vpopmail
Rick Romero
rick at havokmon.com
Thu Oct 4 16:27:53 EEST 2018
Quoting Eric Broch <ebroch at whitehorsetc.com>:
> On 10/4/2018 6:34 AM, Rick Romero wrote:
>
>>
Quoting Aki Tuomi <aki.tuomi at open-xchange.com>:
> On 03.10.2018 23:30, Eric Broch wrote:
>
>> Hello list,
>>
>> I run Dovecot with the vpopmail driver and have found that it
>> authenticates against the clear text password in the vpopmail
>> database. Is there a configuration option either at compile time, link
>> time, or a setting in one of the configuration files that tells the
>> program to authenticate against the hash instead of the clear text?
>
> Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
> Aki
Or use SQL - then you don't have to munge any of your tools.

  password_query =
    SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password,
           pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
    FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8)
      AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))

pw_gid refers to the binary vpopmail flags for disable POP, IMAP, Webmail.

Rick
When configuring vpopmail for our purposes we use (now) the
configuration option:

  --disable-many-domains  Creates a table for each virtual domain
                          instead of storing all users in a single table.
                          Only valid for MySQL and PostgreSQL

This disallows (I think) the use of the Dovecot MySQL configuration file,
as every user is stored in a domain table of the form 'mydomain_tld'. So,
we're limited to these configurations (no dovecot-mysql.conf.ext):

  passdb {
    args = cache_key=%u webmail=127.0.0.1
    driver = vpopmail
  }
  userdb {
    args = cache_key=%u quota_template=quota_rule=*:backend=%q
    driver = vpopmail
  }

If there is a clear text password (pw_clear_passwd) present it seems that
Dovecot will use that instead of using the hash (pw_passwd). It seems that
in the code 'passdb-vpopmail.c' (below) that if the clear password
(pw_clear_passwd) is present Dovecot skips the hashed password (pw_passwd),
and we want authentication against the hashed password.

<snippet>
  if (vpopmail_is_disabled(auth_request, vpw)) {
          auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
                                "%s disabled in vpopmail for this user",
                                auth_request->service);
          password = NULL;
          *result_r = PASSDB_RESULT_USER_DISABLED;
  } else {
          if (vpw->pw_clear_passwd != NULL &&
              *vpw->pw_clear_passwd != '\0') {
                  password = t_strdup_noconst(vpw->pw_clear_passwd);
                  *cleartext = TRUE;
          } else if (!*cleartext)
                  password = t_strdup_noconst(vpw->pw_passwd);
          else
                  password = NULL;
          *result_r = password != NULL ? PASSDB_RESULT_OK :
                  PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
  }
</snippet>

Looking for an option to make dovecot use hashed password instead of clear
text. Hope this makes sense.

-EricB

We seem to have lost quoting..
First - Why aren't you just deleting all the clear text passwords?

Second, for many domains, my password query for your purposes should
just be:

  SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password,
         pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
  FROM %d WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8)
    AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))

Where %d is the domain name. Your vpopmail database should have a bunch of
domain.com table names. Or you can hardcode the database with

  FROM vpopmail.%d

You may need to play with quotes..

  FROM `vpopmail.%d`

or

  FROM `%d`

Rick
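As an added example (not part of the thread and not Dovecot's or vpopmail's own code), the following replays Rick's SQL passdb query against a constructed in-memory copy of the vpopmail table, showing which rows Dovecot would receive for the pw_gid flags and the webmail-IP rule, and that pw_clear_passwd is never selected. It assumes the usual vpopmail bit values NO_POP=2, NO_WEBMAIL=4, NO_IMAP=8; the rows, hashes and IPs are constructed placeholders.

```python
import sqlite3

# Assumed vpopmail pw_gid bits (the thread names the flags, not the values).
NO_POP, NO_WEBMAIL, NO_IMAP = 2, 4, 8
WEBSERVER_IP = "192.0.2.10"  # stands in for <webserverip> in the query

# Constructed rows: pw_name, pw_domain, pw_passwd, pw_clear_passwd, pw_dir, pw_gid.
# pw_passwd carries the {CRYPT} prefix Aki suggested; hashes are placeholders.
ROWS = [
    ("alice", "example.com", "{CRYPT}$1$salt$hash1", "Secret1",
     "/home/vpopmail/domains/example.com/alice", 0),
    ("bob", "example.com", "{CRYPT}$1$salt$hash2", "",
     "/home/vpopmail/domains/example.com/bob", NO_IMAP),
    ("carol", "example.com", "{CRYPT}$1$salt$hash3", "",
     "/home/vpopmail/domains/example.com/carol", NO_WEBMAIL),
]

# Rick's query with MySQL's !(...) written as NOT (...), CONCAT as ||, and the
# Dovecot variables %n, %d, %r bound as parameters so it runs on sqlite.
PASSWORD_QUERY = """
SELECT pw_name || '@' || pw_domain AS user, pw_passwd AS password,
       pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid
FROM vpopmail
WHERE pw_name = ? AND pw_domain = ?
  AND NOT (pw_gid & 8) AND NOT (pw_gid & 2)
  AND (? != ? OR NOT (pw_gid & 4))
"""


def open_db():
    """Build the constructed vpopmail table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vpopmail (pw_name, pw_domain, pw_passwd,"
               " pw_clear_passwd, pw_dir, pw_gid)")
    db.executemany("INSERT INTO vpopmail VALUES (?,?,?,?,?,?)", ROWS)
    return db


def lookup(db, user, domain, remote_ip):
    """Return the passdb row Dovecot would get, or None (user unknown/disabled)."""
    cur = db.execute(PASSWORD_QUERY, (user, domain, remote_ip, WEBSERVER_IP))
    row = cur.fetchone()
    if row is None:
        return None
    return dict(zip([col[0] for col in cur.description], row))


if __name__ == "__main__":
    db = open_db()
    for name, ip in (("alice", "203.0.113.5"), ("bob", "203.0.113.5"),
                     ("carol", "203.0.113.5"), ("carol", WEBSERVER_IP)):
        print(name, ip, "->", lookup(db, name, "example.com", ip))
```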