thr3ads.net - dovecot - Question about password field in passwd-file [Jul 2018]

If this information is useful, please help other people find it:
Share via:

J Doe

2018-Jul-08 04:26 UTC

Question about password field in passwd-file

> On Jul 7, 2018, at 2:12 AM, Aki Tuomi <aki.tuomi at dovecot.fi>
wrote:
> 
> you can add nopassword attribute to the end. See
https://wiki.dovecot.org/PasswordDatabase/ExtraFields
> 
> 
> ---
> Aki Tuomi
> Dovecot oy
Hi Aki,

Thank you for your reply.

I have two questions regarding this:

1.  Is the ?nopassword? attribute the same as specifying a null password field
by itself ?  The documentation at
[1] seems to suggest that having a null password AND specifying ?nopassword?
will allow someone to
authenticate with _no_ password:

    ?nopasword: if you want to allow all passwords, use an empty password and
this field.?

Farther down, the page seems to indicate that the ?nologin? attribute is what I
am looking for:

    ?nologin: User isn?t actually allowed to log in even if the password matches
. . .?

Or possibly ?noauthenticate?:

    ?noauthenticate: Do not perform any authentication . . ."

2.  Is ?nologin? functionally equivalent to specifying no password in the
password field ?  I am assuming that
setting a null password (even without ?nologin?), prevents login with ANY or NO
password as a blank field
would default to a {CRYPT} scheme and a call to crypt() cannot return a null
string.

As background to why I want to do this, I have a server with a basic Dovecot
setup that provides
SMTP SASL AUTH, IMAP and LMTP for Postfix.  For the passdb and userdb, I use the
same passwd-style file:

    /etc/dovecot/dovecot.conf
        userdb {
            driver = passwd-file
            args = /etc/dovecot/passwd
        }

        passdb {
            driver = passwd-file
            args = /etc/dovecot/passwd
        }

I use usernames for SMTP SASL AUTH and IMAP that differ from either: user at
example.com or user.  So for
one user, for example, I have:

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP user accounts and passwords
        user_account_1:{PLAIN}password: . . . 

        # LMTP username/e-mail address
        user at example.com:: . . . 
:/var/mail/vhosts/example.com/user_account_1

So in the LMTP entry I specify no password between the colons to prevent someone
trying to logon via
IMAP using the LMTP username/e-mail address.  Is this correct and: is there a
better way to do this ?

Thanks,

- J

Sources:

    [1] https://wiki.dovecot.org/PasswordDatabase/ExtraFields

Apparently Analagous Threads

Search for more seemingly similar threads

dovecot - Jul 2018 - Question about password field in passwd-file

Question about password field in passwd-file

Apparently Analagous Threads

Wisdom of the Ancients