Unable to delete user/mailbox when user/domain is disabled

[yannfill]

• Modoboa: 1.8.1
• installer used: No
• Webserver: Apache

When disabling a domain, all mailboxes of that domain are (logically) disabled too. When I try to delete a disabled mailbox, an error shows up: Failed to retrieve mailbox location (userdb lookup: user xxx doesn't exist)

So I must re-enable the domain before being able to delete users, which is kind of weird steps to follow (mailbox disabled -> mailbox enabled -> mailbox deleted).

Disabling a domain or a mailbox could be considered the first step before deleting it, so their should be no need to re-enable it to do that.

[tonioo]

@yannfill can you check query used for iterate_query in /etc/dovecot/dovecot-sql.conf.ext please?

[yannfill]

iterate_query = SELECT email AS user FROM core_user WHERE email='%Lu'

[yannfill]

I also have this in /etc/dovecot/conf.d/auth-sql.conf.ext:

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
userdb {
  driver = prefetch
}

# For LDA and doveadm
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
}

[tonioo]

Can you try with this please:
iterate_query = SELECT email AS user FROM core_user

[yannfill]

Same error, even after restarting Dovecot and Apache.

[tonioo]

@yannfill can you show me the full trace please?

[yannfill]

I got it, this is my password_query:

password_query = SELECT email AS user, password, '/home/vmail/%Ld/%Ln' AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid, \
                 CONCAT('*:bytes=', mb.quota, 'M') AS userdb_quota_rule \
                 FROM core_user u INNER JOIN admin_mailbox mb ON u.id=mb.user_id INNER JOIN admin_domain dom \
                 ON mb.domain_id=dom.id \
                 WHERE u.email='%Lu' AND u.is_active=1 AND dom.enabled=1

When I remove AND u.is_active=1 AND dom.enabled=1 I can delete disabled users. But then, disabled users can still log in, or not ?

[tonioo]

I don't understand why you encounter this issue, I don't reproduce it...
Do not modify this query otherwise disabled users will still be able to login (IMAP and POP). doveadm only uses iterate_query and there is not status filter, that's why I'm a bit lost.

[yannfill]

My user_query is this:

user_query = SELECT '/home/vmail/%Ld/%Ln' AS home, 89 AS uid, 89 AS gid, concat('*:bytes=', mb.quota, 'M') AS quota_rule \
             FROM admin_mailbox mb INNER JOIN admin_domain dom ON mb.domain_id=dom.id \
             WHERE mb.address='%Ln' AND dom.name='%Ld' AND dom.enabled=1

When I try this command doveadm mailbox delete -u user@domain Trash I get this error:

doveadm(user@domain): Fatal: User doesn't exist

If I remove AND dom.enabled=1 from the query the same command exit 0 with no output.

So, doveadm seems to use all the queries in /etc/dovecot/dovecot-sql.conf except iterate_query.

[yannfill]

And commenting user_query gives this:

doveadm(user@domain): Error: user beatrice.gavory@solutech.fr: Auth USER lookup failed
doveadm(user@domain): Fatal: User lookup failed: Internal error occurred. Refer to server log for more information.

[tonioo]

Have you tried with doveadm user (the command used by modoboa)?

[yannfill]

# doveadm -D user user@domain
doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules
doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/lib10_quota_plugin.so
doveadm(root): Debug: Loading modules from directory: /usr/lib/dovecot/modules/doveadm
doveadm(root): Debug: Skipping module doveadm_acl_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_acl_plugin.so: undefined symbol: acl_user_module (this is usually intentional, so just ignore this message)
doveadm(root): Debug: Skipping module doveadm_expire_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_expire_plugin.so: undefined symbol: expire_set_deinit (this is usually intentional, so just ignore this message)
doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_quota_plugin.so
doveadm(root): Debug: Module loaded: /usr/lib/dovecot/modules/doveadm/lib10_doveadm_sieve_plugin.so
doveadm(root): Debug: Skipping module doveadm_fts_lucene_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_lucene_plugin.so: undefined symbol: lucene_index_iter_deinit (this is usually intentional, so just ignore this message)
doveadm(root): Debug: Skipping module doveadm_fts_plugin, because dlopen() failed: /usr/lib/dovecot/modules/doveadm/lib20_doveadm_fts_plugin.so: undefined symbol: fts_backend_rescan (this is usually intentional, so just ignore this message)
doveadm(root): Debug: auth input: 
field	valueuserdb lookup: user user@domain doesn't exist

[tonioo]

What happens if you reactivate this user? Does dovecot found it?

[yannfill]

I can't reactivate users individually since I have disabled the whole domain, and when I reactivate the domain, I get:

# doveadm user user@domain
field	value
uid	89
gid	89
home	/home/vmail/domain/user
mail	maildir:~/Maildir/
quota_rule	*:bytes=2048M

[tonioo]

I still can't reproduce this behaviour... What is your dovecot version? Which user runs the doveadm command in your example?

[yannfill]

Dovecot 2.2.13

I was root when running the doveadm command, but using dovecot user gives the same results.

[yannfill]

According to the wiki, iterate_query is used only for a small subset of doveadm command. I think that doveadm user looks for user_query and since my SQL request includes WHEN dom.enabled=1, it makes sense that it fails.

[yannfill]

That's it, I've removed dom.enabled=1 and now I can delete disabled users, even when the domain is also disabled. Since userdb use prefetch from passdb first for regular user authentication and the SQL query for userdb is only used by doveadm, I think the issue is solved. You can close it if you agree.

[tonioo]

Could you try to send an email to user in a deactivated domain?

[yannfill]

Then the email comes back with Postfix saying

<user@domain>: mail for domain loops back to myself

[tonioo]

@yannfill Have you checked logs?

[yannfill]

From Postfix?

Aug  1 13:56:58 wfsv164 postfix/smtpd[8615]: AB6533C629D6: client=localhost[127.0.0.1]
Aug  1 13:56:58 wfsv164 postfix/cleanup[8493]: AB6533C629D6: message-id=<bde2f9df-cb2c-d6bb-407a-0edb9f660d0d@mydomain>
Aug  1 13:56:58 wfsv164 postfix/qmgr[11010]: AB6533C629D6: from=<me@mydomain>, size=24909, nrcpt=1 (queue active)
Aug  1 13:56:58 wfsv164 postfix/smtp[7149]: AB6533C629D6: to=<user@domain>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for domain loops back to myself)
Aug  1 13:56:58 wfsv164 postfix/bounce[7421]: AB6533C629D6: sender non-delivery notification: AC3873C629FF
Aug  1 13:56:58 wfsv164 amavis[2913]: (02913-15) Passed CLEAN {RelayedInbound}, [92.154.61.201]:49690 [92.154.61.201] <me@mydomain> -> <user@domain>, Queue-ID: 5AE863C62924, Message-ID: <bde2f9df-cb2c-d6bb-407a-0edb9f660d0d@webfutur.fr>, mail_id: Tm48Sr8o6F2y, Hits: -0.936, size: 24447, queued_as: AB6533C629D6, 290 ms
Aug  1 13:56:58 wfsv164 postfix/qmgr[11010]: AB6533C629D6: removed

[tonioo]

Fixed in the installer: modoboa/modoboa-installer@2c206a5.