Hi,
I’ve been looking into a problem with a local dovecot setup that has ~systemd-homed~ and uses PAM authentication. To give a brief overview, ~systemd-homed~ mounts the user's home directory upon particular authentication calls (which is configurable through ~/etc/pam.d~).
Dovecot currently supports PAM authentication perfectly fine — the problem comes when a system has systemd-homed. This is because the session is created and deleted immediately afterwards [1].
This is a problem because if the server isn’t busy, systemd-homed can run its cleanup, which causes the home directory to be unavailable once again [2].
To support this properly, ideally the whole of the imap/pop3/lda session needs to happen before the deletion of the session.
Does the imap session happen within a ~verify_plain~ [3] call? If not, are there any other authentication backends which currently need to keep a live token?
Yilin
[1] https://github.com/dovecot/core/blob/266e54b7b8c34c9a58dd60a2e53c5ca7d1deae1...
[2] https://dovecot.org/pipermail/dovecot/2019-April/115559.html
[3] https://github.com/dovecot/core/blob/266e54b7b8c34c9a58dd60a2e53c5ca7d1deae1...
On 07/01/2021 02:47 Yilin Wei yilin@kebab-ca.se wrote:
> Hi,
> I’ve been looking into a problem with a local dovecot setup that has ~systemd-homed~ and uses PAM authentication. To give a brief overview, ~systemd-homed~ mounts the user's home directory upon particular authentication calls (which is configurable through ~/etc/pam.d~).
> Dovecot currently supports PAM authentication perfectly fine — the problem comes when a system has systemd-homed. This is because the session is created and deleted immediately afterwards [1].
> This is a problem because if the server isn’t busy, systemd-homed can run its cleanup, which causes the home directory to be unavailable once again [2].
> To support this properly, ideally the whole of the imap/pop3/lda session needs to happen before the deletion of the session.
> Does the imap session happen within a ~verify_plain~ [3] call? If not, are there any other authentication backends which currently need to keep a live token?
> Yilin
> [1] https://github.com/dovecot/core/blob/266e54b7b8c34c9a58dd60a2e53c5ca7d1deae1...
> [2] https://dovecot.org/pipermail/dovecot/2019-April/115559.html
> [3] https://github.com/dovecot/core/blob/266e54b7b8c34c9a58dd60a2e53c5ca7d1deae1...
Hi!
IMAP session happens after authentication has taken place. For this to work correctly in this case, there would need to be a mail plugin that would actually open the pam session and then close it.
Aki
Participants (2): Aki Tuomi, Yilin Wei