J4K
2011-Jan-25 16:50 UTC
[Dovecot] authentication methods : pam, passwd and then backup question. How to restrict the methods
Dear all,

I noticed that incoming users were attempting to authenticate using several methods like pam sql. Eventually, they logged in. Is there a way for dovecot to only query a mysql backup for users, and skip the other methods?

Examples from logs (via Roundcube webmail in this case, but the same messages appear with port 993)

Jan 25 17:22:17 srv dovecot: auth-worker(default): pam(aa at bb.co.uk,127.0.0.1): pam_authenticate() failed: Authentication failure (password mismatch?)
Jan 25 17:22:17 srv dovecot: auth(default): passwd(aa at bb.co.uk,127.0.0.1): unknown user
Jan 25 17:22:17 srv dovecot: imap-login: Login: user=<aa at bb.co.uk>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured

As shown above, the user uses pam, passwd and then finally the user account fetched from mysql.

The distribution is Debian Squeeze.

Regards,
s
Pascal Volk
2011-Jan-25 16:53 UTC
[Dovecot] authentication methods : pam, passwd and then backup question. How to restrict the methods
On 01/25/2011 05:50 PM J4K wrote:
> Dear all,
>
> I noticed that incoming users were attempting to authenticate using
> several methods like pam sql. Eventually, they logged in.
> Is there a way for dovecot to only query a mysql backup for users, and
> skip the other methods?
>
> Examples from logs (via Roundcube webmail in this case, but the same
> messages appear with port 993)
>
> Jan 25 17:22:17 srv dovecot: auth-worker(default):
> pam(aa at bb.co.uk,127.0.0.1): pam_authenticate() failed: Authentication
> failure (password mismatch?)
> Jan 25 17:22:17 srv dovecot: auth(default):
> passwd(aa at bb.co.uk,127.0.0.1): unknown user
> Jan 25 17:22:17 srv dovecot: imap-login: Login: user=<aa at bb.co.uk>,
> method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
>
> As shown above, the user uses pam, passwd and then finally the user
> account fetched from mysql.
>
> The distribution is Debian Squeeze.

Configure only the userdb and passdb you want to use and remove all others. You forgot to show your `doveconf -n`/`dovecot -n` output.

Regards,
Pascal
--
The trapper recommends today: c01dcofe.1102517 at localdomain.org
J4K
2011-Jan-25 16:55 UTC
[Dovecot] authentication methods : pam, passwd and then backup question. How to restrict the methods
On 01/25/2011 05:53 PM, Pascal Volk wrote:
> On 01/25/2011 05:50 PM J4K wrote:
>> Dear all,
>>
>> I noticed that incoming users were attempting to authenticate using
>> several methods like pam sql. Eventually, they logged in.
>> Is there a way for dovecot to only query a mysql backup for users, and
>> skip the other methods?
>>
>> Examples from logs (via Roundcube webmail in this case, but the same
>> messages appear with port 993)
>>
>> Jan 25 17:22:17 srv dovecot: auth-worker(default):
>> pam(aa at bb.co.uk,127.0.0.1): pam_authenticate() failed: Authentication
>> failure (password mismatch?)
>> Jan 25 17:22:17 srv dovecot: auth(default):
>> passwd(aa at bb.co.uk,127.0.0.1): unknown user
>> Jan 25 17:22:17 srv dovecot: imap-login: Login: user=<aa at bb.co.uk>,
>> method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
>>
>> As shown above, the user uses pam, passwd and then finally the user
>> account fetched from mysql.
>>
>> The distribution is Debian Squeeze.
>>
> Configure only the userdb and passdb you want to use and remove all
> others. You forgot to show your `doveconf -n`/`dovecot -n` output.
>
>
> Regards,
> Pascal

Sorry. It's below:

# dovecot -n
# 1.2.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-cgmemcap-smack x86_64 Debian 6.0 ext4
log_timestamp: %Y-%m-%d %H:%M:%S
listen: 127.0.0.1:3993
ssl_listen: *:993
ssl: required
ssl_ca_file: /etc/ssl/certs/startcomIntermediateCA.pem
ssl_cert_file: /etc/ssl/private/klunky.co.uk.ssl.crt
ssl_key_file: /etc/ssl/private/klunky.co.uk.nopassphase_ssl.key
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
login_max_processes_count: 256
valid_chroot_dirs: /var/vmail
first_valid_uid: 106
mail_privileged_group: mail
mail_location: maildir:/var/vmail/%d/%u/
maildir_very_dirty_syncs: yes
mbox_write_locks: fcntl dotlock
mail_plugins: quota
lda:
  log_path:
  auth_socket_path: /var/run/dovecot/auth-master
  postmaster_address: postmaster at example.com
  mail_plugins: sieve quota
  sieve_global_path: /var/vmail/globalsieverc
auth default:
  mechanisms: plain login
  verbose: yes
  passdb:
    driver: pam
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
plugin:
  quota_rule: *:storage=262144:messages=20000
  quota_rule2: Trash:storage=282144:messages=23000
dict:
  quotadict: mysql:/etc/dovecot/dovecot-dict-quota.conf
Pascal Volk
2011-Jan-25 17:11 UTC
[Dovecot] authentication methods : pam, passwd and then backup question. How to restrict the methods
On 01/25/2011 05:55 PM J4K wrote:
> On 01/25/2011 05:53 PM, Pascal Volk wrote:
>> On 01/25/2011 05:50 PM J4K wrote:
>>> I noticed that incoming users were attempting to authenticate using
>>> several methods like pam sql. Eventually, they logged in.
>>> Is there a way for dovecot to only query a mysql backup for users, and
>>> skip the other methods?
> # dovecot -n
> # 1.2.15: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-cgmemcap-smack x86_64 Debian 6.0 ext4
> …
> auth default:
> …
>   passdb:
>     driver: pam
>   passdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
>   userdb:
>     driver: passwd
>   userdb:
>     driver: static
>     args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
>   userdb:
>     driver: sql
>     args: /etc/dovecot/dovecot-mysql.conf
> …

Remove passdb pam and userdb static, then reload the configuration and be happy. ;-)

Regards,
Pascal
--
The trapper recommends today: c01dcafe.1102518 at localdomain.org
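
Added example (not part of the thread, and not Dovecot code): Dovecot tries each passdb and userdb in the order they are configured, which is why the log shows pam and passwd entries before the login succeeds. The script below reads Dovecot 1.2 style `dovecot -n` output and lists that lookup order, reporting every driver outside an allowlist; the function names and the sql-only allowlist are assumptions chosen for illustration.

```python
# Constructed sample: the "auth default" part of the `dovecot -n` output posted above.
SAMPLE = """\
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
  passdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/var/vmail/%d/%n allow_all_users=yes
  userdb:
    driver: sql
    args: /etc/dovecot/dovecot-mysql.conf
  socket:
    type: listen
"""

def auth_chain(dovecot_n_output):
    """Return {'passdb': [...], 'userdb': [...]} with drivers in lookup order."""
    chain = {"passdb": [], "userdb": []}
    current = None  # (kind, indent) of the passdb:/userdb: block being read
    for line in dovecot_n_output.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if key in chain and not value.strip():
            current = (key, indent)          # a new passdb:/userdb: block starts
        elif current and indent > current[1]:
            if key == "driver":              # setting inside the current block
                chain[current[0]].append(value.strip())
        else:
            current = None                   # dedent: the block has ended
    return chain

def unexpected(chain, allowed=("sql",)):
    """List (kind, driver) pairs outside the allowlist (assumed here: sql only)."""
    return [(kind, drv) for kind in ("passdb", "userdb")
            for drv in chain[kind] if drv not in allowed]

if __name__ == "__main__":
    chain = auth_chain(SAMPLE)
    for kind, drivers in chain.items():
        print(kind, "lookup order:", " -> ".join(drivers))
    print("outside allowlist:", unexpected(chain))
```

Piping the real `dovecot -n` output into `auth_chain` after a configuration reload shows whether any driver other than the intended one is still consulted.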