vpopmail
Aki Tuomi
aki.tuomi at open-xchange.com
Thu Oct 4 18:19:33 EEST 2018
> On 04 October 2018 at 17:42 Rick Romero <rick at havokmon.com> wrote:
>
>
> Quoting Rick Romero <rick at havokmon.com>:
>
> > Quoting Eric Broch <ebroch at whitehorsetc.com>:
> >
> >> On 10/4/2018 7:27 AM, Rick Romero wrote:
> >>> Quoting Eric Broch <ebroch at whitehorsetc.com>:
> >>>
> >>>> On 10/4/2018 6:34 AM, Rick Romero wrote:
> >>>>>
> >>>
> >>> Quoting Aki Tuomi <aki.tuomi at open-xchange.com>:
> >>>
> >>>> On 03.10.2018 23:30, Eric Broch wrote:
> >>>>
> >>>>> Hello list,
> >>>>>
> >>>>> I run Dovecot with the vpopmail driver and have found that it
> >>>>> authenticates against the clear text password in the vpopmail
> >>>>> database. Is there a configuration option either at compile time, link
> >>>>> time, or a setting in one of the configuration files that tells the
> >>>>> program to authenticate against the hash instead of the clear text?
> >>>>
> >>>> Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
> >>>> Aki
> >>>
> >>> Or use SQL - then you don't have to munge any of your tools.
> >>>
> >>> password_query = \
> >>>   SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, \
> >>>          pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid \
> >>>   FROM vpopmail \
> >>>   WHERE pw_name = '%n' AND pw_domain = '%d' \
> >>>     AND !(pw_gid & 8) AND !(pw_gid & 2) \
> >>>     AND ('%r' != '<webserverip>' OR !(pw_gid & 4))
> >>>
> >>> pw_gid refers to the binary vpopmail flags for disable POP,
> >>> IMAP, Webmail.
> >>>
> >>> Rick
> >>
> >>> When configuring vpopmail for our purposes we use (now) the
> >>> configuration option:
> >>>
> >>> --disable-many-domains Creates a table for each virtual domain
> >>> instead of storing all users in a single table.
> >>> Only valid for MySQL and PostgreSQL
> >>>
> >>> This disallows (I think) the use of the Dovecot MySQL configuration
> >>> file, as every user is stored in a domain table of the form
> >>> 'mydomain_tld'.
> >>>
> >>> So, we're limited to these configurations (no dovecot-mysql.conf.ext):
> >>>
> >>> passdb {
> >>>   args = cache_key=%u webmail=127.0.0.1
> >>>   driver = vpopmail
> >>> }
> >>>
> >>> userdb {
> >>>   args = cache_key=%u quota_template=quota_rule=*:backend=%q
> >>>   driver = vpopmail
> >>> }
> >>>
> >>> If there is a clear text password (pw_clear_passwd) present it
> >>> seems that Dovecot will use that instead of using the hash
> >>> (pw_passwd).
> >>>
> >>> It seems that in the code 'passdb-vpopmail.c' (below) that if the
> >>> clear password (pw_clear_passwd) is present Dovecot skips the
> >>> hashed password (pw_passwd), and we want authentication against
> >>> the hashed password.
> >>>
> >>> <snippet>
> >>> if (vpopmail_is_disabled(auth_request, vpw)) {
> >>>         auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
> >>>                               "%s disabled in vpopmail for this user",
> >>>                               auth_request->service);
> >>>         password = NULL;
> >>>         *result_r = PASSDB_RESULT_USER_DISABLED;
> >>> } else {
> >>>         if (vpw->pw_clear_passwd != NULL &&
> >>>             *vpw->pw_clear_passwd != '\0') {
> >>>                 password = t_strdup_noconst(vpw->pw_clear_passwd);
> >>>                 *cleartext = TRUE;
> >>>         } else if (!*cleartext)
> >>>                 password = t_strdup_noconst(vpw->pw_passwd);
> >>>         else
> >>>                 password = NULL;
> >>>         *result_r = password != NULL ? PASSDB_RESULT_OK :
> >>>                 PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
> >>> }
> >>> </snippet>
> >>>
> >>> Looking for an option to make dovecot use hashed password instead
> >>> of clear text.
> >>>
> >>> Hope this makes sense.
> >>>
> >>> -EricB
> >>>
> >>> We seem to have lost quoting..
> >>> First - Why aren't you just deleting all the clear text passwords?
> >>>
> >>> Second, for many domains, my password query for your purposes
> >>> should just be:
> >>> SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password,
> >>>        pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid
> >>> FROM %d
> >>> WHERE pw_name = '%n' AND pw_domain = '%d'
> >>>   AND !(pw_gid & 8) AND !(pw_gid & 2)
> >>>   AND ('%r' != '<webserverip>' OR !(pw_gid & 4))
> >>>
> >>> Where %d is the domain name. Your vpopmail database should have a
> >>> bunch of domain.com table names.
> >>> Or you can hardcode the database with FROM vpopmail.%d
> >>> You may need to play with quotes.. FROM `vpopmail.%d` or FROM `%d`
> >>>
> >>> Rick
> >>
> >> Rick,
> >>
> >> I'm not sure what you're saying.
> >>
> >> Vpopmail's DB can be configured in two different ways, 1) With
> >> domain tables and all users for that particular domain underneath
> >> (described below), or 2) Simply, one table with all users with the
> >> domain field 'pw_domain' (This works with dovecot-sql.conf.ext
> >> files). The former (1), which we use does not allow the use of
> >> dovecot-sql.conf.ext files, we're limited to userdb and passwd
> >> options previously mentioned. When using these options dovecot will
> >> get the clear text password if present.
> >>
> >> The problem is that if a password is over 16 characters long the
> >> clear text field will only store the first 16 characters while the
> >> hashed field will contain the whole password.
> >>
> >> # echo "describe domain_tld" | mysql -u root -p`cat vpoppasswd` vpopmail
> >> yields
> >> Field            Type       Null  Key  Default  Extra
> >> pw_name          char(32)   NO    PRI  NULL
> >> pw_passwd        char(40)   YES        NULL
> >> pw_uid           int(11)    YES        NULL
> >> pw_gid           int(11)    YES        NULL
> >> pw_gecos         char(48)   YES        NULL
> >> pw_dir           char(160)  YES        NULL
> >> pw_shell         char(20)   YES        NULL
> >> pw_clear_passwd  char(16)   YES        NULL
> >>
> >> As you can see there is no 'pw_domain' field from which to draw.
> >>
> >> Again we are limited to the passdb, and userdb options already described.
> >
> > I'm not sure why #1 wouldn't work with a proper query - here's the
> > same without a reference to pw_domain at all.
> >
> > SELECT CONCAT(pw_name, '@', '%d') AS user, pw_passwd AS password,
> >        pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid
> > FROM %d
> > WHERE pw_name = '%n' AND pw_domain = '%d'
> >   AND !(pw_gid & 8) AND !(pw_gid & 2)
> >   AND ('%r' != '<webserverip>' OR !(pw_gid & 4))
> >
> > Alternatively if you absolutely must have clear text password, and
> > it has to be greater than 16 characters, make the MySQL field bigger
> > than 16 characters. 'Alter table' is the command.
> >
> > It really sounds to me like you need a test environment.
> > Rick
>
> Dammit
>
> SELECT CONCAT(pw_name, '@', '%d') AS user, pw_passwd AS password,
>        pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid
> FROM %d
> WHERE pw_name = '%n'
>   AND !(pw_gid & 8) AND !(pw_gid & 2)
>   AND ('%r' != '<webserverip>' OR !(pw_gid & 4))
One does wonder why you are using vpopmail if you have SQL database... you could just use SQL passdb/userdb instead.
Aki
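Added illustration (not code from Dovecot, vpopmail, or anyone in this thread): a Python model of the credential selection in the passdb-vpopmail.c snippet quoted above, combined with the char(16) width of pw_clear_passwd from Eric's `describe` output and the pw_gid bits from Rick's query. It shows why a user with a password longer than 16 characters cannot log in while the clear-text column is populated, that the 16-character prefix alone then authenticates, and that deleting the clear-text value (Rick's first suggestion) or prefixing pw_passwd with a {SCHEME} (Aki's) makes the hash the credential that is actually checked. Assumptions: the {SHA256} scheme is used for pw_passwd, the flag names NO_POP/NO_WEBMAIL/NO_IMAP are ours (only the bit values come from the thread), and the user records and addresses are constructed test data.

```python
"""Model of Dovecot's vpopmail passdb credential selection plus the
char(16) truncation of pw_clear_passwd. Added illustration only."""
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Bit values taken from the thread's query (pw_gid & 2, & 4, & 8);
# the constant names are an assumption of this example.
NO_POP = 0x02
NO_WEBMAIL = 0x04
NO_IMAP = 0x08

# Column width of pw_clear_passwd in the `describe domain_tld` output above.
CLEAR_PASSWD_WIDTH = 16


@dataclass
class VpopmailUser:
    pw_name: str
    pw_passwd: str          # hashed password, {SCHEME}-prefixed as Aki suggests
    pw_gid: int             # vpopmail flag bits
    pw_clear_passwd: str    # "" when no clear text is stored


def sha256_scheme(password: str) -> str:
    """Dovecot's {SHA256} scheme: base64 of the raw SHA-256 digest."""
    digest = hashlib.sha256(password.encode()).digest()
    return "{SHA256}" + base64.b64encode(digest).decode()


def store_clear_passwd(password: str) -> str:
    """What a char(16) column keeps of a longer password (MySQL truncation)."""
    return password[:CLEAR_PASSWD_WIDTH]


def is_disabled(user, service, remote_ip, webserver_ip="127.0.0.1") -> bool:
    """Same conditions as the WHERE clause of the thread's SQL query."""
    if service == "pop3" and user.pw_gid & NO_POP:
        return True
    if service == "imap" and user.pw_gid & NO_IMAP:
        return True
    # "Webmail" is a login arriving from the webserver's own address.
    return bool(remote_ip == webserver_ip and user.pw_gid & NO_WEBMAIL)


def select_credential(user, service, remote_ip, want_cleartext=False):
    """Mirror of the quoted C: returns (result, password, is_cleartext).

    want_cleartext models the *cleartext in/out argument: a caller that
    can only work with a plaintext gets SCHEME_NOT_AVAILABLE when only
    the hash exists. The clear-text column always wins when populated."""
    if is_disabled(user, service, remote_ip):
        return "USER_DISABLED", None, False
    if user.pw_clear_passwd:
        return "OK", user.pw_clear_passwd, True
    if not want_cleartext:
        return "OK", user.pw_passwd, False
    return "SCHEME_NOT_AVAILABLE", None, False


def verify(user, supplied, service="imap", remote_ip="203.0.113.7") -> bool:
    """Check a supplied password against whichever credential was selected."""
    result, stored, cleartext = select_credential(user, service, remote_ip)
    if result != "OK":
        return False
    if cleartext:
        return hmac.compare_digest(stored, supplied)
    if not stored.startswith("{SHA256}"):
        raise ValueError("this model only understands the {SHA256} scheme")
    return hmac.compare_digest(sha256_scheme(supplied), stored)


def demo() -> dict:
    """Constructed records: a 28-character password with and without the
    clear-text copy, plus the disable bits. Returns outcome per case."""
    full = "correct horse battery staple"  # 28 characters, constructed
    with_clear = VpopmailUser("eric", sha256_scheme(full), 0, store_clear_passwd(full))
    hash_only = VpopmailUser("eric", sha256_scheme(full), 0, "")
    no_imap = VpopmailUser("eric", sha256_scheme(full), NO_IMAP, "")
    no_webmail = VpopmailUser("eric", sha256_scheme(full), NO_WEBMAIL, "")
    return {
        "clear_full": verify(with_clear, full),            # False: compared to 16 chars
        "clear_prefix": verify(with_clear, full[:16]),     # True: the truncation logs in
        "hash_full": verify(hash_only, full),              # True
        "hash_prefix": verify(hash_only, full[:16]),       # False
        "imap_disabled": verify(no_imap, full, "imap"),    # False
        "pop_still_ok": verify(no_imap, full, "pop3"),     # True
        "webmail_blocked": verify(no_webmail, full, "imap", "127.0.0.1"),  # False
        "webmail_elsewhere": verify(no_webmail, full, "imap", "203.0.113.7"),  # True
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'login ok' if ok else 'login fails'}")
```

The first two results are the security point of the thread in one place: while pw_clear_passwd is populated, the stored hash is never consulted, so the effective credential is whatever the column width left of the password. Clearing that column (or widening it, as Rick notes) changes which branch of the snippet runs.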