Master auth only

Aki Tuomi aki.tuomi at dovecot.fi
Wed Jul 12 10:06:47 EEST 2017


> On July 11, 2017 at 11:50 AM azurit at pobox.sk wrote:
> 
> 
> 
> Quoting azurit at pobox.sk:
> 
> > Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
> >
> >>> On July 10, 2017 at 1:45 PM azurit at pobox.sk wrote:
> >>>
> >>>
> >>>
> >>> Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>
> >>>>> On July 10, 2017 at 12:33 PM azurit at pobox.sk wrote:
> >>>>>
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I'm trying to configure Dovecot proxy with user authentication on
> >>>>> proxy side only, so backends will authenticate using master password
> >>>>> (proxy is configured to send it). The problem is that Dovecot, on
> >>>>> backends, is telling me that I need to configure at least one auth
> >>>>> mechanism:
> >>>>>
> >>>>> auth: Fatal: No passdbs specified in configuration file. LOGIN
> >>>>> mechanism needs one
> >>>>>
> >>>>>
> >>>>> The master auth is correctly configured.
> >>>>>
> >>>>> I want to accomplish having the user database in only one place
> >>>>> (=proxy). Any hints?
> >>>>>
> >>>>> azur
> >>>>
> >>>> Can you show your backend doveconf -n?
> >>>>
> >>>> Aki
> >>>
> >>>
> >>>
> >>> Here it is:
> >>> https://pastebin.com/C8dTUm5k
> >>
> >> Try adding another entry after the first passdb (order matters)
> >>
> >> passdb {
> >>  driver = static
> >>  args = nopassword
> >>  deny = yes
> >>  skip = authenticated
> >> }
> >>
> >> Aki
> >
> >
> >
> >
> > This seems to be working, thank you. Can you explain to me why it's needed?
> 
> 
> No need to explain it anymore, I understand it now. I made a little
> change and the (probably) final version is this:
> 
> passdb {
>    driver = static
>    args = nopassword
>    skip = authenticated
> }
> 
> I removed 'deny = yes' as, I believe, it's not needed and it was causing
> problems with LMTP proxying ('User doesn't exist' error message from
> backend LMTP). Thanks again.
> 
> azur

Hi!

This is a very dangerous configuration, please consider using what Sami suggested, viz

passdb {
  driver = static
  args = password=masterpassword
}

and remove the master auth completely.

Then you can override user's password to masterpassword in proxy config.

Aki
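
Added example (not part of the original message, and not Dovecot project code): a Python check that scans `doveconf -n` output for the pattern warned about above, a static passdb with nopassword and no deny = yes, which accepts any password for any login the earlier passdbs did not authenticate. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample shaped like `doveconf -n` output (not the thread's pastebin).
SAMPLE = """\
passdb {
  args = nopassword
  driver = static
  skip = authenticated
}
passdb {
  args = nopassword
  deny = yes
  driver = static
  skip = authenticated
}
passdb {
  args = password=masterpassword
  driver = static
}
"""

def parse_passdbs(text):
    """Return each passdb block as a dict of its settings, in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"passdb\s*\{", line):
            current = {}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks

def accepts_any_password(block):
    """True for a static passdb that skips the password check and does not deny."""
    args = block.get("args", "").split()
    return (block.get("driver") == "static"
            and "nopassword" in args
            and block.get("deny", "no") != "yes")

def audit(text):
    """Indexes of passdb blocks that accept any password."""
    return [i for i, b in enumerate(parse_passdbs(text)) if accepts_any_password(b)]

if __name__ == "__main__":
    for i in audit(SAMPLE):
        print(f"passdb #{i}: static nopassword without deny = yes")
```

Feed it the output of `doveconf -n` from each backend; an empty result means no passdb of this shape is configured.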

