<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title></title>
</head>
<body style="font-family:Arial;font-size:14px">
<p>Quoting Eric Broch <<a href="mailto:ebroch@whitehorsetc.com">ebroch@whitehorsetc.com</a>>:</p>
<blockquote style="border-left:2px solid blue;margin-left:2px;padding-left:12px;" type="cite">
<div class="moz-cite-prefix">On 10/4/2018 6:34 AM, Rick Romero wrote:</div>
<blockquote cite="mid:20181004123427.Horde.QGsSqrtqxio28yVnrqWcr1m@vfemail.net" type="cite">
</blockquote>
</blockquote>
<p>Quoting Aki Tuomi <<a href="mailto:aki.tuomi@open-xchange.com" moz-do-not-send="true">aki.tuomi@open-xchange.com</a>>:</p>
<blockquote style="border-left:2px solid blue;margin-left:2px;padding-left:12px;" type="cite">
<p>On 03.10.2018 23:30, Eric Broch wrote:</p>
<blockquote style="border-left:2px solid blue;margin-left:2px;padding-left:12px;" type="cite">
<p>Hello list,<br>
<br>
I run Dovecot with the vpopmail driver and have found that it<br>
authenticates against the clear text password in the vpopmail<br>
database. Is there a configuration option either at compile time, link<br>
time, or a setting in one of the configuration files that tells the<br>
program to authenticate against the hash instead of the clear text?</p>
</blockquote>
Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})<br>
Aki</blockquote>
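<p>As an added example (not code from this thread, from Dovecot, or from vpopmail), the following Python shows what a <code>{SCHEME}</code>-prefixed <code>pw_passwd</code> value looks like and how it is checked, for three of Dovecot's documented schemes ({PLAIN}, {SHA256}, {SSHA256}; {CRYPT} is left out because it needs the platform crypt(3)), together with a check for rows that still carry a <code>pw_clear_passwd</code>. The sample rows are constructed; the column layout assumed is the vpopmail one named later in the thread.</p>

```python
"""Added example (not code from the thread or from Dovecot): verifying a
{SCHEME}-prefixed pw_passwd value, the form Aki suggests, for three
Dovecot schemes, plus a check for accounts that still carry a clear-text
password.  {CRYPT} is left out because it needs the platform crypt(3)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_sha256(password: str) -> str:
    """{SHA256}: base64 of the raw SHA-256 digest, no salt."""
    return "{SHA256}" + base64.b64encode(hashlib.sha256(password.encode()).digest()).decode()


def make_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA256}: base64 of sha256(password + salt) followed by the salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def split_scheme(stored: str):
    """Return (SCHEME, payload); SCHEME is None when there is no {prefix},
    in which case Dovecot would fall back to default_pass_scheme."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def known_scheme(stored: str) -> bool:
    """Whether this example can verify the stored value at all."""
    return split_scheme(stored)[0] in ("PLAIN", "SHA256", "SSHA256")


def verify(stored: str, password: str) -> bool:
    """True when password matches the stored value.  Raises ValueError for
    a scheme this example cannot check (Dovecot's "scheme not available"),
    so an unverifiable credential is never reported as a plain mismatch."""
    scheme, payload = split_scheme(stored)
    candidate = password.encode()
    if scheme == "PLAIN":
        return hmac.compare_digest(payload.encode(), candidate)
    if scheme == "SHA256":
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.sha256(candidate).digest())
    if scheme == "SSHA256":
        raw = base64.b64decode(payload)
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        return hmac.compare_digest(hashlib.sha256(candidate + salt).digest(), digest)
    raise ValueError(f"password scheme not available: {scheme!r}")


# Constructed rows shaped like a vpopmail table:
# (pw_name, pw_domain, pw_passwd, pw_clear_passwd)
SAMPLE_ROWS = [
    ("alice", "example.com", make_ssha256("correct horse", b"saltsalt"), ""),
    ("bob",   "example.com", make_sha256("hunter2"),                     "hunter2"),
    ("carol", "example.com", "{PLAIN}letmein",                           None),
]


def accounts_with_cleartext(rows):
    """Accounts where a non-empty pw_clear_passwd exists.  The vpopmail
    passdb quoted later in the thread prefers that column over pw_passwd,
    which is why the advice is simply to delete it."""
    return [f"{name}@{domain}" for name, domain, _, clear in rows if clear]


if __name__ == "__main__":
    for name, domain, stored, _ in SAMPLE_ROWS:
        print(f"{name}@{domain}: scheme {split_scheme(stored)[0]}")
    print("still have clear text:", accounts_with_cleartext(SAMPLE_ROWS))
```

<p>A value with no prefix at all is returned with scheme <code>None</code> rather than guessed: in Dovecot that case is governed by <code>default_pass_scheme</code>, and the safest habit is to store every hash with its explicit prefix so the scheme is never ambiguous.</p>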
<p>Or use SQL - then you don't have to munge any of your tools.</p>
<pre>
password_query =
  SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
  FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid &amp; 8) AND !(pw_gid &amp; 2) AND ('%r'!='&lt;webserverip&gt;' or !(pw_gid &amp; 4))
</pre>
<p>pw_gid refers to the binary vpopmail flags for disable POP, IMAP, Webmail.</p>
<p>Rick</p>
<blockquote style="border-left:2px solid blue;margin-left:2px;padding-left:12px;" type="cite">
<p>When configuring vpopmail for our purposes we use (now) the configuration option:</p>
<pre>
--disable-many-domains   Creates a table for each virtual domain instead of storing all users in a single table.
                         Only valid for MySQL and PostgreSQL
</pre>
<p>This disallows (I think) the use of the Dovecot MySQL configuration file, as every user is stored in a domain table of the form 'mydomain_tld'. So, we're limited to these configurations (no dovecot-mysql.conf.ext):</p>
<pre>
passdb {
  args = cache_key=%u webmail=127.0.0.1
  driver = vpopmail
}
userdb {
  args = cache_key=%u quota_template=quota_rule=*:backend=%q
  driver = vpopmail
}
</pre>
<p>If there is a clear text password (pw_clear_passwd) present it seems that Dovecot will use that instead of using the hash (pw_passwd). It seems from the code in 'passdb-vpopmail.c' (below) that if the clear password (pw_clear_passwd) is present Dovecot skips the hashed password (pw_passwd), and we want authentication against the hashed password.</p>
<pre>
if (vpopmail_is_disabled(auth_request, vpw)) {
	auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
		"%s disabled in vpopmail for this user",
		auth_request-&gt;service);
	password = NULL;
	*result_r = PASSDB_RESULT_USER_DISABLED;
} else {
	/* a non-empty pw_clear_passwd wins: pw_passwd is never consulted */
	if (vpw-&gt;pw_clear_passwd != NULL &amp;&amp;
	    *vpw-&gt;pw_clear_passwd != '\0') {
		password = t_strdup_noconst(vpw-&gt;pw_clear_passwd);
		*cleartext = TRUE;
	} else if (!*cleartext)
		/* no clear text stored and none required: use the hash */
		password = t_strdup_noconst(vpw-&gt;pw_passwd);
	else
		/* caller requires clear text but only a hash is stored */
		password = NULL;
	*result_r = password != NULL ? PASSDB_RESULT_OK :
		PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
}
</pre>
<p>Looking for an option to make dovecot use hashed password instead of clear text.<br>
Hope this makes sense.<br>
-EricB</p>
</blockquote>
<p>We seem to have lost quoting..</p>
<p>First - Why aren't you just deleting all the clear text passwords?</p>
<p>Second, for many domains, my password query for your purposes should just be:</p>
<pre>
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM %d WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid &amp; 8) AND !(pw_gid &amp; 2) AND ('%r'!='&lt;webserverip&gt;' or !(pw_gid &amp; 4))
</pre>
<p>Where %d is the domain name. Your vpopmail database should have a bunch of domain.com table names.<br>
Or you can hardcode the database with FROM vpopmail.%d<br>
You may need to play with quotes.. FROM `vpopmail.%d` or FROM `%d`</p>
<p>Rick</p>
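<p>As an added example (not code from this thread, from Dovecot, or from vpopmail), the following Python runs Rick's password_query, in the per-domain-table form from his last message, against constructed rows in SQLite so the pw_gid flag logic can be seen end to end. Assumptions: Dovecot's %n, %d and %r are bound as query parameters instead of substituted textually; the table name is derived from the domain as 'example_com' (Eric's 'mydomain_tld' pattern); the POP/IMAP/webmail names for bits 2, 8 and 4 follow vpopmail's NO_POP/NO_IMAP/NO_WEBMAIL flags; the webserver address is 127.0.0.1; and MySQL's CONCAT and !(expr) are written as || and NOT (expr) for SQLite.</p>

```python
"""Added example (not from the thread): Rick's vpopmail password_query,
in the per-domain-table form, run in SQLite against constructed rows."""
import re
import sqlite3

# Bit values as used in the query; the names are assumed from vpopmail's
# NO_POP / NO_WEBMAIL / NO_IMAP flags.
NO_POP = 2
NO_WEBMAIL = 4
NO_IMAP = 8

# Stands in for the webserverip placeholder in the query: the host that
# connects to Dovecot on behalf of webmail users (assumed address).
WEBSERVER_IP = "127.0.0.1"

# Dovecot substitutes %n, %d and %r textually; here they are bound as
# parameters.  Differences from the MySQL original: || instead of CONCAT,
# NOT (expr) instead of !(expr).  The table name still has to be spliced
# into the statement, exactly as FROM %d does.
PASSWORD_QUERY = """
SELECT pw_name || '@' || pw_domain AS user, pw_passwd AS password,
       pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid
FROM "{table}"
WHERE pw_name = :n AND pw_domain = :d
  AND NOT (pw_gid & 8) AND NOT (pw_gid & 2)
  AND (:r != :webserver OR NOT (pw_gid & 4))
"""

COLUMNS = ("user", "password", "userdb_home", "userdb_uid", "userdb_gid")

# Constructed sample accounts per domain: (pw_name, pw_passwd, pw_dir, pw_gid).
# The pw_passwd values are placeholders, not real hashes.
SAMPLE_USERS = {
    "example.com": [
        ("alice", "{SSHA256}placeholder-hash", "/home/vpopmail/domains/example.com/alice", 0),
        ("bob",   "{SSHA256}placeholder-hash", "/home/vpopmail/domains/example.com/bob", NO_WEBMAIL),
        ("carol", "{SSHA256}placeholder-hash", "/home/vpopmail/domains/example.com/carol", NO_IMAP),
        ("dave",  "{SSHA256}placeholder-hash", "/home/vpopmail/domains/example.com/dave",
         NO_POP | NO_IMAP | NO_WEBMAIL),
    ]
}


def domain_table(domain: str) -> str:
    """Map a domain to its table name (assumed 'example_com' style).  The
    result lands inside an SQL identifier, so it is validated, not trusted."""
    table = domain.lower().replace(".", "_")
    if not re.fullmatch(r"[a-z0-9_]+", table):
        raise ValueError(f"unsafe domain for table name: {domain!r}")
    return table


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with one table per domain, like --disable-many-domains."""
    conn = sqlite3.connect(":memory:")
    for domain, users in SAMPLE_USERS.items():
        table = domain_table(domain)
        conn.execute(f'CREATE TABLE "{table}" (pw_name TEXT, pw_domain TEXT, '
                     "pw_passwd TEXT, pw_dir TEXT, pw_gid INTEGER)")
        conn.executemany(f'INSERT INTO "{table}" VALUES (?, ?, ?, ?, ?)',
                         [(n, domain, p, d, g) for n, p, d, g in users])
    return conn


def lookup(conn: sqlite3.Connection, user: str, domain: str, remote_ip: str):
    """Return the row Dovecot's passdb/userdb would receive, or None when the
    account is missing or disabled for this service / client address."""
    query = PASSWORD_QUERY.format(table=domain_table(domain))
    row = conn.execute(query, {"n": user, "d": domain, "r": remote_ip,
                               "webserver": WEBSERVER_IP}).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("alice", "bob", "carol", "dave"):
        for ip in ("10.0.0.5", WEBSERVER_IP):
            hit = lookup(db, name, "example.com", ip)
            print(f"{name:<6} from {ip:<9}: {'allowed' if hit else 'rejected'}")
```

<p>Running it shows the two halves of the predicate: bits 8 and 2 reject the account for every client, while bit 4 only matters when the connecting address is the webserver, so a user with NO_WEBMAIL set still gets in from a mail client.</p>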
</body>
</html>