Quoting Aki Tuomi <aki.tuomi at open-xchange.com>:

> On 03.10.2018 23:30, Eric Broch wrote:
>> Hello list,
>>
>> I run Dovecot with the vpopmail driver and have found that it
>> authenticates against the clear text password in the vpopmail
>> database. Is there a configuration option either at compile time, link
>> time, or a setting in one of the configuration files that tells the
>> program to authenticate against the hash instead of the clear text?
>
> Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
> Aki

Or use SQL - then you don't have to munge any of your tools.

password_query = \
  SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, \
    pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid \
  FROM vpopmail \
  WHERE pw_name = '%n' AND pw_domain = '%d' \
    AND !(pw_gid & 8) AND !(pw_gid & 2) \
    AND ('%r' != '<webserverip>' OR !(pw_gid & 4))

pw_gid refers to the binary vpopmail flags for disable POP, IMAP, Webmail.

Rick
On 10/4/2018 6:34 AM, Rick Romero wrote:

> Quoting Aki Tuomi <aki.tuomi at open-xchange.com <mailto:aki.tuomi at open-xchange.com>>:
>
>> On 03.10.2018 23:30, Eric Broch wrote:
>>
>>> Hello list,
>>>
>>> I run Dovecot with the vpopmail driver and have found that it
>>> authenticates against the clear text password in the vpopmail
>>> database. Is there a configuration option either at compile time, link
>>> time, or a setting in one of the configuration files that tells the
>>> program to authenticate against the hash instead of the clear text?
>>>
>> Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
>> Aki
>
> Or use SQL - then you don't have to munge any of your tools.
>
> password_query = \
>   SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, \
>     pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid \
>   FROM vpopmail \
>   WHERE pw_name = '%n' AND pw_domain = '%d' \
>     AND !(pw_gid & 8) AND !(pw_gid & 2) \
>     AND ('%r' != '<webserverip>' OR !(pw_gid & 4))
>
> pw_gid refers to the binary vpopmail flags for disable POP, IMAP,
> Webmail.
>
> Rick

When configuring vpopmail for our purposes we use (now) the configuration option:

  --disable-many-domains
      Creates a table for each virtual domain instead of storing all users
      in a single table. Only valid for MySQL and PostgreSQL

This disallows (I think) the use of the Dovecot MySQL configuration file, as every user is stored in a domain table of the form 'mydomain_tld'. So, we're limited to these configurations (no dovecot-mysql.conf.ext):

passdb {
  args = cache_key=%u webmail=127.0.0.1
  driver = vpopmail
}

userdb {
  args = cache_key=%u quota_template=quota_rule=*:backend=%q
  driver = vpopmail
}

If there is a clear text password (pw_clear_passwd) present it seems that Dovecot will use that instead of using the hash (pw_passwd).

It seems from the code in 'passdb-vpopmail.c' (below) that if the clear password (pw_clear_passwd) is present Dovecot skips the hashed password (pw_passwd), and we want authentication against the hashed password.

<snippet>
    if (vpopmail_is_disabled(auth_request, vpw)) {
        auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
                              "%s disabled in vpopmail for this user",
                              auth_request->service);
        password = NULL;
        *result_r = PASSDB_RESULT_USER_DISABLED;
    } else {
        if (vpw->pw_clear_passwd != NULL &&
            *vpw->pw_clear_passwd != '\0') {
            password = t_strdup_noconst(vpw->pw_clear_passwd);
            *cleartext = TRUE;
        } else if (!*cleartext)
            password = t_strdup_noconst(vpw->pw_passwd);
        else
            password = NULL;
        *result_r = password != NULL ? PASSDB_RESULT_OK :
            PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
    }
</snippet>

Looking for an option to make Dovecot use the hashed password instead of clear text. Hope this makes sense.

-EricB

-- 
Eric Broch
White Horse Technical Consulting (WHTC)
Quoting Eric Broch <ebroch at whitehorsetc.com>:

> On 10/4/2018 6:34 AM, Rick Romero wrote:
>
>> Quoting Aki Tuomi <aki.tuomi at open-xchange.com>:
>>
>>> On 03.10.2018 23:30, Eric Broch wrote:
>>>> Hello list,
>>>>
>>>> I run Dovecot with the vpopmail driver and have found that it
>>>> authenticates against the clear text password in the vpopmail
>>>> database. Is there a configuration option either at compile time, link
>>>> time, or a setting in one of the configuration files that tells the
>>>> program to authenticate against the hash instead of the clear text?
>>>
>>> Prefix your passwords in vpopmail with {SCHEME} (like, {CRYPT})
>>> Aki
>>
>> Or use SQL - then you don't have to munge any of your tools.
>>
>> password_query = \
>>   SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password, \
>>     pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid \
>>   FROM vpopmail \
>>   WHERE pw_name = '%n' AND pw_domain = '%d' \
>>     AND !(pw_gid & 8) AND !(pw_gid & 2) \
>>     AND ('%r' != '<webserverip>' OR !(pw_gid & 4))
>>
>> pw_gid refers to the binary vpopmail flags for disable POP, IMAP, Webmail.
>>
>> Rick
>
> When configuring vpopmail for our purposes we use (now) the configuration option:
>
>   --disable-many-domains
>       Creates a table for each virtual domain instead of storing all users
>       in a single table. Only valid for MySQL and PostgreSQL
>
> This disallows (I think) the use of the Dovecot MySQL configuration file, as every user is stored in a domain table of the form 'mydomain_tld'. So, we're limited to these configurations (no dovecot-mysql.conf.ext):
>
> passdb {
>   args = cache_key=%u webmail=127.0.0.1
>   driver = vpopmail
> }
>
> userdb {
>   args = cache_key=%u quota_template=quota_rule=*:backend=%q
>   driver = vpopmail
> }
>
> If there is a clear text password (pw_clear_passwd) present it seems that Dovecot will use that instead of using the hash (pw_passwd).
>
> It seems from the code in 'passdb-vpopmail.c' (below) that if the clear password (pw_clear_passwd) is present Dovecot skips the hashed password (pw_passwd), and we want authentication against the hashed password.
>
> <snippet>
>     if (vpopmail_is_disabled(auth_request, vpw)) {
>         auth_request_log_info(auth_request, AUTH_SUBSYS_DB,
>                               "%s disabled in vpopmail for this user",
>                               auth_request->service);
>         password = NULL;
>         *result_r = PASSDB_RESULT_USER_DISABLED;
>     } else {
>         if (vpw->pw_clear_passwd != NULL &&
>             *vpw->pw_clear_passwd != '\0') {
>             password = t_strdup_noconst(vpw->pw_clear_passwd);
>             *cleartext = TRUE;
>         } else if (!*cleartext)
>             password = t_strdup_noconst(vpw->pw_passwd);
>         else
>             password = NULL;
>         *result_r = password != NULL ? PASSDB_RESULT_OK :
>             PASSDB_RESULT_SCHEME_NOT_AVAILABLE;
>     }
> </snippet>
>
> Looking for an option to make Dovecot use the hashed password instead of clear text. Hope this makes sense.
>
> -EricB

We seem to have lost quoting..

First - Why aren't you just deleting all the clear text passwords?

Second, for many domains, my password query for your purposes should just be:

SELECT CONCAT(pw_name, '@', pw_domain) AS user, pw_passwd AS password,
  pw_dir AS userdb_home, 89 AS userdb_uid, 89 AS userdb_gid
FROM %d
WHERE pw_name = '%n' AND pw_domain = '%d'
  AND !(pw_gid & 8) AND !(pw_gid & 2)
  AND ('%r' != '<webserverip>' OR !(pw_gid & 4))

Where %d is the domain name. Your vpopmail database should have a bunch of domain.com table names. Or you can hardcode the database with FROM vpopmail.%d

You may need to play with quotes.. FROM `vpopmail.%d` or FROM `%d`

Rick
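The three mechanisms the thread touches can be seen together in one small model: the clear-text-first precedence Eric reads out of the passdb-vpopmail.c snippet, Aki's {SCHEME}-prefixed hashes, and the pw_gid service flags and clear-text removal from Rick's replies. The following is an added example written for this page, not Dovecot or vpopmail code; every name in it is hypothetical. It assumes the pw_gid bits 2, 4 and 8 mean no POP, no webmail and no IMAP (as in Rick's query), that {SHA256} and {SSHA256} use Dovecot's base64 encodings (digest, then salt for the salted form), and it treats an unprefixed pw_passwd as CRYPT, which it deliberately does not verify and so reports as scheme-not-available, the same outcome the C snippet produces when no usable credential is found.

```python
"""Toy model of the vpopmail passdb decisions discussed in this thread.

Added example, not Dovecot or vpopmail code. Names are hypothetical.
Assumed: pw_gid bits 2/4/8 = no POP / no webmail / no IMAP; {SHA256} and
{SSHA256} follow Dovecot's base64 layouts; unprefixed pw_passwd is CRYPT,
which this example does not verify.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Optional, Tuple

NO_POP, NO_WEBMAIL, NO_IMAP = 2, 4, 8   # assumed vpopmail pw_gid flag bits


@dataclass(frozen=True)
class VpopmailRow:
    pw_name: str
    pw_domain: str
    pw_passwd: str          # hash, ideally "{SCHEME}..." prefixed
    pw_clear_passwd: str    # "" when the column is empty or NULL
    pw_gid: int = 0


def make_hash(password: str, scheme: str = "SSHA256",
              salt: Optional[bytes] = None) -> str:
    """Produce a {SCHEME}-prefixed value suitable for pw_passwd."""
    pw = password.encode()
    if scheme == "PLAIN":
        return "{PLAIN}" + password
    if scheme == "SHA256":                      # base64(sha256(pw))
        return "{SHA256}" + base64.b64encode(hashlib.sha256(pw).digest()).decode()
    if scheme == "SSHA256":                     # base64(sha256(pw+salt) + salt)
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha256(pw + salt).digest()
        return "{SSHA256}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def split_scheme(stored: str) -> Tuple[str, str]:
    """'{SSHA256}abc' -> ('SSHA256', 'abc'); an unprefixed value is taken
    as CRYPT, the default the vpopmail passdb assumes for pw_passwd."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
        return scheme.upper(), rest
    return "CRYPT", stored


def verify(stored: str, candidate: str) -> Optional[bool]:
    """True/False for a scheme this model can check, None when it cannot."""
    scheme, data = split_scheme(stored)
    pw = candidate.encode()
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode(), pw)
    if scheme == "SHA256":
        return hmac.compare_digest(base64.b64decode(data),
                                   hashlib.sha256(pw).digest())
    if scheme == "SSHA256":
        raw = base64.b64decode(data)
        digest, salt = raw[:32], raw[32:]
        return hmac.compare_digest(digest, hashlib.sha256(pw + salt).digest())
    return None                                 # CRYPT and anything unknown


def is_disabled(row: VpopmailRow, service: str, remote_ip: str,
                webserver_ip: str) -> bool:
    """Same conditions as the pw_gid tests in Rick's password_query."""
    if service == "pop3" and row.pw_gid & NO_POP:
        return True
    if service == "imap" and row.pw_gid & NO_IMAP:
        return True
    if remote_ip == webserver_ip and row.pw_gid & NO_WEBMAIL:
        return True
    return False


def select_credential(row: VpopmailRow,
                      need_cleartext: bool) -> Tuple[Optional[str], bool]:
    """Precedence of the passdb-vpopmail.c snippet: a non-empty
    pw_clear_passwd always wins; pw_passwd is used only when the caller
    does not need clear text; otherwise nothing usable is returned."""
    if row.pw_clear_passwd:
        return row.pw_clear_passwd, True
    if not need_cleartext:
        return row.pw_passwd, False
    return None, need_cleartext


def authenticate(row: VpopmailRow, candidate: str, service: str = "imap",
                 remote_ip: str = "192.0.2.10", webserver_ip: str = "127.0.0.1",
                 need_cleartext: bool = False) -> str:
    """Outcome names mirror the PASSDB_RESULT_* values in the snippet."""
    if is_disabled(row, service, remote_ip, webserver_ip):
        return "USER_DISABLED"
    password, cleartext = select_credential(row, need_cleartext)
    if password is None:
        return "SCHEME_NOT_AVAILABLE"
    if cleartext:
        ok = hmac.compare_digest(password.encode(), candidate.encode())
    else:
        ok = verify(password, candidate)
        if ok is None:
            return "SCHEME_NOT_AVAILABLE"
    return "OK" if ok else "PASSWORD_MISMATCH"


def scrub_cleartext(row: VpopmailRow) -> VpopmailRow:
    """Rick's mitigation: with pw_clear_passwd emptied, the hash is used."""
    return replace(row, pw_clear_passwd="")


if __name__ == "__main__":
    # constructed sample row with both columns populated, as on Eric's system
    row = VpopmailRow("eric", "example.com", make_hash("s3cret"), "s3cret")
    print(select_credential(row, False))                 # clear text wins
    print(authenticate(scrub_cleartext(row), "s3cret"))  # OK, via the hash
```

Running the demo shows the behaviour the thread describes: as long as pw_clear_passwd is populated it is the credential that gets compared, and only after scrubbing it does the {SSHA256} value in pw_passwd take part; an unprefixed legacy hash, for which no verifier is available here, yields the scheme-not-available outcome rather than a silent match.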