dovecot - Aug 2013 - weird situation with pop3/imap proxy and postfix authentication

Hello dovecot mailing list,

     I have a server running postfix and dovecot. I havea configuration 
on dovecot that allows me to provide imap4/pop3 messages for local 
hosted users as well as for proxied users on other servers.

Basically, i have a simple MySQL table (imapproxy) with two fields, 
'domain' and 'host'. My password_query isa 'UNION'
query, exactly like:

password_query=select endereco as user, password, '/var/spool/mail/%u' 
as userdb_home, 'maildir:/var/spool/mail/%u' as userdb_mail, 8 as 
userdb_uid, 12 as userdb_gid, concat('*:storage=', quota) as 
userdb_quota_rule, 'Trash:storage=+100M' as userdb_quota_rule2,
'Y' as
proxy_maybe, '10.252.38.2' as host from emails where endereco =
'%u' and
ativa = '1' UNION select NULL as user, '%w' as password, NULL as
userdb_home, NULL as userdb_mail, NULL as userdb_uid, NULL as 
userdb_gid, NULL as userdb_quota_rule, NULL as userdb_quota_rule2, 'Y' 
as proxy_maybe, imapproxy.host as host from imapproxy where 
imapproxy.dominio = '%d'

the 10.252.38.2 address, on the query, is my local server

when this query received a local user, from a domain that is NOT listed 
on the imapproxy table, results are like:

*************************** 1. row ***************************
user: localuser at domain.com.br
password: (SSHA256 encrypted password)
userdb_home: /var/spool/mail/localuser at domain.com.br
userdb_mail: maildir:/var/spool/mail/localuser at domain.com.br
userdb_uid: 8
userdb_gid: 12
  userdb_quota_rule: *:storage=51200
userdb_quota_rule2: Trash:storage=+100M
proxy_maybe: Y
host: 10.252.38.2


when it receives a proxied domain, results are:


*************************** 1. row ***************************
user: NULL
password: password
userdb_home: NULL
userdb_mail: NULL
userdb_uid: NULL
userdb_gid: NULL
  userdb_quota_rule: NULL
userdb_quota_rule2: NULL
proxy_maybe: Y
host: 10.254.116.9


     This is working just fine for IMAP4 and POP3 proxying. Local users 
(which domains are NOT listed on imapproxy table) can successfully login 
to their accountsas well as users from domains listed on imapproxy table 
can successfully login to their accounts.


On SMTP authentication, tough, things are not so fine. SMTP 
authentication is provided by dovecot to postfix:

[root at correio dovecot]# postconf mail_version
mail_version = 2.7.1
[root at correio dovecot]#

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot


service auth is defined on dovecot confs as:


service auth {
unix_listener auth-userdb {
     mode = 0600
     user = mail
     group = mail
   }
   # Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
     mode = 0660
     user = postfix
     group = postfix
   }
}



and it seems to be allowing ANYuser on any domain listed on the 
imapproxy table domains to login, even if the user does not exists or 
provides wrong password. In fact, it seems dovecot returns OK to postfix 
even without trying to contact the assigned server to that domain, as i 
cannot find any password-failed-specific log to that user on the 
specific server. Example:

(a proxied domain)

[root at correio dovecot]# telnet mail.proxieddomain.com.br 110
Trying 10.254.116.9...
Connected to mail.proxieddomain.com.br (10.254.116.9).
Escape character is '^]'.
+OK Dovecot ready.
user teste at proxieddomain.com.br
+OK
pass password
-ERR Authentication failed.

(i can successfully find this auth trial and fail on 10.254.116.9 logs)


but on SMTP authentication, i have:

[root at correio dovecot]# perl -MMIME::Base64 -e \ 'print 
encode_base64("teste\@proxieddomain.com.br\0teste\@proxieddomain.com.br\0password");'
xxxxxxxxx(not the real encoded pass)xxxxxxxxxxxxxxxx[root at correio dovecot]#


[root at correio dovecot]# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.domain.com.br ESMTP
EHLO test
250-mail.domain.com.br
[ ... ]
AUTH PLAIN (encoded string returned by perl encode_base64)
235 2.7.0 Authentication successful


(and i cannot even find any authentication log, fail or success, on the 
specific server for proxieddomain.com.br)


dovecot version is:

[root at correio dovecot]# dovecot --version
2.2.2
[root at correio dovecot]#


what am i doing wrong here ? How to have dovecot to really check users 
before giving OK to postfix on SMTP authentications ?

Thanks for any hints !



-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, N?O mandem email
	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it