=%i out=%o deleted=%{deleted} expunged=%{expunged} trashed=%{trashed} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes}', + default: 'in=%{input} out=%{output} deleted=%{deleted} expunged=%{expunged} trashed=%{trashed} hdr_count=%{fetch_hdr_count} hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} body_bytes=%{fetch_body_bytes}', tags: [ 'imap' ], values: setting_types.STRING_NOVAR, text: ` This setting specifies the IMAP logout format string. Supported variables, in addition to [[variable,mail-user]] are: -| Variable Name | Short Form | Description | -| ------------- | ---------- | ----------- | -| \`%{input}\` | \`%i\` | Total number of bytes read from client | -| \`%{output}\` | \`%o\` | Total number of bytes sent to client | -| \`%{fetch_hdr_count}\` | | Number of mails with mail header data sent to client | -| \`%{fetch_hdr_bytes}\` | | Number of bytes with mail header data sent to client | -| \`%{fetch_body_count}\` | | Number of mails with mail body data sent to client | -| \`%{fetch_body_bytes}\` | | Number of bytes with mail body data sent to client | -| \`%{deleted}\` | | Number of mails where client added \Deleted flag | -| \`%{expunged}\` | | Number of mails that client expunged, which does not include automatically expunged mails | -| \`%{autoexpunged}\` | | Number of mails that were automatically expunged after client disconnected | -| \`%{trashed}\` | | Number of mails that client copied/moved to the special_use=\Trash mailbox. 
| -| \`%{appended}\` | | Number of mails saved during the session |` +| Variable Name | Description | +| ------------- | ----------- | +| \`%{input}\` | Total number of bytes read from client | +| \`%{output}\` | Total number of bytes sent to client | +| \`%{fetch_hdr_count}\` | Number of mails with mail header data sent to client | +| \`%{fetch_hdr_bytes}\` | Number of bytes with mail header data sent to client | +| \`%{fetch_body_count}\` | Number of mails with mail body data sent to client | +| \`%{fetch_body_bytes}\` | Number of bytes with mail body data sent to client | +| \`%{deleted}\` | Number of mails where client added \Deleted flag | +| \`%{expunged}\` | Number of mails that client expunged, which does not include automatically expunged mails | +| \`%{autoexpunged}\` | Number of mails that were automatically expunged after client disconnected | +| \`%{trashed}\` | Number of mails that client copied/moved to the special_use=\Trash mailbox. | +| \`%{appended}\` | Number of mails saved during the session |` }, imap_max_line_length: { @@ -6123,7 +6123,7 @@ Example: # Store METADATA information within user's Maildir directory mail_attribute { dict file { - path = %h/Maildir/dovecot-attributes + path = %{home}/Maildir/dovecot-attributes } } @@ -6156,7 +6156,7 @@ be active. }, imap_urlauth_logout_format: { - default: 'in=%i out=%o', + default: 'in=%{input} out=%{output}', seealso: [ 'imap_urlauth_host' ], tags: [ 'imap' ], values: setting_types.STRING_NOVAR, @@ -6172,8 +6172,8 @@ Variables allowed: | Name | Description | | ---- | ----------- | -| \`%i\` | Total number of bytes read from the client | -| \`%o\` | Total number of bytes sent to the client |` +| \`%{input}\` | Total number of bytes read from the client | +| \`%{output}\` | Total number of bytes sent to the client |` }, imap_urlauth_port: { 
@@ -6403,7 +6403,7 @@ following configuration should be employed, where the credentials are represented by masteruser and masteruser-secret: \`\`\` -imapc_user = %u +imapc_user = %{user} imapc_master_user = masteruser imapc_password = masteruser-secret \`\`\` @@ -6963,7 +6963,7 @@ Variables allowed: }, login_log_format: { - default: '%$: %s', + default: '%{message}: %{elements}', values: setting_types.STRING_NOVAR, text: ` The formatting of login log messages. @@ -6972,12 +6972,12 @@ Variables allowed (in addition to [[variable,global]]): | Variable Name | Description | | ------------- | ----------- | -| \`%s\` | A [[setting,login_log_format_elements]] string | -| \`%$\` | The log data |` +| \`%{elements}\` | A [[setting,login_log_format_elements]] string | +| \`%{message}\` | The log data |` }, login_log_format_elements: { - default: 'user=<%u> method=%m rip=%r lip=%l mpid=%e %c session=<%{session}>', + default: 'user=<%{user}> method=%{mechanism} rip=%{remote_ip} lip=%{local_ip} mpid=%{mail_pid} %{secured} session=<%{session}>', // TODO: Provide join example values: setting_types.STRING_NOVAR, text: ` @@ -7289,7 +7289,7 @@ Example: \`\`\` mail_attribute { dict file { - path = %h/dovecot-attributes + path = %{home}/dovecot-attributes } } \`\`\`` @@ -7399,7 +7399,7 @@ The following example is one option when home is in \`/var/vmail/domain/user/\` and mails are in \`/var/vmail/domain/user/mail/\`: \`\`\`[dovecot.conf] -mail_home = /var/vmail/%d/%n +mail_home = /var/vmail/%{user | domain}/%{user | username} mail_path = ~/mail \`\`\` @@ -7407,7 +7407,7 @@ mail_path = ~/mail }, mail_log_prefix: { - default: '%s(%u)\<%{process:pid}\>\<%{session}\>', + default: '%{service}(%{user})<%{process:pid}><%{session}>: ', values: setting_types.STRING, text: ` You can specify a log prefix for mail processes here. 
@@ -8211,7 +8211,7 @@ The maximum time to wait for all locks to be released before aborting.` advanced: true, text: ` The mail-header selection algorithm to use for MD5 POP3 UIDLs when the -setting [[setting,pop3_uidl_format,%m]] is applied.` +setting [[setting,pop3_uidl_format,%{md5}]] is applied.` }, mbox_min_index_size: { @@ -8948,7 +8948,7 @@ Username attribute in response.` oauth2_username_validation_format: { tags: [ 'oauth2' ], values: setting_types.STRING, - default: '%u', + default: '%{user}', seealso: [ 'oauth2_username_attribute' ], text: ` Normalization for oauth2 provided username, this setting is normally not @@ -9436,7 +9436,7 @@ If enabled, only one POP3 session may exist for any single user.` }, pop3_logout_format: { - default: 'top=%t/%p retr=%r/%b del=%d/%m size=%s', + default: 'top=%{top_count}/%{top_bytes}, retr=%{retr_count}/%{retr_bytes}, del=%{deleted_count}/%{deleted_bytes}, size=%{message_bytes}', tags: [ 'pop3' ], values: setting_types.STRING_NOVAR, text: ` 
@@ -9444,19 +9444,19 @@ The string to display to the client on POP3 logout (informational only). Variables available (in addition to [[variable,mail-user]]): -| Variable Name | Short Form | Description | -| ------------- | ---------- | ----------- | -| \`%{input}\` | \`%i\` | Bytes read from the client | -| \`%{output}\` | \`%o\` | Bytes sent to the client | -| \`%{top_count}\` | \`%t\` | Number of TOP commands run | -| \`%{top_bytes}\` | \`%p\` | Bytes sent to the client because of TOP commands | -| \`%{retr_count}\` | \`%r\` | Number of RETR commands run | -| \`%{retr_bytes}\` | \`%b\` | Bytes sent to the client because of RETR commands | -| \`%{deleted_count}\` | \`%d\` | Number of deleted messages | -| \`%{deleted_bytes}\` | | Number of bytes in deleted messages | -| \`%{message_count}\` | \`%m\` | Number of messages before deletion | -| \`%{message_bytes}\` | \`%s\` | Mailbox size, in bytes, before deletion | -| \`%{uidl_change}\` | \`%u\` | The old and the new UIDL hash (which can be useful for identifying unexpected changes in UIDLs) |` +| Variable Name | Description | +| ------------- | ----------- | +| \`%{input}\` | Bytes read from the client | +| \`%{output}\` | Bytes sent to the client | +| \`%{top_count}\` | Number of TOP commands run | +| \`%{top_bytes}\` | Bytes sent to the client because of TOP commands | +| \`%{retr_count}\` | Number of RETR commands run | +| \`%{retr_bytes}\` | Bytes sent to the client because of RETR commands | +| \`%{deleted_count}\` | Number of deleted messages | +| \`%{deleted_bytes}\` | Number of bytes in deleted messages | +| \`%{message_count}\` | Number of messages before deletion | +| \`%{message_bytes}\` | Mailbox size, in bytes, before deletion | +| \`%{uidl_change}\` | The old and the new UIDL hash (which can be useful for identifying unexpected changes in UIDLs) |` }, pop3_no_flag_updates: { 
@@ -9505,23 +9505,23 @@ Options: }, pop3_uidl_format: { - default: '%08Xu%08Xv', + default: '%{uid | hex(8)}%{uidvalidity | hex(8)}', tags: [ 'pop3' ], values: setting_types.STRING_NOVAR, text: ` The POP3 unique mail identifier (UIDL) format to use. The following variables can be used in combination with the -standard variable modifiers (e.g., \`%Uf\` supplies the filename in uppercase) -and with [[variable,global]]: +standard variable filters (e.g., \`%{filename | upper}\` supplies the filename +in uppercase) and with [[variable,global]]: -| Variable Name | Short Form | Description | -| ------------- | ---------- | ----------- | -| \`%{uidvalidity}\` | \`%v\` | Mailbox's IMAP UIDVALIDITY value | -| \`%{uid}\` | \`%u\` | IMAP UID associated with the message | -| \`%{md5}\` | \`%m\` | MD5 sum of the mailbox headers in hex ([[link,mbox]] only) | -| \`%(unknown)\` | \`%f\` | Filename ([[link,maildir]] only) | -| \`%{guid}\` | \`%g\`| Dovecot GUID for the message |` +| Variable Name | Description | +| ------------- | ----------- | +| \`%{uidvalidity}\` | Mailbox's IMAP UIDVALIDITY value | +| \`%{uid}\` | IMAP UID associated with the message | +| \`%{md5}\` | MD5 sum of the mailbox headers in hex ([[link,mbox]] only) | +| \`%(unknown)\` | Filename ([[link,maildir]] only) | +| \`%{guid}\` | Dovecot GUID for the message |` }, pop3c_features: { @@ -9554,7 +9554,7 @@ following configuration should be employed, where the credentials are represented by masteruser and masteruser-secret: \`\`\` -pop3c_user = %u +pop3c_user = %{user} pop3c_master_user = masteruser pop3c_password = masteruser-secret \`\`\` @@ -9625,7 +9625,7 @@ Only used if [[setting,pop3c_ssl]] is enabled.` }, pop3c_user: { - default: '%u', + default: '%{user}', tags: [ 'pop3c' ], seealso: [ 'pop3c_master_user', 'pop3c_password' ], values: setting_types.STRING, 
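Review bot: The new introductory example for pop3_uidl_format, `\`%{filename | upper}\``, names a `filename` variable that the table below never lists: the filename entry is still shown as `\`%(unknown)\``, which is not a variable a reader can type. If `%{filename}` is the supported name (the example suggests so), the row should become `| \`%{filename}\` | Filename ([[link,maildir]] only) |`; otherwise the example should use a variable the table does document. I cannot confirm the real variable name from this diff, so please check against the pop3 variable list before choosing.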
@@ -9637,13 +9637,13 @@ POP3 server. }, postmaster_address: { - default: 'postmaster@%{if;%d;ne;;%d;%{hostname}}', + default: 'postmaster@%{user|domain|default(hostname)}', tags: [ 'lda', 'lmtp' ], values: setting_types.STRING, text: ` The From address from which email rejection messages (bounces) are sent. -As used here, the variable \`%d\` expands to the domain of the local user. +As used here, \`%{user | domain}\` expands to the domain of the local user. Other [[variable,mail-user]] can be used as well.` }, @@ -9709,9 +9709,9 @@ Example: \`\`\` protocol imap { - rawlog_dir = /tmp/rawlog/%u + rawlog_dir = /tmp/rawlog/%{user} # if you want to put files into user's homedir, use this, do not use ~ - #rawlog_dir = %h/rawlog + #rawlog_dir = %{home}/rawlog } \`\`\`` }, @@ -9724,7 +9724,7 @@ protocol imap { }, rejection_reason: { - default: 'Your message to \<%t\> was automatically rejected:%n%r', + default: 'Your message to <%{to}> was automatically rejected:%{literal(\'\\r\\n\')}%{reason}', tags: [ 'lda', 'lmtp' ], values: setting_types.STRING_NOVAR, text: ` @@ -9732,19 +9732,18 @@ A human-readable message for the recipients of bounce messages. The following variables are allowed, including [[variable,global]]: -| Variable Name | Short Form | Description | -| ------------- | ---------- | ----------- | -| \`%{crlf}\` | \`%n\` | Newline (CRLF) | -| \`%{reason}\` | \`%r\` | Reason for rejection | -| \`%{subject}\` | \`%s\` | Original subject line | -| \`%{to}\` | \`%t\` | Recipient address | +| Variable Name | Description | +| ------------- | ----------- | +| \`%{reason}\` | Reason for rejection | +| \`%{subject}\` | Original subject line | +| \`%{to}\` | Recipient address | The variable values are obtained from the mail being delivered or the delivery protocol.` }, rejection_subject: { - default: 'Rejected: %s', + default: 'Rejected: %{subject}', seealso: [ 'rejection_reason' ], tags: [ 'lda', 'lmtp' ], values: setting_types.STRING_NOVAR, 
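Review bot: The rejection_reason table drops the `%{crlf}` row, but the new default still inserts a line break via `%{literal(\'\\r\\n\')}`, so the text no longer tells an administrator how to produce a newline in a multi-line bounce message. A sentence after the table such as "To insert a line break, use `%{literal('\r\n')}` as the default value does" would close that gap; I am assuming the `literal()` filter interprets the `\r\n` escapes, which the diff does not show, so confirm the exact spelling against the variable documentation. Note also that the JS literal escapes the backslashes (`\\r\\n`), so the rendered default shows a literal `\r\n` rather than a real CRLF, which is presumably intended.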
@@ -10449,7 +10448,7 @@ Overrides [[setting,sendmail_path]] value, if set.` }, submission_logout_format: { - default: 'in=%i out=%o', + default: 'in=%{input} out=%{output}', tags: [ 'submission' ], values: setting_types.STRING_NOVAR, text: ` @@ -10457,13 +10456,13 @@ The SMTP Submission logout format string. Variables supported, including [[variable,mail-user]]: -| Variable Name | Short Form | Description | -| ------------- | ---------- | ----------- | -| \`%{input}\` | \`%i\` | Bytes read from client | -| \`%{output}\` | \`%o\` | Bytes sent to client | -| \`%{command_count}\` | | Number of commands received from client | -| \`%{reply_count}\` | | Number of replies sent to client | -| \`%{transaction_id}\` | | ID of the current transaction, if any |` +| Variable Name | Description | +| ------------- | ----------- | +| \`%{input}\` | Bytes read from client | +| \`%{output}\` | Bytes sent to client | +| \`%{command_count}\` | Number of commands received from client | +| \`%{reply_count}\` | Number of replies sent to client | +| \`%{transaction_id}\` | ID of the current transaction, if any |` }, submission_max_mail_size: { @@ -11073,7 +11072,7 @@ the standard [[variable]]. Note that you can't use any [[setting,passdb_fields]] declaration if you use this setting. -Example: \`passdb_ldap_bind_userdn = cn=%u,ou=people,o=org\`` +Example: \`passdb_ldap_bind_userdn = cn=%{user},ou=people,o=org\`` }, passdb_ldap_filter: { @@ -11088,7 +11087,7 @@ Example: \`\`\` passdb ldap { - filter = (&(objectClass=posixAccount)(uid=%u)) + filter = (&(objectClass=posixAccount)(uid=%{user})) #... } \`\`\`` @@ -11106,7 +11105,7 @@ Example: \`\`\` userdb ldap { - filter = (&(objectClass=posixAccount)(uid=%u)) + filter = (&(objectClass=posixAccount)(uid=%{user})) #... } \`\`\`` From 013c262dcb7625e2896d14f0d8a7c450a7033e3b Mon Sep 17 00:00:00 2001 
From: Timo Sirainen Date: Fri, 13 Dec 2024 14:46:42 +0200 Subject: [PATCH 13/13] global: Convert %short variables to %{long} variables --- docs/core/config/auth/databases/pam.md | 2 +- docs/core/config/auth/proxies.md | 2 +- docs/core/config/pop3.md | 8 ++++---- docs/core/config/shared_mailboxes.md | 3 --- docs/core/config/statistics.md | 6 +++++- docs/core/config/users/virtual.md | 2 -- docs/core/design/auth_process.md | 2 +- docs/core/plugins/virtual.md | 14 +++++++------- docs/core/settings/types.md | 4 ++-- docs/howto/convert_password_schemes.md | 10 +++++----- docs/howto/imapc_proxy.md | 2 +- docs/howto/lmtp/exim.md | 2 +- docs/howto/virtual/simple_install.md | 2 +- 13 files changed, 29 insertions(+), 30 deletions(-) diff --git a/docs/core/config/auth/databases/pam.md b/docs/core/config/auth/databases/pam.md index 27dbb0883..fd4233239 100644 --- a/docs/core/config/auth/databases/pam.md +++ b/docs/core/config/auth/databases/pam.md @@ -160,7 +160,7 @@ account required pam_unix.so For Solaris you will have to edit `/etc/pam.conf`. -Here is a working Solaris example (using [[setting,service_name,%L{service}]] +Here is a working Solaris example (using [[setting,service_name,%{service}]] instead of the default `dovecot` service): ``` diff --git a/docs/core/config/auth/proxies.md b/docs/core/config/auth/proxies.md index 886142c6e..9a2dbaa2d 100644 --- a/docs/core/config/auth/proxies.md +++ b/docs/core/config/auth/proxies.md @@ -275,7 +275,7 @@ See [[link,auth_master_users]] for more information how to configure this. ## OAuth2 Forwarding If you want to forward [[link,auth_oauth2]] tokens, return field -`proxy_mech=%m` as extra field. +`proxy_mech=%{mechanism}` as extra field. ## Examples diff --git a/docs/core/config/pop3.md b/docs/core/config/pop3.md index 3a1ec7359..f5f4d6be9 100644 --- a/docs/core/config/pop3.md +++ b/docs/core/config/pop3.md 
@@ -108,13 +108,13 @@ For new POP3 servers, the easiest way to set up UIDLs is to use IMAP's UIDVALIDITY and UID values. The default is: ``` -pop3_uidl_format = %08Xu%08Xv +pop3_uidl_format = %{uid | hex(8)}%{uidvalidity | hex(8)} ``` Another good default is to use the message's global UID: ``` -pop3_uidl_format = %g +pop3_uidl_format = %{guid} ``` However, note that GUIDs may not be unique, as the GUID does not change when a @@ -124,7 +124,7 @@ done using IMAP, Sieve, or doveadm.) ### MD5 UIDL format (mbox-only) ``` -pop3_uidl_format = %m +pop3_uidl_format = %{md5} ``` This works by getting the MD5 sum of a couple of message headers that uniquely @@ -162,7 +162,7 @@ calculation: * X-Delivery-ID: header -If you use [[link,lda]] or IMAP APPEND and [[setting,pop3_uidl_format,%m]] +If you use [[link,lda]] or IMAP APPEND and [[setting,pop3_uidl_format,%{md5}]] it always appends the X-Delivery-ID: header to saved mailbox. Any existing X-Delivery-ID: headers in the saved mails are dropped. diff --git a/docs/core/config/shared_mailboxes.md b/docs/core/config/shared_mailboxes.md index 523f58d28..b5e0f7b0a 100644 --- a/docs/core/config/shared_mailboxes.md +++ b/docs/core/config/shared_mailboxes.md @@ -6,9 +6,6 @@ dovecotlinks: shared_mailboxes_listing: hash: shared-mailbox-listing text: shared mailbox listing - shared_mailboxes_percent: - hash: vs - text: \% vs. \%\% shared_mailboxes_permissions: hash: filesystem-permissions text: shared mailboxes filesystem permissions diff --git a/docs/core/config/statistics.md b/docs/core/config/statistics.md index 67578d5e7..a7618fb01 100644 --- a/docs/core/config/statistics.md +++ b/docs/core/config/statistics.md @@ -85,7 +85,11 @@ metric imap_command { metric login_domains { filter = event=auth_request_finished fields = user - group_by = discrete:%L{domain} + group_by user { + method discrete { + modifier = %{value | domain | lower} + } + } } ``` 
diff --git a/docs/core/config/users/virtual.md b/docs/core/config/users/virtual.md index a7ab42244..b81768012 100644 --- a/docs/core/config/users/virtual.md +++ b/docs/core/config/users/virtual.md @@ -224,12 +224,10 @@ mail_driver = maildir mail_path = /home/%{user | domain}/%{user | username}/Maildir passdb passwd-file { - auth_username_format = %Ln passwd_file_path = /home/%{user | domain}/etc/shadow } userdb passwd-file { - auth_username_format = %Ln passwd_file_path = /home/%{user | domain}/etc/passwd } ``` diff --git a/docs/core/design/auth_process.md b/docs/core/design/auth_process.md index ca2d3ccde..8f359ede6 100644 --- a/docs/core/design/auth_process.md +++ b/docs/core/design/auth_process.md @@ -305,7 +305,7 @@ when the passdb lookup validity depends only on the username. With more complex databases such as SQL and LDAP this is created dynamically based on the password query in the configuration file. If there are multiple variables, they should be separated so that their -contents don't get mixed, for example `%{user}%r%l`. +contents don't get mixed, for example `%{user}%{rmote_ip}%{local_ip}`. `auth_cache_parse_key()` can be used to easily create a cache key from a query string. diff --git a/docs/core/plugins/virtual.md b/docs/core/plugins/virtual.md index 8af25617a..6ebe4b706 100644 --- a/docs/core/plugins/virtual.md +++ b/docs/core/plugins/virtual.md 
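Review bot: In the auth_process.md hunk the rewritten cache-key example contains a misspelled variable, `%{user}%{rmote_ip}%{local_ip}`; the long form used elsewhere in this series (see `rip=%{remote_ip}` in the login_log_format_elements default) is `remote_ip`. The line should read `contents don't get mixed, for example \`%{user}%{remote_ip}%{local_ip}\`.` Since this is the example developers copy when building auth cache keys, a misspelled variable expands to nothing and silently removes the remote IP from the key.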
@@ -196,19 +196,19 @@ namespace real { list = no hidden = yes } -``` -```[mysql.ext] # Note: none of the namespaces have inbox=yes. This is because for IMAP users # you want the inbox namespace to have 'inbox=yes', but for POP3 users you want # the virtual namespace to have 'inbox=yes'. This requires setting the # 'inbox=yes' in userdb extra fields. For example with MySQL you can do # this like: -ser_query = SELECT ..., \ - CASE '%s' WHEN 'pop3' THEN NULL ELSE 'yes' END AS 'namespace/inbox/inbox', \ - CASE '%s' WHEN 'pop3' THEN 'yes' ELSE NULL END AS 'namespace/virtual/inbox' \ - WHERE ... +userdb sql { + query = SELECT ..., \ + CASE '%{protocol}' WHEN 'pop3' THEN NULL ELSE 'yes' END AS 'namespace/inbox/inbox', \ + CASE '%{protocol}' WHEN 'pop3' THEN 'yes' ELSE NULL END AS 'namespace/virtual/inbox' \ + WHERE ... +} ``` ```[/etc/dovecot/virtual/INBOX/dovecot-virtual] @@ -229,7 +229,7 @@ Also to avoid accidental POP3 UIDL changes, you shouldn't base the UIDLs on IMAP UIDs. Instead use GUIDs (with Maildir the same as base filename): ``` -pop3_uidl_format = %g +pop3_uidl_format = %{guid} ``` ## Configuration Examples diff --git a/docs/core/settings/types.md b/docs/core/settings/types.md index 4bf65b3e8..a38d9eb24 100644 --- a/docs/core/settings/types.md +++ b/docs/core/settings/types.md @@ -65,10 +65,10 @@ Certain settings require specific variables and thus don't use the default [[variable]]. For example: ```[dovecot.conf] -imap_logout_format = in=%i out=%o +imap_logout_format = in=%{input} out=%{output} ``` -Here the `%i` and `%o` refer to variables specific to the +Here the `%{input}` and `%{output}` refer to variables specific to the [[setting,imap_logout_format]] setting. ## Unsigned Integer diff --git a/docs/howto/convert_password_schemes.md b/docs/howto/convert_password_schemes.md index 1bffe4480..d0b443908 100644 --- a/docs/howto/convert_password_schemes.md +++ b/docs/howto/convert_password_schemes.md 
@@ -36,9 +36,9 @@ https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin- # default_pass_scheme = CRYPT # update your sql query so it will look at the new field - # AND add a %w field in the query so we have the plain password in our - # Enviroment ($PLAIN_PASS) - query = SELECT id as user, newpassword as password, home as userdb_home, uid as userdb_uid, gid as userdb_gid, '%w' as userdb_plain_pass \ + # AND add a %{password} field in the query so we have the plain password in + # our Enviroment ($PLAIN_PASS) + query = SELECT id as user, newpassword as password, home as userdb_home, uid as userdb_uid, gid as userdb_gid, '%{password}' as userdb_plain_pass \ FROM users \ WHERE id = '%{user}' @@ -48,7 +48,7 @@ https://kaworu.ch/blog/2016/04/20/strong-crypt-scheme-with-dovecot-postfixadmin- # driver = mysql # connect = host=127.0.0.1 user=mailauth password=secret dbname=postfixadmin # default_pass_scheme = SHA512-CRYPT - # query = SELECT username AS user, password, CONCAT('/var/mail/vdomains/', maildir) as userdb_home, 'vmail' as userdb_uid, 'vmail' as userdb_gid, '%w' as userdb_plain_pass \ + # query = SELECT username AS user, password, CONCAT('/var/mail/vdomains/', maildir) as userdb_home, 'vmail' as userdb_uid, 'vmail' as userdb_gid, '%{password}' as userdb_plain_pass \ # FROM mailbox \ # WHERE username = '%{user}' } @@ -273,7 +273,7 @@ passdb passwd-file { userdb passwd-file { passwd_file_path = /var/vmail/auth.d/%{user | domain}/passwd fields { - plain_pass = %w + plain_pass = %{password} } } ``` diff --git a/docs/howto/imapc_proxy.md b/docs/howto/imapc_proxy.md index c1863a194..07d7445fc 100644 --- a/docs/howto/imapc_proxy.md +++ b/docs/howto/imapc_proxy.md @@ -56,7 +56,7 @@ This is based on already having Dovecot already compiled and installed. args = host=10.1.2.3 fields { userdb_imapc_user = %{user} - userdb_imapc_password = %w + userdb_imapc_password = %{password} } } 
diff --git a/docs/howto/lmtp/exim.md b/docs/howto/lmtp/exim.md index b420d0f36..8fc81c7f3 100644 --- a/docs/howto/lmtp/exim.md +++ b/docs/howto/lmtp/exim.md @@ -118,7 +118,7 @@ this problem by extending the *protocol lmtp* section: ```[dovecot.conf] protocol lmtp { ... - # use %Ln to strip away the domain part + # strip away the domain part auth_username_format = %{user|lower} } ``` diff --git a/docs/howto/virtual/simple_install.md b/docs/howto/virtual/simple_install.md index 6eb472b3e..1fba54e1f 100644 --- a/docs/howto/virtual/simple_install.md +++ b/docs/howto/virtual/simple_install.md @@ -55,7 +55,7 @@ mail_driver = maildir mail_path = ~/Maildir # If you're using POP3, you'll need this: -pop3_uidl_format = %g +pop3_uidl_format = %{guid} # Authentication configuration: auth_verbose = yes
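Review bot: The rewritten comment in the exim.md hunk, `# strip away the domain part`, no longer matches the value on the next (unchanged) line, `auth_username_format = %{user|lower}`, which only lowercases the username and keeps the domain. The old comment referred to `%Ln`, which both lowercased and dropped the domain; in this series the domain-stripping filter is documented as `%{user | username}` (auth_username_format examples in data/settings.js), so either the comment should say `# lowercase the username` or the value should become `auth_username_format = %{user | username | lower}` if stripping the domain is still the intent of this howto. I cannot tell from the diff which behaviour the LMTP example relies on, so please check before picking one.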