bes
2018-Oct-17 17:09 UTC
dovecot passdb driver=checkpassword as external script for block ip
Refer to https://dovecot.org/pipermail/dovecot/2015-March/099971.html and https://wiki.dovecot.org/PasswordDatabase. I tried to repeat the same thing.

Set these passdb:

    passdb {
      args = /myscript.sh ip=%r
      driver = checkpassword
      result_failure = return-fail
      result_success = continue
    }
    passdb {
      args = /etc/dovecot/dovecot-sql.conf.ext   (my working auth method)
      driver = sql
    }

Created executable /myscript.sh:

    #!/bin/sh
    exit 1

But I saw in the logs:

    dovecot[15111]: auth: Error: checkpassword(techdept at nestormedia.com,192.168.99.128,<Mos6jW94XNzAqGOA>): Child 15115 exited with status 1
    dovecot[18016]: imap-login: Login: user=....[successful login]

Why does result_failure=return-fail from the first passdb not work?
bes
2018-Oct-17 22:17 UTC
dovecot passdb driver=checkpassword as external script for block ip
After some debugging I can explain that this happens only when the client authentication method is CRAM-MD5:

    dovecot[5553]: auth: Debug: checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): execute: /myscript.sh ip=192.168.99.128 /usr/libexec/dovecot/checkpassword-reply
    dovecot[5553]: auth: Error: checkpassword(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Child 7810 exited with status 1
    dovecot[5553]: auth-worker(7811): Debug: Loading modules from directory: /usr/lib/dovecot/auth
    dovecot[5553]: auth-worker(7811): Debug: Module loaded: /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
    dovecot[5553]: auth: Debug: sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Generating CRAM-MD5 from user 'login', password 'pass'
    dovecot[5553]: auth: Debug: sql(login,192.168.99.128,<5/TM6XN4QOrAqGOA>): Credentials: 39d6bc889c65808c09b87d2081fe2aff4fd1e174ed3a97ac966e67323cba8d7e
    dovecot[5553]: auth: Debug: client passdb out: OK 1 user=login

Any other method works correctly and returns:

    auth: Debug: ......... execute: /myscript.sh ............
    ......
    auth: checkpassword(login,ip,<uh259nN4jRwu2KzB>): Login failed (status=1)
    ......
    auth: Debug: client passdb out: FAIL 1 user=login

On Wed, Oct 17, 2018 at 8:09 PM bes <bes.internal at gmail.com> wrote:
>
> Refer to
> https://dovecot.org/pipermail/dovecot/2015-March/099971.html
> https://wiki.dovecot.org/PasswordDatabase
> I tried to repeat the same thing.
> Set these passdb:
>
> passdb {
>   args = /myscript.sh ip=%r
>   driver = checkpassword
>   result_failure = return-fail
>   result_success = continue
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext   (my working auth method)
>   driver = sql
> }
>
> Created executable /myscript.sh:
>   #!/bin/sh
>   exit 1
>
> But I saw in the logs:
>
> dovecot[15111]: auth: Error: checkpassword(techdept at nestormedia.com,192.168.99.128,<Mos6jW94XNzAqGOA>): Child 15115 exited with status 1
> dovecot[18016]: imap-login: Login: user=....[successful login]
>
> Why does result_failure=return-fail from the first passdb not work?
Sami Ketola
2018-Oct-18 10:31 UTC
dovecot passdb driver=checkpassword as external script for block ip
> On 17 Oct 2018, at 20.09, bes <bes.internal at gmail.com> wrote:
>
> Refer to
> https://dovecot.org/pipermail/dovecot/2015-March/099971.html
> https://wiki.dovecot.org/PasswordDatabase
> I tried to repeat the same thing.
> Set these passdb:
>
> passdb {
>   args = /myscript.sh ip=%r
>   driver = checkpassword
>   result_failure = return-fail
>   result_success = continue
> }
> passdb {
>   args = /etc/dovecot/dovecot-sql.conf.ext   (my working auth method)
>   driver = sql
> }
>
> Created executable /myscript.sh:
>   #!/bin/sh
>   exit 1

While I'm not sure why this does not work, I was wondering if a deny passdb would be more efficient to implement this blacklisting, as executing a script on each login attempt is awfully slow. Instead I would do something like this:

    # check deny passwd for ip address first
    passdb {
      driver = passwd-file
      args = username_format=%r /etc/dovecot/ip-deny-list
      deny = yes
      auth_verbose = no
      result_success = return-fail
    }

and then just create /etc/dovecot/ip-deny-list with one ip address per line.

Sami
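As an added example (not from the thread and not Dovecot's own code), a POSIX shell deny-list lookup for the remote address Dovecot hands a checkpassword script as ip=%r: it reads the one-IP-per-line file proposed above, matches whole lines rather than substrings, and also accepts IPv4 a.b.c.d/n prefixes, which goes beyond the plain list in the thread. The function names, the CIDR support and the comment handling are my assumptions; the rest of the checkpassword protocol (reading fd 3, exec'ing the reply binary on success) is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): deny-list lookup for the remote IP Dovecot passes as "ip=%r".
# Exact matching avoids grep's substring pitfall (192.168.99.12 vs 192.168.99.128); CIDR lines are an extension.
# ip_to_int DOTTED: print an IPv4 address as an unsigned integer (status 1 if malformed). Subshell body keeps IFS local.
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do                 # each octet: 0-255, no leading zeros, digits only
        case $o in 0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;; *) return 1 ;; esac
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)
# ip_denied IP LISTFILE: status 0 if IP is listed (whole-line address match, or inside an
# IPv4 a.b.c.d/n prefix), else 1. Blank lines and "#" comments are ignored.
ip_denied() {
    ip=$1; list=$2
    [ -r "$list" ] || return 1           # unreadable list denies nobody (assumption; log this in production)
    ipn=$(ip_to_int "$ip") || ipn=       # empty for non-IPv4 (e.g. IPv6): only exact matching applies
    while read -r line || [ -n "$line" ]; do
        line=${line%%#*}; set -- $line; line=${1:-}   # strip comment and surrounding whitespace
        [ -n "$line" ] || continue
        case $line in
        */*)
            [ -n "$ipn" ] || continue
            netn=$(ip_to_int "${line%/*}") || continue
            bits=${line#*/}
            case $bits in [0-9]|[12][0-9]|3[012]) ;; *) continue ;; esac   # malformed prefix length: skip line
            mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
            [ $(( ipn & mask )) -eq $(( netn & mask )) ] && return 0 ;;
        *)
            [ "$line" = "$ip" ] && return 0 ;;
        esac
    done < "$list"
    return 1
}
# deny_status_for_args LISTFILE ARGS...: scan the arguments Dovecot passes to the
# checkpassword script and print the exit status the filter should use:
# 1 (authentication failed, as the thread's "exit 1" script does) or 0 (allow).
deny_status_for_args() {
    list=$1; shift
    for a in "$@"; do
        case $a in ip=*) ip_denied "${a#ip=}" "$list" && { echo 1; return 0; } ;; esac
    done
    echo 0
}
# Stand-alone use: ./ipfilter.sh /etc/dovecot/ip-deny-list ip=192.0.2.1 [more args]
[ $# -eq 0 ] || exit "$(deny_status_for_args "$@")"
```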