[Dovecot] authentication methods : pam, passwd and then backup question. How to restrict the methods
Dear all,
I noticed that incoming users were attempting to authenticate using several methods like pam sql. Eventually, they logged in. Is there a way for dovecot to only query a mysql backup for users, and skip the other methods?
Examples from logs (via Roundcube webmail in this case, but the same messages appear with port 993)
Jan 25 17:22:17 srv dovecot: auth-worker(default): pam(aa@bb.co.uk,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?)
Jan 25 17:22:17 srv dovecot: auth(default): passwd(aa@bb.co.uk,127.0.0.1): unknown user
Jan 25 17:22:17 srv dovecot: imap-login: Login: user=aa@bb.co.uk, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
As shown above, the user uses pam, passwd and then finally the user account fetched from mysql.
The distribution is Debian Squeeze.
Regards, s
On 01/25/2011 05:50 PM J4K wrote:
> Dear all,
> I noticed that incoming users were attempting to authenticate using several methods like pam sql. Eventually, they logged in. Is there a way for dovecot to only query a mysql backup for users, and skip the other methods?
> Examples from logs (via Roundcube webmail in this case, but the same messages appear with port 993)
> Jan 25 17:22:17 srv dovecot: auth-worker(default): pam(aa@bb.co.uk,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?)
> Jan 25 17:22:17 srv dovecot: auth(default): passwd(aa@bb.co.uk,127.0.0.1): unknown user
> Jan 25 17:22:17 srv dovecot: imap-login: Login: user=aa@bb.co.uk, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
> As shown above, the user uses pam, passwd and then finally the user account fetched from mysql.
> The distribution is Debian Squeeze.

Configure only the userdb and passdb you want to use and remove all others. You forgot to show your doveconf -n/dovecot -n output.
Regards, Pascal
The trapper recommends today: c01dcofe.1102517@localdomain.org
On 01/25/2011 05:53 PM, Pascal Volk wrote:
> On 01/25/2011 05:50 PM J4K wrote:
>> Dear all,
>> I noticed that incoming users were attempting to authenticate using several methods like pam sql. Eventually, they logged in. Is there a way for dovecot to only query a mysql backup for users, and skip the other methods?
>> Examples from logs (via Roundcube webmail in this case, but the same messages appear with port 993)
>> Jan 25 17:22:17 srv dovecot: auth-worker(default): pam(aa@bb.co.uk,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?)
>> Jan 25 17:22:17 srv dovecot: auth(default): passwd(aa@bb.co.uk,127.0.0.1): unknown user
>> Jan 25 17:22:17 srv dovecot: imap-login: Login: user=aa@bb.co.uk, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
>> As shown above, the user uses pam, passwd and then finally the user account fetched from mysql.
>> The distribution is Debian Squeeze.
> Configure only the userdb and passdb you want to use and remove all others. You forgot to show your doveconf -n/dovecot -n output.
> Regards, Pascal

Sorry. It's below:
# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-cgmemcap-smack x86_64 Debian 6.0 ext4
log_timestamp: %Y-%m-%d %H:%M:%S
listen: 127.0.0.1:3993
ssl_listen: *:993
ssl: required
ssl_ca_file: /etc/ssl/certs/startcomIntermediateCA.pem
ssl_cert_file: /etc/ssl/private/klunky.co.uk.ssl.crt
ssl_key_file: /etc/ssl/private/klunky.co.uk.nopassphase_ssl.key
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
login_max_processes_count: 256
valid_chroot_dirs: /var/vmail
first_valid_uid: 106
mail_privileged_group: mail
mail_location: maildir:/var/vmail/%d/%u/
maildir_very_dirty_syncs: yes
mbox_write_locks: fcntl dotlock
mail_plugins: quota
lda:
  log_path:
  auth_socket_path: /var/run/dovecot/auth-master
  postmaster_address: postmaster@example.com
  mail_plugins: sieve quota
  sieve_global_path: /var/vmail/globalsieverc
auth default:
  mechanisms: plain login
  verbose: yes
  passdb:
    driver: pam
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
plugin:
  quota_rule: *:storage=262144:messages=20000
  quota_rule2: Trash:storage=282144:messages=23000
dict:
  quotadict: mysql:/etc/dovecot/dovecot-dict-quota.conf
On 01/25/2011 05:55 PM J4K wrote:
> On 01/25/2011 05:50 PM J4K wrote:
> I noticed that incoming users were attempting to authenticate using several methods like pam sql. Eventually, they logged in. Is there a way for dovecot to only query a mysql backup for users, and skip the other methods?
> # dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-cgmemcap-smack x86_64 Debian 6.0 ext4
> …
> auth default:
> …
> On 01/25/2011 05:53 PM, Pascal Volk wrote:
>   passdb:
>     driver: pam
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
>   userdb:
>     driver: passwd
>   userdb:
>     driver: static
>     args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
>   userdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
> …

Remove passdb pam and userdb static, then reload the configuration and be happy. ;-)
Regards, Pascal
The trapper recommends today: c01dcafe.1102518@localdomain.org
On 01/25/2011 06:11 PM, Pascal Volk wrote:
> On 01/25/2011 05:55 PM J4K wrote:
> On 01/25/2011 05:50 PM J4K wrote:
> I noticed that incoming users were attempting to authenticate using several methods like pam sql. Eventually, they logged in. Is there a way for dovecot to only query a mysql backup for users, and skip the other methods?
> # dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-cgmemcap-smack x86_64 Debian 6.0 ext4
> …
> auth default:
> …
> On 01/25/2011 05:53 PM, Pascal Volk wrote:
>   passdb:
>     driver: pam
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
>   userdb:
>     driver: passwd
>   userdb:
>     driver: static
>     args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
>   userdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
> …
> Remove passdb pam and userdb static, then reload the configuration and be happy. ;-)
> Regards, Pascal

I do not understand why the static should be removed:
userdb:
  driver: static
  args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
Won't this break it?
I have commented out:
On 01/25/2011 06:18 PM J4K wrote:
> On 01/25/2011 06:11 PM, Pascal Volk wrote:
>> On 01/25/2011 05:55 PM J4K wrote:
>>> …
>>> auth default:
>>> …
>>>   passdb:
>>>     driver: pam
>>>   passdb:
>>>     driver: sql
>>>     args: /etc/dovecot/dovecot-mysql.conf
>>>   userdb:
>>>     driver: passwd
>>>   userdb:
>>>     driver: static
>>>     args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
>>>   userdb:
>>>     driver: sql
>>>     args: /etc/dovecot/dovecot-mysql.conf
>>> …
>> Remove passdb pam and userdb static, then reload the configuration and be happy. ;-)
> I do not understand why the static should be removed:
> userdb:
>   driver: static
>   args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
> Won't this break it?

Sorry, I meant userdb passwd - my fault.
Regards, Pascal
The trapper recommends today: c01dcafe.1102518@localdomain.org
On 01/25/2011 06:20 PM, Pascal Volk wrote:
> On 01/25/2011 06:18 PM J4K wrote:
>> On 01/25/2011 06:11 PM, Pascal Volk wrote:
>>> On 01/25/2011 05:55 PM J4K wrote:
>>>> …
>>>> auth default:
>>>> …
>>>>   passdb:
>>>>     driver: pam
>>>>   passdb:
>>>>     driver: sql
>>>>     args: /etc/dovecot/dovecot-mysql.conf
>>>>   userdb:
>>>>     driver: passwd
>>>>   userdb:
>>>>     driver: static
>>>>     args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
>>>>   userdb:
>>>>     driver: sql
>>>>     args: /etc/dovecot/dovecot-mysql.conf
>>>> …
>>> Remove passdb pam and userdb static, then reload the configuration and be happy. ;-)
>> I do not understand why the static should be removed:
>> userdb:
>>   driver: static
>>   args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
>> Won't this break it?
> Sorry, I meant userdb passwd - my fault.
> Regards, Pascal

Just seen this message. Done. Thank-you. S
On 01/25/2011 06:11 PM, Pascal Volk wrote:
> On 01/25/2011 05:55 PM J4K wrote:
> On 01/25/2011 05:50 PM J4K wrote:
> I noticed that incoming users were attempting to authenticate using several methods like pam sql. Eventually, they logged in. Is there a way for dovecot to only query a mysql backup for users, and skip the other methods?
> # dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-cgmemcap-smack x86_64 Debian 6.0 ext4
> …
> auth default:
> …
> On 01/25/2011 05:53 PM, Pascal Volk wrote:
>   passdb:
>     driver: pam
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
>   userdb:
>     driver: passwd
>   userdb:
>     driver: static
>     args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
>   userdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
> …
> Remove passdb pam and userdb static, then reload the configuration and be happy. ;-)
> Regards, Pascal

OK, tested. Removing the userdb static breaks authentication. I won't do this again.
userdb static {
  args = uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
}
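
Added example (not part of the original thread and not Dovecot's own code): a Python check for the situation discussed above. It lists the passdb/userdb drivers found in Dovecot 1.2-style "dovecot -n" output, reports those outside an allowlist, and scans the quoted log lines for backends that logged a failure before a successful login. The function names and the ALLOWED policy are assumptions made for this example.

```python
import re

# The auth section of the `dovecot -n` output (Dovecot 1.2 format) and the
# log lines, both as posted in the thread.
DOVECOT_N = (
    "auth default: mechanisms: plain login verbose: yes "
    "passdb: driver: pam passdb: driver: sql args: /etc/dovecot/dovecot-mysql.conf "
    "userdb: driver: passwd userdb: driver: static "
    "args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes "
    "userdb: driver: sql args: /etc/dovecot/dovecot-mysql.conf"
)
LOG = [
    "Jan 25 17:22:17 srv dovecot: auth-worker(default): pam(aa@bb.co.uk,127.0.0.1): "
    "pam_authenticate() failed: Authentication failure (password mismatch?)",
    "Jan 25 17:22:17 srv dovecot: auth(default): passwd(aa@bb.co.uk,127.0.0.1): unknown user",
    "Jan 25 17:22:17 srv dovecot: imap-login: Login: user=aa@bb.co.uk, method=PLAIN, "
    "rip=127.0.0.1, lip=127.0.0.1, secured",
]
# Assumed policy for this example: SQL passwords, static/SQL user lookups only.
ALLOWED = {"passdb": {"sql"}, "userdb": {"static", "sql"}}

# \s* also spans newlines, so multi-line and flattened output both parse.
DRIVER_RE = re.compile(r"\b(passdb|userdb):\s*driver:\s*(\S+)")
BACKEND_RE = re.compile(r"dovecot: auth(?:-worker)?\(\w+\): (\w+)\(([^,)]+)[^)]*\): ")
LOGIN_RE = re.compile(r"-login: Login: user=<?([^>,\s]+)")

def configured_drivers(text):
    """Return the passdb/userdb drivers in the order they are configured."""
    found = {"passdb": [], "userdb": []}
    for kind, driver in DRIVER_RE.findall(text):
        found[kind].append(driver)
    return found

def unexpected_drivers(found, allowed=ALLOWED):
    """List (kind, driver) pairs that are configured but not allowed."""
    return [(k, d) for k, ds in found.items() for d in ds if d not in allowed[k]]

def failed_before_login(lines):
    """Map each logged-in user to the backends that logged a failure first."""
    pending, result = {}, {}
    for line in lines:
        backend, login = BACKEND_RE.search(line), LOGIN_RE.search(line)
        if backend:
            pending.setdefault(backend.group(2), []).append(backend.group(1))
        elif login:
            result[login.group(1)] = pending.pop(login.group(1), [])
    return result
```

On the thread's data this reports passdb pam and userdb passwd as the unexpected drivers, the same two backends that appear in the log before the successful login.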
participants (2): J4K, Pascal Volk