Hi,
I noticed the following in the logs of our Debian wheezy server:
Mar 21 07:13:47 mail dovecot: auth: Debug:
ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): bind search: base=CN=Users, DC=samba,
DC=company, DC=com filter=(&(objectclass=person)(sAMAccountName=username)(!(userAccountControl=514)))
Mar 21 07:13:47 mail dovecot: auth: Debug:
ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username; uid unused
Mar 21 07:13:47 mail dovecot: auth: Debug:
ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): result: uid=username
Mar 21 07:13:48 mail dovecot: auth: ldap(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>):
invalid credentials (given password: invalid_password)
Mar 21 07:13:48 mail dovecot: auth: Debug:
static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): lookup
Mar 21 07:13:48 mail dovecot: auth: Debug:
static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets: Matching for network
127.0.0.1/32
Mar 21 07:13:48 mail dovecot: auth:
static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): allow_nets check failed: IP not in
allowed networks
Mar 21 07:13:48 mail dovecot: auth: Debug:
static(username,1.2.3.4,<g2/rF+ZnjAAu5ceg>): Allowing any password
Mar 21 07:13:54 mail dovecot: auth: Debug: auth client connected (pid=6174)
The second-to-last line, "Allowing any password", comes as a surprise..?
Why would Dovecot allow any password..?
We had the following bit in our config, but I have removed it now:
#passdb {
# driver = static
# args = nopassword=y allow_nets=127.0.0.1/32
#}
Could anyone explain the "Allowing any password" line?
And lastly our current doveconf -n:
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-5-amd64 x86_64 Debian 7.11 xfs
auth_debug = yes
auth_debug_passwords = yes
auth_failure_delay = 10 secs
auth_master_user_separator = *
auth_mechanisms = plain login
auth_username_format = %Ln
auth_verbose = yes
auth_verbose_passwords = plain
deliver_log_format = %f | %s | msgid=%m: %$
disable_plaintext_auth = no
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_greeting = Dovecot ready.
mail_gid = vmail
mail_location = maildir:/var/vmail/%Ln/Maildir:LAYOUT=fs:DIRNAME=mAildir
mail_plugins = acl lazy_expunge zlib quota mail_log notify
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy
include variables body enotify environment mailbox date ihave
namespace {
list = children
location =
maildir:/var/vmail/%%u/Maildir:LAYOUT=fs:DIRNAME=mAildir:INDEX=/var/vmail/%u/shared/%%u
prefix = shared/%%n/
separator = /
subscriptions = no
type = shared
}
namespace inbox {
inbox = yes
location =
mailbox "Deleted items" {
special_use = \Trash
}
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent items" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
mailbox inbox {
auto = subscribe
}
prefix =
separator = /
type = private
}
passdb {
args = /etc/dovecot/master-users
driver = passwd-file
master = yes
}
passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
plugin {
acl = vfile
acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
append
mail_log_fields = uid box msgid from subject
quota = maildir
quota_rule = ?:storage=5G
quota_rule2 = Trash:storage=+100M
quota_warning = storage=97%% quota-warning 97 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
quota_warning5 = storage=80%% quota-warning 80 %u
quota_warning6 = -storage=100%% quota-warning below %u
sieve = ~/.dovecot.sieve
sieve_default = /var/lib/dovecot/default.sieve
sieve_dir = ~/sieve
}
protocols = imap lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
unix_listener auth-userdb {
group = vmail
mode = 0666
user = vmail
}
}
service imap-login {
process_limit = 500
process_min_avail = 2
}
service quota-warning {
executable = script /usr/local/bin/quota-warning.sh
unix_listener quota-warning {
user = vmail
}
user = dovecot
}
shutdown_clients = no
ssl_ca = </etc/ssl/letsencrypt/fullchain.pem
ssl_cert = </etc/ssl/letsencrypt/cert.pem
ssl_key = </etc/ssl/letsencrypt/key.pem
ssl_protocols = !SSLv2 !SSLv3
userdb {
args = uid=vmail gid=vmail home=/var/vmail/%n allow_all_users=yes
driver = static
}
verbose_proctitle = yes
protocol lda {
mail_plugins = acl lazy_expunge zlib quota mail_log notify sieve quota
}
protocol imap {
imap_max_line_length = 2 M
mail_max_userip_connections = 30
mail_plugins = acl lazy_expunge zlib quota mail_log notify imap_quota imap_acl
}
MJ