Master auth only

Rick Romero rick at havokmon.com
Wed Jul 12 15:46:31 EEST 2017


Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:

>> On July 11, 2017 at 11:50 AM azurit at pobox.sk wrote:
>>
>> Quoting azurit at pobox.sk:
>>
>> Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
>>
>> On July 10, 2017 at 1:45 PM azurit at pobox.sk wrote:
>>
>> Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
>>
>> On July 10, 2017 at 12:33 PM azurit at pobox.sk wrote:
>>
>> Hi,
>>
>> I'm trying to configure Dovecot proxy with user authentication on
>> proxy side only, so backends will authenticate using master password
>> (proxy is configured to send it). The problem is that Dovecot, on
>> backends, is telling me that I need to configure at least one auth
>> mechanism:
>>
>> auth: Fatal: No passdbs specified in configuration file. LOGIN
>> mechanism needs one
>>
>> The master auth is correctly configured.
>>
>> I want to accomplish having the user database in only one place
>> (=proxy). Any hints?
>>
>> azur
>>
>> Can you show your backend doveconf -n?
>>
>> Aki
>>
>> Here it is:
>> https://pastebin.com/C8dTUm5k
>>
>> Try adding another entry after the first passdb (order matters)
>>
>> passdb {
>>   driver = static
>>   args = nopassword
>>   deny = yes
>>   skip = authenticated
>> }
>>
>> Aki
>>
>> This seems to be working, thank you. Can you explain to me why it's needed?
>>
>> No need to explain it anymore, I understand it now. I made a little
>> change and the (probably) final version is this:
>>
>> passdb {
>>    driver = static
>>    args = nopassword
>>    skip = authenticated
>> }
>>
>> I removed 'deny = yes' as, I believe, it's not needed and it was causing
>> problems with LMTP proxying ('User doesn't exist' error message from
>> backend LMTP). Thanks again.
>>
>> azur
>
> Hi!
>
> This is a very dangerous configuration, please consider using what
> Sami suggested, viz
>
> passdb {
>   driver = static
>   args = password=masterpassword
> }
>
> and remove the master auth completely.
>
> Then you can override user's password to masterpassword in proxy config.
> Aki

This is awesome, as I was just contemplating how to maintain
persistence with 2FA.
Is it possible to use a passdb based on remote IP? There's a
username_filter, but I want to use a master password for webmail
(which will use 2FA via Radius), and those IPs are known and
non-routable.

Rick
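
Added example, not part of the thread or of Dovecot itself: a small Python check over `doveconf -n`-style output that flags any `static` passdb with `nopassword` and no `deny = yes`, the combination in the second quoted block, which accepts whatever password is sent for any login that reaches it. The sample config is constructed from the three passdb blocks quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the three passdb variants quoted in the thread.
SAMPLE = """\
passdb {
  driver = static
  args = nopassword
  deny = yes
  skip = authenticated
}
passdb {
  driver = static
  args = nopassword
  skip = authenticated
}
passdb {
  driver = static
  args = password=masterpassword
}
"""

def parse_passdbs(conf):
    """Return one dict of settings per top-level 'passdb { ... }' block."""
    blocks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if current is None:
            if re.fullmatch(r"passdb\s*\{", line):
                current = {}
        elif line == "}":
            blocks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return blocks

def accepts_any_password(db):
    """True when a static passdb grants login regardless of the password sent."""
    keys = [arg.split("=", 1)[0] for arg in db.get("args", "").split()]
    return (db.get("driver") == "static" and "nopassword" in keys
            and db.get("deny", "no") != "yes")

def audit(conf):
    """Return 1-based positions of passdb blocks that accept any password."""
    return [i for i, db in enumerate(parse_passdbs(conf), 1)
            if accepts_any_password(db)]

if __name__ == "__main__":
    for pos in audit(SAMPLE):
        print(f"passdb #{pos}: static nopassword without deny=yes")
```

Feeding it the real output of `doveconf -n` on each backend gives a quick regression check that the accept-anything variant has not been reintroduced.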

