thr3ads.net - dovecot - Stopping login via "nologin" parameter [Jul 2018]

If this information is useful, please help other people find it:
Share via:

J Doe

2018-Jul-19 22:49 UTC

Stopping login via "nologin" parameter

Hello,

I have a basic e-mail server with Postfix 3.1 and Dovecot 2.2.22.

I am using a passwd-file for both userdb and passdb:

    /etc/dovecot/dovecot.conf
        userdb {
            driver = passwd-file
            args = /etc/dovecot/passwd
        }

        passdb {
            driver = passwd-file
            args = /etc/dovecot/passwd
        }
    }

In the passwd file, I want to have user account names for SMTP SASL AUTH and
IMAP that are NOT e-mail addresses.

For example, employee one of ABC corp would have a SMTP SASL AUTH/IMAP account
name in the form: abc_company_employeeid (for example: abc_company_03284).  The
idea behind that is that I do not want someone outside of the company to be able
to know the first half of the username and password pair just because they have
an employee's e-mail address.

For the e-mail address I specify something like: bob at abc.com however I never
want someone to be able to login via their e-mail address.  Originally, I
specified the password field as empty, with the understanding being that the
default encryption of a password is {CRYPT}.  Since crypt() cannot output a null
string, this meant that there was never a valid password.

So passwd looked like this:

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP accounts
       
abc_company_03284:::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284

        # IMAP
        bob at
abc.com:vmail:vmail::/home/vmail/bob::userdb_maill=maildir:/var/mail/vhosts/abc.com/abc_company_03284

I tested SMTP SASL AUTH and IMAP via the openssl s_client and can confirm that I
can login and send e-mail as well as retrieve mail only via the:
abc_company_03284 account, but because an empty password field isn?t mentioned
on the Dovecot wiki, I was wondering if I should add ?nologin? to explicitly
make it impossible for: bob at abc.com.  ?nologin? was mentioned to me in a
previous e-mail to this list.

So passwd would now look like this:

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP accounts
       
abc_company_03284:::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284

        # IMAP
        bob at
abc.com:vmail:vmail::/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
nologin

I restarted Dovecot and tested this with openssl s_client for SMTP SASL AUTH and
IMAP, but just wanted to make sure that this STOPS ANY LOGINS via the e-mail
address: bob at abc.com ?

Thanks,

- J

J Doe

2018-Jul-22 23:33 UTC

head link

Stopping login via "nologin" parameter

> On Jul 19, 2018, at 6:49 PM, J Doe <general at nativemethods.com
<mailto:general at nativemethods.com>> wrote:
> 
> Hello,
> 
> I have a basic e-mail server with Postfix 3.1 and Dovecot 2.2.22.
> 
> I am using a passwd-file for both userdb and passdb:
> 
>    /etc/dovecot/dovecot.conf
>        userdb {
>            driver = passwd-file
>            args = /etc/dovecot/passwd
>        }
> 
>        passdb {
>            driver = passwd-file
>            args = /etc/dovecot/passwd
>        }
>    }
> 
> In the passwd file, I want to have user account names for SMTP SASL AUTH
and IMAP that are NOT e-mail addresses.
> 
> For example, employee one of ABC corp would have a SMTP SASL AUTH/IMAP
account name in the form: abc_company_employeeid (for example:
abc_company_03284).  The idea behind that is that I do not want someone outside
of the company to be able to know the first half of the username and password
pair just because they have an employee's e-mail address.
> 
> For the e-mail address I specify something like: bob at abc.com
<mailto:bob at abc.com> however I never want someone to be able to login
via their e-mail address.  Originally, I specified the password field as empty,
with the understanding being that the default encryption of a password is
{CRYPT}.  Since crypt() cannot output a null string, this meant that there was
never a valid password.
> 
> So passwd looked like this:
> 
>    /etc/dovecot/passwd
>        # SMTP SASL AUTH and IMAP accounts
>       
abc_company_03284:::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>
> 
>        # IMAP
>        bob at abc.com <mailto:bob at
abc.com>:vmail:vmail::/home/vmail/bob::userdb_maill=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>
> 
> I tested SMTP SASL AUTH and IMAP via the openssl s_client and can confirm
that I can login and send e-mail as well as retrieve mail only via the:
abc_company_03284 account, but because an empty password field isn?t mentioned
on the Dovecot wiki, I was wondering if I should add ?nologin? to explicitly
make it impossible for: bob at abc.com <mailto:bob at abc.com>.  ?nologin?
was mentioned to me in a previous e-mail to this list.
> 
> So passwd would now look like this:
> 
>    /etc/dovecot/passwd
>        # SMTP SASL AUTH and IMAP accounts
>       
abc_company_03284:::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>
> 
>        # IMAP
>        bob at abc.com <mailto:bob at
abc.com>:vmail:vmail::/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284> nologin
> 
> I restarted Dovecot and tested this with openssl s_client for SMTP SASL
AUTH and IMAP, but just wanted to make sure that this STOPS ANY LOGINS via the
e-mail address: bob at abc.com <mailto:bob at abc.com> ?
> 
> Thanks,
> 
> - J
Hi list,

I believe I?ve found the solution I?m looking for.

I use one passwd-file for SMTP SASL AUTH, IMAP and LMTP from a Postfix 3.1
server to a Dovecot 2.2.22 server.

    /etc/dovecot/dovecot.conf
        userdb {
           driver = passwd-file
           args = /etc/dovecot/passwd
       }

       passdb {
           driver = passwd-file
           args = /etc/dovecot/passwd
       }
   }

The passwd file contains one test user.  The test user?s SMTP SASL AUTH and IMAP
account name is: ?abc_company_03284" and has a password of ?password?.
The e-mail address of that user is "bob at abc.com <mailto:bob at
abc.com>".  I don?t have the SMTP SASL AUTH and IMAP account name set to
?bob at abc.com <mailto:bob at abc.com>" because I don?t want someone
to try to login by assuming the SMTP SASL AUTH/IMAP account name is the user?s
e-mail address.

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP information
       
abc_company_03284:{PLAIN}password::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>

        # LMTP
        bob at abc.com <mailto:bob at
abc.com>:{PLAIN}password:vmail:vmail:/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>

If I test logging on via SMTP SASL AUTH and IMAP via the openssl s_client, I can
log on using an account name of ?bob at abc.com" and a password of
?password?, as expected.

To stop someone from logging on via their e-mail address, I place ?fail? [1] at
the end INSTEAD OF ?nologin?:

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP information
       
abc_company_03284:{PLAIN}password::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>

        # LMTP
        bob at abc.com <mailto:bob at
abc.com>:{PLAIN}password:vmail:vmail:/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284> fail

If I then restart Postfix and Dovecot and attempt to login via SMTP SASL AUTH
and IMAP via the openssl s_client with an account name of ?bob at abc.com
<mailto:bob at abc.com>? and use a password of ?password?, it now fails
password lookup in both instances.  Because of the ?fail? command, the password
field I used for testing with the ?bob at abc.com <mailto:bob at
abc.com>" account is irrelevant and I can remove it.  Therefore my final
passwd file is:

    /etc/dovecot/passwd
        # SMTP SASL AUTH and IMAP information
       
abc_company_03284:{PLAIN}password::::::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>

        # LMTP
        bob at abc.com <mailto:bob at
abc.com>::vmail:vmail:/home/vmail/bob::userdb_mail=maildir:/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284> fail

Sending a test e-mail to ?bob at abc.com <mailto:bob at abc.com>? confirms
that the user?s e-mail is received and stored in:
"/var/mail/vhosts/abc.com/abc_company_03284
<http://abc.com/abc_company_03284>?, which means LMTP is working.

Can anyone confirm that I am correct about this ?  I want to be sure that is
now:

    1) Impossible to login via SMTP SASL AUTH and IMAP using the e-mail address
?bob at abc.com <mailto:bob at abc.com>?.
    2) Only possible to login via SMTP SASL AUTH and IMAP using the account name
?abc_company_03284? and a password of ?password"

Thanks,

- J

Sources:

[1] https://wiki2.dovecot.org/PasswordDatabase/ExtraFields
<https://wiki2.dovecot.org/PasswordDatabase/ExtraFields> and see
?fail"
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180722/d9cc7c90/attachment.html>

Seemingly Similar Threads

Search for more possibly parallel threads

dovecot - Jul 2018 - Stopping login via "nologin" parameter

Stopping login via "nologin" parameter

Stopping login via "nologin" parameter

Seemingly Similar Threads