In order to change the password scheme I wrote a script named
updateproxy that needs the plain text password from the user.
To get that I use the line
password_query = SELECT username as user, password, \
'%w' as userdb_plain_pass FROM auth_user WHERE
username='%n'
This works nicely with almost all passwords but not with this one
1234567%&/abcd
the error message being
dovecot: Failed to expand plugin setting plain_pass
'1234567%&/abcd': Unknown variable '%&'
It looks as if Dovecot performs a second round of %-variable expansion on the
**value** of the already-expanded field: the `userdb_plain_pass` column becomes
the userdb field `plain_pass`, which is handed on as a plugin setting, and the
error says that setting is then expanded again, so the `%&` inside the password
is parsed as a variable name rather than as data.
So I searched for ways to escape problematic characters like %
and changed my line to
password_query = SELECT username as user, password, \
'%E{w}' as userdb_plain_pass FROM auth_user WHERE
username='%n'
but this produces problems with password values containing quotes.
So how can I get a plain text password containing any ascii char
(or even better any utf-8 char) safely to my script?
Thanks for your suggestions
-------------- here the nasty details, if you want -------------
$ dovecot -n
# 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.2 ()
# OS: Linux 5.4.0-122-generic x86_64 Ubuntu 20.04.4 LTS
# Hostname: mx-10-2.bildung.hessen.de
# Output of `dovecot -n` as posted (non-default settings only). The
# comment lines below are reviewer notes; nothing else was changed.
#
# PLAIN and LOGIN send the password verbatim, which is what makes the
# plaintext available as %w in the passdb queries. No disable_plaintext_auth
# line is shown, so the default (yes) presumably applies and these
# mechanisms are only accepted over TLS or from localhost — confirm.
auth_mechanisms = plain login
# One setting, wrapped by the mail client. The set deliberately excludes
# '/' and whitespace, which is what keeps the static userdb's
# home=/var/vmail/%n below from escaping /var/vmail. '.' is allowed, so a
# login name such as '..' would pass this check; it still has to exist in
# auth_user for the passdb to succeed, but keep the two settings in sync.
auth_username_chars =
abcdefghijklmnopqrstuvwxyz_0123456789.ABCDEFGHIJKLMNOPQRSTUVWXYZ-@
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
inbox = yes
# NOTE: 'location' (empty value) and 'mailbox Drafts {' were joined onto one
# line by the mail client; in the real file they are two separate lines.
location mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
# NOTE: 'prefix' (empty value) and the closing '}' were joined the same way.
prefix }
# Each sql passdb's query file selects '%w' (the plaintext password the
# client sent) as an extra field named userdb_plain_pass (see the thread).
# Dovecot SQL-escapes %-variables inside password_query, so %w/%n are not an
# injection vector there; the problem is what happens afterwards: the
# userdb_ prefix is stripped, the remaining field name (plain_pass) is
# treated as a plugin setting, and plugin settings are %-expanded a second
# time. A password containing '%' therefore fails with "Unknown variable"
# because its value is being parsed as a variable template. Neutralise '%'
# in the value inside the query (e.g. base64-encode it in SQL and decode in
# the script) rather than restricting what passwords may contain.
passdb {
# the following file contains a '%w'-line
args = /etc/dovecot/db1.conf
driver = sql
}
passdb {
# the following file contains a '%w'-line
args = /etc/dovecot/db2.conf
driver = sql
}
passdb {
# the following file contains no '%w'-line (just for detail)
args = /etc/dovecot/db3.conf
driver = sql
}
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_max_actions = 64
sieve_max_redirects = 16
sieve_max_script_size = 10M
# Script tracing is enabled; the trace may include message content, so
# check where it is written (sieve_user_log below is per user) — confirm.
sieve_trace_debug = yes
sieve_user_log = ~/sievelog
sieve_vacation_dont_check_recipient = yes
sieve_vacation_use_original_recipient = yes
}
protocols = imap sieve lmtp
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap {
executable = imap after-login
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
}
# Post-login script, run as vmail. Per the thread it receives the plaintext
# password through the userdb_plain_pass field; script-login passes userdb
# fields to the script via its environment (as far as I recall — verify), so
# the secret is readable by anything that can inspect that process. Make
# sure updateproxy never logs or echoes it.
service after-login {
executable = script-login /etc/dovecot/updateproxy
user = vmail
}
# mode = 0666 makes both stats sockets world-readable and world-writable, so
# group = mail has no effect. Unless local non-mail users genuinely need
# these sockets, 0660 is the safer choice.
service stats {
unix_listener stats-reader {
group = mail
mode = 0666
}
unix_listener stats-writer {
group = mail
mode = 0666
}
}
# TLS is what protects the PLAIN/LOGIN password in transit, yet the cipher
# list still admits RC4 and MEDIUM ciphers and ssl_min_protocol = SSLv3
# nominally allows a protocol broken by POODLE. OpenSSL on Ubuntu 20.04 will
# not actually negotiate SSLv3, but the intent should be explicit:
# ssl_min_protocol = TLSv1.2 and a cipher list without RC4.
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-SSLv3
ssl_key = # hidden, use -P to show it
ssl_min_protocol = SSLv3
ssl_prefer_server_ciphers = yes
# Home directory is built from %n; safe only while auth_username_chars above
# keeps '/' out of the username.
userdb {
args = uid=vmail gid=vmail home=/var/vmail/%n
driver = static
}
protocol lmtp {
mail_plugins = quota sieve
postmaster_address = somebody at somwhere.org
}
protocol lda {
deliver_log_format = msgid=%m: %$
mail_plugins = sieve
postmaster_address = somebody at somehwere.org
quota_full_tempfail = yes
rejection_reason = Your message to <%t> was automatically rejected:%n%r
}
protocol imap {
imap_client_workarounds = delay-newmail
mail_max_userip_connections = 300
}
Paul Kudla (SCOM.CA Internet Services Inc.)
2022-Aug-02 10:04 UTC
variable %w recursive expanding
Ok, not what you probably want to hear: C, Python etc. use % as a variable indicator, with the next character selecting a format (like %s being a string variable), and this is what is causing the issue. Not saying for sure, but experience-wise I am not familiar with any system allowing a % sign in the password nowadays — could be wrong; I guess it depends on the backbone password-fetcher process. Even if you could get Dovecot (or any C-based program) to allow for this, clients would probably have similar issues, over which there would be no real control. Another character would also be '\', as it is used as a delimiter making the next character literal, along with \x00 (non-ASCII characters in a string). Again, just an experience FYI. [Reviewer note: the quoted error "Unknown variable '%&'" comes from Dovecot's own %-variable expansion of the userdb field, not from printf-style formatting in C; PLAIN/LOGIN already carry the password verbatim, so the fix is to neutralise '%' in the intermediate value (e.g. by encoding it) rather than to forbid characters in passwords.]
Happy Tuesday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3
Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul at scom.ca
On 8/1/2022 4:47 AM, Franz Beslmeisl wrote:
>
> In order to change the password scheme I wrote a script named
> updateproxy that needs the plain text password from the user.
> To get that I use the line
>
>     password_query = SELECT username as user, password, \
>       '%w' as userdb_plain_pass FROM auth_user WHERE username='%n'
>
> This works nicely with almost all passwords but not with this one
>
>     1234567%&/abcd
>
> the error message being
>
>     dovecot: Failed to expand plugin setting plain_pass
>       '1234567%&/abcd': Unknown variable '%&'
>
> It seems to me that dovecot tries to do another level of variable
> evaluation upon the **value** of the already evaluated variable.
>
> So I searched for ways to escape problematic characters like %
> and changed my line to
>
>     password_query = SELECT username as user, password, \
>       '%E{w}' as userdb_plain_pass FROM auth_user WHERE username='%n'
>
> but this produces problems with password values containing quotes.
> > So how can I get a plain text password containing any ascii char > (or even better any utf-8 char) safely to my script? > > Thanks for your suggestions > > > > -------------- here the nasty details, if you want ------------- > $ dovecot -n > # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.5.7.2 () > # OS: Linux 5.4.0-122-generic x86_64 Ubuntu 20.04.4 LTS > # Hostname: mx-10-2.bildung.hessen.de > auth_mechanisms = plain login > auth_username_chars = > abcdefghijklmnopqrstuvwxyz_0123456789.ABCDEFGHIJKLMNOPQRSTUVWXYZ-@ > lda_mailbox_autocreate = yes > lda_mailbox_autosubscribe = yes > mail_location = maildir:~/Maildir > mail_privileged_group = mail > managesieve_notify_capability = mailto > managesieve_sieve_capability = fileinto reject envelope > encoded-character vacation subaddress comparator-i;ascii-numeric > relational regex imap4flags copy include variables body enotify > environment mailbox date index ihave duplicate mime foreverypart > extracttext > namespace inbox { > ? inbox = yes > ? location > ? mailbox Drafts { > ??? auto = subscribe > ??? special_use = \Drafts > ? } > ? mailbox Junk { > ??? auto = subscribe > ??? special_use = \Junk > ? } > ? mailbox Sent { > ??? auto = subscribe > ??? special_use = \Sent > ? } > ? mailbox "Sent Messages" { > ??? special_use = \Sent > ? } > ? mailbox Trash { > ??? auto = subscribe > ??? special_use = \Trash > ? } > ? prefix > } > passdb { > ? # the following file contains a '%w'-line > ? args = /etc/dovecot/db1.conf > ? driver = sql > } > passdb { > ? # the following file contains a '%w'-line > ? args = /etc/dovecot/db2.conf > ? driver = sql > } > passdb { > ? # the following file contains no '%w'-line (just for detail) > ? args = /etc/dovecot/db3.conf > ? driver = sql > } > plugin { > ? sieve = ~/.dovecot.sieve > ? sieve_dir = ~/sieve > ? sieve_max_actions = 64 > ? sieve_max_redirects = 16 > ? sieve_max_script_size = 10M > ? sieve_trace_debug = yes > ? sieve_user_log = ~/sievelog > ? 
sieve_vacation_dont_check_recipient = yes > ? sieve_vacation_use_original_recipient = yes > } > protocols = imap sieve lmtp > service auth { > ? unix_listener /var/spool/postfix/private/dovecot-auth { > ??? group = postfix > ??? mode = 0660 > ??? user = postfix > ? } > } > service imap { > ? executable = imap after-login > } > service lmtp { > ? unix_listener /var/spool/postfix/private/dovecot-lmtp { > ??? group = postfix > ??? mode = 0660 > ??? user = postfix > ? } > } > service after-login { > ? executable = script-login /etc/dovecot/updateproxy > ? user = vmail > } > service stats { > ? unix_listener stats-reader { > ??? group = mail > ??? mode = 0666 > ? } > ? unix_listener stats-writer { > ??? group = mail > ??? mode = 0666 > ? } > } > ssl_cert = </etc/dovecot/private/dovecot.pem > ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-SSLv3 > ssl_key = # hidden, use -P to show it > ssl_min_protocol = SSLv3 > ssl_prefer_server_ciphers = yes > userdb { > ? args = uid=vmail gid=vmail home=/var/vmail/%n > ? driver = static > } > protocol lmtp { > ? mail_plugins = quota sieve > ? postmaster_address = somebody at somwhere.org > } > protocol lda { > ? deliver_log_format = msgid=%m: %$ > ? mail_plugins = sieve > ? postmaster_address = somebody at somehwere.org > ? quota_full_tempfail = yes > ? rejection_reason = Your message to <%t> was automatically rejected:%n%r > } > protocol imap { > ? imap_client_workarounds = delay-newmail > ? mail_max_userip_connections = 300 > } > >
Hi,
I had a similar problem.
Solved with "password, TO_BASE64('%w')" and decoding later
into the (php) script updating my db. This works because base64 output
contains only A-Z, a-z, 0-9, '+', '/' and '=', so the second %-expansion
has nothing it can misread as a variable, and quotes or non-ASCII bytes in
the password survive the round trip intact. TO_BASE64() is MySQL/MariaDB
syntax; other databases have their own base64 function. The decoded value
is still the user's plaintext password, so the script should treat it as a
secret (no logging, no echoing into error messages).
Il 01/08/2022 10:47, Franz Beslmeisl ha scritto:
> In order to change the password scheme I wrote a script named
> updateproxy that needs the plain text password from the user.
> To get that I use the line
>
> ??? password_query = SELECT username as user, password, \
> ????? '%w' as userdb_plain_pass FROM auth_user WHERE
username='%n'
>
> This works nicely with almost all passwords but not with this one
>
> ??? 1234567%&/abcd
>
> the error message being
>
> dovecot: Failed to expand plugin setting plain_pass
>       '1234567%&/abcd': Unknown variable '%&'
>
> It seems to me that dovecot tries to do another level of variable
> evaluation upon the **value** of the already evaluated variable.
>
> So I searched for ways to escape problematic characters like %
> and changed my line to
>
> ??? password_query = SELECT username as user, password, \
> ????? '%E{w}' as userdb_plain_pass FROM auth_user WHERE
username='%n'
>
> but this produces problems with password values containing quotes.
>
> So how can I get a plain text password containing any ascii char
> (or even better any utf-8 char) safely to my script?
>
> Thanks for your suggestions
>
>
>
> -------------- here the nasty details, if you want -------------
> $ dovecot -n
> # 2.3.7.2 (3c910f64b): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.2 ()
> # OS: Linux 5.4.0-122-generic x86_64 Ubuntu 20.04.4 LTS
> # Hostname: mx-10-2.bildung.hessen.de
> auth_mechanisms = plain login
> auth_username_chars =
> abcdefghijklmnopqrstuvwxyz_0123456789.ABCDEFGHIJKLMNOPQRSTUVWXYZ-@
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> mail_location = maildir:~/Maildir
> mail_privileged_group = mail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope
> encoded-character vacation subaddress comparator-i;ascii-numeric
> relational regex imap4flags copy include variables body enotify
> environment mailbox date index ihave duplicate mime foreverypart
> extracttext
> namespace inbox {
> ? inbox = yes
>   location
>   mailbox Drafts {
> ??? auto = subscribe
> ??? special_use = \Drafts
> ? }
> ? mailbox Junk {
> ??? auto = subscribe
> ??? special_use = \Junk
> ? }
> ? mailbox Sent {
> ??? auto = subscribe
> ??? special_use = \Sent
> ? }
> ? mailbox "Sent Messages" {
> ??? special_use = \Sent
> ? }
> ? mailbox Trash {
> ??? auto = subscribe
> ??? special_use = \Trash
> ? }
>   prefix
> }
> passdb {
> ? # the following file contains a '%w'-line
> ? args = /etc/dovecot/db1.conf
> ? driver = sql
> }
> passdb {
> ? # the following file contains a '%w'-line
> ? args = /etc/dovecot/db2.conf
> ? driver = sql
> }
> passdb {
> ? # the following file contains no '%w'-line (just for detail)
> ? args = /etc/dovecot/db3.conf
> ? driver = sql
> }
> plugin {
> ? sieve = ~/.dovecot.sieve
> ? sieve_dir = ~/sieve
> ? sieve_max_actions = 64
> ? sieve_max_redirects = 16
> ? sieve_max_script_size = 10M
> ? sieve_trace_debug = yes
> ? sieve_user_log = ~/sievelog
> ? sieve_vacation_dont_check_recipient = yes
> ? sieve_vacation_use_original_recipient = yes
> }
> protocols = imap sieve lmtp
> service auth {
> ? unix_listener /var/spool/postfix/private/dovecot-auth {
> ??? group = postfix
> ??? mode = 0660
> ??? user = postfix
> ? }
> }
> service imap {
> ? executable = imap after-login
> }
> service lmtp {
> ? unix_listener /var/spool/postfix/private/dovecot-lmtp {
> ??? group = postfix
> ??? mode = 0660
> ??? user = postfix
> ? }
> }
> service after-login {
> ? executable = script-login /etc/dovecot/updateproxy
> ? user = vmail
> }
> service stats {
> ? unix_listener stats-reader {
> ??? group = mail
> ??? mode = 0666
> ? }
> ? unix_listener stats-writer {
> ??? group = mail
> ??? mode = 0666
> ? }
> }
> ssl_cert = </etc/dovecot/private/dovecot.pem
> ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-SSLv3
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = SSLv3
> ssl_prefer_server_ciphers = yes
> userdb {
> ? args = uid=vmail gid=vmail home=/var/vmail/%n
> ? driver = static
> }
> protocol lmtp {
> ? mail_plugins = quota sieve
> ? postmaster_address = somebody at somwhere.org
> }
> protocol lda {
> ? deliver_log_format = msgid=%m: %$
> ? mail_plugins = sieve
> ? postmaster_address = somebody at somehwere.org
> ? quota_full_tempfail = yes
> ? rejection_reason = Your message to <%t> was automatically
rejected:%n%r
> }
> protocol imap {
> ? imap_client_workarounds = delay-newmail
> ? mail_max_userip_connections = 300
> }
>
--
###############################
# Cristiano Deana #
# #
# Senior Network Engineer #
# Digital Response Team #
# CittaStudi S.p.a. #
# off. +39 015 855 1172 #
# cell +39 328 310 6392 #
###############################