Master auth only

Rick Romero rick at havokmon.com
Wed Jul 12 16:24:15 EEST 2017


  Quoting Rick Romero <rick at havokmon.com>:

> Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>>> On July 11, 2017 at 11:50 AM azurit at pobox.sk wrote:
>>>
>>> Citát azurit at pobox.sk:
>>>
>>> Citát Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>
>>> On July 10, 2017 at 1:45 PM azurit at pobox.sk wrote:
>>>
>>> Citát Aki Tuomi <aki.tuomi at dovecot.fi>:
>>>
>>> On July 10, 2017 at 12:33 PM azurit at pobox.sk wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to configure a Dovecot proxy with user authentication on the
>>> proxy side only, so backends will authenticate using the master password
>>> (the proxy is configured to send it). The problem is that Dovecot, on the
>>> backends, is telling me that I need to configure at least one auth
>>> mechanism:
>>>
>>> auth: Fatal: No passdbs specified in configuration file. LOGIN
>>> mechanism needs one
>>>
>>> The master auth is correctly configured.
>>>
>>> I want to have the user database in only one place (=proxy). Any hints?
>>>
>>> azur
>>>
>>> Can you show your backend doveconf -n?
>>>
>>> Aki
>>>
>>> Here it is:
>>> https://pastebin.com/C8dTUm5k
>>>
>>> Try adding another entry after the first passdb (order matters)
>>>
>>> passdb {
>>>   driver = static
>>>   args = nopassword
>>>   deny = yes
>>>   skip = authenticated
>>> }
>>>
>>> Aki
>>>
>>> This seems to be working, thank you. Can you explain to me why it's needed?
>>>
>>> No need to explain it anymore, I understand it now. I made a little
>>> change and the (probably) final version is this:
>>>
>>> passdb {
>>>    driver = static
>>>    args = nopassword
>>>    skip = authenticated
>>> }
>>>
>>> I removed 'deny = yes' as, I believe, it's not needed and it was causing
>>> problems with LMTP proxying ('User doesn't exist' error message from the
>>> backend LMTP). Thanks again.
>>>
>>> azur
>>
>> Hi!
>>
>> This is a very dangerous configuration; please consider using what
>> Sami suggested, viz
>>
>> passdb {
>> driver = static
>> args = password=masterpassword
>> }
>>
>> and remove the master auth completely.
>>
>> then you can override user's password to masterpassword in proxy config.
>> Aki
>
> This is awesome, as I was just contemplating how to maintain
> persistence with 2FA.
> Is it possible to use a passdb based on remote IP? There's a
> username_filter, but I want to use a master password for webmail
> (which will use 2FA via Radius), and those IPs are known and
> non-routable.
> Rick

Maybe just doing it in the SQL passdb would be better...

password_query = SELECT userid as user, if(host =
'192.168.1.1', encrypt('masterpassword'), pass_field) as password
FROM users WHERE userid = '%u'
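The query above hands out the master password only for connections from one known address, so the master password cannot be used from anywhere else (unlike a plain static passdb with password=masterpassword, which accepts it from any client). The following is an added example, not code from this thread or from Dovecot: it models that query in Python with sqlite3 so the behaviour can be checked offline. Everything here is an assumption: the table layout (userid, pass_field), the trusted webmail address 192.168.1.1, the {SHA256} password scheme used instead of MySQL's encrypt(), and CASE WHEN standing in for MySQL's if(); the client IP is passed in as a parameter where Dovecot would substitute %{rip}.

```python
"""Added example (not from the mailing-list thread or Dovecot): model of
an SQL passdb query that returns the master password only for a trusted
remote IP, and the password check a backend would then perform.

Assumptions (hypothetical, not stated on the page):
  - users table has columns userid and pass_field
  - trusted webmail address is 192.168.1.1
  - password fields use Dovecot's {SHA256} scheme (base64 of raw digest)
  - SQLite CASE WHEN replaces MySQL if(); a precomputed hash replaces encrypt()
  - the client IP is a query parameter (Dovecot would supply %{rip})
"""
import base64
import hashlib
import hmac
import sqlite3

TRUSTED_WEBMAIL_IP = "192.168.1.1"   # constructed value
MASTER_PASSWORD = "masterpassword"   # placeholder, as written in the thread


def sha256_scheme(password: str) -> str:
    """Return a Dovecot-style {SHA256} password field for a cleartext password."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "{SHA256}" + base64.b64encode(digest).decode("ascii")


def verify(password_field: str, candidate: str) -> bool:
    """Check a client-supplied password against a {SHA256} password field."""
    if not password_field.startswith("{SHA256}"):
        raise ValueError("unsupported password scheme in: " + password_field)
    # constant-time comparison of the recomputed field against the stored one
    return hmac.compare_digest(sha256_scheme(candidate), password_field)


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, pass_field TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.com", sha256_scheme("alice-own-secret")),
            ("bob@example.com", sha256_scheme("bob-own-secret")),
        ],
    )
    conn.commit()
    return conn


# SQLite flavour of the thread's password_query: the master password hash is
# returned instead of the user's own hash only when the client IP matches.
PASSWORD_QUERY = """
SELECT userid AS user,
       CASE WHEN :rip = :trusted THEN :master ELSE pass_field END AS password
FROM users
WHERE userid = :user
"""


def lookup_password(conn: sqlite3.Connection, user: str, remote_ip: str):
    """Run the passdb query; return the password field or None if unknown user."""
    params = {
        "rip": remote_ip,
        "trusted": TRUSTED_WEBMAIL_IP,
        "master": sha256_scheme(MASTER_PASSWORD),
        "user": user,
    }
    row = conn.execute(PASSWORD_QUERY, params).fetchone()
    return None if row is None else row[1]


def authenticate(conn: sqlite3.Connection, user: str, candidate: str,
                 remote_ip: str) -> bool:
    """Model of the backend's decision: look up the field, then verify."""
    field = lookup_password(conn, user, remote_ip)
    if field is None:
        return False  # unknown user, nothing to compare against
    return verify(field, candidate)


if __name__ == "__main__":
    db = build_db()
    cases = [
        ("alice@example.com", MASTER_PASSWORD, TRUSTED_WEBMAIL_IP),
        ("alice@example.com", MASTER_PASSWORD, "203.0.113.5"),
        ("alice@example.com", "alice-own-secret", "203.0.113.5"),
        ("alice@example.com", "alice-own-secret", TRUSTED_WEBMAIL_IP),
    ]
    for user, pw, ip in cases:
        print(f"{user} from {ip} with {pw!r}: {authenticate(db, user, pw, ip)}")
```

One consequence worth noticing before adopting the query as written: from the trusted address the CASE replaces the user's own hash, so a user's real password no longer works from that IP, only the master password does. That is harmless when the address belongs solely to the webmail host, but it is the sort of side effect to confirm in a test like the one above before rolling the query out.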

