why is dovecot "Allowing any password"

Aki Tuomi aki.tuomi at dovecot.fi
Wed Mar 21 18:24:56 EET 2018


> On 21 March 2018 at 18:12 mj <lists at merit.unu.edu> wrote:
> 
> 
> Hi,
> 
> I noticed the following in the logs of our debian wheezy server:
> 
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username; uid unused
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username
> > Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): invalid credentials (given password: invalid_password)
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): lookup
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets: Matching for network 127.0.0.1/32
> > Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password
> > Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)
> 
> The second last line "Allowing any password" comes as a surprise..? 
> Why would dovecot Allow any password..?
> 
> We had the following bit in our config, but I removed it now:
> 
> > #passdb {
> > #  driver = static
> > #  args = nopassword=y allow_nets=127.0.0.1/32
> > #}
> 
> Could anyone explain the "Allowing any password"?
> 

This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or

doveadm exec imap -u victim

for admin use.

Aki
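
An added example, not part of the original thread and not Dovecot's own code: a small Python audit that finds active `passdb` blocks using the static driver with `nopassword`, like the one quoted above, and reports their `allow_nets` value. The sample config is constructed, and the parser assumes every `#` starts a comment.

```python
import re

# Constructed sample config (not from the post): an active block like the
# poster's, a commented-out copy, and one with no allow_nets restriction.
SAMPLE_CONF = """\
passdb {
  driver = static
  args = nopassword=y allow_nets=127.0.0.1/32
}
#passdb {
#  driver = static
#  args = nopassword=y
#}
passdb {
  driver = static
  args = nopassword=y
}
"""

def passdb_blocks(text):
    """Yield (start_line, settings) for each active passdb block."""
    block, start = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if block is None:
            if re.fullmatch(r"passdb\s*\{", line):
                block, start = {}, lineno
        elif line == "}":
            yield start, block
            block = None
        elif "=" in line:
            key, value = line.split("=", 1)
            block[key.strip()] = value.strip()

def audit_nopassword(text):
    """Return (line, allow_nets or None) for static passdbs using nopassword."""
    findings = []
    for start, cfg in passdb_blocks(text):
        args = cfg.get("args", "").split()
        # Any nopassword field is flagged, whatever its value (conservative).
        if cfg.get("driver") != "static" or not any(
                a.split("=", 1)[0] == "nopassword" for a in args):
            continue
        nets = [a.split("=", 1)[1] for a in args if a.startswith("allow_nets=")]
        findings.append((start, nets[0] if nets else None))
    return findings

if __name__ == "__main__":
    for line, nets in audit_nopassword(SAMPLE_CONF):
        print(f"line {line}: static passdb, nopassword, allow_nets={nets or 'UNRESTRICTED'}")
```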

