Re: vpopmail

4 Oct 2018

      ...
On 04 October 2018 at 17:42 Rick Romero rick@havokmon.com wrote:
Quoting Rick Romero rick@havokmon.com:
...
Quoting Eric Broch ebroch@whitehorsetc.com:
...
On 10/4/2018 7:27 AM, Rick Romero wrote:
...
Quoting Eric Broch 
mailto:ebroch@whitehorsetc.com>:
...
On 10/4/2018 6:34 AM, Rick Romero wrote:
...

Quoting Aki Tuomi 
mailto:aki.tuomi@open-xchange.com>:
...
On 03.10.2018 23:30, Eric Broch wrote:
...
Hello list,
I run Dovecot with the vpopmail driver and have found that it
authenticates against the clear text password in the vpopmail
database. Is there a configuration option either at compile time, link
time, or a setting in one of the configuration files that tells the
program to authenticate against the hash instead of the clear text?
Prefix your passwords in vpopmail with {SCHEME} (like,  {CRYPT})
Aki
Or use SQL -  then you don't have to munge any of your tools.
password_query =
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS

password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND

!(pw_gid & 8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or

!(pw_gid & 4))
pw_gid refers to the the binary vpopmail flags for disable POP,

IMAP, Webmail.
Rick
...
When configuring vpopmail for our purposes we use (now) the

configuration option:
--disable-many-domains     Creates a table for each virtual domain

instead of storing all users in a single table.
Only valid for MySQL and PostgreSQL
This disallows (I think) the use Dovecot MySQL configuration file

as every user is stored in a domain table of the form

'mydomain_tld'.
So, we're limited to these configurations (no dovecot-mysql.conf.ext) :
passdb {
args = cache_key=%u webmail=127.0.0.1
driver = vpopmail
}
userdb {
args = cache_key=%u quota_template=quota_rule=*:backend=%q
driver = vpopmail
}
If there is a clear text password (pw_clear_passwd) present it

seems that Dovecot will use that instead of using the hash

(pw_passwd).
It seems that in the code 'passdb-vpopmail.c' (below) that if the

clear password (pw_clear_passwd) is present Dovecot skips the

hashed password (pw_passwd), and we want authentication against

the hashed password.
<snippet>
       if (vpopmail_is_disabled(auth_request, vpw)) {
               auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
                                     "%s disabled in vpopmail for  
this user",
                                     auth_request->service);
               password = NULL;
               *result_r = PASSDB_RESULT_USER_DISABLED;
       } else {
               if (vpw->pw_clear_passwd != NULL &&
                   *vpw->pw_clear_passwd != '\0') {
                       password = t_strdup_noconst(vpw->pw_clear_passwd);
                       *cleartext = TRUE;
               } else if (!*cleartext)
                       password = t_strdup_noconst(vpw->pw_passwd);
               else
                       password = NULL;
               *result_r = password != NULL ? PASSDB_RESULT_OK :
                       PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
       }
</snippet>
Looking for an option to make dovecot use hashed password instead

of clear text.
Hope this makes sense.
-EricB
We seem to have lost quoting..
First - Why aren't you just deleting all the clear text passwords?
Second, for many domanis, my password query for your purposes

should just be:
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS

password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM %d WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid &

8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
Where %d is the domain name. Your vpopmail database should have a

bunch of domain.com table names.
Or you can hardcode the database with   FROM vpopmail.%d
You may need to play with quotes..  FROM vpopmail.%d  or  FROM %d
Rick
Rick,
I'm not sure what you're saying.
Vpopmail's DB can be configured in two different ways, 1) With

domain tables and all users for that particular domain underneath

(described below), or 2) Simply, one table with all users with the

domain field 'pw_domain' (This works with dovecot-sql.conf.ext

files). The former (1), which we use does not allow the use of

dovecot-sql.conf.ext files, we're limited to userdb and passwd

options previously mentioned. When using these options dovecot will

get the clear text password if present.
The problem is that if a password is over 16 characters long the

clear text field will only store the first 16 characters while the

hashed field will contain the whole password.
# echo "describe domain_tld" | mysql -u root -pcat vpoppasswd vpopmail
yeilds
Field   Type    Null    Key     Default Extra
pw_name char(32)        NO      PRI     NULL
pw_passwd       char(40)        YES             NULL
pw_uid  int(11) YES             NULL
pw_gid  int(11) YES             NULL
pw_gecos        char(48)        YES             NULL
pw_dir  char(160)       YES             NULL
pw_shell        char(20)        YES             NULL
pw_clear_passwd char(16)        YES             NULL
As you can see there is no 'pw_domain' field from which to draw.
Again we are limited to the passdb, and userdb options already described.
I'm not sure why #1 wouldn't work with a proper query - here's the

same without a reference to pw_domain at all.
SELECT CONCAT(pw_name, '@', %d) AS user, pw_passwd AS  password,

pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid FROM %d

WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8) AND

!(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
Alternatively if you absolutely must have clear text password, and

it has to be greater than 16 characters, make the MySQL field bigger

than 16 characters.  'Alter table' is the command.
It really sounds to me like you need a test environment.
Rick
Dammit
SELECT CONCAT(pw_name, '@', %d) AS user, pw_passwd AS  password,

pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid FROM %d

WHERE pw_name = '%n' AND !(pw_gid & 8) AND !(pw_gid & 2) AND

('%r'!='<webserverip>' or !(pw_gid & 4))
One does wonder why you are using vpopmail if you have SQL database... you could just use SQL passdb/userdb instead.
Aki