Hello list,
I run Dovecot with the vpopmail driver and have found that it authenticates against the clear text password in the vpopmail database. Is there a configuration option either at compile time, link time, or a setting in one of the configuration files that tells the program to authenticate against the hash instead of the clear text?
-- Eric Broch White Horse Technical Consulting (WHTC)
On 03.10.2018 23:30, Eric Broch wrote:
[...]
Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
Aki
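As an added example (my code, not Dovecot's), the following shows what Aki's {SCHEME} prefix does: the scheme named in braces decides how Dovecot compares the stored value, and a value without a prefix is read with the passdb's default_pass_scheme, which is PLAIN unless configured otherwise. Assumed, and not from the thread: the scheme set (PLAIN, SHA256, SHA512 and the salted SSHA256/SSHA512, stored as base64 of digest||salt in Dovecot's convention, with the .HEX and .B64 suffixes), the helper names, and the sample passwords. {CRYPT}, the scheme Aki mentions, goes through crypt(3) in Dovecot and is not reimplemented here.

```python
"""Added example, not Dovecot's code: how a {SCHEME}-prefixed passdb value is
interpreted, following Dovecot's documented password-scheme conventions.

{SCHEME}data names the scheme to verify against; a value without a prefix is
read with the passdb's default_pass_scheme (PLAIN unless configured). Schemes
implemented here: PLAIN, SHA256, SHA512 and the salted SSHA256/SSHA512, which
Dovecot stores as base64 of digest||salt; the .HEX and .B64 encoding suffixes
are honoured. {CRYPT}, the scheme named in the thread, goes through crypt(3)
in Dovecot and is not reimplemented here.
"""
import base64
import hashlib
import hmac
import os
import re

_PREFIX = re.compile(r"^\{([A-Za-z0-9_-]+)(?:\.(HEX|B64|BASE64))?\}(.*)$", re.I | re.S)
_DIGESTS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def split_scheme(stored, default_scheme="PLAIN"):
    """Return (scheme, encoding, data); the default scheme applies without a prefix."""
    m = _PREFIX.match(stored)
    if m is None:
        return default_scheme.upper(), None, stored
    scheme, enc, data = m.groups()
    return scheme.upper(), (enc.upper() if enc else None), data


def _resolve(scheme):
    """Map a scheme name to (digest constructor, salted?)."""
    if scheme in _DIGESTS:
        return _DIGESTS[scheme], False
    if scheme[:1] == "S" and scheme[1:] in _DIGESTS:   # SSHA256 -> salted SHA256
        return _DIGESTS[scheme[1:]], True
    raise ValueError("unsupported scheme " + scheme)


def verify(stored, supplied, default_scheme="PLAIN"):
    """True if `supplied` is the password behind the passdb field `stored`."""
    scheme, enc, data = split_scheme(stored, default_scheme)
    pw = supplied.encode()
    if scheme in ("PLAIN", "CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(data.encode(), pw)
    digest_fn, salted = _resolve(scheme)
    blob = bytes.fromhex(data) if enc == "HEX" else base64.b64decode(data)
    n = digest_fn().digest_size
    digest, salt = (blob[:n], blob[n:]) if salted else (blob, b"")  # Dovecot: digest||salt
    return hmac.compare_digest(digest_fn(pw + salt).digest(), digest)


def make_field(password, scheme="SSHA256", encoding="B64", salt=None):
    """Build a {SCHEME}-prefixed value suitable for storing in pw_passwd."""
    digest_fn, salted = _resolve(scheme)
    salt = (salt if salt is not None else os.urandom(16)) if salted else b""
    blob = digest_fn(password.encode() + salt).digest() + salt
    if encoding.upper() == "HEX":
        return "{%s.HEX}%s" % (scheme, blob.hex())
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode())


if __name__ == "__main__":
    field = make_field("correct horse battery staple")        # {SSHA256}...
    print(field, verify(field, "correct horse battery staple"))
    print(verify("s3cret", "s3cret"))   # no prefix: compared as PLAIN under default_pass_scheme
```

With no prefix, verify() behaves like Dovecot with default_pass_scheme = PLAIN: the stored value is compared as the password itself, which is the situation Eric describes. Once pw_passwd carries a prefix, the scheme in braces is what decides the comparison, and any tool that writes the column only has to prepend the right prefix.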
Quoting Aki Tuomi aki.tuomi@open-xchange.com:
[...]
Or use SQL - then you don't have to munge any of your tools.
password_query = \
  SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, \
         pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid \
  FROM vpopmail \
  WHERE pw_name = '%n' AND pw_domain = '%d' \
    AND !(pw_gid & 8) AND !(pw_gid & 2) \
    AND ('%r'!='<webserverip>' or !(pw_gid & 4))
pw_gid refers to the binary vpopmail flags for disable POP, IMAP, Webmail.
Rick
On 10/4/2018 6:34 AM, Rick Romero wrote:
[...]
When configuring vpopmail for our purposes we use (now) the configuration option:
--disable-many-domains Creates a table for each virtual domain instead of storing all users in a single table. Only valid for MySQL and PostgreSQL
This disallows (I think) the use of the Dovecot MySQL configuration file, as every user is stored in a domain table of the form 'mydomain_tld'.
So, we're limited to these configurations (no dovecot-mysql.conf.ext) :
passdb {
  args = cache_key=%u webmail=127.0.0.1
  driver = vpopmail
}
userdb {
  args = cache_key=%u quota_template=quota_rule=*:backend=%q
  driver = vpopmail
}
If there is a clear text password (pw_clear_passwd) present it seems that Dovecot will use that instead of using the hash (pw_passwd).
It seems from the code in 'passdb-vpopmail.c' (below) that if the clear password (pw_clear_passwd) is present Dovecot skips the hashed password (pw_passwd), and we want authentication against the hashed password.
<snippet>
    if (vpopmail_is_disabled(auth_request, vpw)) {
        auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
                              "%s disabled in vpopmail for this user",
                              auth_request->service);
        password = NULL;
        *result_r = PASSDB_RESULT_USER_DISABLED;
    } else {
        if (vpw->pw_clear_passwd != NULL &&
            *vpw->pw_clear_passwd != '\0') {
            password = t_strdup_noconst(vpw->pw_clear_passwd);
            *cleartext = TRUE;
        } else if (!*cleartext)
            password = t_strdup_noconst(vpw->pw_passwd);
        else
            password = NULL;
        *result_r = password != NULL ? PASSDB_RESULT_OK :
            PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
    }
</snippet>
Looking for an option to make dovecot use hashed password instead of clear text.
Hope this makes sense.
-EricB
-- Eric Broch White Horse Technical Consulting (WHTC)
Quoting Eric Broch ebroch@whitehorsetc.com:
[...]
We seem to have lost quoting..
First - Why aren't you just deleting all the clear text passwords?
Second, for many domains, my password query for your purposes should just be:
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password,
       pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM %d
WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8) AND !(pw_gid & 2)
  AND ('%r'!='<webserverip>' or !(pw_gid & 4))
Where %d is the domain name. Your vpopmail database should have a bunch of domain.com table names. Or you can hardcode the database with FROM vpopmail.%d. You may need to play with quotes.. FROM `vpopmail.%d` or FROM `%d`
Rick
On 10/4/2018 7:27 AM, Rick Romero wrote:
[...]
Rick,
I'm not sure what you're saying.
Vpopmail's DB can be configured in two different ways: 1) with domain tables and all users for that particular domain underneath (described below), or 2) simply one table with all users and the domain field 'pw_domain' (this works with dovecot-sql.conf.ext files). The former (1), which we use, does not allow the use of dovecot-sql.conf.ext files; we're limited to the userdb and passdb options previously mentioned. When using these options Dovecot will get the clear text password if present.
The problem is that if a password is over 16 characters long the clear text field will only store the first 16 characters while the hashed field will contain the whole password.
# echo "describe domain_tld" | mysql -u root -p`cat vpoppasswd` vpopmail

yields

Field            Type       Null  Key  Default  Extra
pw_name          char(32)   NO    PRI  NULL
pw_passwd        char(40)   YES        NULL
pw_uid           int(11)    YES        NULL
pw_gid           int(11)    YES        NULL
pw_gecos         char(48)   YES        NULL
pw_dir           char(160)  YES        NULL
pw_shell         char(20)   YES        NULL
pw_clear_passwd  char(16)   YES        NULL
As you can see there is no 'pw_domain' field from which to draw.
Again we are limited to the passdb, and userdb options already described.
-- Eric Broch White Horse Technical Consulting (WHTC)
Quoting Eric Broch ebroch@whitehorsetc.com:
[...]
I'm not sure why #1 wouldn't work with a proper query - here's the same without a reference to pw_domain at all.
SELECT CONCAT(pw_name, '@', %d) AS user, pw_passwd AS password,
       pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM %d
WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8) AND !(pw_gid & 2)
  AND ('%r'!='<webserverip>' or !(pw_gid & 4))
Alternatively if you absolutely must have clear text password, and it has to be greater than 16 characters, make the MySQL field bigger than 16 characters. 'Alter table' is the command.
It really sounds to me like you need a test environment.
Rick
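As an added example, which is my code rather than Dovecot's or vpopmail's, the following models the situation the thread has arrived at with an in-memory SQLite table shaped like the `describe domain_tld` output above: the quoted passdb-vpopmail.c branch prefers a non-empty pw_clear_passwd, and a char(16) column keeps only the first 16 characters of a longer password, so a PLAIN login against such a row is checked against the truncated value. It then applies the remedy Rick suggests (blanking the clear column so the driver falls through to pw_passwd), an audit for rows that may already be truncated, and the pw_gid gating from his password_query. Assumed, and not taken from the thread: the flag values NO_POP=2, NO_WEBMAIL=4 and NO_IMAP=8 (vpopmail's vpopmail.h), the sample rows, the webserver address, and a {SHA256.HEX} value in pw_passwd; MySQL's `!(x & n)` is written `NOT (x & n)` because SQLite has no `!`.

```python
"""Added example, not Dovecot's or vpopmail's code. It models, with an in-memory
SQLite table shaped like the thread's `describe domain_tld` output, the branch
quoted from passdb-vpopmail.c (a non-empty pw_clear_passwd wins, pw_passwd is
only used when the clear column is empty) together with the char(16) width of
pw_clear_passwd, then applies the remedy suggested in the thread.

Assumptions: NO_POP=2, NO_WEBMAIL=4, NO_IMAP=8 are vpopmail.h's flag values;
rows, addresses and the {SHA256.HEX} hash format are constructed sample data;
`NOT (x & n)` stands in for MySQL's `!(x & n)`.
"""
import hashlib
import hmac
import sqlite3

NO_POP, NO_WEBMAIL, NO_IMAP = 2, 4, 8        # vpopmail.h bit flags (assumption)
CLEAR_COL_WIDTH = 16                         # pw_clear_passwd is char(16)
DOMAIN, TABLE = "example.com", "example_com" # vpopmail names the table domain_tld


def sha256_field(password):
    """A {SCHEME}-prefixed value of the kind the thread suggests storing in pw_passwd."""
    return "{SHA256.HEX}" + hashlib.sha256(password.encode()).hexdigest()


def open_db():
    """Constructed sample table; SQLite's TEXT does not enforce char(40)/char(16),
    so the char(16) truncation is emulated on insert."""
    db = sqlite3.connect(":memory:")
    db.execute(f"""CREATE TABLE {TABLE} (
        pw_name TEXT PRIMARY KEY, pw_passwd TEXT, pw_uid INTEGER, pw_gid INTEGER,
        pw_gecos TEXT, pw_dir TEXT, pw_shell TEXT, pw_clear_passwd TEXT)""")
    sample = [  # name, pw_gid flags, the clear password the user chose
        ("alice", 0,          "short-pw"),
        ("bob",   0,          "a-password-longer-than-16-chars"),
        ("carol", NO_IMAP,    "carol-pw"),
        ("dave",  NO_WEBMAIL, "dave-pw"),
    ]
    for name, gid, clear in sample:
        db.execute(f"INSERT INTO {TABLE} VALUES (?,?,89,?,?,?,'NOQUOTA',?)",
                   (name, sha256_field(clear), gid, name,
                    f"/home/vpopmail/domains/{DOMAIN}/{name}",
                    clear[:CLEAR_COL_WIDTH]))   # what char(16) keeps of the value
    return db


def select_password(pw_passwd, pw_clear_passwd, need_cleartext=False):
    """Same decision as the quoted passdb-vpopmail.c branch: a non-empty clear
    column wins; otherwise the hash, unless the mechanism insisted on cleartext."""
    if pw_clear_passwd:
        return pw_clear_passwd, True
    if not need_cleartext:
        return pw_passwd, False
    return None, False


def check_login(db, user, supplied):
    """Return (accepted, column the driver compared against) for a PLAIN login."""
    row = db.execute(f"SELECT pw_passwd, pw_clear_passwd FROM {TABLE} WHERE pw_name = ?",
                     (user,)).fetchone()
    if row is None:
        return False, None
    password, is_clear = select_password(*row)
    if is_clear:
        return hmac.compare_digest(password.encode(), supplied.encode()), "pw_clear_passwd"
    return hmac.compare_digest(password, sha256_field(supplied)), "pw_passwd"


def possibly_truncated(db):
    """Audit: a clear value that exactly fills char(16) may have been cut off."""
    rows = db.execute(f"SELECT pw_name FROM {TABLE} WHERE length(pw_clear_passwd) = ?",
                      (CLEAR_COL_WIDTH,))
    return [r[0] for r in rows]


def drop_clear_passwords(db):
    """The remedy from the thread: blank the clear column so the driver uses pw_passwd."""
    cur = db.execute(f"UPDATE {TABLE} SET pw_clear_passwd = NULL "
                     f"WHERE pw_clear_passwd IS NOT NULL")
    db.commit()
    return cur.rowcount


def password_query(db, user, remote_ip, webserver_ip="192.0.2.10"):
    """The thread's password_query in SQLite form: '%n' and '%r' become parameters,
    both IMAP and POP flags deny, and the webmail flag only matters from the webserver."""
    return db.execute(
        f"SELECT pw_name || '@' || ? AS user, pw_passwd AS password, pw_dir AS userdb_home "
        f"FROM {TABLE} WHERE pw_name = ? AND NOT (pw_gid & {NO_IMAP}) "
        f"AND NOT (pw_gid & {NO_POP}) AND (? != ? OR NOT (pw_gid & {NO_WEBMAIL}))",
        (DOMAIN, user, remote_ip, webserver_ip)).fetchone()


if __name__ == "__main__":
    db = open_db()
    full = "a-password-longer-than-16-chars"
    print(check_login(db, "bob", full))       # full password refused: clear column is truncated
    print(check_login(db, "bob", full[:16]))  # the 16-character prefix is accepted
    print(possibly_truncated(db))             # ['bob']
    drop_clear_passwords(db)
    print(check_login(db, "bob", full))       # now compared against pw_passwd
    print(password_query(db, "carol", "203.0.113.5"))  # None: NO_IMAP is set
```

Run as a script, it shows that before the clear column is blanked bob's full password is refused while its first 16 characters are accepted, because that is all the char(16) column holds; after the UPDATE the comparison moves to pw_passwd and the full password is what authenticates. A real vpopmail table would also need pw_passwd widened beyond char(40) for a {SHA256.HEX} value, which SQLite's TEXT column does not enforce here.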
Quoting Rick Romero rick@havokmon.com:
[...]
Dammit
SELECT CONCAT(pw_name, '@', %d) AS user, pw_passwd AS password,
       pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM %d
WHERE pw_name = '%n' AND !(pw_gid & 8) AND !(pw_gid & 2)
  AND ('%r'!='<webserverip>' or !(pw_gid & 4))
On 04 October 2018 at 17:42 Rick Romero rick@havokmon.com wrote:
[...]
One does wonder why you are using vpopmail if you have SQL database... you could just use SQL passdb/userdb instead.
Aki
On 10/4/2018 7:27 AM, Rick Romero wrote:
[...]
I think we're getting to the crux.
The domain tables are not in 'domain.com' form but in 'domain_com' form (who knows why the vpopmail authors would do that), the users being rows in the table. So, if I add a virtual domain (our vpopmail configuration '--disable-many-domains') to my mail server, e.g., 'mydomain.com', vpopmail creates a domain table 'mydomain_com', the '.' (dot) replaced by an '_' (underscore). That's why the SQL query above will not work. If there were a way (and I don't know it) to replace the '.' with an '_' in the query we could go that way. Until then we have to simply use the current dovecot vpopmail driver instead of the more robust sql driver.
Again, the vpopmail driver will use the clear text password (if present) and not bother with the hashed password.
One solution as you mentioned was to delete the clear text, but I simply wanted to avoid messing with the database and implement a simpler configuration option.
Thank you, Rick
--EricB
-- Eric Broch White Horse Technical Consulting (WHTC)
participants (3): Aki Tuomi, Eric Broch, Rick Romero