[Dovecot] Different classes of user

Timo Sirainen tss at iki.fi
Wed Feb 14 19:52:31 UTC 2007

On Wed, 2007-02-14 at 19:17 +0000, John Robinson wrote:
> I propose to amend the syntax of the PAM service name in dovecot.conf, 
> and allow a placeholder character at the end of it (probably ?). At 
> runtime, if it's there, I'll either remove it or change it to an 's', 
> varying the service name supplied by dovecot to PAM depending on whether 
> the current connection uses TLS/SSL.

I think I'll add the %c variable and than allow the PAM service name to
contain %variables. So you can then use eg. "dovecot%c" as the service
name and it expands to "dovecot" / "dovecotsecure" or something.

> I'm not much of a C programmer, in fact I'm rusty at programming at all, 
> but I'll have a go. In passdb-pam.c:pam_verify_plain(), what can I do to 
> find out whether the current connection is using TLS/SSL? Hopefully this 
> will end up being a 5-line patch and I won't introduce any horrific 
> security hole.

Hmm. Actually it looks like dovecot-auth doesn't store that information
anywhere. I think what you need is:

In auth_request_import() check if key contains "secured". If it does,
it's SSL/TLS. Add such bitfield to struct auth_request. Then use it in
the PAM code.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20070214/40964aaa/attachment.pgp 

More information about the dovecot mailing list