dovecot passdb driver=checkpassword as external script for block ip

bes bes.internal at gmail.com
Thu Oct 18 01:17:13 EEST 2018


After some debugging I explain that this happens only when the client
authentication method is CRAM-MD5.

dovecot[5553]: auth: Debug:
checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): execute:
/myscript.sh ip=192.168.99.128
/usr/libexec/dovecot/checkpassword-reply
dovecot[5553]: auth: Error:
checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Child 7810
exited with status 1
dovecot[5553]: auth-worker(7811): Debug: Loading modules from
directory: /usr/lib/dovecot/auth
dovecot[5553]: auth-worker(7811): Debug: Module loaded:
/usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
dovecot[5553]: auth: Debug:
sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Generating CRAM-MD5 from
user 'login', password 'pass'
dovecot[5553]: auth: Debug:
sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Credentials:
39d6bc889c65808c09b87d2081fe2aff4fd1e174ed3a97ac966e67323cba8d7e
dovecot[5553]: auth: Debug: client passdb out: OK  1       user=login

Any other method works correctly and returns:

auth: Debug: .........  execute: /myscript.sh ............
......
auth: checkpassword(login,ip,<uh259nN4jRwu2KzB>): Login failed (status=1)
......
auth: Debug: client passdb out: FAIL        1       user=login

On Wed, Oct 17, 2018 at 8:09 PM bes <bes.internal at gmail.com> wrote:
>
> Refer to
> https://dovecot.org/pipermail/dovecot/2015-March/099971.html
> https://wiki.dovecot.org/PasswordDatabase
> I tried to repeat the same thing.
> Set these passdb:
>
> passdb {
>   args = /myscript.sh ip=%r
>   driver = checkpassword
>   result_failure = return-fail
>   result_success = continue
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext ( my working auth method )
>   driver = sql
> }
>
> Created executable /myscript.sh:
> #!/bin/sh
> exit 1
>
> But I saw in the logs:
>
> dovecot[15111]: auth: Error:
> checkpassword(techdept at nestormedia.com,192.168.99.128,<Mos6jW94XNzAqGOA>):
> Child 15115 exited with status 1
> dovecot[18016]: imap-login: Login: user=....[successful login]
>
> Why result_failure=return-fail from first passdb does not work?
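
Added example, not part of the original message: a log check that flags the case reported in this thread, where checkpassword exits non-zero and the same user's request still ends in "client passdb out: OK". The sample lines are constructed from the debug output quoted above (unwrapped to one line each); the function name and the per-user correlation are assumptions of this sketch.

```python
import re

# Constructed sample modelled on the thread's debug output (values are placeholders).
SAMPLE_LOG = """\
dovecot[5553]: auth: Error: checkpassword(login,192.168.99.128,<sessA>): Child 7810 exited with status 1
dovecot[5553]: auth: Debug: sql(login,192.168.99.128,<sessA>): Generating CRAM-MD5 from user 'login', password 'x'
dovecot[5553]: auth: Debug: client passdb out: OK\t1\tuser=login
dovecot[5553]: auth: checkpassword(other,192.168.99.129,<sessB>): Login failed (status=1)
dovecot[5553]: auth: Debug: client passdb out: FAIL\t2\tuser=other
"""

# checkpassword(user,ip,<session>): Child N exited with status S | Login failed (status=S)
DENY = re.compile(r"checkpassword\(([^,]*),([^,]*),<([^>]*)>\): "
                  r"(?:Child \d+ exited with status |Login failed \(status=)(\d+)")
# sql(user,ip,<session>): Generating <MECH> from user ...
MECH = re.compile(r"\(([^,]*),[^)]*\): Generating (\S+) from user")
# client passdb out: OK|FAIL <request id> user=<user>
OUT = re.compile(r"client passdb out: (OK|FAIL)\s+\d+\s+user=(\S+)")


def find_ignored_denials(log_text):
    """Return denials by the checkpassword script that were followed by an OK result.

    Correlation is by user name because the 'client passdb out' line carries no
    session id; with concurrent logins for one user this is only approximate.
    """
    pending = {}   # user -> most recent unresolved checkpassword denial
    findings = []
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m and m.group(4) != "0":
            user, ip, session, status = m.groups()
            pending[user] = {"user": user, "ip": ip, "session": session,
                             "status": int(status), "mechanism": None}
            continue
        m = MECH.search(line)
        if m and m.group(1) in pending:
            pending[m.group(1)]["mechanism"] = m.group(2)
            continue
        m = OUT.search(line)
        if m:
            denial = pending.pop(m.group(2), None)
            if denial and m.group(1) == "OK":
                findings.append(denial)   # script said no, auth said yes
    return findings


if __name__ == "__main__":
    for f in find_ignored_denials(SAMPLE_LOG):
        print("denial ignored:", f)
```

It needs auth debug logging enabled, since the "client passdb out" and "Generating ..." lines are Debug-level output.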

