[Dovecot] patch for checkpassword exit codes & vpopmail

Max A sub at comtel-60.ru
Thu Nov 9 12:59:33 UTC 2006


>> Also, it is possible that a similar problem exists with other variables
>> of the TCP UCSPI protocol (http://cr.yp.to/proto/ucspi-tcp.txt).
> 
> Hmm. I hadn't heard of UCSPI before.
> 
> Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP
> will stay for backwards compatibility, maybe I'll remove them in Dovecot
> v2.0.
> 

Thanks for the answer :)

There are still some problems with the use of the
checkpassword interface with vpopmail. Besides the standard exit codes of
checkpassword:

1 	unacceptable
2 	misused
111	temporary problem

vchkpw (the checkpassword analogue in vpopmail) uses two additional
groups of exit codes:

a) When the user gives a wrong username/password (the procedure
checkpassword_request_half_finish() should call
checkpassword_request_finish() with parameter
PASSDB_RESULT_PASSWORD_MISMATCH):

1	pop/smtp/webmal/imap/ access denied (match with a code of
	classic checkpassword)
3	password fail / vpopmail user not found
12	null user name given
13	null password given
15	user has no password
20	invalid user/domain characters
21	system user not found
22	system user shadow entry not found
23	system password fail

b) vpopmail's internal errors:
(checkpassword_request_half_finish() call checkpassword_request_finish()
with parameter PASSDB_RESULT_INTERNAL_FAILURE):

4	setgid failed
5	setuid failed
6	autocreate dir error / chdir failed
7	putenv(USER) failed
8	putenv(HOME) failed
9	putenv(SHELL) failed
10	putenv(VPOPUSER) failed
11	vchkpw is only for talking with qmail-popup and qmail-pop3d.
	It is not for runnning on the command line
14	dir auto create failed / failed to vauth_getpw() after dir auto
	create

Now all these codes are processed in checkpassword_request_half_finish()
by the "default" section. It is wrong for the first group of codes to
return to the user "-ERR Temporary authentication failure.", because it is
not an internal problem, it's a login failure (user problem). I have
made some changes in passdb-checkpassword.c to separate internal
vpopmail mistakes from user's mistakes (a patch is attached).

As the exit code "1" in vchkpw corresponds to an interdiction of access
to a service (smtp/pop3/imap/webmail), I have changed the logging line in
"case 1" from "Password not accepted" to "Login failed". This line
(imho) is acceptable both for classical checkpassword and for vchkpw.

Now all user's mistakes will be processed in the same way as a password
mistake in checkpassword (exit code 1), and internal mistakes will be
logged by the "default" section.

If you do not like the idea of changing the code specially for vpopmail, it
would be possible to add a parameter to the "passdb checkpassword {}"
section in the config file, indicating that it works with vpopmail.
Depending on its presence, the "case" would work differently (my knowledge
of C is insufficient for this purpose).

Also, if it is not too hard for you, can you add the variable TCPLOCALPORT
(described in http://cr.yp.to/proto/ucspi-tcp.txt) to the environment
variables for checkpassword, because vchkpw uses it for an interdiction
of access to various services (SMTP/POP3/IMAP/Webmail)?

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpopmail_env.patch
Url: http://dovecot.org/pipermail/dovecot/attachments/20061109/98ce079e/attachment.pot 
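
Added example, not part of the original message, the attached patch or Dovecot's source: a minimal C sketch of the split the message asks for, where group (a) exit codes become a login failure and everything else, including termination by signal, becomes an internal failure. The enum names, the function names and the "/bin/true" success program are assumptions made for illustration.

```c
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Local stand-ins for the two passdb results named in the message. */
enum result { RES_OK, RES_PASSWORD_MISMATCH, RES_INTERNAL_FAILURE };

/* Classify an exit code using the two groups listed in the message. */
enum result classify_exit_code(int code)
{
    switch (code) {
    case 0:
        return RES_OK;
    case 1: case 3: case 12: case 13: case 15:
    case 20: case 21: case 22: case 23:
        return RES_PASSWORD_MISMATCH;  /* group (a): user's mistake */
    default:                           /* 2, 111, group (b), unknown codes */
        return RES_INTERNAL_FAILURE;
    }
}

/* Run a checkpassword-style program, passing the credentials on fd 3. */
enum result run_checker(const char *path, const char *user, const char *pass)
{
    int fds[2], status = 0;
    if (pipe(fds) < 0)
        return RES_INTERNAL_FAILURE;
    signal(SIGPIPE, SIG_IGN);          /* checker may exit before reading */
    pid_t pid = fork();
    if (pid == 0) {
        close(fds[1]);
        if (fds[0] != 3 && dup2(fds[0], 3) < 0)
            _exit(111);
        /* "/bin/true" is a placeholder for the program run on success */
        execl(path, path, "/bin/true", (char *)NULL);
        _exit(111);                    /* exec failed: temporary problem */
    }
    close(fds[0]);
    int sent = pid > 0 &&
        write(fds[1], user, strlen(user) + 1) > 0 &&
        write(fds[1], pass, strlen(pass) + 1) > 0 &&
        write(fds[1], "", 1) > 0;      /* empty timestamp field */
    close(fds[1]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return RES_INTERNAL_FAILURE;   /* fork/wait error or killed by signal */
    enum result r = classify_exit_code(WEXITSTATUS(status));
    /* Fail closed: never report success if the credentials were not sent. */
    return (r == RES_OK && !sent) ? RES_INTERNAL_FAILURE : r;
}
```

Keeping the two outcomes apart also keeps the logs usable: failed logins can be counted per user or address without internal errors inflating the numbers.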

