Re: vpopmail

4 Oct 2018 · _' (underscore). That's why the SQL query above will not work. If there were a way (and I don't know it) to replace the '.' with an '_


      On 10/4/2018 7:27 AM, Rick Romero wrote:
...
Quoting Eric Broch mailto:ebroch@whitehorsetc.com>:
...
On 10/4/2018 6:34 AM, Rick Romero wrote:
...
Quoting Aki Tuomi mailto:aki.tuomi@open-xchange.com>:
...
On 03.10.2018 23:30, Eric Broch wrote:
...
Hello list,
I run Dovecot with the vpopmail driver and have found that it
authenticates against the clear text password in the vpopmail
database. Is there a configuration option either at compile time, link
time, or a setting in one of the configuration files that tells the
program to authenticate against the hash instead of the clear text?
Prefix your passwords in vpopmail with {SCHEME} (like,  {CRYPT})
Aki
Or use SQL -  then you don't have to munge any of your tools.
password_query =
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password,
pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid &
8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
pw_gid refers to the the binary vpopmail flags for disable POP, IMAP,
Webmail.
Rick
When configuring vpopmail for our purposes we use (now) the
configuration option:
--disable-many-domains     Creates a table for each virtual domain instead of storing all users in a single table.
Only valid for MySQL and PostgreSQL
This disallows (I think) the use Dovecot MySQL configuration file as every user is stored in a domain table of the form 'mydomain_tld'.
So, we're limited to these configurations (no dovecot-mysql.conf.ext) :
passdb {
args = cache_key=%u webmail=127.0.0.1
driver = vpopmail
}
userdb {
args = cache_key=%u quota_template=quota_rule=*:backend=%q
driver = vpopmail
}
If there is a clear text password (pw_clear_passwd) present it seems that Dovecot will use that instead of using the hash (pw_passwd).
It seems that in the code 'passdb-vpopmail.c' (below) that if the clear password (pw_clear_passwd) is present Dovecot skips the hashed password (pw_passwd), and we want authentication against the hashed password.
<snippet>
         if (vpopmail_is_disabled(auth_request, vpw)) {
                 auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
                                       "%s disabled in vpopmail for this user",
                                       auth_request->service);
                 password = NULL;
                 *result_r = PASSDB_RESULT_USER_DISABLED;
         } else {
                 if (vpw->pw_clear_passwd != NULL &&
                     *vpw->pw_clear_passwd != '\0') {
                         password = t_strdup_noconst(vpw->pw_clear_passwd);
                         *cleartext = TRUE;
                 } else if (!*cleartext)
                         password = t_strdup_noconst(vpw->pw_passwd);
                 else
                         password = NULL;
                 *result_r = password != NULL ? PASSDB_RESULT_OK :
                         PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
         }
</snippet>
Looking for an option to make dovecot use hashed password instead of clear text.
Hope this makes sense.
-EricB
We seem to have lost quoting..
First - Why aren't you just deleting all the clear text passwords?
Second, for many domanis, my password query for your purposes should just be:
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM %d WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
Where %d is the domain name. Your vpopmail database should have a bunch of domain.com table names.
Or you can hardcode the database with   FROM vpopmail.%d
You may need to play with quotes..  FROM vpopmail.%d  or  FROM %d
Rick
I think we're getting to the crux.
The domain tables are not in 'domain.com' form but in 'domain_com' form
(who knows why the vpopmail authors would do that)...users being in the
table.
So, if I add a virtual domain (our vpopmail configuration
'--disable-many-domains') to my mail server, e.g., 'mydomain.com',
vpopmail creates a domain table 'mydomain_com', the '.' (dot) replaced
by an '_' (underscore).
That's why the SQL query above will not work. If there were a way (and I
don't know it) to replace the '.' with an '_' in the query we could go
that way. Until then we have to simply use the current dovecot vpopmail
driver
instead of the more robust sql driver.
Again, the vpopmail driver will use the clear text password (if present)
and not bother with the hashed password.
One solution as you mentioned was to delete the clear text, but I simply
wanted to avoid messing with the database and implement a more simple
configuration option.
Thank you, Rick
--EricB
--
Eric Broch
White Horse Technical Consulting (WHTC)