Whoops, I got something wrong on this, and I don't want to mislead the
next person. The two "result" lines should be:
passdb_result_success = return-fail
passdb_result_failure = continue
If your "passdb_result_failure" is set to "continue-ok", then the user
is verified even if they should fail later tests. Which is to say, you
are effectively running Dovecot without passwords, and that's not good.
Whereas if you set it to "continue", it means that any successful
validations will have to come from subsequent validation attempts.
Anyway, I thought I should set the record straight before I caused any
mishaps.
On 11/13/2025 2:53 PM, Lou Duchez via dovecot wrote:
One thing I wanted to add, for the next person trying to figure these
things out: If you're doing a passdb with "deny = yes" (for example,
if you want to reject people on a blacklist), the
passdb_result_success and passdb_result_failure are returning the
result of the lookup, not whether the user is authenticated. Thus, if
someone is found on the blacklist, the passdb will return "success"
(meaning they're NOT authenticated), but if they're not on the list
the passdb will return "failure" (which means they may yet be
authenticated).
Here is how I set it up to reject people on my "deny.imap" and
"deny.pop3" blacklists; note how "success" means "return-fail" while
"failure" means "continue-ok":
passdb deny_wrong_protocols {
  driver = passwd-file
  passwd_file_path = /vmail/Maildir/deny.%{protocol}
  deny = yes
  passdb_result_success = return-fail
  passdb_result_failure = continue-ok
}
On 11/13/2025 8:07 AM, Lou Duchez via dovecot wrote:
Once again, you are right, and I thank you! I have added the "driver"
parameters so that it's explicit, and when I have to change this
again in 2040, I will understand how it works.
Here is what I have now, and I believe this will be the "final" version:
passdb ordinary_users {
  driver = passwd-file
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_result_success = return-ok
  passdb_result_failure = continue-fail
}
passdb main_mail_server {
  driver = static
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
  passdb_result_success = return-ok
  passdb_result_failure = return-fail
}
On 11/13/2025 7:57 AM, Aki Tuomi via dovecot wrote:
On 13/11/2025 14:43 EET Lou Duchez via dovecot <[email protected]> wrote:
Thank you for your advice! I have it working now, by changing the
second passdb to static.
I was not able to give arbitrary names to my two passdbs though; it
seems that Dovecot expects names of mechanisms like "passwd-file" or
"static", or else it doesn't work. Unless I'm doing something wrong,
anyway. But if I'm correct, that means that Dovecot 2.4.1 is going to
have trouble if you need to consult multiple passwd-files.
Here is what worked for me:
passdb passwd-file {
  passwd_file_path = /vmail/Maildir/passwdfile
  passdb_result_success = return-ok
  passdb_result_failure = continue-fail
}
passdb static {
  fields {
    nopassword = yes
    allow_nets = xxx.xxx.xxx.xxx/32
  }
  passdb_result_success = return-ok
  passdb_result_failure = return-fail
}
Not really true, but if you use
passdb machine-to-user {
}
you need to add
driver=static
so it knows which driver to use now.
Aki
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
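To make the difference between the two versions of the deny passdb concrete, here is a small Python model of a Dovecot passdb chain. It is an added example, not code from this thread or from the Dovecot project, and it models the result keywords as I understand them from the Dovecot documentation (a simplified assumption): return-ok and return-fail stop the chain with that verdict; continue-ok sets the verdict to ok and tells later passdbs to skip password verification; continue-fail sets the verdict to fail and moves on; continue moves on without touching the verdict. The user list, deny list and mail-server address are constructed sample data; the passdb names and result settings are the ones from the thread.

```python
"""Model of how Dovecot walks a passdb chain (added example, simplified).

Shows why the deny passdb from the thread needs "continue" rather than
"continue-ok" as its failure result: with continue-ok, a user who is not
on the blacklist is marked authenticated before the password is ever
checked. Result-keyword semantics are an assumption based on the Dovecot
documentation; all data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-ins for /vmail/Maildir/passwdfile, deny.imap and the
# xxx.xxx.xxx.xxx/32 allow_nets entry from the thread.
PASSWD_FILE = {"alice": "correct-horse", "bob": "hunter2"}
DENY_IMAP = {"bob"}
MAIL_SERVER_IP = "192.0.2.10"


@dataclass
class Passdb:
    name: str
    lookup: Callable[[str, str, str, bool], bool]
    result_success: str
    result_failure: str


def deny_lookup(user, password, remote_ip, verify_password):
    # deny = yes: the lookup "succeeds" when the user is on the list.
    return user in DENY_IMAP


def passwd_file_lookup(user, password, remote_ip, verify_password):
    # Unknown users fail; known users have their password checked unless
    # an earlier continue-ok told later passdbs to skip verification.
    if user not in PASSWD_FILE:
        return False
    return (not verify_password) or PASSWD_FILE[user] == password


def static_mail_server_lookup(user, password, remote_ip, verify_password):
    # static driver with nopassword = yes and allow_nets = <ip>/32:
    # accepts any user, but only when connecting from that one address.
    return remote_ip == MAIL_SERVER_IP


def apply_result(keyword, verdict, skip_password):
    """Return (verdict, skip_password, stop) after a result keyword."""
    if keyword == "return-ok":
        return True, skip_password, True
    if keyword == "return-fail":
        return False, skip_password, True
    if keyword == "continue-ok":
        return True, True, False
    if keyword == "continue-fail":
        return False, skip_password, False
    if keyword == "continue":
        return verdict, skip_password, False
    raise ValueError(f"unknown result keyword {keyword!r}")


def authenticate(chain, user, password, remote_ip="198.51.100.7"):
    """Walk the chain; return (authenticated, trace of each passdb's step)."""
    verdict: Optional[bool] = None
    skip_password = False
    trace = []
    for db in chain:
        found = db.lookup(user, password, remote_ip, not skip_password)
        keyword = db.result_success if found else db.result_failure
        outcome = "success" if found else "failure"
        trace.append(f"{db.name}: lookup {outcome} -> {keyword}")
        verdict, skip_password, stop = apply_result(keyword, verdict, skip_password)
        if stop:
            break
    return bool(verdict), trace


def build_chain(deny_failure_result):
    """The three passdbs from the thread; only the deny passdb's failure
    result varies: "continue-ok" (the mistake) or "continue" (the fix)."""
    return [
        Passdb("deny_wrong_protocols", deny_lookup, "return-fail", deny_failure_result),
        Passdb("ordinary_users", passwd_file_lookup, "return-ok", "continue-fail"),
        Passdb("main_mail_server", static_mail_server_lookup, "return-ok", "return-fail"),
    ]


BROKEN_CHAIN = build_chain("continue-ok")
FIXED_CHAIN = build_chain("continue")

if __name__ == "__main__":
    for label, chain in (("continue-ok", BROKEN_CHAIN), ("continue", FIXED_CHAIN)):
        ok, trace = authenticate(chain, "alice", "wrong-password")
        print(f"deny failure = {label}: alice with a wrong password -> {ok}")
        for line in trace:
            print("   ", line)
```

Running it shows the point of the correction: with the deny passdb's failure result set to continue-ok, "alice" is accepted with a wrong password because the passwd-file passdb skips verification, while the blacklisted "bob" is still rejected either way; with continue, the verdict is left to ordinary_users and main_mail_server, so a wrong password fails unless the connection comes from the one address the static passdb allows.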