dovecot - Apr 2007 - Dovecot, Postfix and SMTP AUTH....

Hello.

I've notice a problem with SMTP AUTH in postfix with dovecot. My 
configuration is based on Postgresql. I've created a function in 
postgresql which returns password and username and attached it to 
password_query. Query looks like this

password_query = SELECT username_out as username, password_out as 
password FROM get_password(lower('%n'),lower('%d'));

Problem is when get_password returns something like this...

vmail=# SELECT username_out as username, password_out  FROM 
get_password(lower(''),lower(''));
LOG:  statement: SELECT username_out as username, password_out  FROM 
get_password(lower(''),lower(''));
LOG:  duration: 2.342 ms  statement: SELECT username_out as username, 
password_out  FROM get_password(lower(''),lower(''));
 username | password_out
----------+--------------
          |
(1 row)


It returns 1 empty row....

When this is attached to postfix with smtp auth with such configuration

# SMTP AUTH
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

my serwer starts to be open relay...

I now that it returns empty string for username and password... so where 
is the password checked... if I dont send password as a parameter to my 
function.

Definition of the function looks like this:

CREATE FUNCTION get_password("login" character varying,
"domain"
character varying, OUT username_out character varying, OUT password_out 
character varying) RETURNS record

Can you help with that...

BT



----------------------------------------------------------------------
Zrob numer kumplom >> http://link.interia.pl/f1a5d

You may not get a reply because your home domain is in the SURBL list, so 
your message will likely end up in everyone's spam folder. I've pasted
the
SpamAssassin report below.
> Content analysis details:   (5.7 points, 5.0 required)
>
>  pts rule name              description
> ---- ----------------------
> -------------------------------------------------- -0.0 SPF_HELO_PASS
> SPF: HELO matches SPF record
> -0.0 SPF_PASS               SPF: sender matches SPF record
> -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>                             [score: 0.0000]
>  4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL
> blocklist                             [URIs: interia.pl]
>  3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL
> blocklist                             [URIs: interia.pl]

On Tue, 2007-04-24 at 16:39 +0200, Bartosz Toczek wrote:
> Problem is when get_password returns something like this...
..
>  username | password_out
> ----------+--------------
>           |
Isn't it possible to make PostgreSQL function not return a row?

Anyway, there's nothing in Dovecot side you can do for now, but for v1.1
I changed the code so that NULL password doesn't automatically mean that
any password is valid (it requires now also returning "nopassword"
field).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20070513/8983382d/attachment.bin>