[Dovecot] Passwordless auth?

Dan Mahoney, System Admin danm at prime.gushi.org
Fri May 24 02:57:28 EEST 2013


On Fri, 24 May 2013, Ben Morrow wrote:

> At  4PM -0700 on 23/05/13 you (Dan Mahoney, System Admin) wrote:
>>
>> I'm in the process of writing some scripts which I want to be able to take
>> actions on my local mailbox.  (For example, to move a subset of messages
>> to the trash over time, if unread for a week.  To act on messages in my
>> learn-spam folder and then delete them).
>
> http://wiki2.dovecot.org/PreAuth
>

Aah!

I came across this in the Q&A, and assumed such a thing wasn't possible:

-=-

Can Dovecot authenticate and work via UNIX sockets?

Dovecot authentication already works via UNIX sockets, but it only speaks 
its internal protocol. You could always create a "socket" passdb/userdb. 
Probably should be made compatible with "checkpassword" protocol. Patches 
welcome :)

-=-

Which could probably use some expansion/repointing.  The "preauth" name
kind of just implies in my mind "things you check before PAM" -- I would
not have looked there if not pointed.

> You can also use doveadm for quite a lot of this sort of administration;
> this may be easier if you're scripting in shell rather than something
> more sophisticated.

I'm pretty much resigned to trying to parse the whole mailbox anyway,
because I want functions like "when I move a message to the 'threadkill'
folder, move any message with the referenced message IDs in said message
to folder X".

All this is in pursuit of making that little red number in my mail.app 
window meaningful -- and it seems the only real control plane mobile 
clients give you is the ability to move a message to a folder :)

>> I'd definitely consider something like an SSH key with a forced
>> command (I do see questions in the FAQ about making dovecot work over a
>> socket connection), but that forgoes using standard imap clients.
>
> Well, I'm not sure what you consider 'standard' here, but there are both
> Perl and Python IMAP libraries which will connect to a command rather
> than a socket. If you're using a client which insists on connecting to
> an (INET) socket, it's a little harder; while you can obviously connect
> preauthed imap to a listening socket with netcat, that's not remotely
> secure.

I'm constructing a client, really.  In Perl, it looks like
Mail::Box::Manager is the thing I want, in conjunction with the above.

>> I could also create a dovecot-only user with my UID and no other login
>> privileges, but I'd like this to "just work" for anyone.
>
> I believe with the latest 2.2 you can also do this with Kerberos
> principals, if you're running Kerberos; I haven't looked into this yet,
> but I mean to (for much the same reason).

We are at the day job, but I'm not doing so personally.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
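
The pre-authenticated session discussed in this thread, driven from Python's `imaplib.IMAP4_stream` (which talks to a command rather than a socket) for the "unread for a week goes to the trash" task. This is an added example, not code from the post or from Dovecot; the binary path, the `Trash` mailbox name and the helper names are assumptions.

```python
import datetime
import imaplib

# Assumption: install path of Dovecot's imap binary; it differs between systems.
DOVECOT_IMAP = "/usr/libexec/dovecot/imap"
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def stale_unread_criteria(today, days=7):
    """IMAP SEARCH keys for messages still unread `days` days after arrival."""
    cutoff = today - datetime.timedelta(days=days)
    # IMAP wants English month names, so avoid the locale-dependent strftime("%b").
    return ["UNSEEN", "BEFORE",
            f"{cutoff.day:02d}-{MONTHS[cutoff.month - 1]}-{cutoff.year}"]


def trash_stale_unread(conn, today, source="INBOX", trash="Trash", days=7):
    """Move stale unread mail from `source` to `trash`; return the UIDs moved."""
    typ, _ = conn.select(source)
    if typ != "OK":
        raise RuntimeError(f"cannot select {source}")
    typ, data = conn.uid("SEARCH", *stale_unread_criteria(today, days))
    uids = data[0].split() if typ == "OK" and data and data[0] else []
    if not uids:
        return []
    uid_set = b",".join(uids).decode()
    # Delete only after the copy succeeded, e.g. the trash folder may not exist.
    typ, _ = conn.uid("COPY", uid_set, trash)
    if typ != "OK":
        raise RuntimeError(f"COPY to {trash} failed; nothing was deleted")
    conn.uid("STORE", uid_set, "+FLAGS", r"(\Deleted)")
    conn.expunge()  # also removes anything else already flagged \Deleted here
    return [u.decode() for u in uids]


def main():
    # Spawning the imap binary gives a session for the Unix user running
    # this script, so no password is stored or sent anywhere.
    conn = imaplib.IMAP4_stream(DOVECOT_IMAP)
    try:
        print("moved UIDs:", trash_stale_unread(conn, datetime.date.today()))
    finally:
        conn.logout()


if __name__ == "__main__":
    main()
```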


