[Dovecot] Proxy with MasterUser + Authentication issues
Per Timo's direction, I decided to give the MasterUser a try in connecting my proxy to my destination server. This might allow for the use of 'secure password' for my clients that like to check that box by default.
A couple of problems I'm running into running RC15:
#1: My Proxy's SQL password_query line:
password_query = SELECT a.clearpasswd AS password, v.storeIP AS host, CONCAT(v.userID,'*someuser') AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'somepass' AS pass FROM iwmailsystem.virtmailbox AS v NATURAL JOIN authenticate.users AS a WHERE v.userID = '%u' and v.imap_active = 1
I'm wanting to authenticate the user on the proxy before I send it off via the MasterUser to the destination server. However, I show this in the logs:
Info: auth(default): client in: AUTH 1 PLAIN service=IMAP lip= x.y.z.a rip=a.b.c.d resp=AGJ1dGNoQGluZm93ZXN0LmNvbQBzZWNyZXQ=
Info: auth-worker(default): sql(user@host.com,a.b.c.d): query: SELECT a.clearpasswd AS password, v.storeIP AS host, CONCAT(v.userID,'*someuser') AS destuser, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy, 'somepass' AS pass FROM iwmailsystem.virtmailbox AS v NATURAL JOIN authenticate.users AS a WHERE v.userID = 'user@host.com' and v.imap_active = 1
Error: auth(default): file auth-request.c: line 207 (auth_request_save_cache): assertion failed: (extra_fields == NULL || (strstr(extra_fields, "\tpass=") == NULL && strncmp(extra_fields, "pass=", 5) != 0))
Error: child 54122 (auth) killed with signal 6
The Wiki showed I should return a 'pass' column. However, that's choking the query up in auth-request.c. Could it be the "\tpass" from auth-request.c?
If I change user@host.com's password to 'somepass' and remove the 'pass' column from the password_query, it authenticates, and proxies over just fine. Am I doing something wrong? I want to authenticate the user locally on the proxy and pass off the 'master password' to the proxy, but using 'pass' doesn't work. 'password' column does. Doesn't help me though for my situation :)
Problem #2:
I'm wanting to put the masteruser/pass in the database for quick retrieval and updating. So I set up dovecot.conf as:
passdb sql {
  # Path for SQL configuration file, see doc/dovecot-sql.conf for example
  args = /usr/local/etc/dovecot-sql.conf
  master=yes
  #pass=yes
}
passdb passwd { }
and dovecot-sql.conf with:
password_query = SELECT '%u' AS user, 'master-password' AS password
Trying to connect locally with a "telnet localhost 143" via:
1 login user@host.com*someuser "somepass"
Gives me this in the detail log file:
Info: auth(default): client in: AUTH 1 PLAIN service=IMAP lip= a.b.c.d rip=w.x.y.z resp=AGJ1dGNoQGluZm93ZXN0LmNvbSphZG1pbkBpbmZvd2VzdC5jb20AbWFzdGVyLXBhc3N3b3Jk
Error: auth-worker(default): BUG: PASSV had invalid passdb ID
Warning: Killed with signal 15
I am able to successfully authenticate with the master user/pass if I store it in a passdb file. However, I'd prefer to have it in the database for obvious reasons.
Any help to the above would be appreciated.
thanks,
Cassidy
On Sun, 2006-12-17 at 12:27 -0700, Cassidy B. Larson wrote:
> Error: auth(default): file auth-request.c: line 207 (auth_request_save_cache): assertion failed: (extra_fields == NULL || (strstr(extra_fields, "\tpass=") == NULL && strncmp(extra_fields, "pass=", 5) != 0))
Finally fixed this. The assert isn't valid anymore, so it can be just removed.
> Error: auth-worker(default): BUG: PASSV had invalid passdb ID
Does this still happen with rc22?
>> Error: auth-worker(default): BUG: PASSV had invalid passdb ID
> Does this still happen with rc22?
Yes, I am still getting this.
Here is my situation. I am authenticating people out of MySQL on a proxy, and relaying them to my storage servers.
proxy log:
Feb 15 17:05:59 dellio dovecot: auth(mail.infowest.com): client out: OK 1 user=user@host.com host=204.17.177.250 destuser= user@host.com*masteruser nologin proxy pass=secret
I get this in my logs on my storage server:
dovecot: Feb 15 17:05:59 Info: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=204.17.177.250 rip=204.17.177.30 resp=AGNhc3NpZHl0ZXN0QGluZm93ZXN0LmNvbSphZG1pbkBpbmZvd2VzdC5jb20Ac2VjcmV0
dovecot: Feb 15 17:05:59 Error: auth-worker(default): BUG: PASSV had invalid passdb ID
Perhaps I am understanding how the whole MasterUser works right? But, I want to authenticate the users at the proxy level so I can do SPA, then proxy it off to my storage server for mailbox storage. On my proxy I simply return the cleartext password from my password_query line for the authentication to correctly complete. However, how is the correct 'master password' going to get sent off to the "storage server"? Sure, I can append the master username, and I do just fine. But, how is the storage server supposed to get the "master password" in addition?
On my storage server I have the following in dovecot.conf:
passdb pam { }
passdb sql {
  args = /usr/local/etc/dovecot-sql.conf
  master=yes
}
Then within dovecot-sql.conf:
password_query = SELECT user, clearpasswd AS password FROM authenticate.users WHERE '%u' = 'masteruser'
However, I am not seeing any SQL queries happen to try and verify the user/pass for the masteruser.
The next funny thing is, if I have a password file, and have the masteruser's password set in that password file to the same password as the user that I am trying to proxy with, things work. If the masteruser's password in the password file is different, it doesn't work. So the question is, how does the proxy send the password to use for the masteruser?
Thanks,
Cassidy
On Thu, 2007-02-15 at 17:19 -0700, Cassidy B. Larson wrote:
> Error: auth-worker(default): BUG: PASSV had invalid passdb ID
> passdb sql {
>   args = /usr/local/etc/dovecot-sql.conf
>   master=yes
> }
Looks like no-one has before tried to use MySQL as a masterdb. This should fix it: http://dovecot.org/list/dovecot-cvs/2007-February/007699.html
> Looks like no-one has before tried to use MySQL as a masterdb. This should fix it: http://dovecot.org/list/dovecot-cvs/2007-February/007699.html
Cool, that fixed that issue. It'll now run the query against the MySQL database as a masterdb.
The final problem I am seeing is there needs to be a way to send the 'masterpassword' to the storageserver. Currently, it is sending the password from the authenticated user of the proxy to the storage server, which isn't the master user's password. Is there a variable I can return on the proxy's SQL query to specify the MasterUser password?
I basically need the proxy to Authenticate the plain/crypt password returned from the SQL query. If it validates, then send the new user=user@host.com*masteruser variable to the storage server, with the correct masteruser's password. If I were to be able to figure this out, this problem would be done with.
Thanks,
Cassidy
On Fri, 2007-02-16 at 10:49 -0700, Cassidy B. Larson wrote:
> The final problem I am seeing is there needs to be a way to send the 'masterpassword' to the storageserver. Currently, it is sending the password from the authenticated user of the proxy to the storage server, which isn't the master user's password. Is there a variable I can return on the proxy's SQL query to specify the MasterUser password?
Didn't your original SQL query contain "pass"? That should work. Although unless you have this patch it assert-crashes:
http://dovecot.org/list/dovecot-cvs/2007-February/007665.html
> Didn't your original SQL query contain "pass"? That should work. Although unless you have this patch it assert-crashes:
> http://dovecot.org/list/dovecot-cvs/2007-February/007665.html
Yes! That patch makes it all better once I added it and added the 'pass' back into my original query. As far as I can tell, proxying with and without SPA works fine with the masteruser and MySQL.
Thanks!!!
-cassidy
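
An added example, not part of any message in this thread: the `resp=` field in the auth debug lines quoted above is a base64 SASL PLAIN response (authzid, authcid, password separated by NUL bytes), so the login name, the `*` master-user suffix and the password are all recoverable from the log. The sketch below parses such a line and redacts it before sharing; the sample line and its credentials are constructed, and splitting at the last `*` is an assumption.

```python
import base64
import re

MASTER_SEPARATOR = "*"  # separator used in this thread (user@host.com*masteruser)
RESP_RE = re.compile(r"\bresp=([A-Za-z0-9+/]+=*)")


def decode_plain(resp_b64):
    """Decode SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = base64.b64decode(resp_b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN response")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def split_master_login(authcid, sep=MASTER_SEPARATOR):
    """Split 'user*master' into (user, master); master is None if absent.

    Assumption: the split happens at the last separator in the login name.
    """
    user, found, master = authcid.rpartition(sep)
    return (user, master) if found else (authcid, None)


def summarize(line):
    """Report who logged in, via which master user, without echoing the password."""
    m = RESP_RE.search(line)
    if m is None:
        return None
    _authzid, authcid, passwd = decode_plain(m.group(1))
    user, master = split_master_login(authcid)
    return {"user": user, "master": master, "password_len": len(passwd)}


def redact(line):
    """Strip the credential blob from a log line before posting or archiving it."""
    return RESP_RE.sub("resp=<redacted>", line)


# Constructed sample line in the format shown in the thread (not a real log entry).
SAMPLE = (
    "Info: auth(default): client in: AUTH 1 PLAIN service=IMAP "
    "lip=192.0.2.10 rip=192.0.2.20 resp="
    + base64.b64encode(b"\x00alice@example.test*svc-master\x00not-a-real-secret").decode()
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(redact(SAMPLE))
```
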
participants (2): Cassidy B. Larson, Timo Sirainen