Hello dovecot mailing list,
I have a server running postfix and dovecot. I havea configuration
on dovecot that allows me to provide imap4/pop3 messages for local
hosted users as well as for proxied users on other servers.
Basically, i have a simple MySQL table (imapproxy) with two fields,
'domain' and 'host'. My password_query isa 'UNION' query, exactly like:
password_query=select endereco as user, password, '/var/spool/mail/%u'
as userdb_home, 'maildir:/var/spool/mail/%u' as userdb_mail, 8 as
userdb_uid, 12 as userdb_gid, concat('*:storage=', quota) as
userdb_quota_rule, 'Trash:storage=+100M' as userdb_quota_rule2, 'Y' as
proxy_maybe, '10.252.38.2' as host from emails where endereco = '%u' and
ativa = '1' UNION select NULL as user, '%w' as password, NULL as
userdb_home, NULL as userdb_mail, NULL as userdb_uid, NULL as
userdb_gid, NULL as userdb_quota_rule, NULL as userdb_quota_rule2, 'Y'
as proxy_maybe, imapproxy.host as host from imapproxy where
imapproxy.dominio = '%d'
the 10.252.38.2 address, on the query, is my local server
when this query received a local user, from a domain that is NOT listed
on the imapproxy table, results are like:
*************************** 1. row ***************************
user: localu...@domain.com.br
password: (SSHA256 encrypted password)
userdb_home: /var/spool/mail/localu...@domain.com.br
userdb_mail: maildir:/var/spool/mail/localu...@domain.com.br
userdb_uid: 8
userdb_gid: 12
userdb_quota_rule: *:storage=51200
userdb_quota_rule2: Trash:storage=+100M
proxy_maybe: Y
host: 10.252.38.2
when it receives a proxied domain, results are:
*************************** 1. row ***************************
user: NULL
password: password
userdb_home: NULL
userdb_mail: NULL
userdb_uid: NULL
userdb_gid: NULL
userdb_quota_rule: NULL
userdb_quota_rule2: NULL
proxy_maybe: Y
host: 10.254.116.9
This is working just fine for IMAP4 and POP3 proxying. Local users
(which domains are NOT listed on imapproxy table) can successfully login
to their accountsas well as users from domains listed on imapproxy table
can successfully login to their accounts.
On SMTP authentication, tough, things are not so fine. SMTP
authentication is provided by dovecot to postfix:
[root@correio dovecot]# postconf mail_version
mail_version = 2.7.1
[root@correio dovecot]#
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
service auth is defined on dovecot confs as:
service auth {
unix_listener auth-userdb {
mode = 0600
user = mail
group = mail
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
and it seems to be allowing ANYuser on any domain listed on the
imapproxy table domains to login, even if the user does not exists or
provides wrong password. In fact, it seems dovecot returns OK to postfix
even without trying to contact the assigned server to that domain, as i
cannot find any password-failed-specific log to that user on the
specific server. Example:
(a proxied domain)
[root@correio dovecot]# telnet mail.proxieddomain.com.br 110
Trying 10.254.116.9...
Connected to mail.proxieddomain.com.br (10.254.116.9).
Escape character is '^]'.
+OK Dovecot ready.
user te...@proxieddomain.com.br
+OK
pass password
-ERR Authentication failed.
(i can successfully find this auth trial and fail on 10.254.116.9 logs)
but on SMTP authentication, i have:
[root@correio dovecot]# perl -MMIME::Base64 -e \ 'print
encode_base64("teste\@proxieddomain.com.br\0teste\@proxieddomain.com.br\0password");'
xxxxxxxxx(not the real encoded pass)xxxxxxxxxxxxxxxx=
[root@correio dovecot]#
[root@correio dovecot]# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.domain.com.br ESMTP
EHLO test
250-mail.domain.com.br
[ ... ]
AUTH PLAIN (encoded string returned by perl encode_base64)
235 2.7.0 Authentication successful
(and i cannot even find any authentication log, fail or success, on the
specific server for proxieddomain.com.br)
dovecot version is:
[root@correio dovecot]# dovecot --version
2.2.2
[root@correio dovecot]#
what am i doing wrong here ? How to have dovecot to really check users
before giving OK to postfix on SMTP authentications ?
Thanks for any hints !
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
