dovecot passdb driver=checkpassword as external script for block ip
Refer to https://dovecot.org/pipermail/dovecot/2015-March/099971.html and https://wiki.dovecot.org/PasswordDatabase. I tried to repeat the same thing. I set these passdbs:

    passdb {
      args = /myscript.sh ip=%r
      driver = checkpassword
      result_failure = return-fail
      result_success = continue
    }
    passdb {
      args = /etc/dovecot/dovecot-sql.conf.ext   ( my working auth method )
      driver = sql
    }

Created executable /myscript.sh:

    #!/bin/sh
    exit 1
But I saw in the logs:
    dovecot[15111]: auth: Error: checkpassword(techdept@nestormedia.com,192.168.99.128,<Mos6jW94XNzAqGOA>): Child 15115 exited with status 1
    dovecot[18016]: imap-login: Login: user=....[successful login]

Why does result_failure=return-fail from the first passdb not work?
After some debugging I explain that this happens only when the client authentication method is CRAM-MD5:

    dovecot[5553]: auth: Debug: checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): execute: /myscript.sh ip=192.168.99.128 /usr/libexec/dovecot/checkpassword-reply
    dovecot[5553]: auth: Error: checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Child 7810 exited with status 1
    dovecot[5553]: auth-worker(7811): Debug: Loading modules from directory: /usr/lib/dovecot/auth
    dovecot[5553]: auth-worker(7811): Debug: Module loaded: /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
    dovecot[5553]: auth: Debug: sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Generating CRAM-MD5 from user 'login', password 'pass'
    dovecot[5553]: auth: Debug: sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Credentials: 39d6bc889c65808c09b87d2081fe2aff4fd1e174ed3a97ac966e67323cba8d7e
    dovecot[5553]: auth: Debug: client passdb out: OK 1 user=login

Any other method works correctly and returns:

    auth: Debug: ......... execute: /myscript.sh ............
    ......
    auth: checkpassword(login,ip,<uh259nN4jRwu2KzB>): Login failed (status=1)
    ......
    auth: Debug: client passdb out: FAIL 1 user=login

On Wed, Oct 17, 2018 at 8:09 PM bes bes.internal@gmail.com wrote:
On 17 Oct 2018, at 20.09, bes bes.internal@gmail.com wrote:
While I'm not sure why this does not work, I was wondering if a deny passdb would be more efficient to implement this blacklisting, as executing a script on each login attempt is awfully slow.
Instead I would do something like this:

    # check deny passwd for ip address first
    passdb {
      driver = passwd-file
      args = username_format=%r /etc/dovecot/ip-deny-list
      deny = yes
      auth_verbose = no
      result_success = return-fail
    }

and then just create /etc/dovecot/ip-deny-list with one IP address per line.
Sami
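The following is an added example, not code from the thread or from Dovecot. It ties the two approaches above together: a /myscript.sh in the shape bes's checkpassword passdb expects that reads the same one-address-per-line /etc/dovecot/ip-deny-list Sami suggests, and fails the login for listed addresses. Assumptions: the argument order Dovecot's "execute:" debug line shows (ip=<addr> first, then the checkpassword-reply binary), the checkpassword exit-code convention (exec of the reply binary for success, 1 for failure, 111 for temporary failure), the TCPREMOTEIP environment variable Dovecot exports to checkpassword scripts as a fallback, and the function names and the `decision` helper, which are this example's own. The deny list contents in the test are constructed. As bes's logs show, the first passdb's failure is ignored on his setup when the client uses CRAM-MD5, so this script is not a substitute for Sami's deny passdb; it shows what the script form of the check looks like.

```shell
#!/bin/sh
# Added example checkpassword script (not from the thread or Dovecot).
# Dovecot runs it as:  /myscript.sh ip=<remote ip> /usr/libexec/dovecot/checkpassword-reply
# so $1 carries the address and $2 the reply binary. Username and password
# arrive on fd 3 and are left unread here, as in the thread's "exit 1" script.

# Assumed deny-list location: the file from Sami's passwd-file suggestion,
# one IP address per line; '#' comments and trailing blanks are tolerated.
DENY_LIST="${DENY_LIST:-/etc/dovecot/ip-deny-list}"

# ip_denied IP FILE: succeed (exit 0) if IP appears as a whole line in FILE.
# Comments are stripped first and the match is a fixed whole-line string, so
# 10.0.0.7 does not match 10.0.0.70 and '.' cannot act as a regex wildcard.
ip_denied() {
    [ -r "$2" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$2" | grep -q -x -F -- "$1"
}

# decision IP FILE: print "deny" if IP is listed, "allow" if not, and
# "unknown" when there is no address to check at all.
decision() {
    if [ -z "$1" ]; then
        echo unknown
    elif ip_denied "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# checkpassword_main ARGS...: translate the decision into what Dovecot sees.
checkpassword_main() {
    case "$1" in
        # Address passed explicitly via "ip=%r" in the passdb args.
        ip=*) ip=${1#ip=}; reply=$2 ;;
        # No ip= argument: fall back to Dovecot's TCPREMOTEIP environment.
        *)    ip=${TCPREMOTEIP:-}; reply=$1 ;;
    esac
    case "$(decision "$ip" "$DENY_LIST")" in
        # Nothing to check: temporary failure rather than silently allowing.
        unknown) exit 111 ;;
        # Listed address: authentication failure. With result_failure =
        # return-fail the thread's config stops here without reaching SQL.
        deny)    exit 1 ;;
        # Not listed: report success by exec'ing the reply binary. The
        # password is not verified here; with the thread's result_success =
        # continue the SQL passdb still decides.
        allow)   exec "$reply" ;;
    esac
}

# Act only when invoked with arguments (as Dovecot does); sourcing the file
# with no arguments just defines the functions.
[ "$#" -eq 0 ] || checkpassword_main "$@"
```

The whole-line fixed-string match matters because a deny list of dotted addresses is not a list of regular expressions; a naive `grep 192.168.99.1` would also hit 192.168.99.128. Outside Dovecot the file can be sourced and `decision` called directly to check a list before it is put into service.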
participants (2)
- bes
- Sami Ketola