On 21 March 2018 at 18:12 mj lists@merit.unu.edu wrote:
Hi,
I noticed the following in the logs of our debian wheezy server:
Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,
): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMA ccountName=username)(!(userAccountControl=514))) Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4, ): result: uid=username; uid unused Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4, ): result: uid=username Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4, ): invalid credentials (given password: invalid_password) Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4, ): lookup Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4, ): allow_nets: Matching for network 127.0.0.1/32 Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4, ): allow_nets check failed: IP not in allowed networks Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4, ): Allowing any password Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174) The line second last line "Allowing any password" comes as a surprise..? Why would dovecot Allow any password..?
We had the following bit in our config, but I removed it now:
#passdb { # driver = static # args = nopassword=y allow_nets=127.0.0.1/32 #}
Could anyone expain the "Allowing any password"?
This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or
doveadm exec imap -u victim
for admin use.
Aki