Adi Pircalabu
2012-Aug-31 02:51 UTC
[Dovecot] [Postfix] SASL Auth. using Dovecot with password forwarding proxy configuration
Hi,

I'm relatively new to Dovecot and I did a bit of searching but couldn't find a possible solution for the particular setup I'm working on. Basically I have an SMTP/POP/IMAP proxy setup running Postfix & Dovecot. IMAP/POP authentication is done using the password proxy feature, where the login credentials are passed to the backend server after a db lookup, which does the actual authentication. The POP/IMAP part is working fine.

What I'm trying to do is to use the Dovecot SASL implementation in Postfix to do SMTP authentication in a similar manner. The problem I have with my current configuration is that SMTP authentication succeeds if only the username matches, because password forwarding works if the authentication succeeds with any given password, as documented at http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy

My question is, given the above: is there a way to get SMTP authentication working properly in this scenario? The way I see it now, Dovecot SASL accepting the login if only the user matches isn't quite "complete"; the auth process should go further and authenticate against the backend server, same as for POP/IMAP connections. Does this requirement make any sense? Maybe I'm missing something in the Dovecot configuration to get SMTP authentication to work in password forwarding mode; a few pointers will be highly appreciated. PopBSMTP is not a sensible alternative in my case.

Here's my configuration, plus some dovecot auth_debug log entries. As you can see, SMTP authentication succeeds with any given password.
---Dovecot---
dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.2.1.el6.centos.plus.x86_64 x86_64 CentOS release 6.3 (Final)
auth_cache_size = 4 k
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_ca = </etc/pki/tls/certs/ca-cert.pem
ssl_cert = </etc/pki/tls/certs/_cert.pem
ssl_key = </etc/pki/tls/certs/_key.pem
userdb {
  driver = prefetch
}

grep -v "^$\|^#" /etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=postfixpassword
password_query = SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = '%u'
---Dovecot---

---Postfix---
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
---Postfix---

---/var/log/maillog---
(IMAP connection)
Aug 31 11:20:20 centos6 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=192.168.1.222#011rip=192.168.1.56#011lport=993#011rport=44024#011resp=AGFAMGFkaXRlc3QubmV0ADEyM3F3ZVpYQw=
Aug 31 11:20:20 centos6 dovecot: auth: Debug: cache(a@0aditest.net,192.168.1.56): miss
Aug 31 11:20:20 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:20:20 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:20:21 centos6 dovecot: auth: mysql: Connected to /var/lib/mysql/mysql.sock (postfix)
Aug 31 11:20:21 centos6 dovecot: auth: Debug: sql(a@0aditest.net,192.168.1.56): query: SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = 'a@0aditest.net'
Aug 31 11:20:21 centos6 dovecot: auth: Debug: client out: OK#0111#011user=a@0aditest.net#011host=BACKEND_SERVER_IP#011email=a@0aditest.net#011proxy#011pass=1234567890
Aug 31 11:20:21 centos6 dovecot: imap-login: Debug: Ignoring unknown passdb extra field: email
Aug 31 11:20:21 centos6 dovecot: imap-login: proxy(a@0aditest.net): started proxying to BACKEND_SERVER_IP:143: user=<a@0aditest.net>, method=PLAIN, rip=192.168.1.56, lip=192.168.1.222, TLS
[...]

(SMTP connection)
Aug 31 11:36:14 centos6 postfix/smtpd[11213]: connect from unknown[192.168.1.200]
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: auth client connected (pid=11213)
Aug 31 11:36:14 centos6 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=192.168.1.222#011rip=192.168.1.200#011resp=AGFAMGFkaXRlc3QubmV0AGFzZA=
Aug 31 11:36:14 centos6 dovecot: auth: Debug: cache(a@0aditest.net,192.168.1.200): miss
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:36:14 centos6 dovecot: auth: mysql: Connected to /var/lib/mysql/mysql.sock (postfix)
Aug 31 11:36:14 centos6 dovecot: auth: Debug: sql(a@0aditest.net,192.168.1.200): query: SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = 'a@0aditest.net'
Aug 31 11:36:14 centos6 dovecot: auth: Debug: client out: OK#0111#011user=a@0aditest.net#011host=203.63.79.87#011email=a@0aditest.net#011proxy#011pass=anygivenpassword
Aug 31 11:36:14 centos6 postfix/smtpd[11213]: C9620600A9: client=unknown[192.168.1.200], sasl_method=PLAIN, sasl_username=a@0aditest.net
Aug 31 11:36:14 centos6 postfix/cleanup[11219]: C9620600A9: message-id=<20120831113614.72ed32df@adi.ddns.local>
[...]
---/var/log/maillog---

--
Adi Pircalabu
Timo Sirainen
2012-Aug-31 14:11 UTC
[Dovecot] [Postfix] SASL Auth. using Dovecot with password forwarding proxy configuration
On 31.8.2012, at 5.51, Adi Pircalabu wrote:

> I'm relatively new to Dovecot and I did a bit of search but couldn't
> find a possible solution for the particular setup I'm working on.
> Basically I have an SMTP/POP/IMAP proxy setup running Postfix &
> Dovecot. IMAP/POP authentication is done using the password proxy
> feature, where the login credentials are passed to the backend server
> after a db lookup, which does the actual authentication.

POP/IMAP logs the user in and Dovecot proxies it.

> The POP/IMAP part is working fine. What I'm trying to do is to use
> Dovecot SASL implementation in Postfix to do SMTP authentication in a
> similar manner. The problem I have with my current configuration is that
> SMTP authentication succeeds if only the username matches, because
> password forwarding works if the authentication succeeds with any given
> password, as documented at
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy

Dovecot has no SMTP proxy (currently). And anyway Postfix doesn't use SMTP to do authentication, Postfix authenticates using Dovecot's internal protocol, which replies that Postfix should do the proxying, which it of course doesn't do.

> My question is, given the above: is there a way to get SMTP
> authentication properly in this scenario?

Make Postfix authenticate against the backend Dovecot server. You'll need to set up service auth { inet_listener } to some port for it.
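The setup Timo describes, as an added configuration example that is not part of the thread: the backend Dovecot exposes its auth service on a TCP port and the Postfix on the proxy host authenticates against it directly, so the password is checked by the backend passdb instead of being waved through by the frontend's nopassword/proxy reply. The addresses 192.0.2.10 (proxy host), 192.0.2.20 (backend) and port 12345 are placeholders.

```conf
# ===== Backend Dovecot: /etc/dovecot/dovecot.conf (added example) =====
# The backend's passdb holds the real credentials, so an auth request
# arriving here is verified against the stored password, not proxied.
service auth {
  # Existing unix_listener entries for local services stay as they are.
  inet_listener {
    address = 192.0.2.20   # placeholder: backend's internal interface only
    port = 12345           # placeholder: auth-client port for the proxy host
  }
}
# The Dovecot auth-client protocol carries the SASL credentials in clear text,
# so restrict this port to the proxy host (192.0.2.10) in the host firewall
# and keep it off any public interface.

# ===== Proxy host Postfix: /etc/postfix/main.cf (added example) =====
# Point SASL at the backend's TCP listener instead of the frontend's
# /var/spool/postfix/private/auth socket, whose passdb only answers
# "proxy" + "nopassword" and therefore accepts any password.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:192.0.2.20:12345
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# The frontend Dovecot keeps its own sql passdb with proxy=Y for
# IMAP/POP; that path is unchanged and Postfix no longer consults it.
```

After reloading both services, an SMTP login with a wrong password should be logged by postfix/smtpd as "SASL PLAIN authentication failed" rather than producing a sasl_username= entry as in the maillog excerpt above.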