[Dovecot] Default fallback behaviour
Nikita Koshikov
koshikov at gmail.com
Tue Nov 27 09:37:51 EET 2012
On Tue, Nov 27, 2012 at 3:04 AM, Timo Sirainen <tss at iki.fi> wrote:
> On 23.11.2012, at 9.46, Nikita Koshikov wrote:
>
> > Hello list,
> >
> > Here is the problem:
> > I have few:
> > passdb {
> > #1
> > }
> > passdb {
> > #2
> > }
> > And relative userdb sections. If user not found in 1) section it
> fallbacks
> > to next one - it's expected and right, IMHO. But when the user exists in
> > both section and password verification fails on 1) database it
> successfully
> > authenticated on next one. I think this behaviour should be configured.
> The
> > main goal of 1) section for this server is to overwrite users in main
> > (section2) database.
>
> It's not always possible to know why #1 failed. For example PAM doesn't
> always tell if the password was wrong or if the user didn't exist.
>
> > Maybe I missed something and this option is already in dovecot code and I
> > can't find it ? Or if not - will it be added in the future ?
>
>
> I'm not very interested in adding it, especially because it can't be done
> reliably.
>
>
Thank's for the anwer. It's a pity to hear, because it's security feature I
need to provide. The problem - that main passdb - is ldap and there are
about - 5-7 people who can edit it and simply to login as different users.
Yes, activity is logged - but mailbox can be read\stolen. The main goal for
passwd-file database is to revrite ldap very critical mailboxes to local
file. It can be edited only but 1 person - it is nativly to trust 1, but
not to 7.
More information about the dovecot
mailing list