Postfix : root and system user authentication

2023-03-14 Thread Aymeric Agon-Rambosson


Hello everyone,

From what I understand of the documentation, it is impossible to 
log in to the dovecot server as root, or as any user not in the 
interval between first_valid_uid and last_valid_uid.


I have been able to verify this.

However, when we have a postfix server on the same machine, that 
delegates authentication to dovecot SASL according to the 
configuration described at 
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/, 
we can indeed log in as root on the postfix server.


Proof (/var/log/mail.log with auth=debug) :

Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=#011rip=#011secured#011resp=
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: 
pam(root,): Performing passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
Module loaded: 
/usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): Server accepted 
connection (fd=13)
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): Sending version 
handshake
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: 
Handling PASSV request
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: 
pam(root,): Performing passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: 
pam(root,): lookup service=dovecot
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: 
pam(root,): #1/1 style=1 msg=Password:
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: 
pam(root,): Finished passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: 
conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: 
Finished
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: 
pam(root,): Finished passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: 
auth(root,): Auth request finished
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client passdb out: 
OK#0111#011user=root#011


At this moment, the smtps client connecting to postfix produces 
"Authentication successful" and we can continue.


In contrast, when we try to log in to dovecot directly as root, we 
have the following :


Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=#011lip=#011rip=#011lport=993#011rport=52004#011local_name=mail.ricorambo.su#011resp=
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: 
pam(root,,): Performing passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
Module loaded: 
/usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): Server accepted 
connection (fd=13)
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): Sending version 
handshake
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: 
Handling PASSV request
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: 
pam(root,,): Performing passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: 
pam(root,,): lookup service=dovecot
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: 
pam(root,,): #1/1 style=1 msg=Password:
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: 
pam(root,,): Finished passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: 
conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: 
Finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: 
pam(root,,): Finished passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: 
auth(root,,): Auth request finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client passdb out: 
OK#0111#011user=root#011#011original_user=r...@ricorambo.su
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: master in: 
REQUEST#
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: 
passwd(root,,): Performing userdb lookup
Mar 13 20:28:38 ricorambo dov

Re: Postfix : root and system user authentication

2023-03-15 Thread Aymeric Agon-Rambosson



On Tuesday 14 March 2023 at 22:32, dove...@ptld.com wrote:

However, when we have a postfix server on the same machine, 
that delegates authentication to dovecot SASL ... we can indeed 
log in as root on the postfix server.



You are not logging into Dovecot with root, you are connecting 
to Postfix for submission.


When you connect to dovecot using linux users (PAM) the process 
running takes on the UID of the login user to give file 
permissions to read that user's home directory where email could 
be stored. The risk being if someone had root UID:0 they could 
read anything on the server, not just the home directory of a 
user.


But you aren't logging into Dovecot, you are connecting to 
Postfix. You aren't checking mail or reading directories. You are 
only submitting an email to Postfix for submission services. 
Postfix runs as its own Postfix UID no matter who you authenticate 
as. So even though you are authenticating yourself with root 
credentials, you aren't doing so as the root UID, you aren't 
reading email, and you aren't accessing any file systems like 
Dovecot would be.


I agree that this is absolutely not the same in terms of security.

The thing I'm worrying about is a lot less dangerous than what 
you're describing, no arguing about that. It's just, if we imagine 
that we have disabled root ssh access, and password ssh connection 
(allowing only keypair connection), this situation provides the 
port 465 as another way to test passwords, for instance. I would 
just like to be able to implement on port 465 more or less the 
same requirements I have implemented on port 22, and on port 993 
as well through the use of {first,last}_valid_{u,g}id : a static, 
and well-known set of users that are allowed to try and 
authenticate, even though, as you say (and I agree), that the risk 
is absolutely not the same as with SSH or IMAPS.


So, am I to understand from your answer that the fact that login 
with root or with users not respecting {first,last}_valid_{u,g}id 
is only applicable to dovecot directly, not to other processes that 
have delegated authentication to dovecot ? In other words, that 
this is a feature and not a bug ?


Best,

Aymeric



Re: Postfix : root and system user authentication

2023-03-15 Thread Aymeric Agon-Rambosson



I have a solution to my problem.

For reference, I am putting it here :

I recall that my issue is that postfix authorises login with root 
(or other users), even though authentication is delegated to 
dovecot, and the documentation about {first,last}_valid_{g,u}id 
seems to say that it should not be possible (and that 
authentication to dovecot with root is also forbidden in a 
hardcoded way).


I thank Mr. Ardley for having pointed out that dovecot delegates the 
authentication to PAM.


What actually happens (in my case at least) is that dovecot 
questions PAM about a specific authentication attempt, and 
receives PAM's answer. Then, *and only for itself*, it applies its 
own restrictions regarding root login and 
{first,last}_valid_{g,u}id. When it authenticates on behalf of 
postfix, it notifies postfix of success directly.


So the semantics of {first,last}_valid_{g,u}id should be understood 
for dovecot only, not for other processes that have delegated 
authentication to dovecot, which answers my first question.


Then, on how to effectively restrict postfix submission login 
based on uids, the simple solution not involving virtual users is 
to set these conditions in PAM directly.


The conditions that dovecot must match in order to succeed 
authentication with PAM are in the file /etc/pam.d/dovecot (at 
least on Debian) :


#%PAM-1.0

@include common-auth
@include common-account
@include common-session

A simple way to restrict login based on uids is to modify the file 
as such :


#%PAM-1.0

auth	required	pam_succeed_if.so uid > 500 quiet
@include common-auth
@include common-account
@include common-session

Now, in order for dovecot (and *for every process it authenticates 
on behalf of* as well, which is what matters) to succeed 
authentication, the uid will have to be greater than 500. It is 
possible to specify other conditions as well, see 
https://linux.die.net/man/8/pam_succeed_if.


Best regards to everyone,

Aymeric
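
Added example (not part of the thread or of Dovecot): a small log check that pairs each `client in: AUTH` line with its `client passdb out` reply and reports successful service=smtp authentications for accounts the uid > 500 rule would reject. The log lines and the uid table are constructed; matching replies to requests by request id alone is an assumption that holds for a single quiet auth process.

```python
import re

# Constructed sample modelled on the auth=debug lines quoted in the thread
# (syslog writes each tab of the Dovecot auth protocol as "#011").
SAMPLE_LOG = """\
Mar 13 20:16:37 host dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011secured#011resp=
Mar 13 20:16:37 host dovecot: auth: Debug: client passdb out: OK#0111#011user=root#011
Mar 13 20:20:02 host dovecot: auth: Debug: client in: AUTH#0112#011PLAIN#011service=smtp#011nologin#011secured#011resp=
Mar 13 20:20:02 host dovecot: auth: Debug: client passdb out: OK#0112#011user=alice#011
Mar 13 20:28:38 host dovecot: auth: Debug: client in: AUTH#0113#011PLAIN#011service=imap#011secured=tls#011resp=
Mar 13 20:28:38 host dovecot: auth: Debug: client passdb out: OK#0113#011user=root#011
Mar 13 20:31:10 host dovecot: auth: Debug: client in: AUTH#0114#011PLAIN#011service=smtp#011nologin#011secured#011resp=
Mar 13 20:31:10 host dovecot: auth: Debug: client passdb out: FAIL#0114#011user=root
"""

AUTH_LINE = re.compile(r"client (in|passdb out): (.*)$")

def flag_sasl_logins(log_text, uid_of, min_uid=500, service="smtp"):
    """Return (timestamp, user, uid) for each successful `service` auth
    whose account does not satisfy uid > min_uid (unknown users included)."""
    pending = {}  # request id -> service named in the latest AUTH with that id
    hits = []
    for line in log_text.splitlines():
        m = AUTH_LINE.search(line)
        if not m:
            continue
        parts = m.group(2).split("#011")
        if len(parts) < 2:
            continue
        verb, req_id = parts[0], parts[1]
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if m.group(1) == "in" and verb == "AUTH":
            pending[req_id] = fields.get("service")
        elif m.group(1) == "passdb out":
            svc = pending.pop(req_id, None)
            if verb != "OK" or svc != service:
                continue  # failed attempt, or a service Dovecot polices itself
            user = fields.get("user")
            uid = uid_of.get(user)
            if uid is None or uid <= min_uid:
                hits.append((line[:15], user, uid))
    return hits

if __name__ == "__main__":
    # Constructed uid table; on a real host this would come from the passwd database.
    for hit in flag_sasl_logins(SAMPLE_LOG, {"root": 0, "alice": 1000}):
        print(hit)
```

Run against a log taken after the PAM change, the same check should return nothing for service=smtp.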