Quoting Rick Romero rick@havokmon.com:
Quoting Aki Tuomi aki.tuomi@dovecot.fi:
On July 11, 2017 at 11:50 AM azurit@pobox.sk wrote:
Quoting azurit@pobox.sk:
Quoting Aki Tuomi aki.tuomi@dovecot.fi:
On July 10, 2017 at 1:45 PM azurit@pobox.sk wrote:
Quoting Aki Tuomi aki.tuomi@dovecot.fi:
On July 10, 2017 at 12:33 PM azurit@pobox.sk wrote:
Hi,
I'm trying to configure Dovecot proxy with user authentication on the proxy side only, so backends will authenticate using the master password (the proxy is configured to send it). The problem is that Dovecot, on the backends, is telling me that I need to configure at least one auth mechanism:
auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
The master auth is correctly configured.
What I want to accomplish is to have the user database in one place only (= proxy). Any hints?
azur
Can you show your backend doveconf -n?
Aki
Here it is: https://pastebin.com/C8dTUm5k
Try adding another entry after the first passdb (order matters)
passdb {
  driver = static
  args = nopassword
  deny = yes
  skip = authenticated
}
Aki
This seems to be working, thank you. Can you explain to me why it's needed?
No need to explain it anymore, I understand it now. I made a little change and the (probably) final version is this:
passdb {
  driver = static
  args = nopassword
  skip = authenticated
}
I removed 'deny = yes' as, I believe, it's not needed and it was causing problems with LMTP proxying ('User doesn't exist' error message from backend LMTP). Thanks again.
azur
Hi!
This is a very dangerous configuration; please consider using what Sami suggested, viz.
passdb {
  driver = static
  args = password=masterpassword
}
and remove the master auth completely. Then you can override the user's password to masterpassword in the proxy config.
Aki
This is awesome, as I was just contemplating how to maintain persistence with 2FA. Is it possible to use a passdb based on remote IP? There's a username_filter, but I want to use a master password for webmail (which will use 2FA via Radius), and those IPs are known and non-routable.
Rick
Maybe just in the SQL passdb would be better...
password_query = SELECT userid as user, \
  if(host = '192.168.1.1', encrypt('masterpassword'), pass_field) as password \
  FROM users WHERE userid = '%u'
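
Added example (not part of the thread and not Dovecot project code): a small Python check over `doveconf -n`-style output that flags the backend pattern Aki warns about, a static passdb with `nopassword` and no `deny = yes`, which accepts any password for a login the master passdb did not already authenticate. The sample configs, the function names and the passwd-file path are constructed for illustration.

```python
import re

# Constructed sample: backend passdb section with azur's final static passdb.
# The passwd-file path is a placeholder, not taken from the thread.
WEAK = """
passdb {
  args = /etc/dovecot/master-users
  driver = passwd-file
  master = yes
}
passdb {
  args = nopassword
  driver = static
  skip = authenticated
}
"""

# Constructed sample: the form Aki recommends, with the master passdb removed.
FIXED = """
passdb {
  args = password=masterpassword
  driver = static
}
"""

def parse_passdbs(conf):
    """Return each top-level passdb { ... } block as a dict of its settings."""
    blocks = []
    for body in re.findall(r"^passdb\s*\{(.*?)^\}", conf, re.S | re.M):
        settings = {}
        for line in body.splitlines():
            key, sep, value = line.partition("=")  # split on the first '=' only
            if sep:
                settings[key.strip()] = value.strip()
        blocks.append(settings)
    return blocks

def audit(conf):
    """Flag static passdbs that accept any password (nopassword, not denying)."""
    findings = []
    for index, db in enumerate(parse_passdbs(conf), start=1):
        args = db.get("args", "").split()
        open_login = any(a.split("=")[0] == "nopassword" for a in args)
        if db.get("driver") == "static" and open_login and db.get("deny") != "yes":
            findings.append(f"passdb #{index}: static nopassword without deny = yes")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(conf) or "no open passdb found")
```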