Postfix : root and system user authentication

15 Mar 2023 · _valid_

      Hello everyone,
...
From what I understand of the documentation, it is impossible to
log in to the dovecot server as root, or as any user not in the
interval between first_valid_uid and last_valid_uid.
I have been able to verify this.
However, when we have a postfix server on the same machine, that
delegates authentication to dovecot SASL according to the
configuration described at
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/,
we can indeed log in as root on the postfix server.
Proof (/var/log/mail.log with auth=debug) :
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=<redacted>#011rip=<redacted>#011secured#011resp=<hidden>
Mar 13 20:16:37 ricorambo dovecot: auth: Debug:
pam(root,<redacted>): Performing passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
Module loaded:
/usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): Server accepted
connection (fd=13)
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): Sending version
handshake
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>:
Handling PASSV request
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>:
pam(root,<redacted>): Performing passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>:
pam(root,<redacted>): lookup service=dovecot
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>:
pam(root,<redacted>): #1/1 style=1 msg=Password:
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>:
pam(root,<redacted>): Finished passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug:
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>:
Finished
Mar 13 20:16:37 ricorambo dovecot: auth: Debug:
pam(root,<redacted>): Finished passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth: Debug:
auth(root,<redacted>): Auth request finished
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client passdb out:
OK#0111#011user=root#011
At this moment, the smtps client connecting to postfix produces
"Authentication successful" and we can continue.
In contrast, when we try to login to dovecot directly as root, we
have the following :
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=<redacted>#011lip=<redacted>#011rip=<redacted>#011lport=993#011rport=52004#011local_name=mail.ricorambo.su#011resp=<hidden>
Mar 13 20:28:38 ricorambo dovecot: auth: Debug:
pam(root,<redacted>,<redacted>): Performing passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
Module loaded:
/usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): Server accepted
connection (fd=13)
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): Sending version
handshake
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>:
Handling PASSV request
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>:
pam(root,<redacted>,<redacted>): Performing passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>:
pam(root,<redacted>,<redacted>): lookup service=dovecot
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>:
pam(root,<redacted>,<redacted>): #1/1 style=1 msg=Password:
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>:
pam(root,<redacted>,<redacted>): Finished passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>:
Finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug:
pam(root,<redacted>,<eU8pHs32JMuE40wF>): Finished passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth: Debug:
auth(root,<redacted>,<eU8pHs32JMuE40wF>): Auth request finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client passdb out:
OK#0111#011user=root#011#011original_user=root@ricorambo.su
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: master in:
REQUEST#<redacted>
Mar 13 20:28:38 ricorambo dovecot: auth: Debug:
passwd(root,<redacted>,<redacted>): Performing userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>:
Handling USER request
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>:
passwd(root,<redacted>,<redacted>): Performing userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>:
passwd(root,<redacted>,<redacted>): lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>:
passwd(root,<redacted>,<redacted>): Finished userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug:
conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>:
Finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug:
passwd(root,<redacted>,<redacted>): Finished userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: master userdb out:
USER#<redacted>
Mar 13 20:28:38 ricorambo dovecot: imap-login: Login: user=<root>,
method=PLAIN, rip=<redacted>, lip=192.168.1.22, mpid=137090, TLS,
session=<redacted>
Mar 13 20:28:38 ricorambo dovecot: imap(root): Error: Invalid
settings in userdb: userdb returned 0 as uid
Mar 13 20:28:38 ricorambo dovecot: imap(root): Warning: Event
0xaaab0e9db2a0 leaked (parent=0xaaab0e9cdc80):
mail-storage-service.c:1336
Mar 13 20:28:38 ricorambo dovecot: imap(root): Warning: Event
0xaaab0e9cdc80 leaked (parent=(nil)): main.c:246
At this moment, the imap client produces "Internal server error"
and finishes.
Steps to reproduce :

Delegate SASL authentication from postfix to dovecot as such :

/etc/postfix/master.cf
smtps     inet  n       -       y       -       -       smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
and of course :
/etc/dovecot/conf.d/10-master.conf
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}

login to your server, port 465, with a client like openssl :

openssl s_client -connect mail.example.org:465
EHLO whateveryouwant
AUTH PLAIN \0root\0password (in base 64, ofc)
You should be able to login, and produce the first log trace I
have included.
My question is, is this a feature or a bug ? The hardcoded
impossibility to login as root to dovecot, and the honouring of
the variables {first,last}_valid_{u,g}id, are those specific to
login to dovecot directly, or should they be applicable to any
other process that has delegated its authentication to dovecot ?
If this is a feature, that is if postfix cannot profit from the
variables {first,last}_valid_{u,g}id (or the hardcoded forbidding
of root) through dovecot sasl :

This should maybe made more obvious somewhere in the
documentation.
What would be the good way to prevent root login to postfix,
when authentication is delegated to dovecot ?

The dovecot version is 2.3.13 (89f716dc2)
The system is the following : Linux 5.10.0-21-arm64 #1 SMP Debian
5.10.162-1 (2023-01-21) aarch64 GNU/Linux
Thank you in advance for your time. I have included the output of
dovecot -n for reference.
Best regards,
Aymeric

Postfix : root and system user authentication

Aymeric Agon-Rambosson