Proxy with director accept only plain login
Andrey Fesenko
f0andrey at gmail.com
Tue Oct 27 15:43:27 UTC 2015
Hello, I'm testing a system with Dovecot (proxy with director) and backend
storage, authenticating against an LDAP server (users with plain passwords).
If I use plain auth, it works fine.
If I connect with DIGEST-MD5 or CRAM-MD5, the proxy does not redirect the connection
(Requested DIGEST-MD5 scheme, but we have a NULL password).
### Frontend proxy+director
# dovecot -n
# 2.2.19: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE amd64
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login digest-md5 cram-md5
auth_username_format = %Ln
auth_verbose = yes
base_dir = /var/run/dovecot-proxy/
director_doveadm_port = 12347
director_mail_servers = 192.168.1.3
director_servers = 192.168.1.2
disable_plaintext_auth = no
doveadm_port = 12347
first_valid_gid = 0
first_valid_uid = 1000
instance_name = proxy
last_valid_gid = 6000
last_valid_uid = 6000
listen = 192.168.1.2
lmtp_proxy = yes
mail_location = mbox:~/:INBOX=/var/mail/%u
passdb {
args = /usr/local/etc/dovecot/dovecot-ldap.conf
driver = ldap
}
passdb {
args = scheme=SSHA /etc/dovecot/passwd.masterusers
driver = passwd-file
master = yes
pass = yes
}
passdb {
driver = pam
}
protocols = imap lmtp
service director {
fifo_listener login/proxy-notify {
mode = 0600
}
inet_listener {
port = 9090
}
unix_listener director-userdb {
mode = 0600
}
unix_listener login/director {
mode = 0666
}
}
service doveadm {
inet_listener {
port = 12347
}
}
service imap-login {
executable = imap-login director
}
service ipc {
unix_listener ipc {
user = dovecot
}
}
service lmtp {
client_limit = 5
executable = lmtp
idle_kill = 0
inet_listener lmtp {
address = 192.168.1.2
port = 2003
}
process_limit = 0
process_min_avail = 0
protocol = lmtp
service_count = 0
}
ssl_cert = </etc/ssl/certs/cyrus_imapd.pem
ssl_key = </etc/ssl/certs/cyrus_imapd.pem
userdb {
args = /usr/local/etc/dovecot/dovecot-ldap.conf
driver = ldap
}
userdb {
driver = passwd
}
userdb {
driver = passwd
}
verbose_proctitle = yes
protocol lmtp {
auth_socket_path = director-userdb
}
protocol doveadm {
auth_socket_path = director-userdb
}
local 192.168.1.2/24 {
doveadm_password = # hidden, use -P to show it
}
# cat /usr/local/etc/dovecot/dovecot-ldap.conf
uris = ldaps://192.168.1.2:636
# allow a self-signed cert (do not skip connecting if the cert is not valid)
tls_ca_cert_dir = /home/user/openldap/
tls_ca_cert_file = /home/user/openldap/ca-slapd-serv.crt
tls_require_cert = allow
dn = cn=dovecot,ou=accounts,dc=host,dc=ru
dnpass = CycsonfeavaidOr
ldap_version = 3
#auth_bind = no
base = ou=accounts,dc=host,dc=ru
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,mailDirectory=mail,description=proxy,ipHostNumber=host,=nopassword=y,=starttls=any-cert
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,=password=,description=proxy,ipHostNumber=host,=nopassword=y,=starttls=any-cert
pass_filter = (&(objectClass=posixAccount)(uid=%u))
# needed for CRAM-MD5 to work
default_pass_scheme = CLEARTEXT
#### Backend
# dovecot -n
# 2.2.19: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.3-RELEASE-p24 amd64
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_mechanisms = plain login digest-md5 cram-md5
auth_username_format = %Ln
auth_verbose = yes
base_dir = /var/run/dovecot/
director_servers = 1192.168.1.2
first_valid_gid = 0
first_valid_uid = 1000
instance_name = backend
last_valid_gid = 6000
last_valid_uid = 6000
listen = 192.168.1.3
mail_location = mbox:~/:INBOX=/var/mail/%u
passdb {
args = /usr/local/etc/dovecot/dovecot-ldap.conf
driver = ldap
}
passdb {
args = scheme=SSHA /etc/dovecot/passwd.masterusers
driver = passwd-file
master = yes
pass = yes
}
passdb {
driver = pam
}
protocols = imap lmtp
service doveadm {
inet_listener {
port = 12347
}
}
service lmtp {
client_limit = 1
executable = lmtp -L
idle_kill = 0
inet_listener lmtp {
address = 192.168.1.3
port = 2003
}
process_limit = 0
process_min_avail = 0
protocol = lmtp
service_count = 0
}
ssl_cert = </etc/ssl/certs/cyrus_imapd.pem
ssl_key = </etc/ssl/certs/cyrus_imapd.pem
userdb {
args = /usr/local/etc/dovecot/dovecot-ldap.conf
driver = ldap
}
userdb {
driver = passwd
}
userdb {
driver = passwd
}
valid_chroot_dirs = /var/dovecot
verbose_proctitle = yes
local 192.168.1.2/24 {
doveadm_password = # hidden, use -P to show it
}
# cat /usr/local/etc/dovecot/dovecot-ldap.conf
uris = ldaps://192.168.1.2:636
# allow a self-signed cert (do not skip connecting if the cert is not valid)
tls_ca_cert_dir = /home/user/openldap/
tls_ca_cert_file = /home/user/openldap/ca-slapd-serv.crt
tls_require_cert = allow
ldaprc_path = /usr/local/etc/openldap/ldap.conf
dn = cn=dovecot,ou=accounts,dc=host,dc=ru
dnpass = CycsonfeavaidOr
ldap_version = 3
base = ou=accounts,dc=host,dc=ru
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid,mailDirectory=mail
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,clearPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = CLEARTEXT
###
Oct 27 18:15:40 imtest -v -u usertest -a usertest 192.168.1.2
(success)
Oct 27 18:16:30 imtest -m DIGEST-MD5 -v -u usertest -a usertest
192.168.1.2 (fail)
### Logs
Oct 27 18:15:26 fbsd10 dovecot: master: Warning: Killed with signal 15
(by pid=67306 uid=0 code=kill)
Oct 27 18:15:27 fbsd10 dovecot: master: Dovecot v2.2.19 starting up
for imap, lmtp
Oct 27 18:15:40 fbsd10 dovecot: imap-login: proxy(usertest): started
proxying to 192.168.1.3:143: user=<usertest>, method=PLAIN,
rip=192.168.1.3, lip=192.168.1.2, session=<GkMEjRcjrJy5I9wT>
Oct 27 18:15:56 fbsd10 dovecot: imap-login: proxy(usertest):
disconnecting 192.168.1.3 (Disconnected by server): user=<usertest>,
method=PLAIN, rip=192.168.1.3, lip=192.168.1.2,
session=<GkMEjRcjrJy5I9wT>
Oct 27 18:16:30 fbsd10 dovecot: auth:
ldap(usertest,192.168.1.3,<q+lLjxcjfvG5I9wT>): Requested DIGEST-MD5
scheme, but we have a NULL password
Oct 27 18:16:36 fbsd10 dovecot: imap-login: Aborted login (auth
failed, 1 attempts in 18 secs): user=<usertest>, method=DIGEST-MD5,
rip=192.168.1.3, lip=192.168.1.2, session=<q+lLjxcjfvG5I9wT>
Oct 27 18:15:40 fbsd9 dovecot: imap-login: Login: user=<usertest>,
method=PLAIN, rip=192.168.1.2, lip=192.168.1.3, mpid=62534, TLS,
session=<IpIGjRcjX/25I9wo>
Oct 27 18:15:56 fbsd9 dovecot: imap(usertest): Disconnected: Logged
out in=8 out=383