Aymeric Agon-Rambosson
2023-Mar-15 22:31 UTC
Postfix : root and system user authentication
I have a solution to my problem. For reference, I am putting it here.

I recall that my issue is that postfix authorises login with root (or other users), even though authentication is delegated to dovecot, and the documentation about {first,last}_valid_{g,u}id seems to say that it should not be possible (and that authentication to dovecot with root is also forbidden in a hardcoded way).

I thank Mr. Ardley for having pointed out that dovecot delegates the authentication to PAM.

What actually happens (in my case at least) is that dovecot questions PAM about a specific authentication attempt, and receives PAM's answer. Then, *and only for itself*, it applies its own restrictions regarding root login and {first,last}_valid_{g,u}id. When it authenticates on behalf of postfix, it notifies postfix of success directly. So the semantics of {first,last}_valid_{g,u}id should be understood for dovecot only, not for other processes that have delegated authentication to dovecot, which answers my first question.

Then, on how to effectively restrict postfix submission login based on uids, the simple solution not involving virtual users is to set these conditions in PAM directly. The conditions that dovecot must match in order to succeed authentication with PAM are in the file /etc/pam.d/dovecot (at least on Debian):

    #%PAM-1.0
    @include common-auth
    @include common-account
    @include common-session

A simple way to restrict login based on uids is to modify the file as such:

    #%PAM-1.0
    auth required pam_succeed_if.so uid > 500 quiet
    @include common-auth
    @include common-account
    @include common-session

Now, in order for dovecot (and *for every process it authenticates on behalf of* as well, which is what matters) to succeed authentication, the uid will have to be greater than 500. It is possible to specify other conditions as well, see https://linux.die.net/man/8/pam_succeed_if.

Best regards to everyone,
Aymeric
On 16/3/23 06:31, Aymeric Agon-Rambosson wrote:
> I have a solution to my problem.
>
> For reference, I am putting it here:
>
> A simple way to restrict login based on uids is to modify the file as such:
>
>     #%PAM-1.0
>     auth required pam_succeed_if.so uid > 500 quiet
>     @include common-auth
>     @include common-account
>     @include common-session

It is possible for the dovecot sasl component to use different authorisation back-ends, such as LDAP, GSSAPI, MySQL etc. These do not necessarily have the ability to reject uid < 500. However, generally, these backends can be used by pam as well.

In default debian installations:

    cat dovecot
    #%PAM-1.0
    #auth required pam_faillock.so preauth silent audit
    #auth [default=die] pam_faillock.so authfail audit
    @include common-auth
    @include common-account
    @include common-session

    cat common-auth
    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.

A good practice would be to use

    postfix --> dovecot/sasl --> pam --> backend server

and do the uid vetting in the dovecot pam configuration.

-- 
Jeremy
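The UID gate discussed in both messages above, as an added example that is not part of the thread or of either poster's setup: a small Python checker that flattens a PAM service file (following @include), reports whether an auth-phase pam_succeed_if.so gate is present before the password modules, and evaluates that gate for a given account, so a candidate /etc/pam.d/dovecot can be tested against real accounts before it is deployed. The file contents are constructed: "dovecot" and "dovecot_patched" copy the two stacks posted in the thread, while the common-* files are minimal stand-ins (assumed, not Debian's real files). The evaluator covers only a subset of pam_succeed_if tests (uid comparisons and user =/!=/ingroup); anything else raises instead of silently passing.

```python
"""Audit a PAM service stack for a UID gate ahead of password verification.

Added illustration, not code from the thread: flattens a PAM service file
(following @include), reports whether an auth-phase pam_succeed_if.so gate
exists, and evaluates it for a given account.
"""
import re
from typing import Dict, List, NamedTuple, Sequence


class Rule(NamedTuple):
    phase: str       # auth / account / session / password
    control: str     # required / requisite / sufficient / [...] forms
    module: str      # e.g. pam_succeed_if.so
    args: List[str]  # module arguments, whitespace-split


# Constructed stand-ins for /etc/pam.d files.  "dovecot" and "dovecot_patched"
# copy the two stacks posted in the thread; the common-* contents are assumed
# minimal versions, not Debian's real files.
PAM_FILES: Dict[str, str] = {
    "dovecot": "#%PAM-1.0\n@include common-auth\n@include common-account\n"
               "@include common-session\n",
    "dovecot_patched": "#%PAM-1.0\nauth required pam_succeed_if.so uid > 500 quiet\n"
                       "@include common-auth\n@include common-account\n"
                       "@include common-session\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
}

# phase, control (bracketed controls may contain spaces), module, arguments
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
_FLAGS = {"quiet", "quiet_fail", "quiet_success", "debug", "use_uid", "audit"}
_NUM_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
            ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
            "=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_pam_service(name: str, files: Dict[str, str], _depth: int = 0) -> List[Rule]:
    """Return the flattened rule list for a service, expanding @include."""
    if _depth > 8:
        raise ValueError("@include nesting too deep")
    rules: List[Rule] = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and '#%PAM-1.0'
        if not line:
            continue
        if line.startswith("@include"):
            rules.extend(parse_pam_service(line.split()[1], files, _depth + 1))
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line in {name}: {raw!r}")
        phase, control, module, rest = m.groups()
        rules.append(Rule(phase, control, module, rest.split()))
    return rules


def succeed_if(args: Sequence[str], uid: int, user: str, groups: Sequence[str]) -> bool:
    """Evaluate pam_succeed_if.so tests (subset: uid comparisons, user =/!=/ingroup).

    All tests must hold, as in the real module.  Unknown tests raise rather
    than silently passing, so a typo in the config is caught, not ignored.
    """
    tests = [a for a in args if a not in _FLAGS]
    if len(tests) % 3:
        raise ValueError(f"malformed pam_succeed_if arguments: {list(args)}")
    for field, op, value in zip(tests[0::3], tests[1::3], tests[2::3]):
        if field == "uid" and op in _NUM_OPS:
            ok = _NUM_OPS[op](uid, int(value))
        elif field == "user" and op == "ingroup":
            ok = value in groups
        elif field == "user" and op in ("=", "!="):
            ok = (user == value) if op == "=" else (user != value)
        else:
            raise ValueError(f"unsupported pam_succeed_if test: {field} {op} {value}")
        if not ok:
            return False
    return True


def has_uid_gate(rules: Sequence[Rule]) -> bool:
    """True if the auth phase has a required/requisite pam_succeed_if uid test."""
    return any(r.phase == "auth" and r.module == "pam_succeed_if.so"
               and r.control in ("required", "requisite") and "uid" in r.args
               for r in rules)


def auth_gate_allows(rules: Sequence[Rule], uid: int, user: str,
                     groups: Sequence[str] = ()) -> bool:
    """Does the auth phase let this account reach password verification?

    Only pam_succeed_if gates with required/requisite control are modelled;
    other modules are treated as pass-through, so True means "not blocked
    by a gate", not "would authenticate".
    """
    for r in rules:
        if r.phase == "auth" and r.module == "pam_succeed_if.so" \
                and r.control in ("required", "requisite") \
                and not succeed_if(r.args, uid, user, groups):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample accounts: root, a daemon account, a regular user.
    for service in ("dovecot", "dovecot_patched"):
        rules = parse_pam_service(service, PAM_FILES)
        print(f"{service}: uid gate present = {has_uid_gate(rules)}")
        for uid, user in [(0, "root"), (104, "postfix"), (1000, "alice")]:
            verdict = "passes gate" if auth_gate_allows(rules, uid, user) else "denied"
            print(f"  {user:8} uid={uid:<5} {verdict}")
```

The checker treats `required` and `requisite` the same, because either control denies the login when the test fails; the difference is that with `required` PAM still runs the remaining auth modules (so pam_unix.so is consulted before the failure is returned), whereas `requisite` returns immediately. It does not simulate the password check itself, only whether the account is stopped by the gate before reaching it.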