[Dovecot] BUG: passdb checkpassword {} and lastauth file
(Repeat, because there was no reaction to the first message.) Hi. If the checkpassword interface is used to work with vpopmail, the vpopmail function "Record time and ip of last auth attempt" (the --enable-auth-logging option for configure) won't work: the file "lastauth" is created in the Maildir, but it does not contain the IP address. If I have understood correctly, Dovecot doesn't set the environment variable TCPREMOTEIP for vchkpw. If the changes in auth/passdb-checkpassword.c (patch attached) are made, everything works. Probably the patch is incorrect and does not solve all problems, but I ask you to pay attention to the existence of the problem. It is also possible that a similar problem exists with the other variables of the UCSPI TCP protocol (http://cr.yp.to/proto/ucspi-tcp.txt).

P.S. If the vpopmail interface is used instead of checkpassword, the file "lastauth" is not created at all, which is a little inconvenient.

**********************************
System:
dovecot-1.0.rc10
vpopmail-5.4.17
ASP Linux Server II (RHEL3 clone)
kernel 2.4.21-47.EL.aspsmp
CPU architecture: x86 (IBM xSeries 336)
Filesystem: ext3
**********************************
dovecot configuration:
base_dir = /var/run/dovecot/
protocols = imap pop3
disable_plaintext_auth = no
ssl_disable = yes
login_greeting = Ready.
first_valid_uid = 89
last_valid_uid = 89
first_valid_gid = 89
last_valid_gid = 89
protocol imap {
  listen = 81.26.136.8:144
  mail_executable = /usr/local/libexec/dovecot/imap
  mail_plugins = quota imap_quota
  mail_plugin_dir = /usr/local/lib/dovecot/imap
  imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
  listen = 81.26.136.8:112
  login_executable = /usr/local/libexec/dovecot/pop3-login
  mail_executable = /usr/local/libexec/dovecot/pop3
  pop3_uidl_format = %f
  mail_plugins = quota
  mail_plugin_dir = /usr/local/lib/dovecot/pop3
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
auth default {
  mechanisms = plain login
  passdb checkpassword {
    args = /var/qmail/vpopmail/bin/vchkpw
  }
  userdb prefetch {
  }
  user = root
}
dict {
}
plugin {
  quota = maildir
}
***************************************
dovecot configure options:
./configure \
  --disable-ipv6 \
  --prefix=/usr/local \
  --sysconfdir=/etc/dovecot \
  --without-passwd \
  --without-passwd-file \
  --without-shadow \
  --without-pam \
  --without-bsdauth \
  --with-checkpassword \
  --with-vpopmail \
  --without-static-userdb \
  --with-prefetch-userdb \
  --without-sql \
  --without-pgsql \
  --without-mysql \
  --without-sqlite \
  --with-ssl=openssl \
  --with-pop3d \
  --without-deliver \
  --with-storages=maildir \
  --with-docs
*****************************************
vpopmail configure options:
./configure \
  --enable-auth-module=cdb \
  --enable-logging=p \
  --enable-md5-passwords \
  --enable-make-seekable \
  --enable-file-sync \
  --enable-ip-alias-domains \
  --enable-clear-passwd \
  --disable-roaming-users \
  --disable-learn-passwords \
  --disable-passwd \
  --enable-auth-logging

diff -ur dovecot-1.0.rc10.orig/src/auth/passdb-checkpassword.c dovecot-1.0.rc10/src/auth/passdb-checkpassword.c
--- dovecot-1.0.rc10.orig/src/auth/passdb-checkpassword.c 2006-08-22 06:37:56.000000000 +0400
+++ dovecot-1.0.rc10/src/auth/passdb-checkpassword.c 2006-10-17 16:47:09.000000000 +0400
@@ -226,6 +226,10 @@ env_put(t_strconcat("REMOTE_IP=", net_ip2addr(&request->remote_ip), NULL)); + env_put(t_strconcat("TCPREMOTEIP=", + net_ip2addr(&request->remote_ip), + NULL)); + } if (request->master_user != NULL) { env_put(t_strconcat("MASTER_USER=",
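Review bot: only the remote side gets its UCSPI-TCP name here; the context line shows Dovecot already exporting REMOTE_IP, and the reply in this thread confirms LOCAL_IP is exported next to it, so TCPLOCALIP should be added in the matching local-address branch in the same way, e.g. `env_put(t_strconcat("TCPLOCALIP=", net_ip2addr(&request->local_ip), NULL));`, otherwise vchkpw sees half of the UCSPI environment. Also, as rendered the hunk shows `+ }` as an added line while the header counts four added lines against the three visible TCPREMOTEIP lines; if that brace is genuinely added rather than an unchanged context line, it unbalances the enclosing `if` block, so check the patch file before applying. Minor: net_ip2addr() is now called twice on the same address; store its result once and reuse it for both env_put() calls.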
On Thu, 2006-10-26 at 11:49 +0400, Max A wrote:
It is also possible that a similar problem exists with the other variables of the UCSPI TCP protocol (http://cr.yp.to/proto/ucspi-tcp.txt).
Hmm. I hadn't heard of UCSPI before.
Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP will stay for backwards compatibility, maybe I'll remove them in Dovecot v2.0.
It is also possible that a similar problem exists with the other variables of the UCSPI TCP protocol (http://cr.yp.to/proto/ucspi-tcp.txt).
Hmm. I hadn't heard of UCSPI before.
Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP will stay for backwards compatibility, maybe I'll remove them in Dovecot v2.0.
Thanks for the answer :) There are still some problems with using the checkpassword interface with vpopmail. Besides the standard checkpassword exit codes:

1 unacceptable
2 misused
111 temporary problem

vchkpw (the checkpassword analogue in vpopmail) uses two additional groups of exit codes:

a) When the user gives a wrong username/password (checkpassword_request_half_finish() should call checkpassword_request_finish() with the parameter PASSDB_RESULT_PASSWORD_MISMATCH):

1 pop/smtp/webmail/imap access denied (matches the code of classic checkpassword)
3 password fail / vpopmail user not found
12 null user name given
13 null password given
15 user has no password
20 invalid user/domain characters
21 system user not found
22 system user shadow entry not found
23 system password fail

b) vpopmail's internal errors (checkpassword_request_half_finish() calls checkpassword_request_finish() with the parameter PASSDB_RESULT_INTERNAL_FAILURE):

4 setgid failed
5 setuid failed
6 autocreate dir error / chdir failed
7 putenv(USER) failed
8 putenv(HOME) failed
9 putenv(SHELL) failed
10 putenv(VPOPUSER) failed
11 vchkpw is only for talking with qmail-popup and qmail-pop3d. It is not for running on the command line
14 dir auto create failed / failed to vauth_getpw() after dir auto create

Now all these codes are processed in checkpassword_request_half_finish() by the "default" section. For the first group of codes it is wrong to return "-ERR Temporary authentication failure." to the user, because it is not an internal problem, it's a login failure (user problem). I have made some changes in passdb-checkpassword.c to separate internal vpopmail errors from user errors (patch attached). As exit code "1" in vchkpw corresponds to denying access to a service (smtp/pop3/imap/webmail), I have changed the log line for "case 1" from "Password not accepted" to "Login failed". This line (imho) is acceptable both for classic checkpassword and for vchkpw.

Now all user errors will be processed the same way as a wrong password in checkpassword (exit code 1), and internal errors will be logged by the "default" section. If you do not like the idea of changing the code specially for vpopmail, it would be possible to add a parameter in the "passdb checkpassword {}" section of the config file indicating that it works with vpopmail; depending on its presence the "case" would work differently (my knowledge of C is insufficient for this purpose). Also, if it is not too hard for you, could you add the variable TCPLOCALPORT (described in http://cr.yp.to/proto/ucspi-tcp.txt) to the environment variables for checkpassword, because vchkpw uses it to deny access to various services (SMTP/POP3/IMAP/Webmail)?

diff -r -U 10 dovecot-1.0.rc12.orig/src/auth/passdb-checkpassword.c dovecot-1.0.rc12/src/auth/passdb-checkpassword.c
--- dovecot-1.0.rc12.orig/src/auth/passdb-checkpassword.c 2006-11-06 15:12:23.000000000 +0300
+++ dovecot-1.0.rc12/src/auth/passdb-checkpassword.c 2006-11-09 15:41:40.000000000 +0300
@@ -94,23 +94,33 @@ i_free(request); } static void checkpassword_request_half_finish(struct chkpw_auth_request *request) { if (!request->exited || request->fd_in != -1) return; switch (request->exit_status) { - case 1: +/*vpopmail's exit codes for bad user/password */ + case 3: /*password fail / vpopmail user not found*/ + case 12: /*null user name given*/ + case 13: /*null password given*/ + case 15: /*user has no password*/ + case 20: /*invalid user/domain characters*/ + case 21: /*system user not found*/ + case 22: /*system user shadow entry not found*/ + case 23: /*system password fail*/ +/*classic checkpassword exit codes*/ + case 1: /*additionally defined in vpopmail for "pop/smtp/webmal/imap/ access denied"*/ auth_request_log_info(request->request, "checkpassword", - "Password not accepted"); + "Login failed"); checkpassword_request_finish(request, PASSDB_RESULT_PASSWORD_MISMATCH); break; case 0: if (request->input_buf != NULL) { checkpassword_request_finish(request, PASSDB_RESULT_OK); break; } /* missing input - fall through */ case 2:
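Review bot: the new `case 3`..`case 23` labels apply to every checkpassword program, not just vchkpw, so a non-vpopmail checkpassword that exits 3 or 12 for an internal reason is now logged as a user error and never reaches the default branch; say so in the comment (the codes are vpopmail-specific) and, since the log message is collapsed to "Login failed" for nine different statuses, include the status so operators can still tell them apart, e.g. `auth_request_log_info(request->request, "checkpassword", "Login failed (exit status %d)", request->exit_status);`. Mapping the user-not-found codes (3, 21) to PASSDB_RESULT_PASSWORD_MISMATCH rather than a distinct user-unknown result is the right client-facing choice, as it keeps the response identical for unknown users and wrong passwords, so only the log line needs the detail. Style: the `/*vpopmail's exit codes ...*/` comments sit at column 0 inside the switch; indent them with the case labels to match the surrounding code.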
On Thu, 2006-11-09 at 15:59 +0300, Max A wrote:
Now all user errors will be processed the same way as a wrong password in checkpassword (exit code 1), and internal errors will be logged by the "default" section.
Applied the patch.
If you do not like the idea of changing the code specially for vpopmail, it would be possible to add a parameter in the "passdb checkpassword {}" section of the config file indicating that it works with vpopmail; depending on its presence the "case" would work differently (my knowledge of C is insufficient for this purpose).
No, there are already too many settings.
Also, if it is not too hard for you, could you add the variable TCPLOCALPORT (described in http://cr.yp.to/proto/ucspi-tcp.txt) to the environment variables for checkpassword, because vchkpw uses it to deny access to various services (SMTP/POP3/IMAP/Webmail)?
dovecot-auth doesn't know the port, so this won't make it into Dovecot v1.0. If people bug me enough I'll implement it for later versions. :)
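The exit-status split Max A describes above and Timo has now applied, as an added example that is not code from this thread, from Dovecot or from vpopmail: a POSIX shell driver that speaks the checkpassword protocol to any checkpassword program (username, password and timestamp, each NUL-terminated, written to its fd 3, with the program to exec on success as its argument) and classifies the resulting exit status into the same groups as the patch. The vchkpw stand-in it writes is constructed so the driver can run offline; its accepted credentials (alice@example.com / s3cret), the temporary directory and the use of /bin/true as the success program are assumptions, not anything vpopmail does.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot/vpopmail: a driver
# that talks the checkpassword fd-3 protocol to a program and classifies its
# exit status the way the applied patch does (vpopmail's user-error codes join
# classic code 1 as a login failure; its internal-error codes stay internal).

# Exit-status classes, taken from the table in the thread.
classify_exit() {
  case "$1" in
    0) echo ok ;;                              # program exec'd its argument
    1|3|12|13|15|20|21|22|23) echo mismatch ;; # user error -> PASSWORD_MISMATCH
    2) echo misused ;;                         # classic checkpassword: misused
    111) echo temporary ;;                     # classic checkpassword: temporary
    4|5|6|7|8|9|10|11|14) echo internal ;;     # vpopmail internal -> INTERNAL_FAILURE
    *) echo unknown ;;
  esac
}

# Run a checkpassword program the way its caller does: "user\0pass\0ts\0" on
# fd 3, /bin/true as the program to exec on success, and print the exit status.
# The function itself returns 0 so the status can be captured with $(...).
checkpassword_status() {
  user=$1; pass=$2; prog=$3
  st=0
  printf '%s\000%s\000%s\000' "$user" "$pass" "$(date +%s)" \
    | "$prog" /bin/true 3<&0 </dev/null || st=$?
  echo "$st"
}

# Constructed stand-in for vchkpw (assumed credentials, offline only): reads
# fd 3 and returns a subset of the vpopmail codes listed in the thread.
make_fake_vchkpw() {
  dir=$(mktemp -d)
  cat >"$dir/vchkpw" <<'EOF'
#!/bin/sh
# fake vchkpw: NUL-separated fields on fd 3 -> one field per line
fields=$(tr '\000' '\n' <&3)
user=$(printf '%s\n' "$fields" | sed -n 1p)
pass=$(printf '%s\n' "$fields" | sed -n 2p)
[ -n "$user" ] || exit 12                       # null user name given
[ -n "$pass" ] || exit 13                       # null password given
[ "$user" = "alice@example.com" ] || exit 3     # vpopmail user not found
[ "$pass" = "s3cret" ] || exit 3                # password fail
exec "$@"                                       # success: run the supplied program
EOF
  chmod +x "$dir/vchkpw"
  echo "$dir/vchkpw"
}

# Stand-alone use: sh driver.sh USER PASSWORD /path/to/checkpassword
if [ $# -eq 3 ]; then
  st=$(checkpassword_status "$1" "$2" "$3")
  echo "exit status $st: $(classify_exit "$st")"
fi
```

Pointing the driver at the real vchkpw (run as the vpopmail user, with the UCSPI variables it expects in the environment) shows which group a given failure lands in before you rely on how Dovecot logs it; note that user-not-found and wrong-password both come back as 3, which is why the patch folds them into the same client-visible result.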
Also, if it is not too hard for you, could you add the variable TCPLOCALPORT (described in http://cr.yp.to/proto/ucspi-tcp.txt) to the environment variables for checkpassword, because vchkpw uses it to deny access to various services (SMTP/POP3/IMAP/Webmail)?
dovecot-auth doesn't know the port, so this won't make it into Dovecot v1.0. If people bug me enough I'll implement it for later versions. :)
In that case, is there a way to use some fake variables, for example TCPLOCALPORT=110 for a POP3 connection, TCPLOCALPORT=143 for IMAP, TCPLOCALPORT=993 for IMAP over SSL, etc.?
On Mon, 2006-11-20 at 12:39 +0300, Max A wrote:
Also, if it is not too hard for you, could you add the variable TCPLOCALPORT (described in http://cr.yp.to/proto/ucspi-tcp.txt) to the environment variables for checkpassword, because vchkpw uses it to deny access to various services (SMTP/POP3/IMAP/Webmail)?
dovecot-auth doesn't know the port, so this won't make it into Dovecot v1.0. If people bug me enough I'll implement it for later versions. :)
In that case, is there a way to use some fake variables, for example TCPLOCALPORT=110 for a POP3 connection, TCPLOCALPORT=143 for IMAP, TCPLOCALPORT=993 for IMAP over SSL, etc.?
Umh. That's beginning to sound way too kludgy. If you really need that you could just as well write a wrapper script that sets them..
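The wrapper script Timo suggests, as an added example that is not code from this thread, from Dovecot or from vpopmail: installed as the program in `passdb checkpassword { args = ... }` instead of vchkpw, it derives the UCSPI-TCP variables vchkpw reads from what the checkpassword passdb already exports and then execs the real vchkpw with the same arguments, leaving fd 3 untouched. It assumes (nothing in the thread states this) that Dovecot exports the service name as SERVICE with the values "imap" or "pop3" and the addresses as REMOTE_IP and LOCAL_IP, and that the real binary is at /var/qmail/vpopmail/bin/vchkpw (overridable through the hypothetical VCHKPW variable). Only the plaintext ports are mapped, because nothing in this environment tells the wrapper whether the connection used TLS, so Max A's 993 case cannot be synthesised honestly.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot/vpopmail: a checkpassword
# wrapper that fills in TCPLOCALPORT / TCPREMOTEIP / TCPLOCALIP for vchkpw from
# the variables Dovecot's checkpassword passdb is assumed to export
# (SERVICE, REMOTE_IP, LOCAL_IP), then hands over to the real vchkpw.
# fd 3, carrying the credential block, is inherited across the exec unchanged.

# Plaintext port for a Dovecot service name; returns 1 for anything else
# (there is no TLS indication to derive 993/995 from, so none is invented).
port_for_service() {
  case "$1" in
    pop3) echo 110 ;;
    imap) echo 143 ;;
    *) return 1 ;;
  esac
}

# set_ucspi_env SERVICE REMOTE_IP LOCAL_IP: export the UCSPI-TCP names.
# Returns 1, leaving TCPLOCALPORT empty, when the service has no known port.
set_ucspi_env() {
  TCPLOCALPORT=$(port_for_service "$1") || return 1
  export TCPLOCALPORT
  if [ -n "$2" ]; then TCPREMOTEIP=$2; export TCPREMOTEIP; fi
  if [ -n "$3" ]; then TCPLOCALIP=$3; export TCPLOCALIP; fi
  return 0
}

# Real invocation by dovecot-auth: checkpassword receives the program to exec
# on success as its arguments, so $# > 0 means we were called for a login.
if [ $# -gt 0 ]; then
  # Leave values alone if a Dovecot version that sets them natively is in use.
  if [ -z "${TCPLOCALPORT:-}" ]; then
    set_ucspi_env "${SERVICE:-}" "${TCPREMOTEIP:-${REMOTE_IP:-}}" "${TCPLOCALIP:-${LOCAL_IP:-}}" || {
      # Fail closed with checkpassword's "temporary problem" status rather
      # than run vchkpw without the port it uses for per-service access control.
      echo "checkpassword wrapper: cannot map SERVICE='${SERVICE:-}' to a port" >&2
      exit 111
    }
  fi
  exec "${VCHKPW:-/var/qmail/vpopmail/bin/vchkpw}" "$@"
fi
```

Failing closed on an unmapped service is a deliberate choice here: the port is what vchkpw's per-service deny rules key on, so an unexpected SERVICE value should produce a retryable temporary failure in the logs rather than silently skip that check. The wrapper must be executable by the user the auth process runs checkpassword as, and it adds one fork per login on top of vchkpw itself.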
participants (2)
-
Max A
-
Timo Sirainen