<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 10/4/2018 7:27 AM, Rick Romero
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20181004132753.Horde.XTz8diianTcB-ZI21fSQl2S@vfemail.net">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title></title>
<p>Quoting Eric Broch <<a href="mailto:ebroch@whitehorsetc.com"
moz-do-not-send="true">ebroch@whitehorsetc.com</a>>:</p>
<blockquote style="border-left:2px solid
blue;margin-left:2px;padding-left:12px;" type="cite">
<p><br>
</p>
<div class="moz-cite-prefix">On 10/4/2018 6:34 AM, Rick Romero
wrote:</div>
<blockquote
cite="mid:20181004123427.Horde.QGsSqrtqxio28yVnrqWcr1m@vfemail.net"
type="cite">
<p> </p>
</blockquote>
</blockquote>
<p>Quoting Aki Tuomi <<a
href="mailto:aki.tuomi@open-xchange.com"
moz-do-not-send="true">aki.tuomi@open-xchange.com</a>>:</p>
<blockquote style="border-left:2px solid
blue;margin-left:2px;padding-left:12px;" type="cite">
<p>On 03.10.2018 23:30, Eric Broch wrote:</p>
<blockquote style="border-left:2px solid
blue;margin-left:2px;padding-left:12px;" type="cite">
<p>Hello list,<br>
<br>
I run Dovecot with the vpopmail driver and have found that
it<br>
authenticates against the clear text password in the
vpopmail<br>
database. Is there a configuration option either at compile
time, link<br>
time, or a setting in one of the configuration files that
tells the<br>
program to authenticate against the hash instead of the
clear text?</p>
</blockquote>
Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})<br>
Aki</blockquote>
<p><br>
Or use SQL - then you don't have to munge any of your tools.<br>
<br>
password_query =<br>
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS
password, pw_dir as userdb_home, 89 as userdb_uid, 89 as
userdb_gid<br>
FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND
!(pw_gid & 8) AND !(pw_gid & 2) AND
('%r'!='<webserverip>' or !(pw_gid & 4))<br>
<br>
pw_gid refers to the the binary vpopmail flags for disable POP,
IMAP, Webmail.<br>
<br>
Rick</p>
</blockquote>
Rick,<br>
<br>
I'm not sure what you're saying.<br>
<br>
Vpopmail's DB can be configured in two different ways, 1) With
domain tables and all users for that particular domain underneath
(described below), or 2) Simply, one table with all users with the
domain field 'pw_domain' (This works with dovecot-sql.conf.ext
files). The former (1), which we use does not allow the use of
dovecot-sql.conf.ext files, we're limited to userdb and passwd
options previously mentioned. When using these options dovecot will
get the clear text password if present.<br>
<br>
The problem is that if a password is over 16 characters long the
clear text field will only store the first 16 characters while the
hashed field will contain the whole password. <br>
<br>
# echo "describe domain_tld" | mysql -u root -p`cat vpoppasswd`
vpopmail<br>
yeilds<br>
Field Type Null Key Default Extra<br>
pw_name char(32) NO PRI NULL<br>
pw_passwd char(40) YES NULL<br>
pw_uid int(11) YES NULL<br>
pw_gid int(11) YES NULL<br>
pw_gecos char(48) YES NULL<br>
pw_dir char(160) YES NULL<br>
pw_shell char(20) YES NULL<br>
pw_clear_passwd char(16) YES NULL<br>
<br>
As you can see there is no 'pw_domain' field from which to draw.<br>
<br>
Again we are limited to the passdb, and userdb options already
described.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:20181004132753.Horde.XTz8diianTcB-ZI21fSQl2S@vfemail.net">
<p>When configuring vpopmail for our purposes we use (now) the
configuration option:<br>
<br>
</p>
<pre> --disable-many-domains Creates a table for each virtual domain instead of storing all users in a single table.
Only valid for MySQL and PostgreSQL
This disallows (I think) the use Dovecot MySQL configuration file as every user is stored in a domain table of the form 'mydomain_tld'.
So, we're limited to these configurations (no dovecot-mysql.conf.ext) :
passdb {
args = cache_key=%u webmail=127.0.0.1
driver = vpopmail
}
userdb {
args = cache_key=%u quota_template=quota_rule=*:backend=%q
driver = vpopmail
}
If there is a clear text password (pw_clear_passwd) present it seems that Dovecot will use that instead of using the hash (pw_passwd).
It seems that in the code 'passdb-vpopmail.c' (below) that if the clear password (pw_clear_passwd) is present Dovecot skips the hashed password (pw_passwd), and we want authentication against the hashed password.
<snippet>
if (vpopmail_is_disabled(auth_request, vpw)) {
auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
"%s disabled in vpopmail for this user",
auth_request->service);
password = NULL;
*result_r = PASSDB_RESULT_USER_DISABLED;
} else {
if (vpw->pw_clear_passwd != NULL &&
*vpw->pw_clear_passwd != '\0') {
password = t_strdup_noconst(vpw->pw_clear_passwd);
*cleartext = TRUE;
} else if (!*cleartext)
password = t_strdup_noconst(vpw->pw_passwd);
else
password = NULL;
*result_r = password != NULL ? PASSDB_RESULT_OK :
PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
}
</snippet>
Looking for an option to make dovecot use hashed password instead of clear text.
Hope this makes sense.
-EricB
We seem to have lost quoting..
First - Why aren't you just deleting all the clear text passwords?
Second, for many domanis, my password query for your purposes should just be:
SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
FROM %d WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
Where %d is the domain name. Your vpopmail database should have a bunch of domain.com table names.
Or you can hardcode the database with FROM vpopmail.%d
You may need to play with quotes.. FROM `vpopmail.%d` or FROM `%d`
Rick
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Eric Broch
White Horse Technical Consulting (WHTC)
</pre>
</body>
</html>