[Dovecot] Dovecot doesn't use vchkpw properly :(
Casey Allen Shobe
lists at seattleserver.com
Thu Jun 30 20:49:12 EEST 2005
Hey all,
It seems that dovecot does NOT call vchkpw properly when using
vpopmail-style authentication; I can only guess that it reads the
vpasswd{,.cdb} files directly. This is indicated by the syslog log
for the mail facility, which reads:
Jun 30 16:51:30 [vpopmail] vchkpw-smtp: (PLAIN) login success blah at blah.com:24.17.153.137
Jun 30 17:16:25 [pop3-login] Login: blah at blah.com [24.17.153.137]
Jun 30 17:47:42 [imap-login] Login: blah at blah.com [216.57.201.58]
pop3-login and imap-login are dovecot processes - vchkpw is never
called or there would also be log entries for it. I've verified
this with the vpopmail list, who agree that the problem lies within
dovecot.
This might not be quite so annoying, but we are using vpopmail
compiled with the --enable-learn-passwords option, which will
populate the password files with cleartext versions of the
passwords where they are missing. Because of dovecot not calling
vchkpw, this doesn't work for POP3/IMAP logins, only SMTP (using
qmail-smtpd). People don't send mail from every account they poll,
and we need to get all of the passwords in cleartext form so that
we can complete migration to a PostgreSQL password database which
multiple applications will use to authenticate.
Are there plans to make dovecot use vchkpw in the normal
checkpassword manner? If not, I'd like to request it. We will
probably switch back to qmail-pop3d and bincimap for the time being
to finish collecting passwords if we can't get a quick fix...I
think we can do that without much impact.
Cheers,
--
Casey Allen Shobe | http://casey.shobe.info
cshobe at seattleserver.com | cell 425-443-4653
AIM & Yahoo: SomeLinuxGuy | ICQ: 1494523
SeattleServer.com, Inc. | http://www.seattleserver.com