email_localpart not working for auth

[the-maldridge]

I'm in the middle of trying to debug email authentication after having written a new authentication module, and I'm running into the problem that I need to get the username of the authenticating entity and pass that into the auth module, same for lookups for the table module.

I have tried using email_localpart in my auth_map and delivery_map and it still passes the full email address to the auth module, which obviously fails since its not a username that exists.

Here's my config:

## Maddy Mail Server - default configuration file (2022-06-18)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.

# ----------------------------------------------------------------------------
# Base variables

$(hostname) = example.org
$(primary_domain) = example.org
$(local_domains) = $(primary_domain)

tls off

# ----------------------------------------------------------------------------
# Local storage & authentication

auth.netauth netauth_authdb

# imapsql module stores all indexes and metadata necessary for IMAP using a
# relational database. It is used by IMAP endpoint for mailbox access and
# also by SMTP & Submission endpoints for delivery of local messages.
#
# IMAP accounts, mailboxes and all message metadata can be inspected using
# imap-* subcommands of maddyctl utility.

storage.imapsql local_mailboxes {
    auth_map email_localpart
    delivery_map email_localpart
    driver sqlite3
    dsn imapsql.db
}

# ----------------------------------------------------------------------------
# SMTP endpoints + message routing

hostname $(hostname)

table.chain local_rewrites {
    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
    optional_step static {
        entry postmaster postmaster@$(primary_domain)
    }
    optional_step file /etc/maddy/aliases
}

msgpipeline local_routing {
    # Insert handling for special-purpose local domains here.
    # e.g.
    # destination lists.example.org {
    #     deliver_to lmtp tcp://127.0.0.1:8024
    # }

    destination postmaster $(local_domains) {
        modify {
            replace_rcpt &local_rewrites
        }

        deliver_to &local_mailboxes
    }

    default_destination {
        reject 550 5.1.1 "User doesn't exist"
    }
}

smtp tcp://0.0.0.0:25 {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections.
        all rate 20 1s
        all concurrency 10
    }

    dmarc yes
    check {
        require_mx_record
        dkim
        spf
    }

    source $(local_domains) {
        reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.1.1 "User doesn't exist"
        }
    }
}

submission tcp://0.0.0.0:587 {
    limits {
        # Up to 50 msgs/sec across any amount of SMTP connections.
        all rate 50 1s
    }

    auth &netauth_authdb

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &local_rewrites
                user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) default
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections
        # for each recipient domain.
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        dane
        mtasts {
            cache fs
            fs_dir mtasts_cache/
        }
        local_policy {
            min_tls_level encrypted
            min_mx_level none
        }
    }
}

target.queue remote_queue {
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        destination postmaster $(local_domains) {
            deliver_to &local_routing
        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

# ----------------------------------------------------------------------------
# IMAP endpoints

imap tcp://0.0.0.0:143 {
    auth &netauth_authdb
    storage &local_mailboxes
}

The docs aren't super helpful here, they just point me to the storage backend documentation which documents the syntax of the auth_map directive, but not how to actually use it to do anything. Is there somewhere that has more complete docs for how to actually use maddy?

---

Update 1

Just to be sure, the entire thing that led me down this path was troubleshooting that even though my backend authentication service responds with success and I return a nil error in AuthPlain I still get back an IMAP response of A1 NO Invalid credentials which suggests to me that maddy doesn't consider me logged in even though I responded with valid credentials. I can only auth successfully if I just try to send my username without any domain component, but I'm slowly starting to wonder if that's how this is supposed to work, that you just always send whatever the backend system considers the username with most of the time that being an email, but for services that do not directly key on emails it is just a uid.

Going on that assumption I am now just trying to understand why I can't auth successfully even though the backend service returns an OK status.

[the-maldridge]

The more I look into this the more it looks like auth_map is dead code that is no longer called/callable. It looks like IMAP auth happens in internal/endpoints/imap in Login where it checks the SASL auth mechs but there's no way to import an auth_map in there to strip the usernames from the domain component. Is this actually the case?

[the-maldridge]

I eventually completely gave up on this approach, I don't think auth_map is used anywhere in authentication, despite the name and that it appears to require PlainAuth be implemented. Given that everything appears to eventually flow through SASL I just imported github.com/foxcpp/maddy/framework/address into the netauth authentication driver and do the address split there so that the driver pretends to accept email addresses and subsequently discards the domain component.

[foxcpp]

Not working auth_map is definitely unintentional. I will create an issue for this..