[Dovecot] weird situation with pop3/imap proxy and postfix authentication
Leonardo Rodrigues
leolistas at solutti.com.br
Wed Aug 14 23:34:48 EEST 2013
Hello dovecot mailing list,
I have a server running postfix and dovecot. I havea configuration
on dovecot that allows me to provide imap4/pop3 messages for local
hosted users as well as for proxied users on other servers.
Basically, i have a simple MySQL table (imapproxy) with two fields,
'domain' and 'host'. My password_query isa 'UNION' query, exactly like:
password_query=select endereco as user, password, '/var/spool/mail/%u'
as userdb_home, 'maildir:/var/spool/mail/%u' as userdb_mail, 8 as
userdb_uid, 12 as userdb_gid, concat('*:storage=', quota) as
userdb_quota_rule, 'Trash:storage=+100M' as userdb_quota_rule2, 'Y' as
proxy_maybe, '10.252.38.2' as host from emails where endereco = '%u' and
ativa = '1' UNION select NULL as user, '%w' as password, NULL as
userdb_home, NULL as userdb_mail, NULL as userdb_uid, NULL as
userdb_gid, NULL as userdb_quota_rule, NULL as userdb_quota_rule2, 'Y'
as proxy_maybe, imapproxy.host as host from imapproxy where
imapproxy.dominio = '%d'
the 10.252.38.2 address, on the query, is my local server
when this query received a local user, from a domain that is NOT listed
on the imapproxy table, results are like:
*************************** 1. row ***************************
user: localuser at domain.com.br
password: (SSHA256 encrypted password)
userdb_home: /var/spool/mail/localuser at domain.com.br
userdb_mail: maildir:/var/spool/mail/localuser at domain.com.br
userdb_uid: 8
userdb_gid: 12
userdb_quota_rule: *:storage=51200
userdb_quota_rule2: Trash:storage=+100M
proxy_maybe: Y
host: 10.252.38.2
when it receives a proxied domain, results are:
*************************** 1. row ***************************
user: NULL
password: password
userdb_home: NULL
userdb_mail: NULL
userdb_uid: NULL
userdb_gid: NULL
userdb_quota_rule: NULL
userdb_quota_rule2: NULL
proxy_maybe: Y
host: 10.254.116.9
This is working just fine for IMAP4 and POP3 proxying. Local users
(which domains are NOT listed on imapproxy table) can successfully login
to their accountsas well as users from domains listed on imapproxy table
can successfully login to their accounts.
On SMTP authentication, tough, things are not so fine. SMTP
authentication is provided by dovecot to postfix:
[root at correio dovecot]# postconf mail_version
mail_version = 2.7.1
[root at correio dovecot]#
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
service auth is defined on dovecot confs as:
service auth {
unix_listener auth-userdb {
mode = 0600
user = mail
group = mail
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
and it seems to be allowing ANYuser on any domain listed on the
imapproxy table domains to login, even if the user does not exists or
provides wrong password. In fact, it seems dovecot returns OK to postfix
even without trying to contact the assigned server to that domain, as i
cannot find any password-failed-specific log to that user on the
specific server. Example:
(a proxied domain)
[root at correio dovecot]# telnet mail.proxieddomain.com.br 110
Trying 10.254.116.9...
Connected to mail.proxieddomain.com.br (10.254.116.9).
Escape character is '^]'.
+OK Dovecot ready.
user teste at proxieddomain.com.br
+OK
pass password
-ERR Authentication failed.
(i can successfully find this auth trial and fail on 10.254.116.9 logs)
but on SMTP authentication, i have:
[root at correio dovecot]# perl -MMIME::Base64 -e \ 'print
encode_base64("teste\@proxieddomain.com.br\0teste\@proxieddomain.com.br\0password");'
xxxxxxxxx(not the real encoded pass)xxxxxxxxxxxxxxxx=
[root at correio dovecot]#
[root at correio dovecot]# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.domain.com.br ESMTP
EHLO test
250-mail.domain.com.br
[ ... ]
AUTH PLAIN (encoded string returned by perl encode_base64)
235 2.7.0 Authentication successful
(and i cannot even find any authentication log, fail or success, on the
specific server for proxieddomain.com.br)
dovecot version is:
[root at correio dovecot]# dovecot --version
2.2.2
[root at correio dovecot]#
what am i doing wrong here ? How to have dovecot to really check users
before giving OK to postfix on SMTP authentications ?
Thanks for any hints !
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes at solutti.com.br
My SPAMTRAP, do not email it
More information about the dovecot
mailing list