[Dovecot] PAM session closes too soon

Lauri Alanko la at iki.fi
Sat Aug 16 12:59:56 EEST 2008


Hi.

I'm trying to keep most of my data encrypted when possible, only
keeping the decryption key in memory (and thus vulnerable to
local attacks) when I'm actually using my data. In practice, this
means using pam_mount to mount my home directory from an
encrypted device.

It almost looked like I could get this to work with mail as well,
even when read via IMAP from a remote client: I placed my mail in
the encrypted home directory, added pam_mount to
/etc/pam.d/dovecot, and set session=yes in Dovecot's PAM
configuration.

Except that it didn't, quite: pam_mount worked just fine and
mounted the encrypted disk using the IMAP password... and then
immediately unmounted it, since for some reason session=yes means
that Dovecot closes the session _immediately_ after opening it.

This seems just silly. If a PAM session is to be used, then it
seems obvious to me that its length should be exactly the length
of the IMAP session. I can't see any reason for the current
behavior, except maybe that it was a bit simpler to code and is
sufficient for pam_mkhomedir (and only that).

Can this be fixed with reasonable effort?

Also, for pam_mount to work correctly, there must not be any file
descriptors open in the mounted file system when the session
closes, as otherwise unmounting is impossible. Will dovecot
release all fds into the mail and index files when the session
ends, or can it be made to do so? (UTSL is an acceptable answer.)

Thanks in advance.


Lauri Alanko
la at iki.fi
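The post's second question, whether any file descriptors are still open in the mounted file system when the session closes, can be checked from outside the mail processes. The following is an added example, not part of the original post and not Dovecot or pam_mount code: it walks a Linux /proc tree and reports descriptors that resolve under a mount point. The `proc_root` parameter, the helper names and the sample paths are assumptions made for illustration.

```python
import os
import tempfile

def open_fds_under(mount_point, proc_root="/proc"):
    """Return sorted (pid, fd, target) for each descriptor resolving under mount_point."""
    mount_point = os.path.normpath(mount_point)
    prefix = mount_point.rstrip("/") + "/"
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip "self", "sys", etc.
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            # The kernel appends " (deleted)" to unlinked files; they still pin the mount.
            suffix = " (deleted)"
            path = target[:-len(suffix)] if target.endswith(suffix) else target
            # Compare on a path boundary so /home/lab does not match /home/la.
            if path == mount_point or path.startswith(prefix):
                hits.append((int(entry), int(fd), target))
    return sorted(hits)

def build_sample_proc(root):
    """Constructed sample: a fake /proc tree with two processes (all values invented)."""
    sample = {
        4021: {"0": "/dev/null", "7": "/home/la/Maildir/dovecot.index",
               "9": "/home/la/Maildir/dovecot.index.log (deleted)"},
        4022: {"0": "/dev/null", "4": "/home/lab/notes.txt", "5": "socket:[12345]"},
    }
    for pid, fds in sample.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, fd))
    os.makedirs(os.path.join(root, "self"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pid, fd, target in open_fds_under("/home/la", build_sample_proc(tmp)):
            print(f"pid {pid} fd {fd} -> {target}")
```

Run against the real /proc as root to see other users' processes. A process's working directory and memory-mapped files also keep a file system busy and are not covered by this check.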

