vpopmail

Rick Romero rick at havokmon.com
Thu Oct 4 17:42:23 EEST 2018


  Quoting Rick Romero <rick at havokmon.com>:

> Quoting Eric Broch <ebroch at whitehorsetc.com>:
>
>> On 10/4/2018 7:27 AM, Rick Romero wrote:
>>> Quoting Eric Broch <ebroch at whitehorsetc.com  
>>> <mailto:ebroch at whitehorsetc.com>>:
>>>
>>>> On 10/4/2018 6:34 AM, Rick Romero wrote:
>>>>>  
>>>
>>> Quoting Aki Tuomi <aki.tuomi at open-xchange.com  
>>> <mailto:aki.tuomi at open-xchange.com>>:
>>>
>>>> On 03.10.2018 23:30, Eric Broch wrote:
>>>>
>>>>> Hello list,
>>>>>
>>>>> I run Dovecot with the vpopmail driver and have found that it
>>>>> authenticates against the clear text password in the vpopmail
>>>>> database. Is there a configuration option either at compile time, link
>>>>> time, or a setting in one of the configuration files that tells the
>>>>> program to authenticate against the hash instead of the clear text?
>>>>
>>>> Prefix your passwords in vpopmail with {SCHEME} (like,  {CRYPT})
>>>> Aki
>>>
>>> Or use SQL -  then you don't have to munge any of your tools.
>>>
>>> password_query =
>>> SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS  
>>> password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
>>> FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND  
>>> !(pw_gid & 8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or  
>>> !(pw_gid & 4))
>>>
>>> pw_gid refers to the the binary vpopmail flags for disable POP,  
>>> IMAP, Webmail.
>>>
>>> Rick
>>
>>> When configuring vpopmail for our purposes we use (now) the  
>>> configuration option:
>>>
>>> --disable-many-domains     Creates a table for each virtual domain  
>>> instead of storing all users in a single table.
>>>                            Only valid for MySQL and PostgreSQL
>>>
>>> This disallows (I think) the use of the Dovecot MySQL configuration file  
>>> as every user is stored in a domain table of the form  
>>> 'mydomain_tld'.
>>>
>>> So, we're limited to these configurations (no dovecot-mysql.conf.ext) :
>>>
>>> passdb {
>>> args = cache_key=%u webmail=127.0.0.1
>>> driver = vpopmail
>>> }
>>>
>>> userdb {
>>> args = cache_key=%u quota_template=quota_rule=*:backend=%q
>>> driver = vpopmail
>>> }
>>>
>>> If there is a clear text password (pw_clear_passwd) present it  
>>> seems that Dovecot will use that instead of using the hash  
>>> (pw_passwd).
>>>
>>> It seems that in the code 'passdb-vpopmail.c' (below) that if the  
>>> clear password (pw_clear_passwd) is present Dovecot skips the  
>>> hashed password (pw_passwd), and we want authentication against  
>>> the hashed password.
>>>
>>> <snippet>
>>>        if (vpopmail_is_disabled(auth_request, vpw)) {
>>>                auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
>>>                                      "%s disabled in vpopmail for this user",
>>>                                      auth_request->service);
>>>                password = NULL;
>>>                *result_r = PASSDB_RESULT_USER_DISABLED;
>>>        } else {
>>>                if (vpw->pw_clear_passwd != NULL &&
>>>                    *vpw->pw_clear_passwd != '\0') {
>>>                        password = t_strdup_noconst(vpw->pw_clear_passwd);
>>>                        *cleartext = TRUE;
>>>                } else if (!*cleartext)
>>>                        password = t_strdup_noconst(vpw->pw_passwd);
>>>                else
>>>                        password = NULL;
>>>                *result_r = password != NULL ? PASSDB_RESULT_OK :
>>>                        PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
>>>        }
>>> </snippet>
>>>
>>> Looking for an option to make dovecot use hashed password instead  
>>> of clear text.
>>>
>>> Hope this makes sense.
>>>
>>> -EricB
>>>
>>> We seem to have lost quoting..
>>> First - Why aren't you just deleting all the clear text passwords?
>>>
>>> Second, for many domains, my password query for your purposes  
>>> should just be:
>>> SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS  
>>> password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
>>> FROM %d WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid &  
>>> 8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
>>>
>>> Where %d is the domain name. Your vpopmail database should have a  
>>> bunch of domain.com table names.
>>> Or you can hardcode the database with   FROM vpopmail.%d
>>> You may need to play with quotes..  FROM `vpopmail.%d`  or  FROM `%d`
>>>
>>> Rick
>>
>> Rick,
>>
>> I'm not sure what you're saying.
>>
>> Vpopmail's DB can be configured in two different ways, 1) With  
>> domain tables and all users for that particular domain underneath  
>> (described below), or 2) Simply, one table with all users with the  
>> domain field 'pw_domain' (This works with dovecot-sql.conf.ext  
>> files). The former (1), which we use does not allow the use of  
>> dovecot-sql.conf.ext files, we're limited to userdb and passwd  
>> options previously mentioned. When using these options dovecot will  
>> get the clear text password if present.
>>
>> The problem is that if a password is over 16 characters long the  
>> clear text field will only store the first 16 characters while the  
>> hashed field will contain the whole password.
>>
>> # echo "describe domain_tld" | mysql -u root -p`cat vpoppasswd` vpopmail
>> yields
>> Field   Type    Null    Key     Default Extra
>> pw_name char(32)        NO      PRI     NULL
>> pw_passwd       char(40)        YES             NULL
>> pw_uid  int(11) YES             NULL
>> pw_gid  int(11) YES             NULL
>> pw_gecos        char(48)        YES             NULL
>> pw_dir  char(160)       YES             NULL
>> pw_shell        char(20)        YES             NULL
>> pw_clear_passwd char(16)        YES             NULL
>>
>> As you can see there is no 'pw_domain' field from which to draw.
>>
>> Again we are limited to the passdb, and userdb options already described.
>
> I'm not sure why #1 wouldn't work with a proper query - here's the  
> same without a reference to pw_domain at all.
>
> SELECT CONCAT(pw_name, '@', %d) AS user, pw_passwd AS  password,  
> pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid FROM %d  
> WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8) AND  
> !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
>
> Alternatively if you absolutely must have clear text password, and  
> it has to be greater than 16 characters, make the MySQL field bigger  
> than 16 characters.  'Alter table' is the command.
>
> It really sounds to me like you need a test environment.
> Rick

Dammit

SELECT CONCAT(pw_name, '@', %d) AS user, pw_passwd AS  password,  
pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid FROM %d  
WHERE pw_name = '%n' AND !(pw_gid & 8) AND !(pw_gid & 2) AND  
('%r'!='<webserverip>' or !(pw_gid & 4))
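As an added example (not from this thread and not Dovecot's or vpopmail's own code), a Python model of the selection branch quoted from passdb-vpopmail.c combined with the char(16) truncation Eric describes; it assumes Dovecot's {SHA256} scheme for pw_passwd (base64 of the raw digest) and uses constructed sample rows.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

CLEAR_PASSWD_MAXLEN = 16  # pw_clear_passwd is char(16) in the 'describe' output above


@dataclass
class VpopmailUser:
    """Constructed stand-in for the vpopmail row (struct vqpasswd) Dovecot reads."""
    pw_passwd: str                  # hashed password, here in Dovecot's {SHA256} scheme
    pw_clear_passwd: Optional[str]  # NULL, '' or the (possibly truncated) cleartext


def sha256_scheme(password: str) -> str:
    """Dovecot's {SHA256} password scheme: base64 of the raw SHA-256 digest."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "{SHA256}" + base64.b64encode(digest).decode("ascii")


def store_user(password: str, keep_cleartext: bool) -> VpopmailUser:
    """Simulate inserting a user: MySQL silently truncates the char(16) column."""
    clear = password[:CLEAR_PASSWD_MAXLEN] if keep_cleartext else None
    return VpopmailUser(pw_passwd=sha256_scheme(password), pw_clear_passwd=clear)


def select_credential(vpw: VpopmailUser, cleartext: bool) -> Tuple[Optional[str], bool, str]:
    """The else-branch quoted from passdb-vpopmail.c: cleartext wins when present."""
    if vpw.pw_clear_passwd:                       # != NULL && *p != '\0'
        return vpw.pw_clear_passwd, True, "PASSDB_RESULT_OK"
    if not cleartext:
        return vpw.pw_passwd, False, "PASSDB_RESULT_OK"
    return None, cleartext, "PASSDB_RESULT_SCHEME_NOT_AVAILABLE"


def authenticate(vpw: VpopmailUser, submitted: str, cleartext: bool = False) -> bool:
    """Compare the submitted password against whatever select_credential chose."""
    stored, is_cleartext, result = select_credential(vpw, cleartext)
    if result != "PASSDB_RESULT_OK" or stored is None:
        return False
    expected = submitted if is_cleartext else sha256_scheme(submitted)
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))
```

Running it with a 28-character password shows the real password being rejected while pw_clear_passwd is populated, and accepted again once that column is cleared and the hash is used.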