> On July 11, 2017 at 11:50 AM azurit at pobox.sk wrote:
>
> Quoting azurit at pobox.sk:
>
> > Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
> >
> >>> On July 10, 2017 at 1:45 PM azurit at pobox.sk wrote:
> >>>
> >>> Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:
> >>>
> >>>>> On July 10, 2017 at 12:33 PM azurit at pobox.sk wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I'm trying to configure Dovecot proxy with user authentication on
> >>>>> proxy side only, so backends will authenticate using master password
> >>>>> (proxy is configured to send it). The problem is that Dovecot, on
> >>>>> backends, is telling me that I need to configure at least one auth
> >>>>> mechanism:
> >>>>>
> >>>>> auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one
> >>>>>
> >>>>> The master auth is correctly configured.
> >>>>>
> >>>>> I want to accomplish to have user database only on one place
> >>>>> (=proxy). Any hints?
> >>>>>
> >>>>> azur
> >>>>
> >>>> Can you show your backend doveconf -n?
> >>>>
> >>>> Aki
> >>>
> >>> Here it is:
> >>> https://pastebin.com/C8dTUm5k
> >>
> >> Try adding another entry after the first passdb (order matters)
> >>
> >> passdb {
> >>   driver = static
> >>   args = nopassword
> >>   deny = yes
> >>   skip = authenticated
> >> }
> >>
> >> Aki
> >
> > This seems to be working, thank you. Can you explain to me why it's needed?
>
> No need to explain it anymore, I understand it now. I made a little
> change and (probably) final version is this:
>
> passdb {
>   driver = static
>   args = nopassword
>   skip = authenticated
> }
>
> I removed 'deny = yes' as, I believe, it's not needed and it was doing
> problems with LMTP proxying ('User doesn't exist' error message from
> backend LMTP). Thanks again.
>
> azur

Hi!

This is a very dangerous configuration, please consider using what Sami suggested, viz

passdb {
  driver = static
  args = password=masterpassword
}

and remove the master auth completely.

Then you can override user's password to masterpassword in proxy config.

Aki

Quoting Aki Tuomi <aki.tuomi at dovecot.fi>:

> Hi!
>
> This is a very dangerous configuration, please consider using what
> Sami suggested, viz
>
> passdb {
>   driver = static
>   args = password=masterpassword
> }
>
> and remove the master auth completely.
>
> Then you can override user's password to masterpassword in proxy config.
>
> Aki

This is awesome, as I was just contemplating how to maintain persistence with 2FA.
Is it possible to use a passdb based on remote ip? There's a username_filter, but I want to use a master password for webmail (which will use 2FA via Radius), and those IPs are known and non-routable.

Rick

Quoting Rick Romero <rick at havokmon.com>:

> This is awesome, as I was just contemplating how to maintain
> persistence with 2FA.
> Is it possible to use a passdb based on remote ip? There's a
> username_filter, but I want to use a master password for webmail
> (which will use 2FA via Radius), and those IPs are known and
> non-routable.
>
> Rick

Maybe just in the SQL passdb would be better...

password_query = SELECT userid as user, \
  if(host = '192.168.1.1', encrypt('masterpassword'), pass_field) as password \
  FROM users WHERE userid = '%u'

> On 12 Jul 2017, at 15.46, Rick Romero <rick at havokmon.com> wrote:
>
> This is awesome, as I was just contemplating how to maintain persistence with 2FA.
> Is it possible to use a passdb based on remote ip? There's a username_filter, but I want to use a master password for webmail (which will use 2FA via Radius), and those IPs are known and non-routable.

passdb {
  driver = static
  args = password=masterpassword allow_nets=192.168.0.0/24
}

or can even use single ip like allow_nets=192.168.1.234

Sami
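
The backend and proxy sides of what Aki and Sami describe, put together as an added example that is not part of the original thread. The `backend_host` column is hypothetical; the `users` table and the `userid` and `pass_field` columns are borrowed from Rick's query, and `masterpassword` and 192.168.0.0/24 are the thread's own placeholder values.

```conf
# ---- Backend, auth configuration (constructed example) ----

# WEAK: the "final version" from the thread, kept here commented out.
# A login without a master user is never authenticated by the master
# passdb, so this block is not skipped, and static/nopassword then
# accepts whatever password the client sent for any username.
#passdb {
#  driver = static
#  args = nopassword
#  skip = authenticated
#}

# CORRECTED: a single shared secret, accepted only from the proxy network.
# The "passdb { master = yes ... }" block is removed from the backend.
passdb {
  driver = static
  args = password=masterpassword allow_nets=192.168.0.0/24
}

# ---- Proxy, SQL passdb query (constructed example) ----

# The user's own password is verified here against pass_field.
# The "pass" extra field replaces it on the proxied connection, so the
# backend only ever sees the shared secret.
# backend_host is a hypothetical column holding the backend address.
password_query = SELECT userid AS user, pass_field AS password, \
  'Y' AS proxy, backend_host AS host, 'masterpassword' AS pass \
  FROM users WHERE userid = '%u'
```

With this layout the user database lives only on the proxy, and a client that reaches a backend directly needs both the shared secret and a source address inside `allow_nets`.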