Hi,

I noticed the following in the logs of our debian wheezy server:

> Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
> Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username; uid unused
> Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username
> Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): invalid credentials (given password: invalid_password)
> Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): lookup
> Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets: Matching for network 127.0.0.1/32
> Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks
> Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password
> Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)

The second last line "Allowing any password" comes as a surprise..? Why would dovecot allow any password..?

We had the following bit in our config, but I removed it now:

> #passdb {
> #  driver = static
> #  args = nopassword=y allow_nets=127.0.0.1/32
> #}

Could anyone explain the "Allowing any password"?
And lastly our current doveconf -n:

> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.2.0-5-amd64 x86_64 Debian 7.11 xfs
> auth_debug = yes
> auth_debug_passwords = yes
> auth_failure_delay = 10 secs
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_username_format = %Ln
> auth_verbose = yes
> auth_verbose_passwords = plain
> deliver_log_format = %f | %s | msgid=%m: %$
> disable_plaintext_auth = no
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> login_greeting = Dovecot ready.
> mail_gid = vmail
> mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
> mail_plugins = acl lazy_expunge zlib quota mail_log notify
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
> namespace {
>   list = children
>   location = maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
>   prefix = shared/%%n/
>   separator = /
>   subscriptions = no
>   type = shared
> }
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox "Deleted items" {
>     special_use = \Trash
>   }
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent items" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   mailbox inbox {
>     auto = subscribe
>   }
>   prefix =
>   separator = /
>   type = private
> }
> passdb {
>   args = /etc/dovecot/master-users
>   driver = passwd-file
>   master = yes
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   acl = vfile
>   acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
>   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename append
>   mail_log_fields = uid box msgid from subject
>   quota = maildir
>   quota_rule = ?:storage=5G
>   quota_rule2 = Trash:storage=+100M
>   quota_warning = storage=97%% quota-warning 97 %u
>   quota_warning2 = storage=95%% quota-warning 95 %u
>   quota_warning3 = storage=90%% quota-warning 90 %u
>   quota_warning4 = storage=85%% quota-warning 85 %u
>   quota_warning5 = storage=80%% quota-warning 80 %u
>   quota_warning6 = -storage=100%% quota-warning below %u
>   sieve = ~/.dovecot.sieve
>   sieve_default = /var/lib/dovecot/default.sieve
>   sieve_dir = ~/sieve
> }
> protocols = imap lmtp sieve
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0666
>   }
>   unix_listener auth-userdb {
>     group = vmail
>     mode = 0666
>     user = vmail
>   }
> }
> service imap-login {
>   process_limit = 500
>   process_min_avail = 2
> }
> service quota-warning {
>   executable = script /usr/local/bin/quota-warning.sh
>   unix_listener quota-warning {
>     user = vmail
>   }
>   user = dovecot
> }
> shutdown_clients = no
> ssl_ca = </etc/ssl/letsencrypt/fullchain.pem
> ssl_cert = </etc/ssl/letsencrypt/cert.pem
> ssl_key = </etc/ssl/letsencrypt/key.pem
> ssl_protocols = !SSLv2 !SSLv3
> userdb {
>   args = uid=vmail gid=vmail home=/var/vmail/%n allow_all_users=yes
>   driver = static
> }
> verbose_proctitle = yes
> protocol lda {
>   mail_plugins = acl lazy_expunge zlib quota mail_log notify sieve quota
> }
> protocol imap {
>   imap_max_line_length = 2 M
>   mail_max_userip_connections = 30
>   mail_plugins = acl lazy_expunge zlib quota mail_log notify imap_quota imap_acl
> }

MJ
On 21 March 2018 at 18:12 mj <lists at merit.unu.edu> wrote:

> Hi,
>
> I noticed the following in the logs of our debian wheezy server:
>
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): bind search: base=CN=Users, DC=samba, DC=company, DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username; uid unused
> > Mar 21 07:13:47 mail dovecot: auth: Debug: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username
> > Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): invalid credentials (given password: invalid_password)
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): lookup
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets: Matching for network 127.0.0.1/32
> > Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks
> > Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password
> > Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)
>
> The second last line "Allowing any password" comes as a surprise..?
> Why would dovecot allow any password..?
>
> We had the following bit in our config, but I removed it now:
>
> > #passdb {
> > #  driver = static
> > #  args = nopassword=y allow_nets=127.0.0.1/32
> > #}
>
> Could anyone explain the "Allowing any password"?

This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or doveadm exec imap -u victim for admin use.

Aki
Hi Aki,

Thanks for the quick answer!

On 03/21/2018 05:24 PM, Aki Tuomi wrote:
> This is what 'nopassword=y' does. I'm guessing this is an attempt to allow logging in from localhost without password, but I'd use master password (for applications or webmails), or

Yes, the config is taken from the SOGo configuration guide, which can be seen here:
https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html

Yes, but we have

args = nopassword=y allow_nets=127.0.0.1/32

so it should only allow passwordless logins from localhost, right..?

And in "Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password" 1.2.3.4 is NOT localhost... (obviously 1.2.3.4 is not the *real* ip, but it's a *real* ip from the internet, NOT localhost...)

MJ
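The question MJ raises is whether "Allowing any password" was ever logged for a client outside `allow_nets`. An administrator who has `auth_debug = yes` enabled, as in the doveconf above, can answer that from the auth log itself. The script below is an added example, not code from the thread or from the Dovecot project: it parses the per-request lines the 2.2.x auth process writes (`passdb(user,ip,<session>): message`, a format assumed from the lines quoted above), groups them by session id, and reports every session in which a passdb logged "Allowing any password", marking those whose client IP lies outside the configured `allow_nets` and those where Dovecot also logged "allow_nets check failed". The sample input is constructed: it contains the thread's own lines for session g2/rF+ZnjAAu5ceg plus an invented localhost session (`localtest0000001`) for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Per-request auth log lines in the 2.2.x format seen in the thread (assumption:
# "<passdb>(<user>,<ip>,<session>): <message>", with an optional "Debug: " prefix).
AUTH_LINE = re.compile(
    r"dovecot: auth: (?:Debug: )?"
    r"(?P<passdb>[A-Za-z0-9_-]+)\((?P<user>[^,]*),(?P<ip>[^,]*),<(?P<sid>[^>]*)>\): "
    r"(?P<msg>.*)$"
)

# Constructed sample: the thread's lines for the public client 1.2.3.4 (the poster's
# placeholder IP) followed by an invented localhost session for comparison.
SAMPLE_LOG = """\
Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): invalid credentials (given password: invalid_password)
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): lookup
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:13:48 mail dovecot: auth: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in allowed networks
Mar 21 07:13:48 mail dovecot: auth: Debug: static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password
Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)
Mar 21 07:15:01 mail dovecot: auth: Debug: static(sogo,127.0.0.1,<localtest0000001>): lookup
Mar 21 07:15:01 mail dovecot: auth: Debug: static(sogo,127.0.0.1,<localtest0000001>): allow_nets: Matching for network 127.0.0.1/32
Mar 21 07:15:01 mail dovecot: auth: Debug: static(sogo,127.0.0.1,<localtest0000001>): Allowing any password
"""


def ip_in_allow_nets(ip, allow_nets):
    """True if ip falls inside any CIDR entry of allow_nets; unparseable IPs count as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allow_nets)


def find_passwordless_auths(log_text, allow_nets):
    """One record per auth session in which a passdb logged 'Allowing any password'.

    Each record carries the client IP, whether it lies outside allow_nets, and whether
    Dovecot itself logged 'allow_nets check failed' in the same session.
    """
    sessions = defaultdict(lambda: {"any_password": False, "allow_nets_failed": False})
    for line in log_text.splitlines():
        m = AUTH_LINE.search(line)
        if not m:
            continue  # e.g. "auth client connected (pid=...)" has no session tuple
        s = sessions[m["sid"]]
        s["user"], s["ip"] = m["user"], m["ip"]
        if m["msg"] == "Allowing any password":
            s["any_password"] = True
            s["passdb"] = m["passdb"]
        elif m["msg"].startswith("allow_nets check failed"):
            s["allow_nets_failed"] = True

    findings = []
    for sid, s in sessions.items():
        if not s["any_password"]:
            continue
        findings.append({
            "session": sid,
            "user": s["user"],
            "ip": s["ip"],
            "passdb": s["passdb"],
            "allow_nets_failed": s["allow_nets_failed"],
            "outside_allow_nets": not ip_in_allow_nets(s["ip"], allow_nets),
        })
    return findings


if __name__ == "__main__":
    # Same allow_nets value as the commented-out static passdb in the thread.
    for f in find_passwordless_auths(SAMPLE_LOG, ["127.0.0.1/32"]):
        flag = "OUTSIDE allow_nets" if f["outside_allow_nets"] else "inside allow_nets"
        print(f"{f['session']} user={f['user']} ip={f['ip']} passdb={f['passdb']} "
              f"{flag} allow_nets_failed={f['allow_nets_failed']}")
```

Run against a real `/var/log/mail.log` (with `auth_debug = yes`, as here) the script lists, per session, whether a `nopassword=y` passdb ever reached "Allowing any password" for a client that `allow_nets` should have excluded; on the sample it reports the thread's session for 1.2.3.4 as outside the allowed network with the failed check recorded, and the localhost session as inside. That is the audit an administrator wants before deciding whether the static passdb, rather than the master-user approach Aki suggests, ever served a remote client.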