why is dovecot "Allowing any password"

Aki Tuomi aki.tuomi at dovecot.fi
Thu Mar 22 10:56:18 EET 2018



On 22.03.2018 10:55, mj wrote:
>
>
> On 03/22/2018 09:34 AM, Aki Tuomi wrote:
>> I have no idea *WHY* it is required by SOGo. It does not make sense.
>
> Well, the thing is: SOGo has this ability to behave like a *real*
> exchange server, as if it's running on a windows server. And this
> enables Outlook to connect to it like it would to an exchange server.
> (so: not in imap mode, and not using regular username/password
> authentication)
>
> Normally, SOGo simply reuses the provided username/password to connect
> to the imap server, but in the above scenario, these are not available.
>
> The same goes for a SAML2 authenticated SOGo webmail logon.
>
> In these scenarios, SOGo uses the 127.0.0.1 connection to log on to
> imap, since it does know the username.
>
> I guess a better solution would be for SOGo to be able to do
> 'transformations' to the username/password, to change the regular
> username/unknownpassword into username*master/masterpassword, and get
> rid of the 127.0.0.1 passwordless listener.
>
> Right?
>
> But SOGo doesn't do that. (afaik)
>
> MJ

I would recommend using a master password (that is, replace nopassword=y
with password=staticpassword). I know that from a localhost perspective
this isn't much different, but it will reduce accidents.

Aki
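
Added example, not part of the original message or of Dovecot: a Python check that reads `doveconf -n`-style text and reports which static passdb blocks still use `nopassword=y` and which carry a `password=` value as recommended above. The sample configuration is constructed, and the `allow_nets` field, the function name and the status labels are assumptions of this example.

```python
import re

# Constructed sample in the style of `doveconf -n` output (not from the thread).
SAMPLE_CONF = """\
passdb {
  args = nopassword=y allow_nets=127.0.0.1
  driver = static
}
passdb {
  args = password=staticpassword allow_nets=127.0.0.1
  driver = static
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
"""

# A top-level passdb block, and "key = value" lines inside it.
BLOCK_RE = re.compile(r"^passdb\s*\{(.*?)^\}", re.S | re.M)
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$", re.M)


def audit_passdbs(conf_text):
    """Return one finding per static passdb block found in conf_text."""
    findings = []
    for index, block in enumerate(BLOCK_RE.findall(conf_text)):
        settings = dict(SETTING_RE.findall(block))
        if settings.get("driver") != "static":
            continue
        # Static passdb args are space-separated key=value fields.
        args = dict(p.split("=", 1) for p in settings.get("args", "").split() if "=" in p)
        if args.get("nopassword", "").lower() in ("y", "yes"):
            status = "any-password"      # the case the thread is about
        elif "password" in args:
            status = "static-password"   # the replacement Aki recommends
        else:
            status = "no-password-field"
        findings.append({"block": index, "status": status,
                         "allow_nets": args.get("allow_nets")})
    return findings


if __name__ == "__main__":
    for finding in audit_passdbs(SAMPLE_CONF):
        print(finding)
```
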

