[Dovecot] Clash between multiple authentication databases (security problem?)

Timo Sirainen tss at iki.fi
Sat Feb 4 09:59:53 EET 2006


On Thu, 2006-02-02 at 12:24 -0500, dovecot-ri wrote:
> Hi all,
> 
> I just installed dovecot-1.0_beta2 and love it!  However, I've run into issues using multiple authentication databases.
> 
> I use both pam (for users on my system) and sql (for virtual users).  I've noticed that if I have system user "userabc" and virtual user "userabc at otherdomain.com" (two distinct users) and my "auth default" section contains these passdb/userdb entries in this order (the order in the example config):
> 
>   passdb pam
>   passdb sql
>   userdb pam
>   userdb sql
> 
> then when userabc at otherdomain.com logs in, he'll get the system user userabc's mail instead of his own.  It appears that the sql password check succeeds, then Dovecot grabs the home directory from pam, NOT sql.

Yes, because passdbs and userdbs aren't tied together. It always goes
through them in order.

> Is there a safer way to do this?  If not, should there be?

Why is userabc at otherdomain.com found from passwd? If there was only
"userabc" in passwd and "userabc at otherdomain.com" in SQL, there should
be no conflicts since they'd be completely different usernames.

Anyway, I'm not sure if I can do anything about this on Dovecot's side.
Unless maybe I added some kind of optional relationship so you could
configure which userdb to use when a user is found from one passdb..
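The behaviour described in the reply above, modelled as an added example (this is not Dovecot's code): a passdb chain and a userdb chain that are walked independently, first match wins in each, so the userdb that supplies the home directory has no idea which passdb accepted the password. The sample users, passwords and home paths are constructed. Two things in the model are assumptions, not facts about Dovecot: a passdb that does not know the user or rejects the password hands over to the next one, and in the second scenario the system-user backends are queried with the domain stripped, which is one way the reporter's "userabc at otherdomain.com" could end up matching the system user "userabc". The `find_collisions` audit answers the reply's question directly: it lists every login that more than one userdb would answer for, which is exactly the precondition for the wrong mailbox being served.

```python
# Added example, not Dovecot code: model of independent passdb/userdb chains.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def identity(login: str) -> str:
    """Look the login up exactly as typed (full user@domain)."""
    return login


def strip_domain(login: str) -> str:
    """ASSUMPTION used to reproduce the reported symptom: the system-user
    backends see only the local part, so 'userabc@otherdomain.com' -> 'userabc'."""
    return login.split("@", 1)[0]


@dataclass
class Backend:
    name: str                              # e.g. "pam", "passwd", "sql"
    realm: str                             # "system" or "virtual"
    users: Dict[str, Tuple[str, str]]      # lookup key -> (password, home); constructed data
    key: Callable[[str], str] = identity   # how a login is turned into a lookup key

    def lookup(self, login: str) -> Optional[Tuple[str, str]]:
        return self.users.get(self.key(login))


def authenticate(login: str, password: str, passdbs: List[Backend]) -> Optional[str]:
    """Walk the passdbs in order and return the name of the first one that accepts
    the password. Model assumption: not-found or wrong password means 'try the next'."""
    for db in passdbs:
        entry = db.lookup(login)
        if entry is not None and entry[0] == password:
            return db.name
    return None


def home_directory(login: str, userdbs: List[Backend]) -> Optional[Tuple[str, str]]:
    """Walk the userdbs in order; the first one that knows the login wins.
    Nothing here depends on which passdb authenticated the user."""
    for db in userdbs:
        entry = db.lookup(login)
        if entry is not None:
            return db.name, entry[1]
    return None


def resolve(login: str, password: str, passdbs: List[Backend], userdbs: List[Backend]) -> Optional[dict]:
    """Full login: authenticate, then fetch the home. 'mismatch' flags the case the
    reporter hit: password accepted by a backend of one realm, home served by another."""
    auth_by = authenticate(login, password, passdbs)
    if auth_by is None:
        return None
    realms = {db.name: db.realm for db in passdbs + userdbs}
    found = home_directory(login, userdbs)
    if found is None:
        return {"passdb": auth_by, "userdb": None, "home": None, "mismatch": False}
    userdb, home = found
    return {"passdb": auth_by, "userdb": userdb, "home": home,
            "mismatch": realms[userdb] != realms[auth_by]}


def find_collisions(logins: List[str], userdbs: List[Backend]) -> Dict[str, List[str]]:
    """Audit: which logins would more than one userdb answer for? Any hit here means
    the userdb order alone decides whose mailbox that login gets."""
    report = {}
    for login in logins:
        answering = [db.name for db in userdbs if db.lookup(login) is not None]
        if len(answering) > 1:
            report[login] = answering
    return report


# Constructed sample data mirroring the report: a system user and a virtual user.
SYSTEM_USERS = {"userabc": ("sys-secret", "/home/userabc")}
VIRTUAL_USERS = {"userabc@otherdomain.com": ("virt-secret", "/var/vmail/otherdomain.com/userabc")}
SQL = Backend("sql", "virtual", VIRTUAL_USERS)


def scenario(strip_for_system: bool) -> Tuple[List[Backend], List[Backend]]:
    """Chains in the order from the example config: system backends first, SQL second."""
    key = strip_domain if strip_for_system else identity
    pam = Backend("pam", "system", SYSTEM_USERS, key)        # passdb for system users
    passwd = Backend("passwd", "system", SYSTEM_USERS, key)  # userdb for system users
    return [pam, SQL], [passwd, SQL]


if __name__ == "__main__":
    for strip in (False, True):
        passdbs, userdbs = scenario(strip)
        print("domain stripping:", strip)
        print("  login:", resolve("userabc@otherdomain.com", "virt-secret", passdbs, userdbs))
        print("  collisions:", find_collisions(["userabc", "userabc@otherdomain.com"], userdbs))
```

With exact-name lookups the virtual user is authenticated by SQL and gets the SQL home, and the audit is empty, which is the reply's point that distinct usernames cannot clash. Once the system backends see only the local part, SQL still accepts the password but the passwd userdb answers first and hands out /home/userabc, and the audit names that login, so the collision can be caught from the user lists before anyone logs in.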