why is dovecot "Allowing any password"
aki.tuomi at dovecot.fi
Wed Mar 21 18:43:38 EET 2018
> On 21 March 2018 at 18:31 mj <lists at merit.unu.edu> wrote:
> Hi AKi,
> Thanks for the quick answer!
> On 03/21/2018 05:24 PM, Aki Tuomi wrote:
> > This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or
> Yes, the config is taken from the SOGo configuration guide, which can be
> seen here:
> Yes, but we have args = nopassword=y allow_nets=127.0.0.1/32
> so it should only allow passwordless logins from localhost, right..?
> And in "Debug: static(username,126.96.36.199,<g2/rF+ZnjAAu5ceg>): Allowing any
> password" 188.8.131.52 is NOT localhost...
> (obviously 184.108.40.206 is not the *real* ip, bit it's a *real* ip from the
> internet, NOT localhost...
Looking at the code for v2.2.13, it would seem that
a) when using nopassword, it will log the debug row in any case
b) allow_nets will fail the authentication by setting request failed
Mar 21 07:13:48 mail dovecot: auth: static(username,220.127.116.11,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks
this indicates that the request is marked failed.
I would, still, recommend using doveadm exec imap -u instead of the static passdb.
More information about the dovecot