dovecot - Oct 2006 - BUG: passdb checkpassword {} and lastauth file

(Repeat, because on the first message there was no reaction)

Hi.

If  checkpassword interface is used for working with vpopmail, function
vpopmail "Record time and ip of last auth attempt"
(--enable-auth-logging option for configure) won't work - the file
"lastauth" is created in Maildir, but does not contain  ip-address. If
I
had correctly understood, dovecot woldn't have set a enviroment variable
   TCPREMOTEIP for vchkpw.
If changes are made in auth/passdb-checkpassword.c (a patch in
attachment), everything will work.
Probably, the patch is incorrect and does not solve all problems,
however the request is to pay attention to existence of the problem.
Also it is possible, that a similar problem exists with other variables
TCP UCSPI protocol  (http://cr.yp.to/proto/ucspi-tcp.txt).

P.S. If use the interface vpopmail instead of checkpassword, the file
"lastauth" will not be created at all, that is a little bit 
inconvenient.


**********************************
System:
dovecot-1.0.rc10
vpopmail-5.4.17
ASP Linux Server II (RHEL3 clone)
kernel 2.4.21-47.EL.aspsmp
CPU architecture: x86 (IBM xSeries 336)
Filesystem: ext3


**********************************
dovecot configuration:

base_dir = /var/run/dovecot/
protocols = imap pop3
disable_plaintext_auth = no
ssl_disable = yes
login_greeting = Ready.
first_valid_uid = 89
last_valid_uid = 89
first_valid_gid = 89
last_valid_gid = 89
protocol imap {
    listen = 81.26.136.8:144
    mail_executable = /usr/local/libexec/dovecot/imap
    mail_plugins = quota imap_quota
    mail_plugin_dir = /usr/local/lib/dovecot/imap
    imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
tb-extra-mailbox-sep
}

protocol pop3 {
    listen = 81.26.136.8:112
    login_executable = /usr/local/libexec/dovecot/pop3-login
    mail_executable = /usr/local/libexec/dovecot/pop3
    pop3_uidl_format =  %f
    mail_plugins = quota
    mail_plugin_dir = /usr/local/lib/dovecot/pop3
    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
auth default {
    mechanisms = plain login
    passdb checkpassword {
      args = /var/qmail/vpopmail/bin/vchkpw
    }
    userdb prefetch {
    }
    user = root
}
dict {
}
plugin {
    quota = maildir
}

***************************************

dovecot configure options:
./configure \
          --disable-ipv6 \
          --prefix=/usr/local \
          --sysconfdir=/etc/dovecot \
          --without-passwd \
          --without-passwd-file \
          --without-shadow \
          --without-pam \
          --without-bsdauth \
          --with-checkpassword \
          --with-vpopmail \
          --without-static-userdb \
          --with-prefetch-userdb \
          --without-sql \
          --without-pgsql \
          --without-mysql \
          --without-sqlite \
          --with-ssl=openssl \
          --with-pop3d \
          --without-deliver \
          --with-storages=maildir \
          --with-docs

*****************************************
vpopmail configure options:

./configure \
      --enable-auth-module=cdb \
      --enable-logging=p \
      --enable-md5-passwords \
      --enable-make-seekable \
      --enable-file-sync \
      --enable-ip-alias-domains \
      --enable-clear-passwd \
      --disable-roaming-users \
      --disable-learn-passwords \
      --disable-passwd \
      --enable-auth-logging

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20061026/2515169e/attachment-0002.txt>

On Thu, 2006-10-26 at 11:49 +0400, Max A wrote:
> Also it is possible, that a similar problem exists with other variables
> TCP UCSPI protocol  (http://cr.yp.to/proto/ucspi-tcp.txt).
Hmm. I hadn't heard of UCSPI before.

Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP
will stay for backwards compatibility, maybe I'll remove them in Dovecot
v2.0.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://dovecot.org/pipermail/dovecot/attachments/20061102/0a6ef2b5/attachment.pgp

>> Also it is possible, that a similar problem exists with other variables
>> TCP UCSPI protocol  (http://cr.yp.to/proto/ucspi-tcp.txt).
> 
> Hmm. I hadn't heard of UCSPI before.
> 
> Oh well, I guess I'll have to change this. The LOCAL_IP and REMOTE_IP
> will stay for backwards compatibility, maybe I'll remove them in
Dovecot
> v2.0.
> 
Thanks for answer :)

There are still some problems with the use of the
checkpassword-interface with vpopmail. Besides standard exit codes of
checkpassword:

1 	unacceptable
2 	misused
111	temporary problem

vchkpw (the checkpassword analogue in vpopmail) uses two additional
groups of exit codes:

a) When user gives wrong username/password (procedure
checkpassword_request_half_finish() should call
checkpassword_request_finish() with parameter
PASSDB_RESULT_PASSWORD_MISMATCH):

1	pop/smtp/webmal/imap/ access denied (match with a code of
	classic checkpassword)
3	password fail / vpopmail user not found
12	null user name given
13	null password given
15	user has no password
20	invalid user/domain characters
21	system user not found
22	system user shadow entry not found
23	system password fail

b) vpopmail's internal errors:
(checkpassword_request_half_finish() call checkpassword_request_finish()
with parameter PASSDB_RESULT_INTERNAL_FAILURE):

4	setgid failed
5	setuid failed
6	autocreate dir error / chdir failed
7	putenv(USER) failed
8	putenv(HOME) failed
9	putenv(SHELL) failed
10	putenv(VPOPUSER) failed
11	vchkpw is only for talking with qmail-popup and qmail-pop3d.
	It is not for runnning on the command line
14	dir auto create failed / failed to vauth_getpw() after dir auto
	create

Now all these codes are processed in checkpassword_request_half_finish()
by "default" section. It will be wrong for the first group of codes to
return the user "-ERR Temporary authentication failure. ", because it
is
not an internal problem, it's a login failure (user problem).  I have 
made some changes in passdb-checkpassword.c to separate internal 
vpopmail mistakes from user's mistakes (a patch is in attachment).

As the exit code "1" in vchkpw corresponds to an interdiction of
access
to service (smtp/pop3/imap/webmail) I have changed a line for logging in
"case 1 " from "Password not accepted" to "Login
failed". This line
(imho) acceptables both for classical checkpassword and for vchkpw.

Now all user's mistakes will be processed as well as a mistake of the
password in checkpassword (exit code 1), and internal mistakes will be
logged by "default" section.

If you do not like an idea of changing a code specially for vpopmail it
will be possible to make some parameter in "passdb checkpassword {}"
section in the config file, pointing at work specially with vpopmail. 
Depending on its presence "case" will work otherwise (my knowledge of
C
is insufficiently for this purpose).

Also, if it is not too hard for you, can you add variable TCPLOCALPORT
(described in http://cr.yp.to/proto/ucspi-tcp.txt) to environment
variables for checkpassword, because vchkpw uses it for an interdiction
of access to various services (SMTP/POP3/IMAP/Webmal)?

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpopmail_env.patch
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20061109/98ce079e/attachment.pl>