vpopmail

Eric Broch ebroch at whitehorsetc.com
Thu Oct 4 16:14:52 EEST 2018


On 10/4/2018 6:34 AM, Rick Romero wrote:
>
> Quoting Aki Tuomi <aki.tuomi at open-xchange.com>:
>
>> On 03.10.2018 23:30, Eric Broch wrote:
>>
>>> Hello list,
>>>
>>> I run Dovecot with the vpopmail driver and have found that it
>>> authenticates against the clear text password in the vpopmail
>>> database. Is there a configuration option either at compile time, link
>>> time, or a setting in one of the configuration files that tells the
>>> program to authenticate against the hash instead of the clear text?
>>>
>> Prefix your passwords in vpopmail with {SCHEME} (like,  {CRYPT})
>> Aki
>
>
> Or use SQL -  then you don't have to munge any of your tools.
>
> password_query =
> SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, 
> pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
> FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 
> 8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
>
> pw_gid refers to the binary vpopmail flags for disable POP, IMAP, 
> Webmail.
>
> Rick
>
When configuring vpopmail for our purposes we use (now) the 
configuration option:

  --disable-many-domains     Creates a table for each virtual domain instead of storing all users in a single table.
                             Only valid for MySQL and PostgreSQL

This disallows (I think) the use of the Dovecot MySQL configuration file, as every user is stored in a domain table of the form 'mydomain_tld'.

So, we're limited to these configurations (no dovecot-mysql.conf.ext) :

passdb {
   args = cache_key=%u webmail=127.0.0.1
   driver = vpopmail
}

userdb {
   args = cache_key=%u quota_template=quota_rule=*:backend=%q
   driver = vpopmail
}

If there is a clear text password (pw_clear_passwd) present it seems that Dovecot will use that instead of using the hash (pw_passwd).

It seems that in the code 'passdb-vpopmail.c' (below), if the clear password (pw_clear_passwd) is present, Dovecot skips the hashed password (pw_passwd), and we want authentication against the hashed password.

<snippet>
         if (vpopmail_is_disabled(auth_request, vpw)) {
                 auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
                                       "%s disabled in vpopmail for this user",
                                       auth_request->service);
                 password = NULL;
                 *result_r = PASSDB_RESULT_USER_DISABLED;
         } else {
                 if (vpw->pw_clear_passwd != NULL &&
                     *vpw->pw_clear_passwd != '\0') {
                         password = t_strdup_noconst(vpw->pw_clear_passwd);
                         *cleartext = TRUE;
                 } else if (!*cleartext)
                         password = t_strdup_noconst(vpw->pw_passwd);
                 else
                         password = NULL;
                 *result_r = password != NULL ? PASSDB_RESULT_OK :
                         PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
         }
</snippet>


Looking for an option to make Dovecot use the hashed password instead of the clear text.

Hope this makes sense.

-EricB






-- 
Eric Broch
White Horse Technical Consulting (WHTC)
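
The selection order in the quoted passdb-vpopmail.c branch, modelled as a stand-alone C program next to a hash-first ordering. This is an added example, not part of the original message and not Dovecot source: struct vpw_fields, enum pick_result, pick_as_quoted() and pick_hash_first() are hypothetical names, the sample credentials are constructed, and reading *cleartext as "TRUE on entry means the caller needs the clear text password" is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
/* Only the two fields the quoted branch reads; struct name is hypothetical. */
struct vpw_fields {
    const char *pw_passwd;       /* hashed password */
    const char *pw_clear_passwd; /* clear text copy, may be NULL or "" */
};
enum pick_result { PICK_OK, PICK_SCHEME_NOT_AVAILABLE };

static bool has_clear(const struct vpw_fields *v)
{ return v->pw_clear_passwd != NULL && *v->pw_clear_passwd != '\0'; }

/* Same decision order as the quoted else-branch; *cleartext is in/out. */
static const char *pick_as_quoted(const struct vpw_fields *vpw, bool *cleartext,
                                  enum pick_result *result_r)
{
    const char *password = NULL;
    if (has_clear(vpw)) {
        password = vpw->pw_clear_passwd; /* pw_passwd is never consulted */
        *cleartext = true;
    } else if (!*cleartext) {
        password = vpw->pw_passwd;
    }
    *result_r = password != NULL ? PICK_OK : PICK_SCHEME_NOT_AVAILABLE;
    return password;
}

/* Hypothetical hash-first order (not a Dovecot option): the clear text copy
 * is returned only when the caller came in with *cleartext already true. */
static const char *pick_hash_first(const struct vpw_fields *vpw, bool *cleartext,
                                   enum pick_result *result_r)
{
    const char *password = NULL;
    if (!*cleartext)
        password = vpw->pw_passwd;
    else if (has_clear(vpw))
        password = vpw->pw_clear_passwd;
    *result_r = password != NULL ? PICK_OK : PICK_SCHEME_NOT_AVAILABLE;
    return password;
}

int main(void)
{
    struct vpw_fields u = { "$1$constructed$hash", "constructed-clear" }; /* constructed */
    bool a = false, b = false;
    enum pick_result r;
    printf("as quoted : %s\n", pick_as_quoted(&u, &a, &r));
    printf("hash first: %s\n", pick_hash_first(&u, &b, &r));
    return 0;
}
```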
