[Dovecot] [Postfix] SASL Auth. using Dovecot with password forwarding proxy configuration

Adi Pircalabu adi at ddns.com.au
Fri Aug 31 05:51:20 EEST 2012


Hi,

I'm relatively new to Dovecot and I did a bit of search but couldn't
find a possible solution for the particular setup I'm working on.
Basically I have an SMTP/POP/IMAP proxy setup running Postfix &
Dovecot. IMAP/POP authentication is done using the password proxy
feature, where the login credentials are passed to the backend server
after a db lookup, which does the actual authentication.
The POP/IMAP part is working fine. What I'm trying to do is to use
Dovecot SASL implementation in Postfix to do SMTP authentication in a
similar manner. The problem I have with my current configuration is that
SMTP authentication succeeds if only the username matches, because
password forwarding works if the authentication succeeds with any given
password, as documented at
http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
My question is, given the above: is there a way to get SMTP
authentication properly in this scenario? The way I see it now, Dovecot
SASL accepting the login if only the user matches isn't quite
"complete", the auth process should go further and authenticate against
the backend server, same as for POP/IMAP connections. Does this
requirement make any sense?
Maybe I'm missing something in Dovecot configuration to get the SMTP
authentication work in password forwarding mode, few pointers will be
highly appreciated. PopBSMTP is not an sensible alternative in my case.
Here's my configuration, plus some dovecot auth_debug log entries. As
you can see, SMTP authentication succeeds with any given password.

---Dovecot---

 dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.2.1.el6.centos.plus.x86_64 x86_64 CentOS release 6.3 (Final) auth_cache_size = 4 k
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_ca = </etc/pki/tls/certs/ca-cert.pem
ssl_cert = </etc/pki/tls/certs/_cert.pem
ssl_key = </etc/pki/tls/certs/_key.pem
userdb {
  driver = prefetch
}

grep -v "^$\|^#" /etc/dovecot/dovecot-sql.conf.ext 
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=postfixpassword
password_query = SELECT NULL AS password, 'Y' as nopassword, host,
email, 'Y' AS proxy FROM mailbox WHERE email = '%u'

---Dovecot---

---Postfix---

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination

---Postfix---

---/var/log/maillog---

(IMAP connection)
Aug 31 11:20:20 centos6 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=192.168.1.222#011rip=192.168.1.56#011lport=993#011rport=44024#011resp=AGFAMGFkaXRlc3QubmV0ADEyM3F3ZVpYQw==
Aug 31 11:20:20 centos6 dovecot: auth: Debug: cache(a at 0aditest.net,192.168.1.56): miss
Aug 31 11:20:20 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:20:20 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:20:21 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:20:21 centos6 dovecot: auth: mysql: Connected to /var/lib/mysql/mysql.sock (postfix)
Aug 31 11:20:21 centos6 dovecot: auth: Debug: sql(a at 0aditest.net,192.168.1.56): query: SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = 'a at 0aditest.net'
Aug 31 11:20:21 centos6 dovecot: auth: Debug: client out: OK#0111#011user=a at 0aditest.net#011host=BACKEND_SERVER_IP#011email=a at 0aditest.net#011proxy#011pass=1234567890
Aug 31 11:20:21 centos6 dovecot: imap-login: Debug: Ignoring unknown passdb extra field: email
Aug 31 11:20:21 centos6 dovecot: imap-login: proxy(a at 0aditest.net): started proxying to BACKEND_SERVER_IP:143: user=<a at 0aditest.net>, method=PLAIN, rip=192.168.1.56, lip=192.168.1.222, TLS
[...]

(SMTP connection)
Aug 31 11:36:14 centos6 postfix/smtpd[11213]: connect from unknown[192.168.1.200]
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: auth client connected (pid=11213)
Aug 31 11:36:14 centos6 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=192.168.1.222#011rip=192.168.1.200#011resp=AGFAMGFkaXRlc3QubmV0AGFzZA==
Aug 31 11:36:14 centos6 dovecot: auth: Debug: cache(a at 0aditest.net,192.168.1.200): miss
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Aug 31 11:36:14 centos6 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so
Aug 31 11:36:14 centos6 dovecot: auth: mysql: Connected to /var/lib/mysql/mysql.sock (postfix)
Aug 31 11:36:14 centos6 dovecot: auth: Debug: sql(a at 0aditest.net,192.168.1.200): query: SELECT NULL AS password, 'Y' as nopassword, host, email, 'Y' AS proxy FROM mailbox WHERE email = 'a at 0aditest.net'
Aug 31 11:36:14 centos6 dovecot: auth: Debug: client out: OK#0111#011user=a at 0aditest.net#011host=203.63.79.87#011email=a at 0aditest.net#011proxy#011pass=anygivenpassword
Aug 31 11:36:14 centos6 postfix/smtpd[11213]: C9620600A9: client=unknown[192.168.1.200], sasl_method=PLAIN, sasl_username=a at 0aditest.net
Aug 31 11:36:14 centos6 postfix/cleanup[11219]: C9620600A9: message-id=<20120831113614.72ed32df at adi.ddns.local>
[...]

---/var/log/maillog---

-- 
Adi Pircalabu


More information about the dovecot mailing list