[Dovecot] Root password or key access to pop3?
Hi all,
We're an ISP, and are currently looking for a way for our tech support guys to access customers' email without having shell access to the server, or knowing the customer's password.
We'd like to install a custom webmail client that would only show the user's inbox and the ability to delete the messages. The problem is that we would have to know the user's password in order for my PHP pop3 code to go out and fetch the mail.
Is there a way I can set up and/or patch dovecot so that any connection from <said IP address> can use the password "jq3erjq3535" for any account, and it will authenticate them?
Or is this some kind of custom patch I would need to write?
Thanks!
-Matt
Matt Juszczak wrote:
> Hi all,
> We're an ISP, and are currently looking for a way for our tech support guys to access customers' email without having shell access to the server, or knowing the customer's password.
> We'd like to install a custom webmail client that would only show the user's inbox and the ability to delete the messages. The problem is that we would have to know the user's password in order for my PHP pop3 code to go out and fetch the mail.
> Is there a way I can set up and/or patch dovecot so that any connection from <said IP address> can use the password "jq3erjq3535" for any account, and it will authenticate them?
> Or is this some kind of custom patch I would need to write?
> Thanks!
> -Matt
Hi Matt,
You could keep the passwords in plain text form in an SQL table for dovecot to access, you could then easily plug this into a PHP script. Or just give them access to the MySQL database. We as an ISP keep passwords in crypt or MD5 form as well as plain text in the SQL so the customer's control panel can reveal their E-Mail and FTP passwords upon request.
Regards Andrew
Andrew Hutchings (A-Wing) - Linux Guru
Netserve Consultants - http://www.domaincity.co.uk/
A-Wing Internet Services - http://www.a-wing.co.uk/
Random quote 77: "Only Microsoft would have the temerity to pick your pocket and ask you to thank it for the favor." - JAI SINGH, C|net

> You could keep the passwords in plain text form in an SQL table for dovecot to access, you could then easily plug this into a PHP script. Or just give them access to the MySQL database. We as an ISP keep passwords in crypt or MD5 form as well as plain text in the SQL so the customer's control panel can reveal their E-Mail and FTP passwords upon request.
This really isn't an option for us. We use LDAP as a back end and all the passwords are in crypt already. We need a way for our pop server to accept a "pass all" password of some sort so we can access anyone's mail via pop3 without knowing their password...
Matt Juszczak wrote:
> > You could keep the passwords in plain text form in an SQL table for dovecot to access, you could then easily plug this into a PHP script. Or just give them access to the MySQL database. We as an ISP keep passwords in crypt or MD5 form as well as plain text in the SQL so the customer's control panel can reveal their E-Mail and FTP passwords upon request.
> This really isn't an option for us. We use LDAP as a back end and all the passwords are in crypt already. We need a way for our pop server to accept a "pass all" password of some sort so we can access anyone's mail via pop3 without knowing their password...
Hi Matt,
If you use dovecot 1.0 you could add a second auth scheme such as sql that has 1 user/pass in which overrides the mail_env (settable in the PHP). Beyond that you are talking a hack I think. Maybe some kind of new static passdb module? We only have 6000 users on the mail cluster (as our ADSL service only went live 2 days ago) so I am the only one who needs to access it for support and I do it via SSH and some custom scripts I wrote.
Regards Andrew
--
Andrew Hutchings (A-Wing) - Linux Guru
Netserve Consultants - http://www.domaincity.co.uk/
A-Wing Internet Services - http://www.a-wing.co.uk/
Random quote 60: "You could argue that Microsoft is the product of clever strategy, mediocre technology, and a hell of a lot of increasing returns." - BRIAN ARTHURE, Economist

On Tue, Jul 05, 2005 at 02:50:56PM -0400, Matt Juszczak wrote:
> > You could keep the passwords in plain text form in an SQL table for dovecot to access, you could then easily plug this into a PHP script. Or just give them access to the MySQL database. We as an ISP keep passwords in crypt or MD5 form as well as plain text in the SQL so the customer's control panel can reveal their E-Mail and FTP passwords upon request.
> This really isn't an option for us. We use LDAP as a back end and all the passwords are in crypt already. We need a way for our pop server to accept a "pass all" password of some sort so we can access anyone's mail via pop3 without knowing their password...
That's pretty dangerous. Slightly less dangerous would be to give your tech people a way to change a customer's password temporarily and to revert it back to the old one when they are done.
mm
> That's pretty dangerous. Slightly less dangerous would be to give your tech people a way to change a customer's password temporarily and to revert it back to the old one when they are done.
Good idea :) Thanks... since we're in LDAP, I'll just have LDAP change the password, read the mail spool, then change the password back again.
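
The change-then-revert procedure the thread settles on, as an added example that is not code from any participant: it journals the original hash before the swap, reverts even when the mail fetch fails, and refuses to overwrite a password the customer changed during the window. `MemoryDirectory` is a constructed stand-in for the LDAP back end, and the DN, operator name and `{SSHA}` format for the temporary value are assumptions.

```python
import base64, hashlib, os, secrets
from contextlib import contextmanager

def ssha(password):
    """Hash in the {SSHA} userPassword format so no cleartext is stored."""
    salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

class MemoryDirectory:
    """Constructed stand-in for the LDAP back end (dn -> userPassword)."""
    def __init__(self, entries):
        self.entries = dict(entries)
    def get_password(self, dn):
        return self.entries[dn]
    def set_password(self, dn, value):
        self.entries[dn] = value

@contextmanager
def temporary_password(directory, dn, operator, journal):
    original = directory.get_password(dn)
    # Journal the original hash BEFORE changing anything, so a crashed
    # session can still be reverted by hand. The journal is as sensitive
    # as the directory itself.
    journal.append(("swap", operator, dn, original))
    temp = secrets.token_urlsafe(24)          # one-off, never reused
    temp_hash = ssha(temp)
    directory.set_password(dn, temp_hash)
    try:
        yield temp                            # support tool logs in with this
    finally:
        # Revert only if the stored value is still ours; if the customer
        # changed the password in the window, leave their new one alone.
        if directory.get_password(dn) == temp_hash:
            directory.set_password(dn, original)
            journal.append(("revert", operator, dn, None))
        else:
            journal.append(("conflict", operator, dn, None))

def demo():
    dn = "uid=alice,ou=people,dc=example,dc=net"   # constructed sample entry
    directory = MemoryDirectory({dn: "{CRYPT}constructedHashValue"})
    journal = []
    try:
        with temporary_password(directory, dn, "support-17", journal):
            raise RuntimeError("POP3 fetch failed")  # simulated failure
    except RuntimeError:
        pass
    return directory.get_password(dn), [event[0] for event in journal]
```

While the temporary value is in place the customer's own password does not work, so the window should be kept as short as possible.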
participants (3): Andrew Hutchings, Mark E. Mallett, Matt Juszczak