> On 04 October 2018 at 17:42 Rick Romero <r...@havokmon.com> wrote:
>
>
> Quoting Rick Romero <r...@havokmon.com>:
>
> > Quoting Eric Broch <ebr...@whitehorsetc.com>:
> >
> >> On 10/4/2018 7:27 AM, Rick Romero wrote:
> >>> Quoting Eric Broch <ebr...@whitehorsetc.com
> >>> <mailto:ebr...@whitehorsetc.com>>:
> >>>
> >>>> On 10/4/2018 6:34 AM, Rick Romero wrote:
> >>>>>
> >>>
> >>> Quoting Aki Tuomi <aki.tu...@open-xchange.com
> >>> <mailto:aki.tu...@open-xchange.com>>:
> >>>
> >>>> On 03.10.2018 23:30, Eric Broch wrote:
> >>>>
> >>>>> Hello list,
> >>>>>
> >>>>> I run Dovecot with the vpopmail driver and have found that it
> >>>>> authenticates against the clear text password in the vpopmail
> >>>>> database. Is there a configuration option either at compile time, link
> >>>>> time, or a setting in one of the configuration files that tells the
> >>>>> program to authenticate against the hash instead of the clear text?
> >>>>
> >>>> Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
> >>>> Aki
> >>>
> >>> Or use SQL - then you don't have to munge any of your tools.
> >>>
> >>> password_query =
> >>>   SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS
> >>>   password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
> >>>   FROM vpopmail WHERE pw_name = '%n' AND pw_domain = '%d' AND
> >>>   !(pw_gid & 8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or
> >>>   !(pw_gid & 4))
> >>>
> >>> pw_gid refers to the binary vpopmail flags for disabling POP,
> >>> IMAP, Webmail.
> >>>
> >>> Rick
> >>
> >>> When configuring vpopmail for our purposes we use (now) the
> >>> configuration option:
> >>>
> >>>   --disable-many-domains  Creates a table for each virtual domain
> >>>                           instead of storing all users in a single table.
> >>>                           Only valid for MySQL and PostgreSQL
> >>>
> >>> This disallows (I think) the use of the Dovecot MySQL configuration file
> >>> as every user is stored in a domain table of the form
> >>> 'mydomain_tld'.
> >>>
> >>> So, we're limited to these configurations (no dovecot-mysql.conf.ext):
> >>>
> >>> passdb {
> >>>   args = cache_key=%u webmail=127.0.0.1
> >>>   driver = vpopmail
> >>> }
> >>>
> >>> userdb {
> >>>   args = cache_key=%u quota_template=quota_rule=*:backend=%q
> >>>   driver = vpopmail
> >>> }
> >>>
> >>> If there is a clear text password (pw_clear_passwd) present it
> >>> seems that Dovecot will use that instead of using the hash
> >>> (pw_passwd).
> >>>
> >>> It seems that in the code 'passdb-vpopmail.c' (below) that if the
> >>> clear password (pw_clear_passwd) is present Dovecot skips the
> >>> hashed password (pw_passwd), and we want authentication against
> >>> the hashed password.
> >>>
> >>> <snippet>
> >>>     if (vpopmail_is_disabled(auth_request, vpw)) {
> >>>         auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
> >>>                               "%s disabled in vpopmail for this user",
> >>>                               auth_request->service);
> >>>         password = NULL;
> >>>         *result_r = PASSDB_RESULT_USER_DISABLED;
> >>>     } else {
> >>>         if (vpw->pw_clear_passwd != NULL &&
> >>>             *vpw->pw_clear_passwd != '\0') {
> >>>             password = t_strdup_noconst(vpw->pw_clear_passwd);
> >>>             *cleartext = TRUE;
> >>>         } else if (!*cleartext)
> >>>             password = t_strdup_noconst(vpw->pw_passwd);
> >>>         else
> >>>             password = NULL;
> >>>         *result_r = password != NULL ? PASSDB_RESULT_OK :
> >>>             PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
> >>>     }
> >>> </snippet>
> >>>
> >>> Looking for an option to make dovecot use hashed password instead
> >>> of clear text.
> >>>
> >>> Hope this makes sense.
> >>>
> >>> -EricB
> >>>
> >>> We seem to have lost quoting..
> >>> First - Why aren't you just deleting all the clear text passwords?
> >>>
> >>> Second, for many domains, my password query for your purposes
> >>> should just be:
> >>>   SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS
> >>>   password, pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid
> >>>   FROM %d WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid &
> >>>   8) AND !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
> >>>
> >>> Where %d is the domain name. Your vpopmail database should have a
> >>> bunch of domain.com table names.
> >>> Or you can hardcode the database with FROM vpopmail.%d
> >>> You may need to play with quotes.. FROM `vpopmail.%d` or FROM `%d`
> >>>
> >>> Rick
> >>
> >> Rick,
> >>
> >> I'm not sure what you're saying.
> >>
> >> Vpopmail's DB can be configured in two different ways, 1) With
> >> domain tables and all users for that particular domain underneath
> >> (described below), or 2) Simply, one table with all users with the
> >> domain field 'pw_domain' (This works with dovecot-sql.conf.ext
> >> files). The former (1), which we use, does not allow the use of
> >> dovecot-sql.conf.ext files; we're limited to the userdb and passdb
> >> options previously mentioned. When using these options dovecot will
> >> get the clear text password if present.
> >>
> >> The problem is that if a password is over 16 characters long the
> >> clear text field will only store the first 16 characters while the
> >> hashed field will contain the whole password.
> >>
> >> # echo "describe domain_tld" | mysql -u root -p`cat vpoppasswd` vpopmail
> >> yields
> >>
> >> Field            Type       Null  Key  Default  Extra
> >> pw_name          char(32)   NO    PRI  NULL
> >> pw_passwd        char(40)   YES        NULL
> >> pw_uid           int(11)    YES        NULL
> >> pw_gid           int(11)    YES        NULL
> >> pw_gecos         char(48)   YES        NULL
> >> pw_dir           char(160)  YES        NULL
> >> pw_shell         char(20)   YES        NULL
> >> pw_clear_passwd  char(16)   YES        NULL
> >>
> >> As you can see there is no 'pw_domain' field from which to draw.
> >>
> >> Again we are limited to the passdb and userdb options already described.
> >
> > I'm not sure why #1 wouldn't work with a proper query - here's the
> > same without a reference to pw_domain at all.
> >
> >   SELECT CONCAT(pw_name, '@', '%d') AS user, pw_passwd AS password,
> >   pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid FROM %d
> >   WHERE pw_name = '%n' AND pw_domain = '%d' AND !(pw_gid & 8) AND
> >   !(pw_gid & 2) AND ('%r'!='<webserverip>' or !(pw_gid & 4))
> >
> > Alternatively if you absolutely must have a clear text password, and
> > it has to be greater than 16 characters, make the MySQL field bigger
> > than 16 characters. 'Alter table' is the command.
> >
> > It really sounds to me like you need a test environment.
> > Rick
>
> Dammit
>
>   SELECT CONCAT(pw_name, '@', '%d') AS user, pw_passwd AS password,
>   pw_dir as userdb_home, 89 as userdb_uid, 89 as userdb_gid FROM %d
>   WHERE pw_name = '%n' AND !(pw_gid & 8) AND !(pw_gid & 2) AND
>   ('%r'!='<webserverip>' or !(pw_gid & 4))
One does wonder why you are using vpopmail if you have an SQL database... you could just use SQL passdb/userdb instead.

Aki
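To make the thread's point concrete, here is an added audit script (my own example, not code from Dovecot, vpopmail or anyone in the thread) that rebuilds the quoted domain_tld schema in SQLite with constructed rows, lists the accounts whose non-empty pw_clear_passwd would take precedence in passdb-vpopmail.c, flags values that fill the 16-character column (possible truncation), and removes the clear-text copies as Rick suggests. The domain-to-table mapping, the sample rows and the placeholder hashes are assumptions.

```python
import re
import sqlite3

CLEAR_PASSWD_WIDTH = 16  # pw_clear_passwd is char(16): longer passwords are cut off

# Mirrors the 'describe domain_tld' output quoted in the thread (MySQL types -> SQLite).
SCHEMA = """CREATE TABLE domain_tld (
    pw_name TEXT PRIMARY KEY, pw_passwd TEXT, pw_uid INTEGER, pw_gid INTEGER,
    pw_gecos TEXT, pw_dir TEXT, pw_shell TEXT, pw_clear_passwd TEXT)"""

# Constructed rows; pw_passwd values are placeholders, not real vpopmail hashes.
SAMPLE_ROWS = [
    ("alice", "HASH-PLACEHOLDER", 89, 0, "", "/home/vpopmail/domains/domain.tld/alice", "NOSHELL", None),
    ("bob",   "HASH-PLACEHOLDER", 89, 0, "", "/home/vpopmail/domains/domain.tld/bob",   "NOSHELL", ""),
    ("carol", "HASH-PLACEHOLDER", 89, 0, "", "/home/vpopmail/domains/domain.tld/carol", "NOSHELL", "short-pass"),
    ("dave",  "HASH-PLACEHOLDER", 89, 0, "", "/home/vpopmail/domains/domain.tld/dave",  "NOSHELL", "exactly16charsXY"),
]

def open_sample_db():
    """In-memory stand-in for the vpopmail MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO domain_tld VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def table_for_domain(domain):
    """Assumed per-domain table name (dots become underscores, as in 'mydomain_tld').
    It is an identifier, not a bindable value, so validate it before splicing."""
    table = domain.replace(".", "_")
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):
        raise ValueError("unsafe table name: %r" % table)
    return table

def cleartext_accounts(conn, domain):
    """Accounts passdb-vpopmail.c would check against pw_clear_passwd (non-NULL,
    non-empty), each flagged True when the stored value fills the 16-char column."""
    rows = conn.execute(
        "SELECT pw_name, pw_clear_passwd FROM %s WHERE pw_clear_passwd IS NOT NULL "
        "AND pw_clear_passwd != '' ORDER BY pw_name" % table_for_domain(domain))
    return [(name, len(clear) >= CLEAR_PASSWD_WIDTH) for name, clear in rows]

def drop_cleartext(conn, domain):
    """Rick's remedy: remove the clear-text copies so only pw_passwd remains."""
    cur = conn.execute("UPDATE %s SET pw_clear_passwd = NULL "
                       "WHERE pw_clear_passwd IS NOT NULL" % table_for_domain(domain))
    conn.commit()
    return cur.rowcount
```

Against a real vpopmail database the same two statements run unchanged on MySQL; only the connection setup differs.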