(Repeat, because on the first message there was no reaction)

Hi.

If the checkpassword interface is used for working with vpopmail, the vpopmail function "Record time and ip of last auth attempt" (--enable-auth-logging option for configure) won't work - the file "lastauth" is created in Maildir, but does not contain the ip-address. If I have understood correctly, dovecot wouldn't have set the environment variable TCPREMOTEIP for vchkpw. If changes are made in auth/passdb-checkpassword.c (a patch in attachment), everything will work. Probably the patch is incorrect and does not solve all problems, however the request is to pay attention to the existence of the problem.

Also it is possible that a similar problem exists with other variables of the TCP UCSPI protocol (http://cr.yp.to/proto/ucspi-tcp.txt).

P.S. If the vpopmail interface is used instead of checkpassword, the file "lastauth" will not be created at all, which is a little bit inconvenient.

**********************************
System:
dovecot-1.0.rc10
vpopmail-5.4.17
ASP Linux Server II (RHEL3 clone)
kernel 2.4.21-47.EL.aspsmp
CPU architecture: x86 (IBM xSeries 336)
Filesystem: ext3
**********************************
dovecot configuration:

base_dir = /var/run/dovecot/
protocols = imap pop3
disable_plaintext_auth = no
ssl_disable = yes
login_greeting = Ready.
first_valid_uid = 89
last_valid_uid = 89
first_valid_gid = 89
last_valid_gid = 89
protocol imap {
  listen = 81.26.136.8:144
  mail_executable = /usr/local/libexec/dovecot/imap
  mail_plugins = quota imap_quota
  mail_plugin_dir = /usr/local/lib/dovecot/imap
  imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
  listen = 81.26.136.8:112
  login_executable = /usr/local/libexec/dovecot/pop3-login
  mail_executable = /usr/local/libexec/dovecot/pop3
  pop3_uidl_format = %f
  mail_plugins = quota
  mail_plugin_dir = /usr/local/lib/dovecot/pop3
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
auth default {
  mechanisms = plain login
  passdb checkpassword {
    args = /var/qmail/vpopmail/bin/vchkpw
  }
  userdb prefetch {
  }
  user = root
}
dict {
}
plugin {
  quota = maildir
}
***************************************
dovecot configure options:

./configure \
  --disable-ipv6 \
  --prefix=/usr/local \
  --sysconfdir=/etc/dovecot \
  --without-passwd \
  --without-passwd-file \
  --without-shadow \
  --without-pam \
  --without-bsdauth \
  --with-checkpassword \
  --with-vpopmail \
  --without-static-userdb \
  --with-prefetch-userdb \
  --without-sql \
  --without-pgsql \
  --without-mysql \
  --without-sqlite \
  --with-ssl=openssl \
  --with-pop3d \
  --without-deliver \
  --with-storages=maildir \
  --with-docs
*****************************************
vpopmail configure options:

./configure \
  --enable-auth-module=cdb \
  --enable-logging=p \
  --enable-md5-passwords \
  --enable-make-seekable \
  --enable-file-sync \
  --enable-ip-alias-domains \
  --enable-clear-passwd \
  --disable-roaming-users \
  --disable-learn-passwords \
  --disable-passwd \
  --enable-auth-logging
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL: <http://dovecot.org/pipermail/dovecot/attachments/20061026/2515169e/attachment-0002.txt>
Timo Sirainen
2006-Nov-02 21:29 UTC
[Dovecot] BUG: passdb checkpassword {} and lastauth file
On Thu, 2006-10-26 at 11:49 +0400, Max A wrote:
> Also it is possible, that a similar problem exists with other variables
> TCP UCSPI protocol (http://cr.yp.to/proto/ucspi-tcp.txt).

Hmm. I hadn't heard of UCSPI before.

Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP will stay for backwards compatibility, maybe I'll remove them in Dovecot v2.0.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20061102/0a6ef2b5/attachment.pgp
>> Also it is possible, that a similar problem exists with other variables
>> TCP UCSPI protocol (http://cr.yp.to/proto/ucspi-tcp.txt).
>
> Hmm. I hadn't heard of UCSPI before.
>
> Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP
> will stay for backwards compatibility, maybe I'll remove them in Dovecot
> v2.0.
>

Thanks for the answer :)

There are still some problems with the use of the checkpassword interface with vpopmail.

Besides the standard exit codes of checkpassword:

1 unacceptable
2 misused
111 temporary problem

vchkpw (the checkpassword analogue in vpopmail) uses two additional groups of exit codes:

a) When the user gives a wrong username/password (procedure checkpassword_request_half_finish() should call checkpassword_request_finish() with parameter PASSDB_RESULT_PASSWORD_MISMATCH):

1 pop/smtp/webmal/imap/ access denied (matches a code of classic checkpassword)
3 password fail / vpopmail user not found
12 null user name given
13 null password given
15 user has no password
20 invalid user/domain characters
21 system user not found
22 system user shadow entry not found
23 system password fail

b) vpopmail's internal errors (checkpassword_request_half_finish() calls checkpassword_request_finish() with parameter PASSDB_RESULT_INTERNAL_FAILURE):

4 setgid failed
5 setuid failed
6 autocreate dir error / chdir failed
7 putenv(USER) failed
8 putenv(HOME) failed
9 putenv(SHELL) failed
10 putenv(VPOPUSER) failed
11 vchkpw is only for talking with qmail-popup and qmail-pop3d. It is not for running on the command line
14 dir auto create failed / failed to vauth_getpw() after dir auto create

Now all these codes are processed in checkpassword_request_half_finish() by the "default" section. It will be wrong for the first group of codes to return to the user "-ERR Temporary authentication failure.", because it is not an internal problem, it's a login failure (user problem).

I have made some changes in passdb-checkpassword.c to separate internal vpopmail mistakes from the user's mistakes (a patch is in attachment). As the exit code "1" in vchkpw corresponds to an interdiction of access to a service (smtp/pop3/imap/webmail), I have changed the line for logging in "case 1" from "Password not accepted" to "Login failed". This line (imho) is acceptable both for classical checkpassword and for vchkpw. Now all the user's mistakes will be processed in the same way as a wrong password in checkpassword (exit code 1), and internal mistakes will be logged by the "default" section.

If you do not like the idea of changing the code specially for vpopmail, it would be possible to add some parameter in the "passdb checkpassword {}" section of the config file, indicating work specially with vpopmail. Depending on its presence, "case" would work differently (my knowledge of C is insufficient for this purpose).

Also, if it is not too hard for you, can you add the variable TCPLOCALPORT (described in http://cr.yp.to/proto/ucspi-tcp.txt) to the environment variables for checkpassword, because vchkpw uses it for an interdiction of access to various services (SMTP/POP3/IMAP/Webmail)?
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpopmail_env.patch
URL: <http://dovecot.org/pipermail/dovecot/attachments/20061109/98ce079e/attachment.pl>
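The two points raised across this thread (the UCSPI-TCP variables the checkpassword child needs in its environment, and the split of vchkpw's exit codes into user-side and internal failures) are shown together below as an added example. It is not code from the thread and not Dovecot's auth/passdb-checkpassword.c: the passdb_result enum, the run_checkpassword() and classify_exit() functions, and the vpopmail_mode flag (the per-passdb parameter the last message suggests) are this example's own assumptions, and the stand-in for vchkpw in main() is a constructed shell command with 192.0.2.x test addresses. What is taken from the checkpassword and ucspi-tcp specifications is the fd-3 payload "user\0pass\0timestamp\0" and the TCPLOCALIP/TCPLOCALPORT/TCPREMOTEIP/TCPREMOTEPORT variable names; LOCAL_IP and REMOTE_IP are the legacy names Timo says will stay.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Result classes named after the passdb results quoted in the thread
   (this enum is the example's own, not Dovecot's). */
enum passdb_result {
    PASSDB_OK = 0,
    PASSDB_PASSWORD_MISMATCH = 1,
    PASSDB_INTERNAL_FAILURE = 2
};

/* Map a checkpassword exit code to a result. With vpopmail_mode set, the
   grouping proposed in the thread is applied: vchkpw's group (a) codes are
   user-side failures; group (b), 2 (misused), 111 (temporary) and anything
   unknown are internal failures. Without it, only 0 and 1 have a user meaning. */
enum passdb_result classify_exit(int code, int vpopmail_mode)
{
    if (code == 0)
        return PASSDB_OK;
    if (code == 1)                       /* unacceptable / access denied */
        return PASSDB_PASSWORD_MISMATCH;
    if (vpopmail_mode) {
        switch (code) {
        case 3: case 12: case 13: case 15:
        case 20: case 21: case 22: case 23:
            return PASSDB_PASSWORD_MISMATCH;
        default:
            break;
        }
    }
    return PASSDB_INTERNAL_FAILURE;
}

/* Run a checkpassword-style program: "user\0pass\0timestamp\0" on fd 3,
   verdict in the exit status, UCSPI-TCP variables in the child's environment.
   Returns a passdb_result, or -1 on a local failure (pipe/fork/waitpid);
   the raw exit code is stored in *exit_code (-1 if the child was signalled). */
int run_checkpassword(char *const argv[], const char *user, const char *pass,
                      const char *local_ip, const char *local_port,
                      const char *remote_ip, const char *remote_port,
                      int vpopmail_mode, int *exit_code)
{
    char buf[512];                       /* the interface caps fd-3 data at 512 bytes */
    size_t ulen = strlen(user), plen = strlen(pass), len = ulen + plen + 3;
    int fds[2], status;
    pid_t pid;

    if (len > sizeof buf || pipe(fds) < 0)
        return -1;
    memcpy(buf, user, ulen + 1);
    memcpy(buf + ulen + 1, pass, plen + 1);
    buf[len - 1] = '\0';                 /* empty APOP timestamp */

    /* Fill the pipe before forking: a few bytes never block, and a child that
       exits without reading cannot make the parent hit EPIPE. */
    if (write(fds[1], buf, len) != (ssize_t)len) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    close(fds[1]);

    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        return -1;
    }
    if (pid == 0) {
        if (dup2(fds[0], 3) < 0)
            _exit(111);
        if (fds[0] != 3)
            close(fds[0]);
        setenv("PROTO", "TCP", 1);
        setenv("TCPLOCALIP", local_ip, 1);
        setenv("TCPLOCALPORT", local_port, 1);   /* lets vchkpw tell pop3/imap apart */
        setenv("TCPREMOTEIP", remote_ip, 1);     /* what lastauth records */
        setenv("TCPREMOTEPORT", remote_port, 1);
        setenv("LOCAL_IP", local_ip, 1);         /* legacy names, kept for compatibility */
        setenv("REMOTE_IP", remote_ip, 1);
        execv(argv[0], argv);
        _exit(111);                      /* exec failed: report a temporary problem */
    }
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status)) {            /* killed by a signal: never a user error */
        if (exit_code) *exit_code = -1;
        return PASSDB_INTERNAL_FAILURE;
    }
    if (exit_code) *exit_code = WEXITSTATUS(status);
    return classify_exit(WEXITSTATUS(status), vpopmail_mode);
}

int main(void)
{
    /* Constructed stand-in for vchkpw: checks that TCPREMOTEIP arrived, drains
       the fd-3 payload, then exits 3 (vpopmail's "password fail"). */
    char *const argv[] = { "/bin/sh", "-c",
        "test \"$TCPREMOTEIP\" = 192.0.2.10 && cat <&3 >/dev/null && exit 3; exit 111", NULL };
    int code = -1;
    int r = run_checkpassword(argv, "user@example.com", "not-the-password",
                              "192.0.2.1", "110", "192.0.2.10", "40001", 1, &code);
    printf("result=%d exit_code=%d\n", r, code);   /* result=1 exit_code=3 */
    return 0;
}
```

Writing the payload into the pipe before fork() is the detail worth noting: it removes the window in which a vchkpw that exits early (for example with code 11 when it decides it was run wrongly) would turn the parent's write into a SIGPIPE, and a signalled child is classified as an internal failure rather than as a bad password, which is the distinction the thread asks for.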