Domain (%d) is empty

The IMAP and POP3 protocols don’t have explicit support for domains. Usernames are commonly in user@domain format, and that is also where Dovecot gets the domain from. If the username doesn’t have @domain, the domain is usually empty as well (unless the auth_default_realm setting is used).

If you log in as user@domain but %d is still empty, the problem is that your configuration lost the domain part by changing the username. Dovecot doesn’t keep track of the domain separately from the username, so if something changes the username from user@domain to just plain user, the domain is lost and %d returns nothing. If you have auth_debug=yes, this shows up in the logs like:

Info: auth(user@domain.org): username changed user@domain.org -> user
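
One way to check an auth_debug log for this, as an added example that is not part of the original Dovecot documentation: it scans for the "username changed" message shown above and reports only the renames where a domain was dropped. The sample log lines are constructed and the function names are illustrative.

```python
import re
from collections import Counter

# Matches the auth_debug message shown above; any log prefix before it is ignored.
CHANGED = re.compile(r"username changed (\S+) -> (\S+)")


def split_user(username):
    """Return (local part, domain); domain is '' when there is no @domain."""
    local, _, domain = username.partition("@")
    return local, domain


def find_domain_loss(lines):
    """Yield (old, new) for every rename where a non-empty domain was dropped."""
    for line in lines:
        m = CHANGED.search(line)
        if not m:
            continue
        old, new = m.group(1), m.group(2)
        # A case-only change such as Alice@Example.com -> alice@example.com
        # keeps the domain and is not reported.
        if split_user(old)[1] and not split_user(new)[1]:
            yield old, new


def summarize(lines):
    """Count domain-dropping renames per original (lowercased) domain."""
    return Counter(split_user(old)[1].lower() for old, _ in find_domain_loss(lines))


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
Info: auth(user@domain.org): username changed user@domain.org -> user
Info: auth(Alice@Example.com): username changed Alice@Example.com -> alice@example.com
Info: auth(bob@example.com): username changed bob@example.com -> bob
Info: auth(carol): username changed carol -> Carol
Info: imap-login: Login: user=<user>, method=PLAIN
""".splitlines()

if __name__ == "__main__":
    for old, new in find_domain_loss(SAMPLE_LOG):
        print(f"domain lost: {old} -> {new} (%d will be empty)")
    for domain, count in summarize(SAMPLE_LOG).items():
        print(f"{domain}: {count} login(s) lost the domain")
```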

Below are some of the most common reasons for this.

Settings

auth_username_format = %Ln lowercases the username but also drops the domain. Use auth_username_format = %Lu instead.

auth_username_format changes the username permanently. Some user databases support using variables or username_format (see Passwd-file). See also Virtual and system users.

SQL

password_query is often misconfigured to drop the domain when username and domain are stored separately. For example:

# BROKEN:
password_query = SELECT username AS user, password FROM users \
WHERE username = '%n' AND domain = '%d'

The “username AS user” changes the username permanently and the domain is dropped. You can instead use:

# MySQL:
password_query = SELECT concat(username, '@', domain) AS user, \
password FROM users WHERE username = '%n' AND domain = '%d'

Or you can return username and domain fields separately and Dovecot will merge them into a single user field:

password_query = SELECT username, domain, password FROM users \
WHERE username = '%n' AND domain = '%d'

Virtual and system users

If you need to do PAM/passwd lookup for system users, and also have domain users, you can configure authentication to drop the domain part after doing virtual user lookup.

## Your virtual passdb
passdb {
   driver = ldap
   args = /path/to/ldap/config
}

## Drop the domain (and lowercase the username) before the system user lookup
passdb {
   driver = static
   args = user=%Ln noauthenticate
   skip = authenticated
}

passdb {
   driver = pam
   skip = authenticated
}

userdb {
   driver = ldap
   args = /path/to/ldap/config
}

userdb {
   driver = passwd
}