[Dovecot] weird situation with pop3/imap proxy and postfix authentication
Hello dovecot mailing list,
I have a server running postfix and dovecot. I have a configuration on dovecot that allows me to provide imap4/pop3 messages for locally hosted users as well as for proxied users on other servers.
Basically, I have a simple MySQL table (imapproxy) with two fields, 'domain' and 'host'. My password_query is a 'UNION' query, exactly like:
password_query = \
  select endereco as user, password, \
    '/var/spool/mail/%u' as userdb_home, \
    'maildir:/var/spool/mail/%u' as userdb_mail, \
    8 as userdb_uid, 12 as userdb_gid, \
    concat('*:storage=', quota) as userdb_quota_rule, \
    'Trash:storage=+100M' as userdb_quota_rule2, \
    'Y' as proxy_maybe, '10.252.38.2' as host \
  from emails where endereco = '%u' and ativa = '1' \
  UNION \
  select NULL as user, '%w' as password, \
    NULL as userdb_home, NULL as userdb_mail, \
    NULL as userdb_uid, NULL as userdb_gid, \
    NULL as userdb_quota_rule, NULL as userdb_quota_rule2, \
    'Y' as proxy_maybe, imapproxy.host as host \
  from imapproxy where imapproxy.dominio = '%d'
The 10.252.38.2 address in the query is my local server.
When this query receives a local user, from a domain that is NOT listed in the imapproxy table, the results are like:
*************************** 1. row ***************************
              user: localuser@domain.com.br
          password: (SSHA256 encrypted password)
       userdb_home: /var/spool/mail/localuser@domain.com.br
       userdb_mail: maildir:/var/spool/mail/localuser@domain.com.br
        userdb_uid: 8
        userdb_gid: 12
 userdb_quota_rule: *:storage=51200
userdb_quota_rule2: Trash:storage=+100M
       proxy_maybe: Y
              host: 10.252.38.2
When it receives a proxied domain, the results are:
*************************** 1. row ***************************
              user: NULL
          password: password
       userdb_home: NULL
       userdb_mail: NULL
        userdb_uid: NULL
        userdb_gid: NULL
 userdb_quota_rule: NULL
userdb_quota_rule2: NULL
       proxy_maybe: Y
              host: 10.254.116.9
This is working just fine for IMAP4 and POP3 proxying. Local users (whose domains are NOT listed in the imapproxy table) can successfully log in to their accounts, and users from domains listed in the imapproxy table can successfully log in to their accounts as well.
On SMTP authentication, though, things are not so fine. SMTP authentication is provided by dovecot to postfix:
[root@correio dovecot]# postconf mail_version
mail_version = 2.7.1
[root@correio dovecot]#
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
The auth service is defined in the dovecot confs as:
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = mail
    group = mail
  }
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
and it seems to be allowing ANY user on any domain listed in the imapproxy table to log in, even if the user does not exist or provides a wrong password. In fact, it seems dovecot returns OK to postfix even without trying to contact the server assigned to that domain, as I cannot find any password-failed log for that user on the specific server. Example:
(a proxied domain)
[root@correio dovecot]# telnet mail.proxieddomain.com.br 110
Trying 10.254.116.9...
Connected to mail.proxieddomain.com.br (10.254.116.9).
Escape character is '^]'.
+OK Dovecot ready.
user teste@proxieddomain.com.br
+OK
pass password
-ERR Authentication failed.
(I can successfully find this auth attempt and failure in the 10.254.116.9 logs)
But on SMTP authentication, I have:
[root@correio dovecot]# perl -MMIME::Base64 -e \
'print encode_base64("teste\@proxieddomain.com.br\0teste\@proxieddomain.com.br\0password");'
xxxxxxxxx(not the real encoded pass)xxxxxxxxxxxxxxxx=
[root@correio dovecot]#
[root@correio dovecot]# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.domain.com.br ESMTP
EHLO test
250-mail.domain.com.br
[ ... ]
AUTH PLAIN (encoded string returned by perl encode_base64)
235 2.7.0 Authentication successful
(and I cannot even find any authentication log, fail or success, on the specific server for proxieddomain.com.br)
The dovecot version is:
[root@correio dovecot]# dovecot --version
2.2.2
[root@correio dovecot]#
What am I doing wrong here? How can I have dovecot really check users before giving OK to postfix on SMTP authentications?
Thanks for any hints!
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
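The behaviour reported above is what a passdb compare produces when the UNION branch for proxied domains returns '%w' (the password the client just sent) as the stored password: the compare is a tautology, and only services that actually proxy (IMAP/POP3) hand the session to the remote host, which does the real check. The Python below is an added model of that lookup, not Dovecot's code or the poster's configuration; the tables, user names, hash scheme and hosts are constructed to mirror the two result rows shown in the message.

```python
import hashlib

LOCAL_HOST = "10.252.38.2"   # 'host' returned for locally hosted users

def sha256_scheme(pw):
    # Constructed stand-in for the SSHA256 hashes stored for local users
    return "{SHA256}" + hashlib.sha256(pw.encode()).hexdigest()

# Constructed tables mirroring 'emails' and 'imapproxy' from the post
EMAILS = {"localuser@domain.com.br": sha256_scheme("correct-horse")}
IMAPPROXY = {"proxieddomain.com.br": "10.254.116.9"}

def password_query(user, supplied):
    """First UNION branch: a local mailbox with its stored hash.
    Second branch: any user of a proxied domain, with '%w' (the
    password the client supplied) echoed back as the password column."""
    if user in EMAILS:
        return {"password": EMAILS[user], "proxy_maybe": "Y", "host": LOCAL_HOST}
    domain = user.rpartition("@")[2]
    if domain in IMAPPROXY:
        return {"password": supplied, "proxy_maybe": "Y", "host": IMAPPROXY[domain]}
    return None

def password_matches(stored, supplied):
    if stored.startswith("{SHA256}"):
        return stored == sha256_scheme(supplied)
    return stored == supplied   # no scheme prefix: cleartext compare

def authenticate(service, user, supplied):
    """Returns FAIL, OK, or 'PROXY <host>' for the given service."""
    row = password_query(user, supplied)
    if row is None or not password_matches(row["password"], supplied):
        return "FAIL"
    if row["proxy_maybe"] == "Y" and row["host"] != LOCAL_HOST:
        if service in ("imap", "pop3"):
            return "PROXY " + row["host"]   # remote server re-authenticates
        # SMTP AUTH over the postfix socket has no proxy step: the
        # tautological compare above is the final answer.
    return "OK"

if __name__ == "__main__":
    for svc, u, p in [("pop3", "teste@proxieddomain.com.br", "password"),
                      ("smtp", "teste@proxieddomain.com.br", "anything"),
                      ("smtp", "localuser@domain.com.br", "wrong"),
                      ("smtp", "nobody@unknown.example", "x")]:
        print(f"{svc:4} {u:30} -> {authenticate(svc, u, p)}")
```

For a proxied domain the model returns OK for any user and any password on the smtp path while the pop3 path is handed to the remote host, which matches the two telnet sessions in the post.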