[Dovecot] patch for checkpassword exit codes & vpopmail
Max A
sub at comtel-60.ru
Thu Nov 9 12:59:33 UTC 2006
>> Also it is possible, that a similar problem exists with other variables
>> TCP UCSPI protocol (http://cr.yp.to/proto/ucspi-tcp.txt).
>
> Hmm. I hadn't heard of UCSPI before.
>
> Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP
> will stay for backwards compatibility, maybe I'll remove them in Dovecot
> v2.0.
>
Thanks for the answer :)
There are still some problems with the use of the
checkpassword-interface with vpopmail. Besides the standard exit codes of
checkpassword:

    1    unacceptable
    2    misused
    111  temporary problem

vchkpw (the checkpassword analogue in vpopmail) uses two additional
groups of exit codes:

a) When the user gives a wrong username/password (procedure
checkpassword_request_half_finish() should call
checkpassword_request_finish() with parameter
PASSDB_RESULT_PASSWORD_MISMATCH):

    1   pop/smtp/webmail/imap/ access denied (match with a code of
        classic checkpassword)
    3   password fail / vpopmail user not found
    12  null user name given
    13  null password given
    15  user has no password
    20  invalid user/domain characters
    21  system user not found
    22  system user shadow entry not found
    23  system password fail

b) vpopmail's internal errors
(checkpassword_request_half_finish() calls checkpassword_request_finish()
with parameter PASSDB_RESULT_INTERNAL_FAILURE):

    4   setgid failed
    5   setuid failed
    6   autocreate dir error / chdir failed
    7   putenv(USER) failed
    8   putenv(HOME) failed
    9   putenv(SHELL) failed
    10  putenv(VPOPUSER) failed
    11  vchkpw is only for talking with qmail-popup and qmail-pop3d.
        It is not for runnning on the command line
    14  dir auto create failed / failed to vauth_getpw() after dir auto
        create

Now all these codes are processed in checkpassword_request_half_finish()
by the "default" section. It will be wrong for the first group of codes to
return to the user "-ERR Temporary authentication failure. ", because it is
not an internal problem, it's a login failure (user problem). I have
made some changes in passdb-checkpassword.c to separate internal
vpopmail mistakes from user's mistakes (a patch is in the attachment).

As the exit code "1" in vchkpw corresponds to an interdiction of access
to service (smtp/pop3/imap/webmail) I have changed a line for logging in
"case 1 " from "Password not accepted" to "Login failed". This line
(imho) is acceptable both for classical checkpassword and for vchkpw.
Now all user's mistakes will be processed as well as a mistake of the
password in checkpassword (exit code 1), and internal mistakes will be
logged by the "default" section.

If you do not like the idea of changing the code specially for vpopmail it
will be possible to make some parameter in the "passdb checkpassword {}"
section in the config file, pointing at work specially with vpopmail.
Depending on its presence "case" will work otherwise (my knowledge of C
is insufficient for this purpose).

Also, if it is not too hard for you, can you add the variable TCPLOCALPORT
(described in http://cr.yp.to/proto/ucspi-tcp.txt) to the environment
variables for checkpassword, because vchkpw uses it for an interdiction
of access to various services (SMTP/POP3/IMAP/Webmail)?
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpopmail_env.patch
Url: http://dovecot.org/pipermail/dovecot/attachments/20061109/98ce079e/attachment.pot
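
Added illustration of the exit-code split described in the message above; it is not the attached patch and not Dovecot's code. The enum and function names are local to this example, and treating codes 2, 111, any unlisted code and a signal-killed child as an internal failure is this example's assumption.

```c
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Local names for this example; not Dovecot's passdb result enum. */
enum auth_result { AUTH_OK, AUTH_MISMATCH, AUTH_INTERNAL_FAILURE };

/* Classify a vchkpw exit code using the two groups listed in the message. */
enum auth_result classify_exit_code(int code)
{
    switch (code) {
    case 0: return AUTH_OK;
    /* group a) login failures: one result for all of them, so the
       client cannot tell "user not found" from "password fail" */
    case 1: case 3: case 12: case 13: case 15:
    case 20: case 21: case 22: case 23:
        return AUTH_MISMATCH;
    /* group b) 4-11 and 14, plus 2, 111 and any unlisted code
       (assumption of this example): fail closed as an internal error */
    default:
        return AUTH_INTERNAL_FAILURE;
    }
}

/* Decode a waitpid() status first: a child killed by a signal has no
   exit code and must not be read as a login failure or a success. */
enum auth_result classify_wait_status(int status)
{
    if (!WIFEXITED(status))
        return AUTH_INTERNAL_FAILURE;
    return classify_exit_code(WEXITSTATUS(status));
}

/* Constructed stand-in for running vchkpw: the child exits with `code`,
   or kills itself with SIGKILL when code < 0. */
enum auth_result classify_stub_child(int code)
{
    int status;
    pid_t pid = fork();

    if (pid == 0) {
        if (code < 0)
            raise(SIGKILL);
        _exit(code);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return AUTH_INTERNAL_FAILURE;
    return classify_wait_status(status);
}
```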