why is dovecot "Allowing any password"

Aki Tuomi aki.tuomi at dovecot.fi
Wed Mar 21 18:43:38 EET 2018


> On 21 March 2018 at 18:31 mj <lists at merit.unu.edu> wrote:
> 
> 
> Hi Aki,
> 
> Thanks for the quick answer!
> 
> On 03/21/2018 05:24 PM, Aki Tuomi wrote:
> > This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or
> 
> Yes, the config is taken from the SOGo configuration guide, which can be 
> seen here:
> https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html
> 
> Yes, but we have args = nopassword=y allow_nets=127.0.0.1/32
> so it should only allow passwordless logins from localhost, right..?
> 
> And in "Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any 
> password" 1.2.3.4 is NOT localhost...
> 
> (obviously 1.2.3.4 is not the *real* ip, but it's a *real* ip from the 
> internet, NOT localhost...)
> 
> MJ

Looking at the code for v2.2.13, it would seem that

a) when using nopassword, it will log the debug row in any case
b) allow_nets will fail the authentication by setting request failed

Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks

this indicates that the request is marked failed.

I would, still, recommend using doveadm exec imap -u instead of the static passdb.

Aki
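
Added example, not part of the original thread and not Dovecot code: because the "Allowing any password" debug row is logged in any case, a log review has to pair it with the "allow_nets check failed" row for the same session ID to see whether the login was actually refused. The sample lines (apart from the two quoted in the thread), the syslog prefix on the debug row, the `classify` helper and the verdict labels are constructed assumptions.

```python
import ipaddress
import re

# Passdb prefix as seen in the thread: static(user,ip,<session>): message
ROW = re.compile(r"static\((?P<user>[^,]*),(?P<ip>[^,]*),<(?P<sid>[^>]*)>\): (?P<msg>.*)$")

ALLOW_NETS = [ipaddress.ip_network("127.0.0.1/32")]  # allow_nets value from the thread

# Constructed sample log; only the first two messages come from the thread.
SAMPLE_LOG = """\
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password
Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks
Mar 21 07:14:02 mail dovecot: auth: Debug: static(sogo,127.0.0.1,<constructedSid1>): Allowing any password
Mar 21 07:15:10 mail dovecot: auth: Debug: static(username,5.6.7.8,<constructedSid2>): Allowing any password
"""

def classify(log_text, allow_nets=ALLOW_NETS):
    """Return {session_id: verdict} for every session with a nopassword debug row."""
    sessions = {}
    for line in log_text.splitlines():
        m = ROW.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"ip": m["ip"], "nopass": False, "rejected": False})
        if m["msg"].startswith("Allowing any password"):
            s["nopass"] = True
        elif m["msg"].startswith("allow_nets check failed"):
            s["rejected"] = True
    verdicts = {}
    for sid, s in sessions.items():
        if not s["nopass"]:
            continue
        try:
            inside = any(ipaddress.ip_address(s["ip"]) in n for n in allow_nets)
        except ValueError:
            inside = False  # unparsable address: treat as outside allow_nets
        if s["rejected"]:
            verdicts[sid] = "rejected-by-allow_nets"
        elif inside:
            verdicts[sid] = "allowed-from-allow_nets"
        else:
            verdicts[sid] = "INVESTIGATE"  # outside allow_nets and no rejection row
    return verdicts

if __name__ == "__main__":
    for sid, verdict in classify(SAMPLE_LOG).items():
        print(sid, verdict)
```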

