why is dovecot "Allowing any password"
Aki Tuomi
aki.tuomi at dovecot.fi
Wed Mar 21 18:24:56 EET 2018
> On 21 March 2018 at 18:12 mj <lists at merit.unu.edu> wrote:
>
>
> Hi,
>
> I noticed the following in the logs of our debian wheezy server:
>
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMA
> > ccountName=username)(!(userAccountControl=514)))
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username; uid unused
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username
> > Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): invalid credentials (given password: invalid_password)
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): lookup
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets: Matching for network 127.0.0.1/32
> > Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password
> > Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)
>
> The line second last line "Allowing any password" comes as a surprise..?
> Why would dovecot Allow any password..?
>
> We had the following bit in our config, but I removed it now:
>
> > #passdb {
> > # driver = static
> > # args = nopassword=y allow_nets=127.0.0.1/32
> > #}
>
> Could anyone expain the "Allowing any password"?
>
This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or
doveadm exec imap -u victim
for admin use.
Aki
More information about the dovecot
mailing list