similar to: Auth cache prevents login when non-password fields change

Hi everyone, first post to the list, be gentle with me! Perhaps I'm missing something here, but it appears to me that many password database extra fields currently aren't much use inside SQL queries? All boolean fields like nologin/nodelay/nopassword are set if the column is present in the returned query, regardless of value (including NULL) For example, say you have a query like:

Hello, Still busy with details... Considering, as in my previous example, a password_query returning '!' or NULL for the "nologin" column, depending on an account's status (suspended or not). Let's consider a suspended user "some.user". In the case of a successful authentication, one has: sh-3.2# doveadm auth test some.user goodpassword; echo $? passdb:

I upgraded to beta7 from alpha4, and got this error during the auth process: dovecot: auth(default): client in: AUTH 1 PLAIN service=POP3 lip=0.0.0.0 rip=0.0.0.0 resp=<hidden> dovecot: auth-worker(default): sql(webmaster at example.com,0.0.0.0): query: SELECT username as user, NULL as password FROM users WHERE username = 'webmaster at example.com' AND

Hello, While experimenting with the "nologin" extra field, I met a possibly overlooked behavior. Let's suppose the user database has those two columns: enabled: the user may/may not login (account active/not active) nologin: NULL if the mailbox is available, '!' if it is currently suspended (for maintenance reasons) The password_query: password_query = SELECT

Hello, In the past (older dovecot versions) I've tuned the SQL "password_query" of our mail server so that when the user has the account blocked for some reason (expired, need password change, etc.) the query returns nologin=1 and a verbose reason like reason="Your account is expired please change the password" and it worked very well with IMAP clients. I'm now

Hi, I have an issue with the authentication cache. When a user changes his password, the cache doesn't seem to get flushed. Meaning the user is unable to log in to his IMAP account after changing his password. Flow: - Log into IMAP account using pass1 - Approved - Stored in auth cache - Change password to pass2 in MySQL - Log into IMAP account using pass2 - Access is denied -

Hello list, Still need your help configuring proxy infrastructure. Today, I really struggle configuring master passwords forwarding. What I want: master user can connect to any other account, on proxy. Could please somebody help me, I read both articles about this on wiki, but still can't connect :( What I did: on proxy: auth_master_user_separator=* passdb sql { args =

Hi, I'm not sure if I should be posting this question here or on the Postfix mailing list, but I'll start here. When using Dovecot SASL with Postfix, is there a way to return a login-failed reason in the SMTP AUTH dialog using "nologin", similar to the way it can be done with Dovecot IMAP and POP? Details: I have a Dovecot authentication-only daemon working with a Postfix

> On Jul 7, 2018, at 2:12 AM, Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > you can add nopassword attribute to the end. See https://wiki.dovecot.org/PasswordDatabase/ExtraFields > > > --- > Aki Tuomi > Dovecot oy Hi Aki, Thank you for your reply. I have two questions regarding this: 1. Is the ?nopassword? attribute the same as specifying a null password

When using proxy_maybe CRAM-MD5 authentication fails when the connection is proxied. Is this expected behavior? Is proxy_maybe too simplified for this case? We're using SQL so I could rewrite the query with IFs to fake proxy_maybe and return the password as NULL and nologin as Y, but if it works that way couldn't it work with proxy_maybe? This works: password_query = \ SELECT NULL AS

Per Timo's direction, I decided to give the MasterUser a try in connecting my proxy to my destination server. This might allow for the use of 'secure password' for my clients that like to check that box by default. A couple of problems I'm running into running RC15: #1: My Proxy's SQL password_query line: password_query = SELECT a.clearpasswd AS password, v.storeIP AS host,

Hey guys, Wondering if anyone has tried to do this before - a last login timestamp field. Using mysql for auth, I figured it would be easy enough to add a timestamp field and then tack an UPDATE statement on the end of the password_query. But of course, dovecot sees this as only one statement to pass to MySQL - of which MySQL barfs at.. Any ideas on how to achieve this ? Regards

Hi there, I have just compiled up 3.6.1p2 both with and without Darren Tuckers passexpire patch. However, with the patch applied /etc/nologin isn't displayed to users (on AIX 5.1 / PSSP) The patched vesion seems to fail with "illegal user" - some parts of a debug 3 log... debug1: userauth-request for user ade45 service ssh-connection method none debug1: attempt 0 failures 0

I tried to use MySQL stored procedures from dovecot: password_query = CALL user_pass_check('%n', '%d', '%w') user_query = CALL user_info('%n', '%d') This failed with the message: User query failed: PROCEDURE imap.user_info can't return a result set in the given context The root of this problem is that mysql_real_connect() needs to be called with

Hello, we're trying to setup a platform with authenticated SMTP with exim and relying on dovecot as auth agent. We've read http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL and so made the changes mentioned there, also setting auth_mechanisms = plain login in conf.d/10-auth.conf . With this setup, we're able to use AUTH LOGIN method on an SMTP session, but using AUTH PLAIN

Hi List, I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets ?ssl? to ?any-cert? and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set ?ssl? to ?any-cert? (or yes), it will attempt a TLS-connection to the sieve-backends, which fails. My attempt was to alter the query to include

I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to ?no?. Interestingly, if I set ssl=NULL and don?t set starttls at all, it still tries an SSL connection to the backend. Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and ssl-backends which would be a similar use-case to

Hi all I have a problem when users change quota in SQL, the change is not reflected in Dovecot immediately so quota_warning is still triggered on some occasions. I think it's because the quota is stored in userdb, and there is no way to flush userdb cache? Is there a way to flush userdb entries? What controls userdb cache TTL/size? auth_cache entries? I can't seem to find any

Dovecot 1.1.8-0_85.el5 I'm seeing this set of messages repeat every 15 min. My best guess is the user tried to delete an imap folder and is failing? Feb 9 20:05:58 mailserver dovecot: imap-login: Login: user=<user at example.com>, method=PLAIN, rip=10.0.0.1, lip=192.168.250.80, TLS Feb 9 20:05:58 mailserver dovecot: IMAP(user at example.com):

Hi, I've searched the WIKI for this information but seem unable to find anything about it. What limitations are imposed on the password for IMAP/POP3 users? I've had a customer saying they can't use passwords which contain "." or ":", and some seem to have problems when the password is 8 characters. I use PLAIN authentication, passwords are stored in a MySQL